rapid7 / metasploit-framework

Metasploit Framework
https://www.metasploit.com/

redis_replication_cmd_exec: write to data/exploits/redis/module.c fails due insufficient permissions #14868

Open qszx opened 3 years ago

qszx commented 3 years ago

```
[*] Started reverse TCP handler on 192.168.190.128:4444
[-] 202.91.247.216:6379 - Exploit failed: Msf::Auxiliary::Scanner::AttemptFailed bad-config: Make sure SRVHOST not be 0.0.0.0, or the slave failed to find master.
[*] Exploit completed, but no session was created.
msf6 exploit(linux/redis/redis_replication_cmd_exec) > set SRVHOST 185.59.221.44
SRVHOST => 185.59.221.44
msf6 exploit(linux/redis/redis_replication_cmd_exec) > run

[*] Started reverse TCP handler on 192.168.190.128:4444
[-] 202.91.247.216:6379 - Exploit failed: Errno::EACCES Permission denied @ rb_sysopen - /usr/share/metasploit-framework/data/exploits/redis/module.c
[*] Exploit completed, but no session was created.
msf6 exploit(linux/redis/redis_replication_cmd_exec) > debug
Please provide the below information in any Github issues you open. New issues can be opened here https://github.com/rapid7/metasploit-framework/issues/new/choose
ENSURE YOU HAVE REMOVED ANY SENSITIVE INFORMATION BEFORE SUBMITTING!
```

===8<=== CUT AND PASTE EVERYTHING BELOW THIS LINE ===8<===

Module/Datastore

The following global/module datastore, and database setup was configured before the issue occurred:

```
[framework/core]
LHOST=eth0

[framework/ui/console]
ActiveModule=exploit/linux/redis/redis_replication_cmd_exec

[linux/redis/redis_replication_cmd_exec]
PAYLOAD=linux/x64/meterpreter/reverse_tcp
SRVPORT=6379
WORKSPACE=
VERBOSE=false
WfsDelay=0
EnableContextEncoding=false
ContextInformationFile=
DisablePayloadHandler=false
EXE::EICAR=false
EXE::Custom=
EXE::Path=
EXE::Template=
EXE::Inject=false
EXE::OldMethod=false
EXE::FallBack=false
MSI::EICAR=false
MSI::Custom=
MSI::Path=
MSI::Template=
MSI::UAC=false
SRVHOST=185.59.221.44
ListenerComm=
SSL=false
SSLCompression=false
SSLCipher=
TCP::max_send_size=0
TCP::send_delay=0
RHOSTS=202.91.247.216
RPORT=6379
SSLVersion=Auto
SSLVerifyMode=PEER
Proxies=
CPORT=
CHOST=
ConnectTimeout=10
ShowProgress=true
ShowProgressPercent=10
HTTP::no_cache=false
HTTP::chunked=false
HTTP::header_folding=false
HTTP::junk_headers=false
HTTP::compression=none
HTTP::server_name=Apache
URIHOST=
URIPORT=
SendRobots=false
CMDSTAGER::FLAVOR=auto
CMDSTAGER::DECODER=
CMDSTAGER::TEMP=
CMDSTAGER::SSL=false
FileDropperDelay=
PASSWORD=foobared
READ_TIMEOUT=2
CUSTOM=true
RedisModuleInit=
RedisModuleTrigger=
RedisModuleName=
LHOST=
LPORT=4444
ReverseListenerBindPort=
ReverseAllowProxy=false
ReverseListenerComm=
ReverseListenerBindAddress=
ReverseListenerThreaded=false
StagerRetryCount=10
StagerRetryWait=5
AutoLoadStdapi=true
AutoVerifySession=true
AutoVerifySessionTimeout=30
InitialAutoRunScript=
AutoRunScript=
AutoSystemInfo=true
EnableUnicodeEncoding=false
HandlerSSLCert=
SessionRetryTotal=3600
SessionRetryWait=10
SessionExpirationTimeout=604800
SessionCommunicationTimeout=300
PayloadProcessCommandLine=
AutoUnhookProcess=false
PingbackRetries=0
PingbackSleep=30
PayloadUUIDSeed=
PayloadUUIDRaw=
PayloadUUIDName=
PayloadUUIDTracking=false
EnableStageEncoding=false
StageEncoder=
StageEncoderSaveRegisters=
StageEncodingFallback=true
PrependFork=false
PrependSetresuid=false
PrependSetreuid=false
PrependSetuid=false
PrependSetresgid=false
PrependSetregid=false
PrependSetgid=false
PrependChrootBreak=false
AppendExit=false
MeterpreterDebugLevel=0
RemoteMeterpreterDebugFile=
```

History

The following commands were ran during the session and before this issue occurred:

```
0 search redis
1 use exploit/linux/redis/redis_replication_cmd_exec
2 options
3 set RHOSTS xx
4 run
5 set RHOSTS xx
6 run
7 setg LHOST eth0
8 run
9 set SRVHOST 185.59.221.44
10 run
11 debug
```

Framework Errors

The following framework errors occurred before the issue occurred:

```
[03/10/2021 03:07:37] [e(0)] core: Failed to connect to the database: No database YAML file
[03/10/2021 03:07:40] [e(0)] core: Dependency for windows/x64/encrypted_shell_reverse_tcp is not supported
[03/10/2021 03:07:40] [e(0)] core: Dependency for windows/encrypted_shell_reverse_tcp is not supported
[03/10/2021 03:07:40] [e(0)] core: Dependency for windows/x64/encrypted_reverse_tcp is not supported
[03/10/2021 03:07:40] [e(0)] core: Dependency for windows/encrypted_reverse_tcp is not supported
[03/10/2021 03:14:42] [e(0)] core: Exploit failed (linux/redis/redis_replication_cmd_exec) - Msf::OptionValidateError One or more options failed to validate: RHOSTS.
[03/10/2021 03:15:13] [e(0)] core: Exploit failed (linux/redis/redis_replication_cmd_exec) - Msf::OptionValidateError One or more options failed to validate: LHOST.
[03/10/2021 03:16:17] [e(0)] core: Exploit failed (linux/redis/redis_replication_cmd_exec): Msf::Auxiliary::Scanner::AttemptFailed bad-config: Make sure SRVHOST not be 0.0.0.0, or the slave failed to find master. - Msf::Auxiliary::Scanner::AttemptFailed bad-config: Make sure SRVHOST not be 0.0.0.0, or the slave failed to find master.
[03/10/2021 03:17:42] [e(0)] core: Exploit failed (linux/redis/redis_replication_cmd_exec): Errno::EACCES Permission denied @ rb_sysopen - /usr/share/metasploit-framework/data/exploits/redis/module.c - Errno::EACCES Permission denied @ rb_sysopen - /usr/share/metasploit-framework/data/exploits/redis/module.c
```

Web Service Errors

The following web service errors occurred before the issue occurred:

```
msf-ws.log does not exist.
```

Framework Logs

The following framework logs were recorded before the issue occurred:

```
[03/10/2021 03:07:37] [e(0)] core: Failed to connect to the database: No database YAML file
[03/10/2021 03:07:37] [d(0)] core: Created user based module store
[03/10/2021 03:07:40] [e(0)] core: Dependency for windows/x64/encrypted_shell_reverse_tcp is not supported
[03/10/2021 03:07:40] [e(0)] core: Dependency for windows/encrypted_shell_reverse_tcp is not supported
[03/10/2021 03:07:40] [e(0)] core: Dependency for windows/x64/encrypted_reverse_tcp is not supported
[03/10/2021 03:07:40] [e(0)] core: Dependency for windows/encrypted_reverse_tcp is not supported
[03/10/2021 03:14:42] [e(0)] core: Exploit failed (linux/redis/redis_replication_cmd_exec) - Msf::OptionValidateError One or more options failed to validate: RHOSTS.
[03/10/2021 03:15:13] [e(0)] core: Exploit failed (linux/redis/redis_replication_cmd_exec) - Msf::OptionValidateError One or more options failed to validate: LHOST.
[03/10/2021 03:16:17] [e(0)] core: Exploit failed (linux/redis/redis_replication_cmd_exec): Msf::Auxiliary::Scanner::AttemptFailed bad-config: Make sure SRVHOST not be 0.0.0.0, or the slave failed to find master. - Msf::Auxiliary::Scanner::AttemptFailed bad-config: Make sure SRVHOST not be 0.0.0.0, or the slave failed to find master.
[03/10/2021 03:17:42] [e(0)] core: Exploit failed (linux/redis/redis_replication_cmd_exec): Errno::EACCES Permission denied @ rb_sysopen - /usr/share/metasploit-framework/data/exploits/redis/module.c - Errno::EACCES Permission denied @ rb_sysopen - /usr/share/metasploit-framework/data/exploits/redis/module.c
```

Web Service Logs

The following web service logs were recorded before the issue occurred:

```
msf-ws.log does not exist.
```

Version/Install

The versions and install method of your Metasploit setup:

```
Framework: 6.0.31-dev
Ruby: ruby 2.7.2p137 (2020-10-01 revision 5445e04352) [x86_64-linux-gnu]
Install Root: /usr/share/metasploit-framework
Session Type: postgresql selected, no connection
Install Method: Other - Please specify
```

```
msf6 exploit(linux/redis/redis_replication_cmd_exec) > set SRVHOST 127.0.0.1
SRVHOST => 127.0.0.1
msf6 exploit(linux/redis/redis_replication_cmd_exec) > run

[*] Started reverse TCP handler on 192.168.190.128:4444
[-] 202.91.247.216:6379 - Exploit failed: Errno::EACCES Permission denied @ rb_sysopen - /usr/share/metasploit-framework/data/exploits/redis/module.c
[*] Exploit completed, but no session was created.
```

```
┌──(root💀kali)-[/home/kali]
└─# chmod 777 /usr/share/metasploit-framework/data/exploits/redis/module.c
chmod: cannot access '/usr/share/metasploit-framework/data/exploits/redis/module.c': No such file or directory
```

bcoles commented 3 years ago

Bug exists here:

https://github.com/rapid7/metasploit-framework/blob/17ef194c52ff4e5adb8349d67879e910a063a062/modules/exploits/linux/redis/redis_replication_cmd_exec.rb#L231-L237

The module attempts to write to the Metasploit ./data/ directory.

hack3r-0m commented 3 years ago

@bcoles I would like to work on this issue

bcoles commented 3 years ago

> @bcoles I would like to work on this issue

All yours. I don't think anyone else is working on it.

I suggest performing all changes to the template erb file in memory rather than writing files out to the data directory. I haven't looked at the module code, so I'm not sure if there's any reason why this data has to be written to disk. Writing to data is generally frowned upon (if not forbidden outright). If files need to be stored somewhere they're usually stored somewhere under ~/.msf4/ in the user's home directory.

bcoles commented 2 years ago

@hack3r-0m any luck with this?

rorymckinley commented 1 year ago

@bcoles @hack3r-0m

I have taken a look at this.

The data is written to disk so that the resulting file can then be used by a Makefile. This behaviour is triggered when the user wishes to use a custom payload.

I am thinking that the lowest risk approach may be to do the following:

  1. Copy the contents found here to a new directory within Msf::Config.local_directory.
  2. Build the exploit using the existing Makefile.
  3. Remove any files that were copied in step (1) (or perhaps optionally leave these behind for debugging purposes).

Is there any of the above that does not sound like a good idea?

PS I notice that there does not appear to be test coverage for this exploit, so I may see if there is some way to introduce some tests before starting.
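The two comments above describe the same fix from two angles: render the ERB template in memory rather than writing the result into the install tree (bcoles), and stage anything that genuinely must hit disk in a scratch directory under the user's own `Msf::Config.local_directory`, build there, and clean up unless the files are wanted for debugging (rorymckinley). The following stand-alone Ruby is an added illustration of that pattern; it is not the module's code and not anything from the Metasploit project. `local_directory` is a hypothetical stand-in for `Msf::Config.local_directory` (defaulting to a directory under the system temp dir so the example never touches a real `~/.msf4`), `MODULE_TEMPLATE` is a constructed two-line template standing in for a `module.c` ERB file, and the build step is a block the caller supplies instead of a real `make` invocation.

```ruby
require 'erb'
require 'fileutils'
require 'tmpdir'

# Constructed stand-in for a module.c ERB template (not the real template).
MODULE_TEMPLATE = <<~'C'
  /* generated for <%= module_name %> */
  const char *trigger = "<%= trigger %>";
C

# Hypothetical stand-in for Msf::Config.local_directory (normally ~/.msf4).
# Overridable via EXAMPLE_LOCAL_DIR so the example never writes to a real home.
def local_directory
  ENV.fetch('EXAMPLE_LOCAL_DIR') { File.join(Dir.tmpdir, 'msf4-example') }
end

# Render the ERB template purely in memory. Nothing is written into the
# install root, which is the write that raised Errno::EACCES in the issue.
def render_template(template_text, vars)
  ERB.new(template_text).result_with_hash(vars)
end

# Stage the given files into a fresh per-run scratch directory under
# local_directory, run the build block there, and remove the scratch
# directory afterwards unless keep: true (left behind for debugging).
# Returns [build_product, scratch_path].
def build_in_scratch(files, keep: false)
  FileUtils.mkdir_p(local_directory)
  scratch = Dir.mktmpdir('redis-module-', local_directory)
  root = File.expand_path(scratch)
  files.each do |name, content|
    path = File.expand_path(File.join(scratch, name))
    # Refuse file names that would escape the scratch directory.
    raise ArgumentError, "refusing to stage outside scratch: #{name}" unless path.start_with?(root + File::SEPARATOR)
    File.write(path, content)
  end
  product = yield scratch
  [product, scratch]
ensure
  FileUtils.remove_entry(scratch) if scratch && !keep
end

# End-to-end: render in memory, stage, "build", clean up.
def example_build(keep: false)
  rendered = render_template(MODULE_TEMPLATE, module_name: 'example', trigger: 'example.trigger')
  inputs = {
    'module.c' => rendered,
    # Constructed Makefile; the block below never actually runs make.
    'Makefile' => "all:\n\tcc -shared -o module.so module.c\n"
  }
  build_in_scratch(inputs, keep: keep) do |dir|
    # Stand-in build step: a real module would run make in `dir` here.
    # We just return the size of the staged source as the "product".
    File.read(File.join(dir, 'module.c')).bytesize
  end
end

if __FILE__ == $0
  product, dir = example_build
  puts "built #{product} bytes in #{dir}; left behind: #{File.exist?(dir)}"
end
```

The point of `build_in_scratch` is that every path it writes is under a directory the running user owns and that is removed in `ensure`, so a failed build does not leave generated sources in the install tree and a packaged (root-owned, read-only) install root is never opened for writing.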