-
Notifications
You must be signed in to change notification settings - Fork 13.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add DFLAG_BIG_CREATION to capability flags for erlang_cookie_rce.rb #15634
Conversation
I have been having trouble with this module (and other projects) using the included set of capability flags (0x3499c) on a specific host. I took some time to analyze the problem and it appears to be with the included flag set. In my case (and I suspect others'), the target node was rejecting the client with "not_allowed". After testing I found that simply adding DFLAG_BIG_CREATION (0x40000) allowed this exploit to work, both on the host I was having trouble with, and an older one where this (unmodified) exploit was working. Breakdown of flags is below. ``` 0x0007499c == 0b0000 0000 0111 0100 1001 1001 1100 | ||| | | | | | ||-- DFLAG_EXTENDED_REFERENCES | ||| | | | | | |-- DFLAG_DIST_MONITOR | ||| | | | | |-- DFLAG_FUN_TAGS | ||| | | | |-- DFLAG_NEW_FUN_TAGS | ||| | | |-- DFLAG_EXTENDED_PIDS_PORTS | ||| | |-- DFLAG_NEW_FLOATS | ||| |-- DFLAG_SMALL_ATOM_TAGS | |||-- DFLAG__UTF8_ATOMS | ||-- DFLAG_MAP_TAG | |-- **DFLAG_BIG_CREATION** |-- DFLAG_HANDSHAKE_23 ```
@@ -141,7 +141,7 @@ def exploit | |||
send_name << [(@our_node.length+7).to_s(16)].pack('H*') # | |||
send_name << "\x6e" # Tag: n | |||
send_name << "\x00\x05" # Version: R6 (5) | |||
send_name << "\x00\x03\x49\x9c" # Flags (0x0003499c) | |||
send_name << "\x00\x07\x49\x9c" # Flags (0x0003499c) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
So the comment is out of date now. You also included a really detailed description in the PR text. Since you put effort into it, would you mind putting it all in as a comment here so we know what's going on in the future?
0x0007499c == 0b0000 0000 0111 0100 1001 1001 1100
| ||| | | | | | ||-- DFLAG_EXTENDED_REFERENCES
| ||| | | | | | |-- DFLAG_DIST_MONITOR
| ||| | | | | |-- DFLAG_FUN_TAGS
| ||| | | | |-- DFLAG_NEW_FUN_TAGS
| ||| | | |-- DFLAG_EXTENDED_PIDS_PORTS
| ||| | |-- DFLAG_NEW_FLOATS
| ||| |-- DFLAG_SMALL_ATOM_TAGS
| |||-- DFLAG__UTF8_ATOMS
| ||-- DFLAG_MAP_TAG
| |-- **DFLAG_BIG_CREATION**
|-- DFLAG_HANDSHAKE_23
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sorry I'm not quite sure of the flow here. When you say "put it all in as a comment here", do you mean to add the notes and flags breakdown to the ruby module? I can, no problem, just want to make sure I understand what you're saying.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Just listing out the flags that are set would be helpful. Something like DLFAG_BIG_CREATION | DFLAG_MAP_TAG
etc, but it might have to be broken across lines because it'd contain so many.
Whatever you think would have been helpful for you if you had to do this again.
Do you have any tips on setting up an environment where the server would be affected by this issue? |
Mostly anywhere you can get a RabbitMQ instance running. I've had success with Ubuntu 20.04 and 18.04 with native repos ( The cookie value to pass in can be found in |
Added descriptive comment for included capability flags.
Extraneous `.`. Thanks, macOS!
Old and Busted
New and Improved:
|
Release NotesThis PR fixes an issue in |
I have been having trouble getting this module (and other projects) to work on a specific target. I took some time to analyze the problem and it appears to be with the included capability flag set (0x3499c). In my case (and I suspect others'), the target node was rejecting the client with "not_allowed". After testing I found that simply adding DFLAG_BIG_CREATION (0x40000) allowed this exploit to work, both on the host I was having trouble with, and an older one where this (unmodified) exploit was still working. Breakdown of flags is below.
This fixes the
send_name
procedure in this exploit for some hosts which support slightly different capability flags. The updated flags also appear to continue working against hosts where this exploit worked previously.Verification
List the steps needed to make sure this thing works
msfconsole
use exploit/multi/misc/erlang_cookie_rce
set RHOST <ip>
set COOKIE <cookie>
set TARGET <target>
set LHOST <host>
exploit