I read this tutorial from OTW on using new modules in Metasploit:
It was very useful, but now I'm stuck.
I suppose everyone has heard of the Hacking Team leak and their Flash exploit. It is already on exploit-db here:
https://www.exploit-db.com/exploits/37523/
Could somebody explain how to actually use an exploit like this?
When I run this one I get the following output:
Exploit failed: Errno::ENOENT No such file or directory @ rbsysopen - /usr/share/metasploit-framework/data/exploits/hackingteam/msf.swf
Which I don't understand, because why would it expect the hacking-team folder there?
Please help, as I would love to try out this exploit!
25 Responses
I miight be able to help. Can you specify the exact commands you entered when trying to put the exploit at the right place?
EDIT: Or would you prefer kindly waiting while I make a tutorial about that exact exploit and how to get it working?(shouldn't take a lot of time) Tell me which one of the options seems as the optimal one to you and I'll get to it :D
Yes. I did not put it in the same folder as OTW did as this is not a Joomla exploit, so I made something up myself (guess I went wrong there?):
mkdir -p /root/.msf4/modules/exploits/browser/flash
mv /root/Downloads/flashuaf.rb /root/.msf4/modules/exploits/browser/flash
Then in msfconsole:
use exploit/browser/flash/flashuaf
and exploit, because I thought the standard options might already work. These are the options set in case it helps:
Name Current Setting Required Description
---- --------------- -------- -----------
Retries true no Allow the browser to retry the module
SRVHOST 0.0.0.0 yes The local host to listen on. This must be an address on the local machine or 0.0.0.0
SRVPORT 8080 yes The local port to listen on.
SSL false no Negotiate SSL for incoming connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
URIPATH no The URI to use for this exploit (default is random)
(I'm sorry don't know how to allign them properly here)
Hm.. I'm not really sure what the issue is here :/ I'll do some tests and I'll tell you if I find what the problem is and how to fix it in a maximum of 2 hours (kinda busy here, but I hope I'll manage).
Great, thanks for your time!
Okay I found the "problem", await explanation in a few minutes :D
You've correctly copied the exploit to metasploit, however the exploit itself contains a certain line of code, which basically tries to interact with a nonexistent file (and consequently a folder) , here is the line:
This is why the error is occurring. The solution is rather easy:
Make the exploit spit the same error again and watch what directory it points to. (As you can see for you it points to /usr/share/metasploit-framework/data/exploits/hackingteam/msf.swf) So what you need to do is make a directory in /usr/share/metasploit-framework/data/exploits called "hackingteam", enter it, then create an empty file there called msf.swf. Next you need to restart your metasploit (just close the terminal and open a new one) and now once you select your exploit and set the options it's not going to spit any errors at you :D
EDIT: Another way to do it is modify the line of code to use another destination with an existing empty msf.swf file (for example if I were to use a flash_byte_use_after as my preferred folder, I would modify the line like so:
path = ::File.join(Msf::Config.data.directory, 'exploits', 'flash_byte_use_after', 'msf.sfw')
and now the destination for the msf.sfw file would be
/usr/share/metasploit-framework/data/exploits/flash_byte_use_after/msf.swf)
and once again restart metasploit. Also I would love if you could make a local test for the exploit and see if it works correctly as I'm really curious about it but I don't quite have the opportunity right now :D
EDIT OF THE EDIT: I just tried it out and was able to get access to a Windows 7 32bit machine without a problem, so let's hope the issue is fixed for you too and happy hacking! :D
Great, thanks! I'll try it out tomorrow and post my results :)
Good find.
Thanks.
Hmm.. Everything goes fine, the server starts, I browse to the link on the victim pc (in multiple browsers), but then it gets stuck at 'Sending SWF...'.
I don't seem to be the only one having this problem:
https://community.rapid7.com/thread/7608
This is the output:
* 192.168.8.7 flashuaf - Gathering target information.
* 192.168.8.7 flashuaf - Sending HTML response.
* 192.168.8.7 flashuaf - Request: /oeps/rQeaKC/
* 192.168.8.7 flashuaf - Sending HTML...
* 192.168.8.7 flashuaf - Request: /oeps/rQeaKC/JxWv.swf
* 192.168.8.7 flashuaf - Sending SWF...
And I had so much hope to finally use an exploit succesfully... :P
Did you tweak any of the options once you selected the exploit? :D
The only thing I changed was the URIPATH, so I didn't have to enter the long random string at the end of the url. Please tell me if you are more succesful :)
I didn't change anything whatsoever and it worked on my part, but I don't think that the URIPATH would cause an issue so I'm not sure what the problem is, maybe someone else here could help :/
What browser and version did you use?
I used the newest (I believe) IE on a Windows 7 32-bit machine.
Weird thing is, in Chrome it connects but doesn't send the SWF, in Firefox there is a wrong flash version (probably already patched), but in Internet Explorer it can't even connect to the server... Guess I'll have to wait for the next great exploit :P
Or maybe someone else might see this and know what to do :D In the meantime if you wish to practice exploits just install some outdated vulnerable app and try to exploit it or set up a "metasploitable" vm :D
Thank you, this saved me from a lot of aggro.
How did you find where the error was OBSRV? Did you use some tool? Please tell!
Here is the output I get when I use this exploit, don't know if it's any useful but maybe you can get something out of it.
to Aperock: what type of machine is your victim? because this exploit will not working on 64 bit system
Oh really? Well damn, there's my mistake then. Thanks for noticing!
Too bad, I have the same problem on a 32 bit system :(
Hi there, i am trying to use the follow exploit and keep getting this error.
Microsoft Office Word - '.RTF' Malicious HTA Execution (Metasploit) anyone pls advice on what am doing wrong.
Exploit failed: Errno::ENOENT No such file or directory @ rb_sysopen - /usr/share/metasploit-framework/data/exploits/cve-2017-0199.rtf
Exploit target:
Id Name
-- ----
0 Microsoft Office Word
msf exploit(officewordhta) > exploit
* Exploit running as background job.
* Started reverse TCP handler on 192.152.110.100:4444
msf exploit(officewordhta) > - Exploit failed: Errno::ENOENT No such file or directory @ rb_sysopen - /usr/share/metasploit-framework/data/exploits/cve-2017-0199.rtf
Share Your Thoughts