How to integrate or deploy the browser exploit server

[standarduserllc]

I would like more information included in the github documentation about how to use/leverage/deploy or integrate the Browser Exploit Server into existing instances of Metasploit.

Useful Links:

• Wiki: browser_exploit_server

Summary

I want to deploy the above module into my Metasploit Instance on Kali but it isn't working. I've added the module to the modules path and it doesn't recognize it. I don't even get a coding error or anything. It's as though it loads it but it doesn't show up and the exploit count doesn't go up.

I've even attempted to loadpath after deployment, and -m /path/to/module to load the module into a running instance. I think it might be because it's an ERB...? But I can't seem to figure it out. Any pointers would be helpful.

Some recommended topics to cover:

• What deployment looks like.
• How to deploy and load.
• How to add new exploits (explicit details of how).

Motivation

Anyone that wants to leverage the tool to close the visibility gap on Browser vulnerabilities could benefit from this tool and I'd like to use it before I recommend it to a peer.

Steps to resolve this issue

[adfoster-r7]

Msf::Exploit::Remote::BrowserExploitServer is a reusable library component that you can include into a Metasploit module, it is not a standalone module by itself.

For example it is used in the auxiliary/gather/browser_info module:

https://github.com/rapid7/metasploit-framework/blob/f3214d67db14c1a53b73793886f6d0825d3f4682/modules/auxiliary/gather/browser_info.rb#L7C11-L7C53

Example usage:

msf6 > use auxiliary/gather/browser_info
msf6 auxiliary(gather/browser_info) > run SRVPORT=8000
[*] Auxiliary module running as background job 3.

[*] Using URL: http://x.x.x.x:8000/BRc9uDC
[*] Server started.
msf6 auxiliary(gather/browser_info) > 

And after visiting the URL in the browser the Metasploit module logs out the details:

msf6 auxiliary(gather/browser_info) > [*] Server started.
[*] No cookie received for x.x.x.x, resorting to headers hash.
[*] Gathering target information for x.x.x.x
[*] Sending HTML response to x.x.x.x
[*] Info receiver page called from x.x.x.x
[*] Received cookie 'ECArAOgKHvAwCWb' from x.x.x.x
[*] Received sniffed browser data over POST from x.x.x.x
{"os_vendor"=>["undefined"], "os_device"=>["undefined"], "ua_name"=>["Chrome"], "ua_ver"=>["127.0.0.0"], "arch"=>["x86"], "java"=>["null"], "silverlight"=>["false"], "flash"=>["null"], "vuln_test"=>["true"], "os_name"=>["Mac OS X"]}.
[*] Received cookie 'ECArAOgKHvAwCWb' from x.x.x.x
[*] Serving exploit to user x.x.x.x with tag ECArAOgKHvAwCWb
[*] Setting target "ECArAOgKHvAwCWb" to :tried.
[+] 10.4.228.79 - We have found the following interesting information:
[*] 10.4.228.79 - source = Browser allows JavaScript
[*] 10.4.228.79 - ua_name = Chrome
[*] 10.4.228.79 - ua_ver = 127.0.0.0
[*] 10.4.228.79 - arch = x86
[*] 10.4.228.79 - os_name = Mac OS X
[*] 10.4.228.79 - language = en-GB,en-US;q=0.9,en;q=0.8

[standarduserllc]

Appreciate the information. I figured this was a knowledge limitation on my part. Currently looking for a managed and profession Browser Exploitation Toolset that maintains all current/known browser exploits. Thought this might be something knew, didn't realize it was what has been built into metasploit for ever. Appreciate it again.