Publishing Metasploit msfweb through Apache


So I was sitting around and decided to build myself a web front end to some of the various monitoring I do on the boxen at the Renderlab. Things like weblogs, snort logs, traffic stats, etc. All very interesting, but basically useless on such a small scale. Consider it a 'I did it because I could' situation.

Along this process I rebuilt my server with OpenBSD 4.1 (the latest and greatest) and wondered if Metasploit would run on it. It does, quite nicely. The OpenBSD ports/packages have all the necessary RUBY parts needed to run. Not sure that all exploits are possible, but it runs and does seem to mostly function

So now I have a new webserver install, a working copy of metasploit on the server, but since metasploit runs it's web front end, msfweb on a RoR server on port 55555 and I'm not stupid enough to poke a hole in my firewall for it, I figured there must be a way to push the web front end through my apache server and out port 80 (with SSL and appropriate ACL's in place of course).

Googleing around showed mod_rewrite and mod_proxy could do this nicely. My goal was to be able to go to my front end and goto a /msf directory and be magically connected to the metasploit msfweb front end, still on port 55555, but now pushed out a page on port 80 (did I mention ssl and alot of ACL's)

Enabled mod_rewrite and mod_proxy in httpd.conf (google it yourself) and set about adding the new variables for the virtual server. In the virtual server it was pretty easy to do. You could do it with .htaccess files but for some reason it was not playing nice for me, so I want to the apache conf file instead.

Here's the trick. msfweb will rewrite/proxy fine if it's the root of the server it's rewriting/proxying from, but not a directory off the root. It's a regex problem I'm sure, but 2 man days were lost trying to get it to work.

Basically, if I wanted the msfweb at www.somedomain.com/ it would work no problem. If I wanted it to be through www.somedomain.com/msfweb, things would hit the fan and metasploit would break paths and not display more than the text for the buttons and nothing else.

At any rate, I ended up creating a subdomain of msfweb.somedomain.com. Any accesses to www.somedomain.com/msfweb would redirect to msfweb.somedomain.com which would in turn proxy's msfweb from localhost port 55555 to the root of the new subdomain.

Confused yet?

www.somedomain.com/msf has the following lines in the httpd.conf file in the www.somedomain.com virtual server:

RewriteEngine On
RewriteRule ^/msfweb/(.*)$ http://msfweb.somedomain.com/$1 [L]

So any requests to the http://www.somedomain.com/msfweb/ directory are redirected to msfweb.somedomain.com 's root.

Now, in the msfweb.somedomain.com's virtual host entry in the httpd.conf file, I added the following:

RewriteEngine On
RewriteRule ^(.*)$ http://localhost:55555$1 [P]

Any request to the root of msfweb.somedomain.com will proxy to the metasploit msfweb server on port 55555 of the webserver box (you can set it to another box if you like, just remember to change the msfweb script to use an external interface and not the loopback)

Try as I might to use a statement like ^/msfweb/(.*)$ and every iteration of slashes and anything else I could find or think of, but metasploit just did not like being proxied from a non root directory. If you know how, please let me know so I can update this and share with the world.

At the moment the CLI console is broken through the web interface, but that's probobly some wierd pathing or something, but is on the list of things to do.

Hopefully this saves someone out there the hours of head butting regex to get this working and they let me know it helped.

Not sure why it's ncessary to have a world accessible msfweb front end proxied through Apache, but someone might find it useful, so I'm sharing

Just don't do something stupid like publish it with world readable access to it and give anonymous strangers a powerful attack platform that traces back to your IP address

Any feedback, comments or updates? Send to render (AT) renderlab (DOT) net


Return to Main