Load  
How to load the XSSF plugin ?
Updated Jul 2, 2011 by ludovic....@gmail.com

XSSF plugin loading instructions

  1. Start Metasploit Framework (MSF Console for example).
  2. Connect to a database if that's not automatically done.
  3. Load XSSF plugin using the command 'load xssf'.
    • XSSF server port can be modified using the command 'load xssf Port=80'.
    • XSSF server URI can be changed using the command 'load xssf Uri=/'.
    • Remote access to XSSF GUI and Tunnel can be activated using the command 'load xssf Public=true'.
    • XSSF mode for information messages can be changed using the command 'load xssf Mode=???'. Information messages are displayed during attacks or during tunnel transfers. Accepted modes are:
      • Quiet: Does not display anything.
      • Normal: Displays attacks and tunnel status messages only (default mode).
      • Verbose: Displays all 'Normal' mode messages plus received results from victims.
      • Debug: Displays all 'Verbose' mode messages plus XSSF exception error messages if exceptions are triggered (should not :-) ).

For example, to launch XSSF on port 80, on the /xssf/ URI, with the attacker's interfaces (GUI, Tunnel) remotely accessible and with all messages from attacks displayed, launch XSSF with the command 'load xssf Port=80 Uri=/xssf/ Public=true Mode=Verbose'.

Note: Launching the XSSF victims' server on port 'x' will launch the attacker's server on port 'x + 1'. The attacker's server is used to access the web GUI (logs, stats, etc.) and the XSSF Tunnel.

Comment by riccardo...@gmail.com, Jul 1, 2011

Hi, for me only the 'load xssf' command works; the other ones make no difference, it's like I'm always using 'load xssf' without parameters.

Comment by riccardo...@gmail.com, Jul 1, 2011

An example:

msf > load xssf ServerPort=3000
[-] Your Ruby version is 1.9.1. Make sure your version is up-to-date with the last non-vulnerable version before using XSSF!



      ___           ___           ___           ___     
     |\__\         /\  \         /\  \         /\  \    
     |:|  |       /::\  \       /::\  \       /::\  \   
     |:|  |      /:/\ \  \     /:/\ \  \     /:/\:\  \  
     |:|__|__   _\:\~\ \  \   _\:\~\ \  \   /::\~\:\  \ 
 ____/::::\__\ /\ \:\ \ \__\ /\ \:\ \ \__\ /:/\:\ \:\__\
 \::::/~~/~    \:\ \:\ \/__/ \:\ \:\ \/__/ \/__\:\ \/__/
  ~~|:|~~|      \:\ \:\__\    \:\ \:\__\        \:\__\  
    |:|  |       \:\/:/  /     \:\/:/  /         \/__/  
    |:|  |        \::/  /       \::/  /                 
     \|__|         \/__/         \/__/  Cross-Site Scripting Framework 2.1
                                        Ludovic Courgnaud - CONIX Security


[+] Please use command 'xssf_urls' to see useful XSSF URLs
[*] Successfully loaded plugin: xssf
msf > xssf_urls 
[+] XSSF Server 	 : 'http://10.94.89.11:8888/' 		or 'http://<PUBLIC-IP>:8888/'
[+] Generic XSS injection: 'http://10.94.89.11:8888/loop' 	or 'http://<PUBLIC-IP>:8888/loop'
[+] XSSF test page	 : 'http://10.94.89.11:8888/test.html' or 'http://<PUBLIC-IP>:8888/test.html'

[+] XSSF Tunnel Proxy	: 'localhost:8889'
[+] XSSF logs page	: 'http://localhost:8889/gui.html?guipage=main'
[+] XSSF statistics page: 'http://localhost:8889/gui.html?guipage=stats'
[+] XSSF help page	: 'http://localhost:8889/gui.html?guipage=help'

Comment by project member ludovic....@gmail.com, Jul 1, 2011

Oops, I'm really sorry! ServerPort was the name of the parameter before the last commit and package :( It is now 'Port' but I forgot to update the wiki... Thanks for telling me! I'm updating the wiki right now!

Comment by andrea.t...@gmail.com, Apr 19, 2012

XSSF no longer works with Metasploit Framework after updating this

:(

