
Exploitation Using Client-Side Attacks

119

   Name           : WORKSPACE
   Current Setting:
   Description    : Specify the workspace for this module

msf exploit(ms10_002_aurora) >

By setting these options, you can fine-tune a lot of the payload and exploit details. Now suppose you wanted to change the number of times a reverse connection is retried. The default is 5, but you might be concerned with timeouts and want to increase the connection retries. Here, we set it to 10:

msf exploit(ms10_002_aurora) > set ReverseConnectRetries 10
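From the defender's side, the retry count set above is visible on the network: every failed attempt to reach the handler is one more outbound connection from the same host to the same address and port, so a payload that retries ten times leaves a longer trail than one that retries five. The following is an added example, not code from the book, that flags this burst pattern in firewall log lines. The log format, the hosts, the five-second spacing and the 60-second window are all constructed assumptions for the sake of the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed perimeter firewall log lines (not real traffic). Host 10.0.0.37
# tries the same external address:port five times a few seconds apart, the
# shape a reverse-connection payload produces while it retries its handler.
SAMPLE_LOG = """\
2011-03-01T10:00:01 ALLOW src=10.0.0.21:49152 dst=93.184.216.34:443
2011-03-01T10:00:02 DENY src=10.0.0.37:50011 dst=198.51.100.9:4444
2011-03-01T10:00:07 DENY src=10.0.0.37:50012 dst=198.51.100.9:4444
2011-03-01T10:00:12 DENY src=10.0.0.37:50013 dst=198.51.100.9:4444
2011-03-01T10:00:17 DENY src=10.0.0.37:50014 dst=198.51.100.9:4444
2011-03-01T10:00:22 DENY src=10.0.0.37:50015 dst=198.51.100.9:4444
2011-03-01T10:00:25 ALLOW src=10.0.0.21:49153 dst=93.184.216.34:443
2011-03-01T10:05:00 DENY src=10.0.0.44:50100 dst=203.0.113.5:8080
"""

# Assumed log layout: <timestamp> <ALLOW|DENY> src=<ip>:<port> dst=<ip>:<port>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) "
    r"src=(?P<src_ip>[\d.]+):(?P<src_port>\d+) "
    r"dst=(?P<dst_ip>[\d.]+):(?P<dst_port>\d+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S"),
        "action": m["action"],
        "src": m["src_ip"],
        "dst": f"{m['dst_ip']}:{m['dst_port']}",
    }


def detect_retry_bursts(log_text, threshold=5, window_seconds=60):
    """Return one finding per (source host, destination ip:port) pair that
    made at least `threshold` connection attempts inside any window of
    `window_seconds`. The default threshold of 5 matches the default retry
    count discussed in the text; a higher configured retry count only makes
    the burst larger and easier to see."""
    by_pair = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            # The source port changes on every attempt, so key on host + destination.
            by_pair[(ev["src"], ev["dst"])].append(ev["ts"])

    findings = []
    for (src, dst), times in by_pair.items():
        times.sort()
        start, best = 0, 0
        # Sliding window: count the most attempts that fit in window_seconds.
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            findings.append({
                "src": src,
                "dst": dst,
                "attempts": best,
                "first": times[0].isoformat(),
                "last": times[-1].isoformat(),
            })
    return findings


if __name__ == "__main__":
    for finding in detect_retry_bursts(SAMPLE_LOG):
        print(finding)
```

The detector counts attempts regardless of whether the firewall allowed or denied them, because the retry pattern itself is the signal; the action field is kept in the parsed event so a deployment can narrow the rule to denied traffic if it prefers.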

In this case, you want to migrate automatically to a new process in case the targeted user closes the browser right away. With the AutoRunScript option, you simply tell Metasploit to run a script as soon as a Meterpreter console is created. Using the migrate command with the -f switch tells Meterpreter to launch a new process automatically and migrate to it:

msf exploit(ms10_002_aurora) > set AutoRunScript migrate -f

Now attempt to run the exploit and see what happens. Try closing the connection and see if your Meterpreter session still stays active.

Since this is a browser-based exploit, you will most likely be running as a limited user account. Remember to issue the use priv and getsystem commands to attempt privilege escalation on the target machine.

That’s it! You just successfully executed your first client-side attack using a pretty famous exploit. Note that new exploits are frequently being released, so be sure to search for all the browser exploits and find which one best suits your needs for a particular target.

File Format Exploits

File format bugs are exploitable vulnerabilities in the way a given application parses a file type, such as an Adobe PDF document. This class of exploit relies on a user actually opening a malicious file in a vulnerable application. Malicious files can be hosted remotely or sent via email. We briefly mentioned leveraging file format bugs as a spear-phishing attack in the beginning of this chapter, and we’ll offer more about spear-phishing in Chapter 10.

In traditional file format exploits, you could leverage anything to which you think your target will be susceptible. This could be a Microsoft Word document, a PDF, an image, or anything else that might be applicable. In this example, we’ll be leveraging MS11-006, known as the Microsoft Windows CreateSizedDIBSECTION Stack Buffer Overflow.
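File format bugs of this class typically come down to a header field the parser trusts, such as a count that is used to size a copy into a fixed buffer. The following is an added example, not code from the book and not the MS11-006 exploit or its patch: a sanity check over the two fixed Windows bitmap headers (BITMAPFILEHEADER and BITMAPINFOHEADER, the DIB structures that CreateDIBSection-family code consumes) that rejects a palette count impossible for the declared bit depth or a palette that runs past the pixel data offset. Both sample files are constructed inside the block; a mail gateway or upload handler could apply the same check to image attachments before they reach a vulnerable viewer.

```python
import struct

# Fixed-size headers of the Windows bitmap (DIB) format.
FILE_HDR = struct.Struct("<2sIHHI")        # BITMAPFILEHEADER, 14 bytes
INFO_HDR = struct.Struct("<IiiHHIIiiII")   # BITMAPINFOHEADER, 40 bytes
PALETTED_DEPTHS = (1, 4, 8)                # depths that carry a color table
VALID_DEPTHS = (1, 4, 8, 16, 24, 32)


def build_bmp(width=2, height=2, bit_count=8, clr_used=0):
    """Constructed sample file (not a real-world image): an all-zero bitmap
    with a full color table when the depth is paletted. biClrUsed is written
    exactly as given so that a malformed header can be produced for testing."""
    palette_entries = (1 << bit_count) if bit_count in PALETTED_DEPTHS else 0
    palette = bytes(4 * palette_entries)                 # RGBQUAD per entry
    row_bytes = ((width * bit_count + 31) // 32) * 4     # rows pad to 4 bytes
    pixels = bytes(row_bytes * height)
    off_bits = FILE_HDR.size + INFO_HDR.size + len(palette)
    info = INFO_HDR.pack(INFO_HDR.size, width, height, 1, bit_count,
                         0, len(pixels), 2835, 2835, clr_used, 0)
    file_hdr = FILE_HDR.pack(b"BM", off_bits + len(pixels), 0, 0, off_bits)
    return file_hdr + info + palette + pixels


def check_bmp_header(data):
    """Return a list of header inconsistencies; an empty list means the
    headers are self-consistent. Only the headers are examined, never the
    pixel data, so the check is cheap enough to run on every file."""
    issues = []
    fixed = FILE_HDR.size + INFO_HDR.size
    if len(data) < fixed:
        return [f"file shorter than the two fixed headers ({fixed} bytes)"]

    magic, _bf_size, _, _, off_bits = FILE_HDR.unpack_from(data, 0)
    (bi_size, _width, _height, _planes, bit_count, _compression, _size_image,
     _, _, clr_used, _) = INFO_HDR.unpack_from(data, FILE_HDR.size)

    if magic != b"BM":
        issues.append(f"bad magic {magic!r}")
    if bi_size < INFO_HDR.size:
        issues.append(f"biSize={bi_size} smaller than BITMAPINFOHEADER")
    if bit_count not in VALID_DEPTHS:
        issues.append(f"unsupported biBitCount={bit_count}")

    if bit_count in PALETTED_DEPTHS:
        # A color table cannot have more entries than the bit depth can index;
        # biClrUsed == 0 means "the full table for this depth".
        max_entries = 1 << bit_count
        if clr_used > max_entries:
            issues.append(f"biClrUsed={clr_used} exceeds the {max_entries} "
                          f"entries possible at {bit_count} bpp")
        entries = clr_used or max_entries
        palette_end = FILE_HDR.size + bi_size + 4 * entries
        if palette_end > off_bits:
            issues.append(f"palette of {entries} entries ends at byte "
                          f"{palette_end}, past bfOffBits={off_bits}")

    if off_bits < FILE_HDR.size + bi_size:
        issues.append(f"bfOffBits={off_bits} overlaps the headers")
    if off_bits > len(data):
        issues.append(f"bfOffBits={off_bits} points past end of file ({len(data)})")
    return issues


if __name__ == "__main__":
    print("well-formed:", check_bmp_header(build_bmp()))
    print("malformed:  ", check_bmp_header(build_bmp(clr_used=0x1000)))
```

The malformed sample keeps every field of the well-formed one except biClrUsed, which is the point: a parser that sizes its color-table copy from that single field, rather than from what the bit depth allows, is the shape of defect a stack buffer overflow in an image loader comes from, and the two checks that fire on it are the bounds a hardened parser applies before copying anything.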

Within Metasploit, perform a search for ms11_006. Our first step is to get into our exploit through msfconsole, and type info to see what options are