Exploitation Using Client-Side Attacks
Name : WORKSPACE
Current Setting:
Description : Specify the workspace for this module
msf exploit(ms10_002_aurora) >
By setting these options, you can fine-tune a lot of the payload and exploit details. Now suppose you wanted to change the number of times a reverse connection is retried. The default is 5, but you might be concerned with timeouts and want to increase the connection retries. Here, we set it to 10:
msf exploit(ms10_002_aurora) > set ReverseConnectRetries 10
In this case, you want to migrate automatically to a new process in case the targeted user closes the browser right away. Under the AutoRunScript option, simply let Metasploit know to autorun a script as soon as a Meterpreter console is created. Using the migrate command with the -f switch tells Meterpreter to launch a new process automatically and migrate to it:
msf exploit(ms10_002_aurora) > set AutoRunScript migrate -f
Now attempt to run the exploit and see what happens. Try closing the
connection and see if your Meterpreter session still stays active.
Since this is a browser-based exploit, you will most likely be running as a limited user account. Remember to issue the use priv and getsystem commands to attempt privilege escalation on the target machine.
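From the defender's side, the behaviour just described (a payload running inside the exploited browser, then launching a helper process and migrating into it) leaves a distinctive trace in process-creation telemetry: the browser spawns a child that is not itself a browser. The following is an added example, not code from the book or from Metasploit; the CSV event format, host names, PIDs and process names in the sample are constructed, and the page does not state which helper process migrate -f launches.

```python
import csv
import io

# Constructed sample of process-creation events (not real telemetry).
# Fields: timestamp, host, pid, ppid, image.
SAMPLE_EVENTS = """\
2024-01-01T10:00:01,ws01,1200,900,explorer.exe
2024-01-01T10:00:01,ws01,1300,1200,iexplore.exe
2024-01-01T10:00:09,ws01,1310,1300,iexplore.exe
2024-01-01T10:00:12,ws01,1400,1300,notepad.exe
2024-01-01T10:00:13,ws01,1500,1400,cmd.exe
2024-01-01T10:05:00,ws02,2200,2100,iexplore.exe
2024-01-01T10:05:02,ws02,2210,2200,iexplore.exe
"""

BROWSERS = {"iexplore.exe", "firefox.exe", "chrome.exe"}


def parse_events(text):
    """Parse the constructed CSV lines into event dicts."""
    rows = csv.reader(io.StringIO(text))
    return [{"ts": ts, "host": host, "pid": int(pid), "ppid": int(ppid),
             "image": image.lower()} for ts, host, pid, ppid, image in rows]


def find_suspicious_children(events):
    """Flag processes whose parent is a browser but which are not browsers.

    Browsers normally spawn only more of themselves (tabs, plug-in hosts).
    A payload inside the exploited browser that starts a helper process to
    migrate into shows up here as an unexpected browser child.
    """
    images = {(e["host"], e["pid"]): e["image"] for e in events}
    return [e for e in events
            if images.get((e["host"], e["ppid"])) in BROWSERS
            and e["image"] not in BROWSERS]


def descendants(events, root):
    """Return every process started, transitively, under a flagged process
    on the same host, so the analyst sees what ran after the migration."""
    found, frontier = [], {root["pid"]}
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["host"] == root["host"] and e["ppid"] in frontier:
            found.append(e)
            frontier.add(e["pid"])
    return found


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for hit in find_suspicious_children(evs):
        print(hit["host"], hit["image"], "spawned by a browser at", hit["ts"])
        for d in descendants(evs, hit):
            print("   ->", d["image"])
```

The same logic applies unchanged to real process-creation events (for example Sysmon event ID 1) once the field mapping is adjusted.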
That’s it! You just successfully executed your first client-side attack using
a pretty famous exploit. Note that new exploits are frequently being released,
so be sure to search for all the browser exploits and find which one best suits
your needs for a particular target.
File Format Exploits
File format bugs are exploitable vulnerabilities found within a given application's handling of the files it opens, such as an Adobe PDF document. This class of exploit relies on a user actually opening a malicious file in a vulnerable application. Malicious files can be hosted remotely or sent via email. We briefly mentioned leveraging file format bugs as a spear-phishing attack in the beginning of this chapter, and we'll offer more about spear-phishing in Chapter 10.
In traditional file format exploits, you could leverage anything to which you think your target will be susceptible. This could be a Microsoft Word document, a PDF, an image, or anything else that might be applicable. In this example, we'll be leveraging MS11-006, known as the Microsoft Windows CreateSizedDIBSECTION Stack Buffer Overflow.
Within Metasploit, perform a search for ms11_006. Our first step is to get into our exploit through msfconsole, and type info to see what options are