All right. Now let's take a look at something a little bit different. We're going to work with client-side attacks. So for everything we've done, we've gone over the network in some way, be it to port scan, to run an exploit, or to run an online password attack. In this case, we're not going to be working over the network. Instead of directly accessing a port to run an attack of some sort, we're going to instead set up our own server and wait for our client, our target, to come to us.

So this will allow us to access things that aren't listening on a port but may be subject to vulnerabilities. For instance, browsers, PDF viewers, music players. Basically anything that opens some sort of file could be subject to this sort of attack, as we can send it potentially malicious files.
So I want to start with basic browser exploitation, one in particular. Our Windows XP browser is actually probably vulnerable to lots of things; you may find other things it's vulnerable to. This one, though, is kind of like MS08-067 in terms of browsers, so I don't see it quite as much now, since not many people are still using such an old version of Internet Explorer. We'll see some more up-to-date vulnerabilities later in the section. But this particular vulnerability did manage to exploit a lot of big-name companies when it first came out. It's called the Aurora vulnerability. Let's show our options on it.
It's a little bit different than anything we've seen so far. We don't have our RHOST; it's just not there. Instead we have SRVHOST, which is set to all IP addresses, which is fine, and SRVPORT, which you could change to 80. You could even set up an SSL service: if you have a certificate you can use it, or you can generate one, and set the SSLVersion. Then there's the URIPATH. That's not necessary, but it will certainly make our lives easier, because we're actually going to send the link. Well, we're not going to send the link; rather, we're going to just type it in as the target. If you don't set something for your URIPATH, it will just pick a random one, and that's not going to be very nice to have to type in. Really, the only thing we have to set here is just your URIPATH.
The payload is one of the usual suspects for Windows, everybody's favorite, Windows Meterpreter. My IP address is, yes, that one.

So where's our session? Where is everything happening? Again, we're setting up a server. So all we've done here is create a server in the background. If we do jobs, we can see it automatically running as a background job. That server is just running on port 8080 at the URL /class, and anyone who browses to that page, if they're vulnerable to this MS10-002 Aurora issue, it will attempt to exploit their browser and give us a session.
So we'll look later in the section at some methods of social engineering, but our goal is going to be, one way or another, to get people to browse to the site. Do something like the DNS spoofing thing that we did previously in the course, or we could do social engineering and send an email with a link in it. So anyway, to get them to browse to this page, of course, we'll just play the user: open up our old version of Internet Explorer and just browse to it. It's port 8080, which you could change, and it's called /class.

The browser should appear to hang. As you can see, it may not work the first time. In general, it seems that browser exploitation itself isn't as steady as some of the other memory corruption that we did work with. In case yours didn't work and you have to try it again, just reopen the browser and try it again. Notice that when we start the exploit, your server is still running in the background.
You don't have to kill it or change anything. We did get a session; it won't automatically drop into it. Do sessions -l and it says it's session 1. As expected, we are at the usual: we're logged in as georgia, an administrator here, and we can do pretty much everything we could do on this system.

The really unfortunate thing about this is that Meterpreter actually runs entirely inside of the exploited process. And if the user tries to use this browser, they're obviously not going to be able to do so; its memory has been corrupted to the point that it just can't function. So you might have to go to Task Manager and force kill it. But regardless, if the user uses Internet Explorer, they're probably pretty used to this sort of thing, that their browser hangs and they have to restart it. So they probably won't even think much of it. But when we restarted our browser, our session actually died. So that's not very good; we had our session for about a minute. But assuming the user wants to continue using their browser, which they probably will, it doesn't look like we're going to have our session for very long.
So what can we do about this? Let's get our session back first. We got my session back; this is session 2. Do a ps to see our processes, just like on Linux. The process I'm currently in is going to be my iexplore.exe, but I want to go somewhere that's less likely to just disappear on me. That's explorer.exe, which is basically the start menu; it seems unlikely to just disappear. Its process ID is 3888. I use the Meterpreter command migrate, process 3888. The process of migrating actually managed to kill the browser, but my session is still alive. So I can use this migrate functionality that allows me to take my Meterpreter memory and move it somewhere else, into another process's memory space, to allow me to live.
But this, unfortunately, relies on the fact that I happened to be sitting here paying attention when this comes in, and I'm able to do it quickly. Well, if we're doing any social engineering and we send out tons of emails, we certainly don't want to sit here all day, and even into the night possibly, waiting for sessions to come in. So is there some way to automate this?
So we have some additional options; there's actually a couple of things we can do. We'll see Metasploit scripting in the post-exploitation section. We could actually use a Meterpreter script that's called migrate. The one we just did was a Meterpreter command; there's also a Meterpreter script, which can be a little confusing, but we'll talk about that in post exploitation. You could set a Meterpreter script to automatically migrate. It would just spawn a new process, because if you had to give it the process ID, you wouldn't know it. You can tell it to spawn a new process and go into it.

But there's one way to do it that's a little bit better, actually. It's this PrependMigrate. The AutoRunScript is going to run on the session a little bit slower than this PrependMigrate, which spawns a new process and runs the shellcode in it. So it actually, before it gets to the session, has already gone into a new process. This was added in Metasploit for this reason. In some of your browser and other client-side exploits, the author will actually go ahead and set PrependMigrate to true so you don't have to do it. It really just depends on the preferences of the person who wrote it. As far as I can tell, some of them do, some of them don't.
So we just want to set PrependMigrate true. We do it the same way as any other option. The problem is, now that we've made changes, this job that's running won't reflect those changes. So we actually need to kill this off and run exploit again to take into account our option change. Let's try one more time. We get our Meterpreter session, and let's see if we die when we kill the browser. It's still non-functional; the memory corruption still occurred, but this time we get to keep our session, and we didn't have to do anything. We didn't have to be there. We could possibly come back in the morning and it would still be there, assuming no user restarted or there wasn't a loss of network connectivity.
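From the defender's side, both techniques described above leave a cross-process trace: migrate writes the agent into another process (browser into explorer.exe), and PrependMigrate has the exploited browser spawn a fresh process before the session even starts. The following is an added example, not code from the lecture or from Metasploit, that flags those patterns in constructed Sysmon-style records; the CLIENT_APPS list and the field mapping are assumptions.

```python
"""Added example (not from the lecture): spot Meterpreter-style process migration
in constructed Sysmon-like events. Assumed mapping: event 8 (CreateRemoteThread)
source/target = SourceImage/TargetImage; event 1 (ProcessCreate)
source/target = ParentImage/Image."""
from dataclasses import dataclass
from typing import List, Optional

# Processes that render untrusted content (browsers, document/media viewers); assumed list.
CLIENT_APPS = {"iexplore.exe", "firefox.exe", "chrome.exe", "acrord32.exe", "wmplayer.exe"}


@dataclass
class Event:
    event_id: int   # 1 = ProcessCreate, 8 = CreateRemoteThread
    source: str     # acting process (parent, or thread creator)
    target: str     # affected process (child, or thread target)


# Constructed sample, not a capture from the lecture's lab.
SAMPLE = [
    Event(1, "explorer.exe", "iexplore.exe"),   # user launches the browser: normal
    Event(8, "iexplore.exe", "explorer.exe"),   # browser injects a thread into explorer: migrate
    Event(1, "iexplore.exe", "notepad.exe"),    # browser spawns an unrelated child: PrependMigrate-like
    Event(8, "csrss.exe", "iexplore.exe"),      # OS-internal remote thread: ignored here
]


def suspicious(ev: Event) -> Optional[str]:
    """Return a finding when a content-rendering process reaches into, or spawns, another process."""
    src = ev.source.lower()
    if src not in CLIENT_APPS:
        return None
    if ev.event_id == 8:
        return f"remote thread from {ev.source} into {ev.target} (possible migrate)"
    # A browser spawning another instance of itself (e.g. chrome.exe renderers) is normal;
    # a browser spawning an unrelated binary right after a hang is not.
    if ev.event_id == 1 and ev.target.lower() not in CLIENT_APPS:
        return f"{ev.source} spawned {ev.target} (possible PrependMigrate)"
    return None


def scan(events: List[Event]) -> List[str]:
    """Run the check over a list of events and collect the findings."""
    return [m for m in (suspicious(e) for e in events) if m]


if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```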