OK, so today I will show you how we can leverage a common XSS vulnerability and take it up a notch, yes that is right, a notch higher than we did previously with XSS Shell & XSS Tunnel. This time we will be using our common XSS to result in full OS compromise. Now I have seen a lot of tutorials involving Metasploit but most of them involve attacking XP with no Security updates which just doesn’t seem fair (or impressive). My kid brother could take care of that....so I decided to show you it is possible with little effort to compromise an up to date system running Windows 7 OS with Internet Explorer 8 for browser. This way you know I am being serious when I say this is a valid exploit and a noteworthy reason to double check your user input validation scheme(s). Please follow along, and I hope you enjoy the ride...
OK so you have found XSS vulnerability and you saved it and found it is persistent XSS injection that will affect all users who view the injected page. Even if it is not persistent you can use Social Engineering to get the same effect (i.e. high traffic to exploited page/link), be creative…I am sure you can convince someone to click a link somehow :p We will then use this to work with XSSF and Metasploit to take it up a notch. Where we previously used our injection to point our victims to an alert box, or as shown in previous write-up we could point to the XSS Shell we were hosting, but instead this time we will now be injecting the path to out XSSF + Metasploit setup. XSSF works in the same manner as XSS Shell BUT the primary difference is it is coded in ruby and you can incorporate it directly into the Metasploit framework which allows us to extend our exploits to all of the wonderful Browser Exploits that are already built into MSF (let’s be honest XSS Shell is nice but limited in scope). Now we can take a common XSS alert box and turn it into a Reverse Meterpreter Shell resulting in full OS compromise. I bet you didn't see that coming!
In order to get XSSF incorporated into MSF you need to follow a few quick steps:
- Download XSSF from here: http://code.google.com/p/xssf/downloads/list
- You also need to have an up to date working version of Metasploit already installed (I will not cover this and make assumption you can figure it out on your own). If you do not already have it installed you can download the latest release from here (free version is just fine): http://metasploit.com/download/
- The latest version will help us to avoid any DB issues or any issues with your ruby installs being outdated ;)
OK, now fire up Metasploit however you like, from the console or via Armitage. I will be using Armitage for the purposes of today's article since it helps keep things easy. Once you’re connected to your DB of choice and MSF is up and running we will want to do two things:
- First - unzip the XSSF download into the MSF folder on your machine.
- Secondly - run your choice method of opening MSF
- - Armitage or ./msfconsole
- Third - type this at MSF console: load xssf
You should now be greeted with the message banner for XSSF indicating that all went well. I had zero problems making it this far so if you have problems check your paths to make sure you unzipped everything properly and to the right locations. Once we have XSSF incorporated into Metasploit it is time to start tweaking our XSS Vulnerabilities and Injections to now point towards this setup. The default will run on localhost:8888 (use xssf_urls command to see full list generated at startup), and then you will need to inject some form of this XSS attack vector in order to get your victims to be sent to our XSSF Metasploit link:
NOTE: You can change the value following interval= to suite your needs as it will affect the browser refresh rate. I suggest playing with it and find what works for you, probably best between 2 & 5 (5 is default and works fine in my opinion).
Once this is injected instead of sending an alert box to our victims who view the page they will go on as if nothing happened while secretly they become our Zombies. Once we have zombies we can feed them to an XSS Tunnel session which works as outlined in my previous tutorial on XSS Shell and XSS Tunnel but now you can use the XSS Tunnel address that XSSF has created instead of fumbling with setting up XSS Shell and connecting with XSS Tunnel, just point your tools at localhost:8889 and let them rip. That is fun and can be convenient for leveraging other modules like the CSRF one......BUT you can also now leverage Metasploit to perform further Browser attacks against our Zombies and spawn Meterpreter shells all over the place!
Please watch this video for the full details:
NO SOUND version: http://www.youtube.com/watch?v=jwirABFe1Ok
I am pretty sure you can get all the commands from the video as I filmed everything as I walked through it so should cover everything you would need to get situated for the first time and on your way. If you have questions please let me know and I will do what I can to help you figure things out. As always, I hope you have enjoyed!
Until next time...