
List:       metasploit-framework
Subject:    Re: [framework] What is the most cool IE exploit and java on the
From:       Lukas Kuzmiak <metasploit () backstep ! net>
Date:       2010-11-22 17:03:30
Message-ID: AANLkTi=XyVWRu2YEkePTwBW7H+eWaEjqHW6y29+zum19 () mail ! gmail ! com

Btw,

The same exploits are mostly doubled in metasploit in two categories:

windows/browser/something - this runs a webserver and should pass PDF with
actual content defined as PDF - that should allow showing in the browser
directly.

windows/fileformat/something - speaks for itself, generates a file, you can
put it somewhere online and depending on the webserver content-type
will/won't be passed. You can tweak it with some .php file, setting
Content-type to application/pdf and embed the data under it, which will
allow you to show it directly even if the extension is php and user won't
expect it even in the worst nightmares :)

Lukas

Only wimps use tape backup: _real_ men just upload their important stuff on
ftp, and let the rest of the world mirror it ;). Torvalds, Linus
(1996-07-20).
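The Content-Type behaviour Lukas describes in both of his messages (application/pdf opening inline in the browser plugin, a force-download type raising the download dialog, and a .php URL returning PDF bytes) can be checked from the defender's side of the wire. The script below is an added example and is not code from this thread or from Metasploit: it classifies a captured HTTP response by its headers and the first bytes of its body, and flags PDF content that is served from a non-.pdf URL or with a Content-Type that does not match. All URLs, headers and bodies are constructed sample data.

```python
"""Classify captured HTTP responses that carry PDF content.

Added example, not from the mailing-list thread. The sample responses at
the bottom are constructed for illustration.
"""
import posixpath
from urllib.parse import urlsplit

PDF_MAGIC = b"%PDF-"                       # every PDF file starts with this
PDF_TYPES = {"application/pdf", "application/x-pdf"}
# Non-standard "force-download" type from the thread, plus the generic
# binary type; both make browsers show the download dialog.
DOWNLOAD_TYPES = {"application/force-download", "application/octet-stream"}


def header(headers, wanted):
    """Case-insensitive header lookup; returns the value without parameters."""
    for name, value in headers.items():
        if name.lower() == wanted:
            return value.split(";")[0].strip().lower()
    return ""


def url_extension(url):
    """Extension of the URL path (query string ignored), lower-cased."""
    return posixpath.splitext(urlsplit(url).path)[1].lower()


def classify(url, headers, body_prefix):
    """Return whether the body is a PDF, how a browser will most likely
    handle it (inline plugin vs download dialog), and findings to alert on."""
    ctype = header(headers, "content-type")
    disp = header(headers, "content-disposition")
    ext = url_extension(url)
    is_pdf = body_prefix.startswith(PDF_MAGIC)

    if disp == "attachment" or ctype in DOWNLOAD_TYPES:
        handling = "download-dialog"
    elif ctype in PDF_TYPES:
        handling = "inline-plugin"
    else:
        handling = "other"

    findings = []
    if is_pdf and ext not in (".pdf", ""):
        # The .php-with-application/pdf trick from the thread lands here.
        findings.append(f"pdf body served from non-pdf url ({ext})")
    if is_pdf and ctype not in PDF_TYPES | DOWNLOAD_TYPES:
        findings.append(f"pdf body with unexpected content-type {ctype!r}")
    if is_pdf and handling == "inline-plugin":
        findings.append("pdf will open inline in the browser plugin")
    return {"is_pdf": is_pdf, "handling": handling, "findings": findings}


def review(samples):
    """Run classify over (url, headers, body) tuples; keep only flagged ones."""
    flagged = []
    for url, headers, body in samples:
        result = classify(url, headers, body)
        if result["findings"]:
            flagged.append((url, result))
    return flagged


# Constructed sample responses (hypothetical host example.test).
SAMPLES = [
    ("http://example.test/view.php",
     {"Content-Type": "application/pdf"},
     b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n"),
    ("http://example.test/report.pdf",
     {"Content-Type": "application/pdf",
      "Content-Disposition": "attachment; filename=report.pdf"},
     b"%PDF-1.5\n"),
    ("http://example.test/index.php",
     {"Content-Type": "text/html"},
     b"<html><body>hello</body></html>"),
    ("http://example.test/get.php",
     {"Content-Type": "application/force-download"},
     b"%PDF-1.6\n"),
]

if __name__ == "__main__":
    for url, result in review(SAMPLES):
        print(url, result["handling"], "; ".join(result["findings"]))
```

The body check matters more than the header: the thread's point is that the server can claim any Content-Type it likes, so a proxy or IDS that keys only on the `.pdf` extension or the declared type misses the `.php` case. On the mitigation side, the second sample shows the server-side counterpart of "force-download": a `Content-Disposition: attachment` header makes the browser prompt instead of handing the file straight to the plugin.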


On Mon, Nov 22, 2010 at 5:59 PM, Lukas Kuzmiak <metasploit@backstep.net> wrote:

> Hey,
>
> I think this only depends on the browser and whether it has built-in
> support for pdf (module from adobe etc.) or not.
>
> In my Firefox, in about:plugins I see:
>
> Adobe Acrobat
> File: nppdf32.dll
> Version: 9.4.1.222
> Adobe PDF Plug-In For Firefox and Netscape "9.4.1"
>
> and some extensions table underneath it, once this is here it opens
> directly in the browser, however with the embedded module from Acrobat.
>
> Once Content-type header is defined as application/pdf it should open in
> the browser directly, if you use force-download type, then the download
> dialog should pop out.
>
> Not sure for IE though, should be very similar in the module point of view.
>
> I think it doesn't really matter as once the exploit works and user wants
> to open it, you will just get there.
>
> Regards,
> Lukas
>
> Only wimps use tape backup: _real_ men just upload their important stuff on
> ftp, and let the rest of the world mirror it ;). Torvalds, Linus
> (1996-07-20).
>
>
>
> On Mon, Nov 22, 2010 at 5:33 PM, Jeffs <jeffs@speakeasy.net> wrote:
>
>>  Is there a method within the .pdf generation which forces the browser to
>> open the file versus the adobe application?
>>
>>
>> On 11/22/2010 9:13 AM, Gerry Brunelle wrote:
>>
>> I would honestly suggest doing something with a pdf exploit since most
>> large companies love pdf and their users normally seem to have an inherent
>> trust in pdf files. Maybe have the client open a pdf file in their browser
>> since that won't go through email scanners which are starting to get better
>> at picking up malicious pdf files.
>>
>> Gerry
>>
>> On Sun, Nov 21, 2010 at 11:42 PM, Richard Miles <
>> richard.k.miles@googlemail.com> wrote:
>>
>>> Hi
>>>
>>> There is no restriction.
>>>
>>> Do you suggest the most recent and most reliable one for Flash and Adobe?
>>>
>>> Yes, but browser autopwn is out of date.
>>>
>>> Thanks
>>>
>>> On Thu, Nov 11, 2010 at 4:01 PM, Chao Mu <chao.mu@minorcrash.com> wrote:
>>> > You may also want to consider Flash and Adobe vulnerabilities. Or are
>>> > you restricting yourself to IE and Java? If so, what versions? There
>>> > is always browser autopwn if you get lazy...
>>> >
>>> > On Wed, Nov 10, 2010 at 3:24 PM, Richard Miles
>>> > <richard.k.miles@googlemail.com> wrote:
>>> >>
>>> >> I'm going to execute a client side attack, my target is win-xp SP3 in
>>> >> Spanish. I'm able to make my client access a site controlled by me.
>>> >> What is the more recent and more cool (good reliable and recent
>>> >> patched) exploit for IE and Java available on metasploit? Both
>>> >> launched from browser..
>>> >>
>>> >> Thanks
>>> >> _______________________________________________
>>> >> https://mail.metasploit.com/mailman/listinfo/framework
>>> >
>

_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework

