
List:       metasploit-framework
Subject:    Re: [framework] new exploit windows/browser/java_basicservice_impl
From:       Eric <dkn4a1 () gmail ! com>
Date:       2010-11-24 6:15:46
Message-ID: AANLkTi=yRQVEMc4-K9KOxf5ueog8cQxa5PcZ0dMw3ro_ () mail ! gmail ! com


On Tue, Nov 23, 2010 at 9:18 PM, Miguel Rios <miguelrios35@yahoo.com> wrote:

> The reason i want to have an html file to play around with instead of on
> the fly html serving is that one could throw in an iframe pointing to
> another machine waiting full of exploits so that as the
> java_basicservice_impl exploit is served up we can direct our victim
> onwards.
> The way it's setup now is that if the vic is not vulnerable to the
> java_basicservice_impl exploit then that's it, you can't exploit them
> further.
> I hope I'm making some sense here.


The way I used to do this is with wget: set up a local server and then run

$ wget --user-agent=Mozilla\/4.0\ \(compatible\;\ MSIE\ 7.0\;\ Windows\ NT\ 6.0\) URL

OR

In case there are more files associated than only the HTML file,
you can change the user-agent in Firefox using the 'user-agent-switcher'
addon and switch to the appropriate user agent.
Then browse.

Hope that helps.



> 
> 
> --- On *Mon, 11/22/10, egypt@metasploit.com <egypt@metasploit.com>* wrote:
> 
> 
> From: egypt@metasploit.com <egypt@metasploit.com>
> Subject: Re: [framework] new exploit windows/browser/java_basicservice_impl
> doesn't accept win payloads?
> To: "Miguel Rios" <miguelrios35@yahoo.com>
> Cc: framework@spool.metasploit.com
> Date: Monday, November 22, 2010, 9:03 PM
> 
> It might be possible to modify the exploit to use some other method of
> launching the jnlp file, but the current method of redirecting is
> blocked by default IE7 and 8 when inside an iframe.  Since
> browser_autopwn uses iframes for each exploit this issue makes the
> exploit largely useless in that context, so I have removed it from
> browser_autopwn.  I've also switched the order of targets so now
> Windows should be the default.  If you want to use a Java payload, set
> TARGET 1.
> 
> Hope this helped,
> egypt
> 
> On Mon, Nov 22, 2010 at 10:58 AM, Miguel Rios <miguelrios35@yahoo.com> wrote:
> > 
> > Hi,
> > 
> > I've been messing around with the new exploit mentioned above. However,
> although when I open the Ruby file I can see the option to use Windows as
> well as Java payloads, the exploit fails when it attempts to use a Windows
> payload. I even tried with browser_autopwn, and it also picks a Windows
> payload by default, although it fails.
> > 
> > I get this message:
> > 
> > [*] [2010.11.22-17:49:54] Starting exploit
> windows/browser/java_basicservice_impl with payload
> windows/meterpreter/reverse_tcp
> > [-] [2010.11.22-17:49:54] Exploit failed: windows/meterpreter/reverse_tcp
> is not a compatible payload.
> > [-] [2010.11.22-17:49:54] Failed to start exploit module
> windows/browser/java_basicservice_impl
> > 
> > 
> > Is this a bug? Also, while I'm at it, why can't we have these browser
> exploits write to an html file instead of serving the html on the fly?
> Writing to a file would allow for greater stealthiness and other goodies
> (like iframes), but it may not be feasible. Just an idea I thought I'd throw
> out.
> > 
> > Thanks
> > 
> > 
> > _______________________________________________
> > https://mail.metasploit.com/mailman/listinfo/framework
> > 
> 
> 
> 
> 
> 



