Metasploit mailing list archives
browser_autopwn broken in current version of Metasploit?
From: Arnar Gunnarsson <addi () addi org>
Date: Thu, 30 Jun 2011 00:41:52 +0000
There seems to be some issue with the Javascript obfuscation feature in the browser_autopwn module in Metasploit v3.8.0-dev (r13067). I'm able to start the module, but when I browse to the URL of the browser_autopwn server I'm not being redirected to the actual exploits. msf > use auxiliary/server/browser_autopwn msf > set LHOST 192.168.43.140 msf > set URIPATH / msf > run [*] Starting exploit modules on host 192.168.43.140... [*] --- [.... snip] [*] --- Done, found 21 exploit modules [*] Using URL: http://0.0.0.0:8080/ [*] Local IP: http://192.168.43.140:8080/ [*] Server started. Now I navigate to http://192.168.43.140:8080/ using any of the three major browsers and they all result in the same Javascript error (line 2069). This happens before browser_autopwn identifies the OS and browser type and redirect the browser to a specific explot. The offending line (line 2069) NrkYCIMtz = nkenXYUAjhMoyZ.encode(NrkYCIMtz); * Information from Firefox's Error Console: --------------- Error: nkenXYUAjhMoyZ.encode is not a function Source File: http://192.168.43.140:8080/ * Information from Chrome's Developer Tools: --------------- Uncaught TypeError: Object #<Object> has no method 'encode' :8080/:2069 oBeiS :8080/:2069 lNFkLUahB :8080/:2075 (anonymous function) :8080/:2076 onload :8080/:2077 * Information from IE8's Developer Tools --------------- Object doesn't support this property or method 192.168.43.140:8080, line 2069 character 3 It is also woth mentioning that all the exploits have started correctly and I can even point a IE7 instance to a specific IE exploit URL that succeeds. But the redirect from URIPATH (http://192.168.43.140:8080/) to the specific IE exploit URL does not happen. - Addi _______________________________________________ https://mail.metasploit.com/mailman/listinfo/framework
Current thread:
- browser_autopwn broken in current version of Metasploit? Arnar Gunnarsson (Jun 29)