Hi guys,

Anyone know how I can get shell access using any modern browser (Chrome, IE, Firefox, etc., so that the browser doesn't bitch at me and say I need to upgrade to the latest browser version) by browsing to a URL? I tried putting a malicious iframe on my evil portal and using these exploits: auxiliary/server/browser_autopwn, auxiliary/server/browser_autopwn2.

I even tried downgrading to IE 8, then using the exploit: exploit/windows/browser/ms10_002_aurora.

But so far I got nothing. :( No meterpreter sessions.

 

This is for a presentation, by the way. Any of you guys suggest a different way? I am desperate. Wait not really. Just really frustrated. Hope someone can help.

 

Thanks in advance!

While I've not done this on the pineapple, only on websites I've tested.

My advice would be to take a look at RFD attacks (Reflected File Download attacks). 

 

It should be possible to set up a vulnerable page/site using EvilPortal or something similar on the pineapple and then your link should auto-download and run shell commands on the user's device. (Works on both win and nix, but I've only tested against Windows users.)

I'm not going to walk you through the whole attack, but it's easy to do and requires little to no input from a user (it's also possible to bypass all browser security warnings).

Here is a very good walkthrough by Oren Hafif, who now works for Facebook security, I think.

FACEBOOK RFD ATTACKS

Good luck.

PS this would make an awesome module (hint hint @Foxtrot and would give easy total pwnage to the pineapple devices) 

Edited by zoro25
