Last updated at Tue, 25 Jul 2017 20:24:48 GMT

Over the weekend, there was a brief conversation between @Mr_Protocol and @Mubix on Twitter about downloading the Metasploitable VM (which you can torrent here by the way). While Metasploitable is a fine Linux target, it's not Windows -- due to licensing restrictions, we can't redistribute those particular bytes. The usual advice is to set up a target server in VMware with whatever operating system you like, and go to town. In fact, we have a lovely how-to right here.

This reminded me of a topic I spoke about at our local hacker group a couple weeks ago -- the hassle of, and solution to, researching and developing Windows client exploitation techniques when you're in a hurry. These days, vulnerable client software is actually kind of a pain to get a hold of. Not everyone has handy installation media for Windows, since physical discs can get lost pretty quickly, so you can't get a hold of your crusty old Internet Explorer 6. Or, you might have a target desktop in some unknown state, and you have no idea what, if any, client software is already installed, and you don't want to stomp on anything important. Or, you might just now be getting started with client-side exploits, and don't have a lab set up yet.

In any event, if the goal is to quickly get a Meterpreter shell in a client exploit context (where the victim is a user who has to click on something to be exploited), the venerable Adobe CoolType SING Table "uniqueName" Stack Buffer Overflow exploit module is where it's at.

I won't go into ancient history about the bug, but the short story is, it started life as 0-day malware, and @jduck and friends converted it into a Metasploit module a few days later. The great thing about this exploit is that the vulnerable software is a snap to get a hold of, even a year later. Adobe graciously makes available about a million old versions of Acrobat Reader, so you can pick it up over FTP right this second if you need to. This is in stark contrast to most client Windows software -- once the vulnerable version of Product X is patched, the old version is (nominally) gone forever, yanked without mercy from the vendor's site.

Another major win for this particular exploit in a testing context is that exploitation is cross-browser. I've used it successfully with Internet Explorer, Mozilla Firefox, Chrome, Safari, and Opera, and I imagine it will work with any other browser which supports Acroread as a plugin. Of course, you need not rely on browser transport at all -- maybe the attack vector you're testing is over e-mail, or FTP, or getting the victim to click on a Windows file share. For those cases, we also have the Cooltype SING exploit as a standalone file format exploit, so you can control the delivery to your heart's content.

It's rare to find a reliable stack buffer overflow exploit like this that has such an easy-to-create Windows client environment, and here we've been sitting on this one for over a year. True, it's not a straight browser exploit, so any R&D work you might be doing with it isn't going to be pure JavaScript, but that's a pretty minor limitation. For my recent lightning talk, I was able to survey all the browsers mentioned above in about 5 minutes to test detection gear when you deliver exploits within an iframe source that's encoded with a data URI scheme.
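When a document arrives inside a data URI on an iframe, detection gear has to unwrap the URI before it can see any PDF at all. The Python below is an added example, not code from the original post or from Metasploit: it finds data-URI sources on `iframe`, `embed` and `object` elements, decodes them, and flags PDF content by its header even when the declared media type says otherwise. The names `decode_data_uri`, `find_embedded_pdfs` and `SAMPLE_HTML` are hypothetical, and the sample markup is constructed.

```python
import base64
from html.parser import HTMLParser
from urllib.parse import unquote_to_bytes

# Elements and the attribute that can carry an embedded document.
URI_ATTRS = {"iframe": "src", "embed": "src", "object": "data"}

def decode_data_uri(uri):
    """Return (media_type, payload_bytes) for a data: URI, else None."""
    uri = uri.strip()
    header, sep, body = uri[5:].partition(",")
    if uri[:5].lower() != "data:" or not sep:
        return None
    params = [p.strip().lower() for p in header.split(";")]
    raw = unquote_to_bytes(body)  # percent-decoding applies to both forms
    if "base64" in params[1:]:
        raw = b"".join(raw.split())  # tolerate embedded whitespace
        try:
            raw = base64.b64decode(raw + b"=" * (-len(raw) % 4))
        except ValueError:  # undecodable payload: nothing to inspect
            raw = b""
    return params[0] or "text/plain", raw  # RFC 2397 default media type

class EmbeddedPdfFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []
    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            match = name == URI_ATTRS.get(tag) and value
            decoded = decode_data_uri(value) if match else None
            if decoded:
                media_type, payload = decoded
                # Judge by content, not by label: look for the PDF header
                # marker near the start of the decoded bytes.
                has_magic = b"%PDF-" in payload[:1024]
                if has_magic or media_type == "application/pdf":
                    self.findings.append((tag, media_type, has_magic))

def find_embedded_pdfs(html):
    finder = EmbeddedPdfFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample: a bare PDF header, no document body.
_B64 = base64.b64encode(b"%PDF-1.4\n% constructed sample\n").decode()
SAMPLE_HTML = (
    f'<iframe src="data:application/pdf;base64,{_B64}"></iframe>'
    f'<IFRAME SRC="DATA:text/html;BASE64,{_B64}"></IFRAME>'
    '<embed src="data:text/plain,%25PDF-1.4%20constructed">'
)
```

The second and third sample elements are the cases a media-type-only rule misses: the label says HTML or plain text, but the decoded bytes begin with a PDF header.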

So, here's the tl;dr version of the above: If you want to exploit a client machine in a hurry, you could do worse than installing Adobe Acrobat Reader 9.3.4, available from Adobe itself, and firing off adobe_cooltype_sing. If you want to read that last sentence with more zoomy text animations, you can check my Prezi slides on the topic as well.