The first exploits I ran were to simulate client-side attacks. One involved creating a malicious PDF file with Metasploit and opening it on the victim machine. This was meant to simulate a malicious email attachment. The other involved setting up Metasploit to serve up a malicious web page. This would simulate someone clicking on a malicious link, either within an email or on a web page. The exploits that I tried were:
- adobe_utilprintf
- adobe_flatedecode_predictor02
- adobe_geticon
- adobe_jbig2decode (process)
- adobe_jbig2decode (seh)
- ms10_002_aurora
- ani_loadimage_chunksize
- ie_createobject
The machines I am attacking are both XP Pro SP2. The browser is IE6 and the version of Acrobat Reader is 8.1. The users that executed the exploits were both non-admin. The exploits that worked were the jbig2decode and ie_createobject. Since the users were not running in administrator accounts I wasn't able to accomplish much. I was able to migrate to processes that they owned. I couldn't steal any tokens to escalate my privileges, so I couldn't migrate to any other processes. I could read and write within my own directory areas. I could read the registry but not write to it (at least not HKLM).
I can now see the proof that it is a good idea to run as non-admin. This week's work will involve trying to find a way to increase my privileges and pivot the attack to other machines on the internal LAN.
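The three limits observed above (no token to steal, migration only into the user's own processes, no write to HKLM) are exactly what a least-privilege audit of a workstation should confirm. The script below is an added example, not from the original post, for checking those points on the current Windows session in PowerShell. It assumes a host where PowerShell is available (the XP SP2 targets in the post would not have it by default) and uses a placeholder registry key name for the HKLM write probe.

```powershell
# Added example (not from the original post): audit the least-privilege
# posture of the current interactive user. It reports the three things a
# non-admin session was observed to be limited to: local admin membership,
# HKLM write access, and how many running processes the user actually owns
# (the only ones a user-level process could be migrated into).

$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
$isAdmin   = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)

# Probe HKLM write access by creating and immediately removing a throwaway key.
$probeKey = 'HKLM:\SOFTWARE\LeastPrivProbe'   # placeholder key name (assumption)
$hklmWritable = $false
try {
    New-Item -Path $probeKey -ErrorAction Stop | Out-Null
    Remove-Item -Path $probeKey -ErrorAction SilentlyContinue
    $hklmWritable = $true
} catch {
    # Access denied is the expected result for a non-admin user.
    $hklmWritable = $false
}

# Count processes owned by the current user versus everything running.
$userName = $identity.Name.Split('\')[-1]
$all   = @(Get-WmiObject -Class Win32_Process)
$owned = @($all | Where-Object {
    $owner = $_.GetOwner()
    ($owner.ReturnValue -eq 0) -and ($owner.User -eq $userName)
})

# Summary object; New-Object PSObject keeps this usable on PowerShell 2.0.
New-Object PSObject -Property @{
    User           = $identity.Name
    IsLocalAdmin   = $isAdmin
    HklmWritable   = $hklmWritable
    OwnedProcesses = $owned.Count
    TotalProcesses = $all.Count
}
```

A healthy result for a standard user is IsLocalAdmin false, HklmWritable false, and OwnedProcesses well below TotalProcesses, since services and other users' sessions stay out of reach. On systems with UAC, a non-elevated administrator also reports IsLocalAdmin false because the check reflects the current filtered token, not raw group membership; the post's XP SP2 targets predate UAC, so there the two coincide.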