Exploiting Remote machine with Pastejacking
Pastejacking is a technique that takes over the clipboard of a machine, for instance, when we copy text from a website, that text can be riddled with malicious code that will execute when the text is pasted in a victim’s machine. This is a very good way to achieve a Meterpreter session because of its simplicity. All that needs to be done is; copy some harmless words from the browser and paste them on the command prompt and that’s it, session!!
We are going to walk you through the process, using a tool called PasteZort
Here’s how it happens:
The first thing you’ll need to do is get the tool from Github.
To keep it simple, from your Kali terminal, and type the following command
git clone https://github.com/Zetahack/PasteZort.git
This will make a PasteZort folder on your desktop with the tool in it
Open the folder and you will see all the files you need to run this tool, the inside of the folder will look like the screenshot given below.
In order to execute the tool we first must change the permission of the “encode.rb” file. Right click on the “encode.rb” file and open its properties, under properties, go to the “Permissions” tab, check the box in front of “Execute” that says “Allow executing the file as program”.
Navigate to the PasteZort folder from the Kali terminal, now execute the tool using “python ./PasteZOrt.py”. Your tool is now running.
Now we can get started on making our pastejacking payload using the tools interphase. We will be making a windows payload, so in front of “Objectves:” type “1” to choose Windows as the targeted operating system.
After that, again choose option “1” under “Select Payload” to generate a windows reverse tcp shell. Enter your IP address in “LHOST” and the port number you want the exploit to communicate with in “LPORT”
You will now get an option to enter the message you want displayed as the pastejacking text, for example: we have written “ping” and “http://www.hackingarticles.in”.
And that’s it, your payload is ready.
You will now be asked, if you would like to turn on Handler, type “Y” and press enter
Open a web browser on the victim machine and enter your IP in the address bar, the text you typed in the message section will appear, select the text and copy it.
Open a command prompt on the victim machine, paste the copied text and press Enter.
Go back to the Kali terminal and you will see Handler starting the reverse tcp and that’s it, you’ve done it. You now have a Meterpreter session, plain and simple.
The beauty of this tool lies in its simplicity, it has a clean interphase with an intuitive workflow and can get effective results without any mess. The message section makes it easy to make your payload look as harmless as possible. This also goes to show how easy it is to get hacked, so stay vigilant.
Have fun and stay ethical.
About The Author
Abhimanyu Dev is a Certified Ethical Hacker, penetration tester, information security analyst and researcher. Connect with him here