Good evening friends. Today we will learn about hacking Windows with the Poison Ivy buffer overflow exploit. This exploit hacks a system using a vulnerability in a RAT. RAT stands for Remote Access Trojan and is a type of malware. It works when a hacker sends a malicious file to the victim and the victim opens it. When the victim opens the malicious file, it sends a connection back to the hacker’s machine. The hacker can then control the victim’s machine through a command and control (C&C) server. Using RATs, the hacker can
- Block the mouse and keyboard
- Change the desktop wallpaper
- Download, upload, delete, and rename files
- Destroy hardware by overclocking
- Drop viruses and worms
- Edit the registry
- Use your internet connection to perform denial of service (DoS) attacks
- Format drives
- Steal passwords and credit card numbers
- Alter your web browser’s homepage
- Hide desktop icons, the taskbar and files
(Data from Wikipedia)
The picture given below should explain the scenario. More about RATs later.
You can see the command and control server of the Poison Ivy RAT below. Poison Ivy is one of the most popular RATs and many variants of it are still active. It was used in the RSA SecurID attack. Poison Ivy RAT 2.1.x versions suffer from a stack buffer overflow vulnerability. Using this vulnerability, the machine running the C&C server can itself be hacked. So here, it’s a case of the hacker getting hacked.
We will learn more about RATs in our next howtos. But for now, let us see how to hack a Windows machine running a Poison Ivy C&C server with the Poison Ivy buffer overflow exploit. Open Metasploit and load the exploit as shown below. The only option necessary is RHOST. As shown below, this RAT listens on port 3460. Set RHOST and check whether the target is vulnerable.
Now, as the target is vulnerable, set the payload and run the exploit. You should get a Meterpreter session on the remote machine as shown below.
Hello aspiring hackers. In this howto, we will see hacking Advantech WebAccess Dashboard 8.0 with Metasploit. Advantech WebAccess is 100% web-based SCADA software. It provides a cross-platform, cross-browser data access experience and a user interface based on HTML5 technology. With WebAccess, users can build an information management platform and improve the effectiveness of vertical market development and management.
SCADA (Supervisory Control And Data Acquisition) is a system for remote monitoring and control that operates with coded signals over communication channels. Vulnerabilities in SCADA systems are considered very serious as they are used in monitoring various industrial and infrastructure processes like power generation, water treatment, oil and gas pipelines, electrical power transmission and distribution, wind farms and large communication systems.
Version 8.0 of Advantech WebAccess suffers from an arbitrary file upload vulnerability. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Advantech WebAccess, and that without needing authentication. Start Metasploit and load the exploit as shown below.
Set the target IP address and check whether the target is vulnerable.
If the target is vulnerable as shown above, set the required payload. We are trying to get a shell on our target.
Execute the exploit by typing the command “run”. The exploit will run and a command shell will be opened on our target as shown below. See, it was very easy to get into a SCADA system.
Good evening friends. “PCMan’s FTP Server is a free software mainly designed for beginners not familiar with computers, hoping that it can make setting up a basic FTP server very easy. Functionality and security are not the major concern. Usability, however, is the most important concern”, according to its makers. However, version 0.7 of this software has a buffer overflow vulnerability for which a Metasploit exploit module has been released. First of all, we need to perform enumeration to find services on our targets. To know more about enumeration, read this. Now let’s see hacking PCMan’s FTP Server with Metasploit.
Start Metasploit and load the exploit as shown below.
Set the IP address of our target as shown below. Check the available payloads by typing the command “show payloads”.
Choose any payload you require. I am choosing the Meterpreter payload. Check if our target is vulnerable using the “check” command.
Next, execute our exploit by typing the command “run”. You will successfully get a Meterpreter session on the target. The only drawback of this exploit is that it only works on Windows XP. Happy hacking.
Good morning friends. Today we will see how to hack Easy File Sharing HTTP Server 7.2 with Metasploit. Easy File Sharing HTTP Server is a Windows program that allows you to host a secure peer-to-peer and web-based file sharing system without any additional software or services. It doesn’t require additional HTML page design. It allows you to run a web site on your own PC and share photos, movies, videos and music/MP3 files securely. It also allows visitors to upload and download files easily through web-based interfaces. A recent version of this software, 7.2, has an SEH overflow vulnerability which can be exploited by crackers to spawn a shell on the target system. If you have gone through my previous howtos you should be well aware of how to find vulnerable targets, but in some cases we may require enumeration of our target machines. Read this to know more about enumeration. Now let’s see hacking Easy File Sharing HTTP Server 7.2 with Metasploit. Start Metasploit and load the module as shown below.
The only option it requires is RHOST. Needless to say, it is the IP address of our target. Set the target and check the payloads this exploit supports.
Set the payload you want. I have set the payload shown below.
Type the command “show options” to check whether all options are set.
It’s time to run the exploit. Type the command “run” and, if all goes well, you will get a shell on the remote system. Happy hacking.
Good evening friends. Today we will see how to exploit a vulnerability in the recent version of a popular program, ATutor, with Metasploit. This vulnerability exists in the most recent version released, i.e. ATutor 2.2.1. For those newbies who don’t know what ATutor is, it is an open source web-based Learning Content Management System (LCMS) designed with accessibility and adaptability in mind. It boasts of 216 downloads per week from SourceForge itself. There are two vulnerabilities present in the version mentioned above. We will exploit a SQL injection vulnerability in this howto. So let’s get onto hacking ATutor 2.2.1 with Metasploit. Start Metasploit and load the exploit as shown below.
Set the required options. For now, we will only need the target IP address. Check whether your target is vulnerable as shown below.
Type the command “show payloads” and choose the required payload. I chose the payload below. Once again, type the command “show options” and set the attacker system’s (i.e. our system’s) IP address, which I am not going to show below.
Run the exploit by typing the command “run”. The exploit will run and a command shell will be opened on the target system as shown below. (Watch out for the easter egg, which we will use in our future howtos.)
To learn about the target system, type the commands as shown below. Happy hacking.
Good evening friends. Today we will see how to exploit the PHP Utility Belt remote code execution vulnerability. All the credit for this exploit goes to one “WICS” of exploit-db.com. The exploit is shown below. Here in this howto, I will just show you how to use this exploit. For those guys who don’t know what PHP Utility Belt is, it is a “set of tools for PHP developers. We can just install it in a browser-accessible directory and have at it.”
Here is the video version of this howto. If you want the textual version, scroll down.
This is how PHP Utility Belt can be set up, as shown below.
Before we try our exploit, let’s try to access a file named “info.php” through the URL as shown below. You will get an error as shown below.
Now enter the given PHP code as shown below and hit “Run”. This is our remote command execution exploit.
Now once again try to access the file you tried to access above. You should see the file listed as shown below. Hence we successfully performed remote command execution.
NOTE: This is for educational purposes only.
Good evening friends, today we will see an arbitrary file access vulnerability in Kodi 15. For those guys who have no idea what Kodi is, it is “an award-winning free and open source cross-platform software media player and entertainment hub for HTPCs. Kodi can be used to play almost all popular audio and video formats around.” We will exploit an LFI vulnerability in its web interface.
Before we start, let me make clear that the credit for finding this vulnerability goes to one “MICHAEL PRONK” of exploit-db. I am just showing how to use that exploit. The exploit is shown below.
Ok, now let’s see it in real time. Open Shodan (which means you should have an account there) and search for “title:kodi os:linux” as shown below. We are searching for all Linux machines with Kodi installed on them. The results will be as shown below.
Now open any one interface. It should look like the one below. Kodi, by default, runs on port 8080.
Now we will try to access the passwd file on this Linux machine. Just after the port number, try the query shown below. You should get the contents of the passwd file as shown below.
Here’s another example.
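For the defender’s side of the Kodi LFI described above, here is an added detection example (my own code, not from the post or from Kodi). It assumes the Kodi web interface on port 8080 sits behind a reverse proxy that writes combined-format access logs; the log lines and the `/download?file=` endpoint are constructed for the example and are not the actual Kodi query, which the post leaves to its screenshot. The check decodes each request target repeatedly (so double-encoded traversal is caught) and flags `../` sequences and references to /etc/passwd or /etc/shadow, marking whether the server answered 200.

```python
import re
from urllib.parse import unquote

# Constructed combined-log-format lines (IPs, paths and sizes are made up).
# Line 1: single-encoded traversal that was served (200).
# Line 2: benign JSON-RPC call. Line 3: double-encoded traversal, rejected (404).
# Line 4: benign download.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2016:20:01:02 +0000] "GET /download?file=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1820
10.0.0.7 - - [01/Jan/2016:20:01:05 +0000] "GET /jsonrpc?request=%7B%22jsonrpc%22%3A%222.0%22%7D HTTP/1.1" 200 64
10.0.0.9 - - [01/Jan/2016:20:01:09 +0000] "GET /download?file=%252e%252e%252f%252e%252e%252fetc%252fshadow HTTP/1.1" 404 120
10.0.0.7 - - [01/Jan/2016:20:01:12 +0000] "GET /download?file=movies%2Fposter.jpg HTTP/1.1" 200 55000
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
TRAVERSAL = re.compile(r'\.\.[/\\]')            # ../ or ..\ after decoding
SENSITIVE = re.compile(r'/etc/(?:passwd|shadow)\b')


def fully_decode(s, max_rounds=5):
    """Percent-decode until the string stops changing (bounded), so that
    %252e%252e%252f (double-encoded ../) is seen as ../ too."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def flag_lfi_requests(log_text):
    """Return one dict per suspicious request: who sent it, the decoded
    target, why it was flagged, and whether the server served it (HTTP 200)."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        target = fully_decode(m['target'])
        reasons = []
        if TRAVERSAL.search(target):
            reasons.append('traversal')
        if SENSITIVE.search(target):
            reasons.append('sensitive-file')
        if reasons:
            hits.append({'ip': m['ip'], 'target': target, 'reasons': reasons,
                         'served': int(m['status']) == 200})
    return hits


if __name__ == '__main__':
    for hit in flag_lfi_requests(SAMPLE_LOG):
        print(hit)
```

A hit with `served` true is the one to treat as a confirmed read of the file rather than a blocked attempt.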