Hack Like a Pro: How to Find Almost Every Known Vulnerability & Exploit Out There

How to Find Almost Every Known Vulnerability & Exploit Out There

Welcome back, my nascent hackers!

Earlier, I wrote a guide on finding operating system and application vulnerabilities in Microsoft's own security bulletins/vulnerability database. In this tutorial, I will demonstrate another invaluable resource for finding vulnerabilities and exploits by using the SecurityFocus database.

Most often, when we're trying to hack a system, the vulnerabilities and exploits that will work on the target are not going to be simply handed to us, like I have done in these tutorials. We need to do a bit of research to find what will work on a particular target system. After running reconnaissance on the system, we can determine what operating system is running, what ports are open, and what services are running. From there, we need to decide upon the best strategy to compromise the system without being detected. That's not always going to be obvious or simple.

We most likely will have to do a little research first to find the proper vulnerability on the target system and then find an exploit to take advantage of it. In this tutorial, we'll look at one of the most complete and helpful resources in finding vulnerabilities and exploits.

Step 1: Navigate to SecurityFocus

Let's start by navigating to www.securityfocus.com. It should look like this.

We can see that the SecurityFocus database has some handy tools for searching for vulnerabilities. It will allow us to search by vendor, by title of the software and by the version. Finally, it will allow us to search by CVE, which is the Common Vulnerability and Exploit number. These numbers are assigned by Mitre Corporation, who is funded by the National Cyber Security Division of the U.S. Homeland Security.

Step 2: Searching for Vulnerabilities

The CVE database includes nearly every vulnerability that has been found in the wild or discovered by security researchers, even if the software publisher doesn't want it known or hasn't patched it yet.

For instance, Adobe has had a very bad run in recent years with poorly designed software that's full of security vulnerabilities. These include such ubiquitous software as Adobe Reader, Adobe Flash, etc. Since nearly every client-side computer system has Adobe Flash or Reader installed on it, let's take a look at the known vulnerabilities to these applications.

Let's look at Adobe Flash. Simply select Adobe in the pull-down menu of vendors and then select Flash Player from the pull-down in the title window. Finally, click on the submit button and the system will return pages of Adobe Flash Player vulnerabilities.

The very first vulnerability to appear is Adobe Flash Player APS813-17 Multiple Remote Code Execution Vulnerabilies. This is a brand new vulnerability just published July 9, 2013. Woohoo!

Even better, it allows for "remote code execution," or in other words, it will allow for the installation of a listener/rootkit on the system running Flash Player. If we scroll down, we see that this vulnerability is included in the Android Flash Player 11.1.102.59 and nearly every version of Adobe Flash Player right up to 11.2.202.235. Since the current version of Adobe Flash Player is 11.8, this would mean that unless the user has updated their Flash Player very recently, this vulnerability exists on their system.

Step 3: Finding Exploits

Now that we've found a vulnerability that virtually every PC will have, the next step is to find an exploit. A vulnerability is simply a weakness or hole in the system that can be exploited, it does not necessarily mean it has been exploited. Developing an exploit requires some advanced coding skills, but is not beyond the capability of a talented, aspiring hacker.

To find the exploit for this vulnerability, we simply need to click on the EXPLOIT tab at the top of the page. This will open that tab and reveal any and all exploits that have been developed for that vulnerability. When we do that for this brand new vulnerability, we can see that no one has yet developed the exploit.

So....all my newbie hackers, here is your opportunity to make your name and develop an exploit for this brand new vulnerability!

Step 4: More Adobe Flash Vulnerabilities

We can see that SecurityFocus has over four pages of vulnerabilities for Adobe Flash alone. This doesn't count all the other Adobe products that are almost as flawed as Flash Player. Do you have any question in your mind now why Apple banned Flash Player from its iOS?

Let's take a look at some of the other Flash Player vulnerabilities. If we scroll down a bit, we come to a vulnerability called Adobe Flash Player CVE-2012-0754 . That one sounds interesting, let's click on it.

We can see that it was published just last year ago in February 2012 and was updated just last June 2013. If we look down a bit, we can see all the browsers and operating systems that are vulnerable when running Flash Player.

Now, if we click on the Exploit tab, we can see that an exploit is available and we can get it through clicking on the link.

Step 5: Finding the Exploit for Use in Metasploit

Finally, we can go to BackTrack and open Metasploit. There we can search for this exploit search for this exploit.

  • msf> search adobe flash mp4

We can see that Metasploit has incorporated this exploit into its latest version and updates and is ready for us to use to own nearly any system (XP, Vista, and Windows 7 SP1) running Adobe Flash!

Red map and Network access photos via Shutterstock

20 Comments

I realize this question is off topic, but would appreciate some help.

  1. What video player can I use with backtrack? I attempted to download VLC, but it was blocked.
  2. How to get Backtrack to recognize my printer?

Thank you for any consideration of my questions.

Charles:

I don't understand why VLC was blocked. I have it running on my system. Can you send me more info?

As for the printer, most printers are plug and play in BackTrack. Are you using a VM? If so, the issue is the VM.

OTW

I tried downloading via Firefox which reported that the address was not understood.

I then used Konqueror and was told the protocol not supported.

I am not using VM.

My printer is Canon MX410 wireless

Charles:

In Linux, we usually use a package manager such rpm or apt-get.

I'm pretty sure your printer is supported.

OTW

Make sure you are downloading the correct version for Ubuntu Linux and the particular architecture.

OTW

You can find the list of supported Canon printers here.

Thanks for bringing that up. Links fixed.

Thank you OTW for this tutorial.. I came across this question and would like to hear your feed backs.

Describe any two language defects that a hacker can use to create an exploit. For example, SQL";", binary HTML/XML injection, late-bound substitution, C string buffer overflow, binary fuzzing, .. etc.

I'm having trouble finding vulnerabilities in vBulletin. I assume it's because I don't yet know how to use the search function correctly. Is there another site for vBulletin vulnerabilities?

That's what I was using lol. Ok I better just get used to using the site. Thanks OTW. The Vbulletin thing btw, is for a site that the admin abandoned about 3-4 years ago. It's clogged with spam bots so I going to ban them all.

Awesome! Some of these articles are a bit hard to find because I can only display the first page when I'm in the How-To categories, I tried with different computers and navigators.

OTW,

Is there a way to find out remotely what version of certain software the victim has insalled (maybe using recon tools like nmap) ?

Funest

PS: Keep doing these awesome tutorials!

Funest:

There are numerous ways, but the most surefire way is to use SNMP and get the MIB info.

OTW

Do you have any tutorial on that?

Yes, type "snmp" into the search window.

Thanks OTW, stay awesome!

edit

Share Your Thoughts

  • Hot
  • Latest