
GhostRAT Client Buffer Overflow Exploit

Hello aspiring hackers. Welcome back. Previously we have seen how to exploit vulnerabilities in the C&C servers of some popular malware, namely the DarkComet and Poison Ivy RATs. Today we will see how to exploit a vulnerability in another popular RAT, Gh0st RAT, and use it to compromise the machine running its controller.

Gh0st RAT is a remote access trojan for the Windows platform that the operators of GhostNet used to break into some of the most sensitive computer networks in the world; it is, in short, a cyber-espionage tool. Like every RAT, it has a command and control (C&C) server, also called the controller, to which the infected machines connect.

The Metasploit module used here exploits a buffer overflow in the Gh0st controller that is triggered when it handles a drive list sent to it by a victim. Since anyone who can reach the controller's listening port can impersonate a victim and send a crafted drive list, this gives an attacker remote code execution on the machine running the controller.
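To make the packet the controller parses concrete, here is an added Python model of the Gh0st wire framing together with the length checks a controller needs before it trusts a victim-supplied drive list. This is example code written for this page, not the Gh0st sources or the Metasploit module. What it takes from the Gh0st protocol is the header layout (the 5-byte "Gh0st" flag, a little-endian DWORD total packet length, a little-endian DWORD uncompressed length, then a zlib-compressed body); the drive-list token value and the simplified body layout of a token byte followed by NUL-terminated drive names are assumptions, and the exact location of the controller's overflow is not shown on this page.

```python
"""Gh0st RAT wire framing, modelled for this page.

Added example, not the Gh0st sources or the Metasploit module.  Known
from the gh0st protocol: every packet is the 5-byte flag "Gh0st", a
little-endian DWORD total packet length, a little-endian DWORD
uncompressed length and a zlib-compressed body.  Assumed here: the
drive-list token value and a simplified body layout of one token byte
followed by NUL-terminated drive names.
"""
import struct
import zlib

MAGIC = b"Gh0st"             # flag at the start of every packet
HDR_LEN = 13                 # 5-byte flag + two 4-byte length fields
TOKEN_DRIVE_LIST = 3         # assumed value of the victim -> controller drive-list token
MAX_ORIGINAL_LEN = 1 << 20   # cap chosen for this example


class BadPacket(ValueError):
    """Raised when a packet fails a framing or length check."""


def build_drive_list(drives) -> bytes:
    """Victim-side body: token byte, then each drive name NUL-terminated."""
    return bytes([TOKEN_DRIVE_LIST]) + b"".join(d.encode("ascii") + b"\x00" for d in drives)


def build_packet(body: bytes) -> bytes:
    """Wrap a body in the Gh0st header: flag | total len | uncompressed len | zlib(body)."""
    compressed = zlib.compress(body)
    return MAGIC + struct.pack("<II", HDR_LEN + len(compressed), len(body)) + compressed


def parse_packet(raw: bytes, max_original: int = MAX_ORIGINAL_LEN) -> bytes:
    """Controller-side parse that refuses to trust the sender's length fields.

    A parser that sizes a buffer from the declared uncompressed length, or
    copies the inflated data into a fixed buffer without checking it, is the
    shape of bug a malicious "victim" can abuse.
    """
    if len(raw) < HDR_LEN or raw[:5] != MAGIC:
        raise BadPacket("bad flag or truncated header")
    total, original = struct.unpack("<II", raw[5:HDR_LEN])
    if total != len(raw):
        raise BadPacket(f"declared total length {total} != received {len(raw)}")
    if original > max_original:
        raise BadPacket(f"declared uncompressed length {original} exceeds cap {max_original}")
    inflater = zlib.decompressobj()
    # Inflate at most original+1 bytes: one byte more than declared is enough to prove a lie.
    body = inflater.decompress(raw[HDR_LEN:], original + 1)
    if len(body) != original or inflater.unconsumed_tail:
        raise BadPacket("uncompressed length does not match header")
    return body


def parse_drive_list(body: bytes, max_name: int = 64):
    """Split a drive-list body into names, rejecting unterminated or oversized entries.

    max_name stands in for the fixed-size buffer a naive controller copies into.
    """
    if not body or body[0] != TOKEN_DRIVE_LIST:
        raise BadPacket("not a drive list")
    if len(body) == 1:
        return []
    if not body.endswith(b"\x00"):
        raise BadPacket("unterminated drive name")
    names = body[1:-1].split(b"\x00")
    if any(len(n) > max_name for n in names):
        raise BadPacket("drive name too long for a fixed-size buffer")
    return [n.decode("ascii", "replace") for n in names]


if __name__ == "__main__":
    packet = build_packet(build_drive_list(["C:", "D:"]))
    print(packet[:HDR_LEN].hex(), parse_drive_list(parse_packet(packet)))
```

The two length fields are the point: both are chosen by the sender, so a controller that allocates or copies based on them without comparing against what actually arrived and what actually inflates is trusting its own victims. The `check` command of the module is doing fingerprinting, not this kind of validation, so a "vulnerable" result still has to be confirmed by the exploit itself.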

It is unlikely that you will find a system with a Gh0st RAT command and control server installed during a pentest, but it is not impossible. So imagine a scenario where I am port scanning a network for systems with port 80 open and find this machine.

Then I run a version-detection scan against this machine to find out what exactly is running on port 80, and I get this.

In the ensuing research I find out that this is a Gh0st RAT command and control server and that there is a Metasploit module for it. I am not yet sure whether my target is running a vulnerable version of the controller. So I fire up Metasploit and search for the module as shown below.

I load the exploit and check its options as shown below.

I set the target IP and use the "check" command to see whether the target is vulnerable to this exploit. The target appears to be vulnerable. I execute the exploit using the "run" command and, voila, I get a meterpreter session as shown below.

I check the privileges and system information using the "getuid" and "sysinfo" commands respectively.



Easy Chat Server Buffer Overflow Exploit

Easy Chat Server is a Windows program for setting up a simple chat server. It is considered the simplest way to set up a community chat room for a group or company because it needs no other software, such as a Java runtime, to be installed. Easy Chat Server suffers from a buffer overflow vulnerability that is triggered during user registration to the chat server. Let's see how we can exploit this vulnerability.

During a pen test, while scanning the network, I happen to find a live system with open ports. Most important among these is port 80, which usually means a web server is running.

I decide to take a closer look at the system by running a verbose scan as shown below.

On port 80, a program called Easy Chat Server is running. I check Metasploit for any exploits related to it and find one covering versions 2.0 to 3.1 of Easy Chat Server. I am not sure which version my target is running. I load the Easy Chat Server buffer overflow exploit and check its options.

I set the target IP and try the "check" command to see whether this exploit will work, but unfortunately this exploit does not support the check command. I decide to take my chances and execute the exploit using the "run" command.

Voila, I get a meterpreter session on the target. That's all for the Easy Chat Server buffer overflow exploit.


Serviio Media Server Command Execution

Hello aspiring hackers. Today we will learn about the Serviio Media Server command execution exploit. This exploit works on Serviio Media Server versions 1.4.0 to 1.8.0 (1.8 was the current version at the time of writing). Serviio is a free media server that streams media files (music, video or images) to renderer devices such as a TV set, Blu-ray player, gaming console or mobile phone on a home network. It is used by a number of organizations as well.

The media server has a console component that listens on port 23423 by default. The Metasploit module exploits an unauthenticated remote command execution vulnerability in this console: the console exposes a REST API whose 'checkStreamUrl' method does not sanitize the user-supplied 'VIDEO' parameter, and that parameter is passed into a call to cmd.exe. Anything an attacker places in the parameter therefore runs as a command on the server. Now let's see how this exploit works.
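The following is an added Python model of the flaw described above and of the fix a developer would apply; it is example code for this page, not Serviio's Java code, and the probe command (ffprobe) and its argument layout are assumptions. What the page establishes is only that the VIDEO value reaches cmd.exe unsanitized, so the model concatenates the value into a cmd.exe command line, shows what cmd.exe's command chaining makes of an injected value, and contrasts that with validating the URL and invoking the probe with an argument vector instead of a shell.

```python
"""Model of the Serviio checkStreamUrl command injection and a hardened
alternative.  Added example for this page; not Serviio's code.  The probe
command (ffprobe) and its argument layout are assumptions; the page's fact
is only that the VIDEO parameter is spliced, unsanitized, into a cmd.exe call.
"""
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https", "rtsp", "rtmp", "mms"}
# Characters cmd.exe treats specially on a string command line (defence in depth;
# the hardened path below never uses a shell at all).
CMD_METACHARS = set('&|<>^"\r\n')


class InvalidStreamUrl(ValueError):
    pass


def vulnerable_cmdline(video: str) -> str:
    """The bug's shape: caller-supplied text concatenated into one string for cmd.exe /c."""
    return f'cmd.exe /c ffprobe "{video}"'


def split_cmd_chain(cmdline: str):
    """Toy model of cmd.exe command chaining: & and | outside double quotes start a
    new command.  Simplified, but enough to show what an injected value adds."""
    commands, current, in_quote = [], [], False
    for ch in cmdline:
        if ch == '"':
            in_quote = not in_quote
        if ch in "&|" and not in_quote:
            commands.append("".join(current).strip())
            current = []
            continue
        current.append(ch)
    commands.append("".join(current).strip())
    return [c for c in commands if c]


def validate_stream_url(video: str) -> str:
    """Reject anything that is not a plain streaming URL before it reaches a process."""
    if any(c in CMD_METACHARS or ord(c) < 0x20 for c in video):
        raise InvalidStreamUrl("shell metacharacter or control character in URL")
    parts = urlsplit(video)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        raise InvalidStreamUrl(f"unsupported scheme or missing host: {video!r}")
    return video


def hardened_argv(video: str):
    """Validate, then build an argument vector: no shell, so no second command."""
    return ["ffprobe", validate_stream_url(video)]


if __name__ == "__main__":
    # Constructed attacker value: closes the quote and chains a second command.
    payload = 'http://x/a" & calc.exe & "'
    print(split_cmd_chain(vulnerable_cmdline(payload)))
    print(hardened_argv("http://10.0.0.5:8080/live.m3u8"))
```

The argument-vector form is the real fix; the metacharacter check only narrows what a validator has to reason about. Note that the same URL string is harmless to the hardened path and fatal to the vulnerable one, which is why a "check" that merely confirms the Serviio version cannot tell you whether a given deployment is actually reachable for this injection: that is what the exploit's own request establishes.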

So imagine an attacker who, while scanning multiple machines for this specific port as shown below, gets one positive result.

A version-detection scan with OS detection enabled makes it clear that a Serviio Media Server is running on this port and that the target OS is Windows, so the exploit applies.

Start Metasploit and load the module as shown below.

Set the target IP and check whether the target is vulnerable (remember, we know the target is running Serviio Media Server but have no idea yet whether it is a vulnerable version).

Once the "check" command confirms that the target is vulnerable, the other required options are set and the module is executed with the "run" command. We directly get a meterpreter session with SYSTEM privileges on the target. That's all for the Serviio Media Server command execution exploit.


Zabbix toggleids SQL injection exploit

Hello everybody. Today we will look at the Zabbix toggleids SQL injection exploit. First things first: what is Zabbix? It is enterprise-grade open source monitoring software for networks and applications, designed to monitor and track the status of network services, servers and other network hardware.

Zabbix uses MySQL, PostgreSQL, SQLite, Oracle or IBM DB2 to store its data. The backend is written in C and the web frontend in PHP. The server component runs on Linux and other Unix-like systems and is managed through its web interface; monitoring agents are available for both Linux and Windows. The project boasts over 13,000 downloads per week.

Zabbix 3.0.3 suffers from an SQL injection in the toggleids handling of its web frontend that can be exploited, without valid credentials, to read user credentials out of the database. Let's see how this exploit works. Start Metasploit and load the module as shown below.

As you can see, we need to set only one option, "RHOST", which is the IP address of the target running Zabbix. Once you have set the target, check whether it is vulnerable using the "check" command.

Once we know the target is vulnerable, executing the module with the "run" command dumps the current usernames and password hashes from the database into a JSON file. We can crack these password hashes offline and then log in to the Zabbix instance with the recovered passwords.
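As an added example of what to do with that dump, here is Python that loads such a file, recognises the hash format and runs a dictionary attack, then formats the remaining hashes for hashcat or John. This is not part of the Metasploit module: the JSON layout (a list of records with "username" and "hash" keys) is an assumption, and the dump and wordlist below are constructed for the demonstration. What is known is that Zabbix 3.x stores passwords in its users table as unsalted MD5 hex digests, so the default Admin password "zabbix" and the empty password of the built-in guest account have fixed, recognisable hashes.

```python
"""Working with the credential dump from the Zabbix toggleids SQL injection.

Added example for this page, not part of the Metasploit module.  Assumed:
the dump is a JSON list of {"username": ..., "hash": ...} records (the
module's exact file layout is not shown on the page).  Known: Zabbix 3.x
stores passwords in the users table as unsalted MD5 hex digests.
"""
import hashlib
import json

# Constructed sample dump.  The first two hashes are the MD5 of Zabbix's
# default Admin password "zabbix" and of the empty password of the built-in
# guest account; the third is generated here from a phrase not in WORDLIST.
SAMPLE_DUMP = json.dumps([
    {"username": "Admin", "hash": "5fce1b3e34b520afeffb37ce08c7cd66"},
    {"username": "guest", "hash": "d41d8cd98f00b204e9800998ecf8427e"},
    {"username": "monitor", "hash": hashlib.md5(b"n0t-in-any-list!").hexdigest()},
])

# Constructed wordlist for the offline demonstration.
WORDLIST = ["password", "admin", "zabbix", "", "Zabbix2016"]


def load_dump(text: str):
    """Parse the JSON dump and normalise the hashes to lowercase hex."""
    records = json.loads(text)
    for r in records:
        r["hash"] = r["hash"].strip().lower()
    return records


def hash_type(h: str) -> str:
    """32 hex characters is raw MD5, the only format a Zabbix 3.x dump should contain."""
    if len(h) == 32 and all(c in "0123456789abcdef" for c in h):
        return "md5"
    return "unknown"


def crack(records, wordlist):
    """Dictionary attack on unsalted MD5.

    Because there is no salt, every candidate is hashed once and looked up
    against all users at the same time.  Returns {username: plaintext} for
    the hashes that were recovered.
    """
    candidates = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return {r["username"]: candidates[r["hash"]]
            for r in records
            if hash_type(r["hash"]) == "md5" and r["hash"] in candidates}


def to_hashcat_lines(records):
    """user:hash lines for `hashcat -m 0 --username` or John's Raw-MD5 format."""
    return [f'{r["username"]}:{r["hash"]}' for r in records if hash_type(r["hash"]) == "md5"]


if __name__ == "__main__":
    recs = load_dump(SAMPLE_DUMP)
    print("recovered:", crack(recs, WORDLIST))
    print("\n".join(to_hashcat_lines(recs)))
```

Two things worth noticing: an unchanged default Admin hash means the instance can be entered without cracking anything, and because the hashes are unsalted, one pass over a wordlist covers every account in the dump at once. Anything the wordlist misses goes to hashcat or John via the user:hash lines.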

How to stay safe?

Patched versions of Zabbix are available; update your installation.


Authorization bypass in Polycom

Good morning ethical hackers. Polycom HDX devices are popular worldwide for video conferencing. They suit meeting rooms and conference halls of various sizes because they drive from one to three displays. The login component of the Polycom Command Shell on Polycom HDX video endpoints, running software versions 3.0.5 and earlier, is vulnerable to an authorization bypass when simultaneous connections are made to the service, allowing remote network attackers to reach a sandboxed telnet prompt without authentication.

So when all the conventional methods of getting access to a network have failed, this can serve as an entry point, provided of course that the target is using this product. Let us see how it can be used in our pen test. Start Metasploit and load the exploit as shown below.

Set the target and check whether it is vulnerable using the "check" command, as shown below.

You can keep the default payload or choose the one you need; I am using the payload shown below. After setting the payload, type the "run" command to launch the exploit. The exploit works as shown below.

That was about the authorization bypass in Polycom HDX endpoints.