Hello friends. A while ago, we saw the Poison Ivy buffer overflow exploit. This exploit is just like the Poison Ivy exploit, but this time we target the Darkcomet RAT. (We will learn more about Darkcomet and RATs later.) In this case the exploit only lets us download a file from the system running the Darkcomet server.
Start Metasploit and load the exploit as shown below. Type “show options” to see the options we need to set. Most of them are the usual ones you are familiar with, but there are some new options: NEWVERSION, STORE_LOOT and TARGETFILE.
- NEWVERSION: This exploit works on all Darkcomet versions from 3.2 upwards. If the version we are targeting is above 5.1, we need to set this option to “true”.
- STORE_LOOT: If you set this option to true, the downloaded file is stored in loot. If the option is false, the contents of the file are printed to the console.
- TARGETFILE: The file to be downloaded from the remote system.
Set the options as required. I have set the STORE_LOOT option to false. If you don’t set a TARGETFILE, the module downloads the Darkcomet configuration file by default.
Now run the exploit. The contents of the Darkcomet configuration file are displayed, as shown below.
Now let’s try to download another file. For this we need Darkcomet’s RC4 key; the password shown in the config file is of no use here. However, there is a high probability that no password has been set, in which case we can simply set the DC prefix as the key and run the exploit as shown below.
Here I am trying to download the hosts file but get an error. It’s probably Windows UAC protecting that file.
Now let’s create a text file called hello.txt in the admin folder with the content “hello hacker”. Set this as the target file and run the exploit. The text of the file is successfully displayed, as shown below.