Tips for an Information Security Analyst/Pentester career - Ep. 42: Client-side attacks (pt. 3)

This time we're going to analyze a client-side attack that uses a buffer overflow exploit (exploit/windows/fileformat/winamp_maki_bof), delivered through a vulnerable Winamp version, available here.

This module creates a malicious script to be placed inside the "scripts" subdirectory of a Winamp skin.

When Winamp loads this crafted skin, the script triggers the buffer overflow.

We set up our usual reverse shell payload, configuring LHOST as our Kali VM's IP address.

The exploit creates a file in the root directory.

Moving to our Windows 7 VM, we need to copy the C:\Program Files (x86)\Winamp\Skins\Bento directory to our Kali VM.

In Kali, we copy the file created with Metasploit into the Bento\Scripts folder, after renaming Bento to Rocketship.

Then, we zip the Rocketship folder and copy it to /var/www/html.

We set up a handler (multi/handler) to pick up the reverse connection from the victim machine and assign it the familiar windows/meterpreter/reverse_tcp payload.

With that being done, we can download the zipped file to Windows 7 and get ready to launch the exploit.

When we launch Winamp with the Rocketship skin, it crashes and the buffer overflow gives us a session on the victim machine.
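The delivery chain above works because a compiled script is dropped into an otherwise legitimate skin, which is then renamed and zipped. The following Python check, added here as an example and not part of the original post, shows how a defender can vet a downloaded skin archive before it reaches a Winamp install: every script inside the zip is compared, by path relative to the skin's top-level folder, against a baseline of hashes taken from a clean copy of the stock skin, and any entry that would extract outside the skins directory is rejected. The stock files, the sample archive and the script bytes are all constructed for the example; the `.m`/`.maki` extensions are the MAKI source and compiled forms, and the baseline-building helper is assumed to be fed the untouched Bento directory of a clean install.

```python
import hashlib
import io
import posixpath
import zipfile

# Winamp skin scripts: ".m" is MAKI source, ".maki" the compiled form loaded by Winamp.
SCRIPT_EXTENSIONS = {".maki", ".m"}

# Constructed stand-in for the stock skin's files. In practice this baseline is
# built from the untouched Bento directory of a clean Winamp install.
STOCK_SKIN_FILES = {
    "skin.xml": b"<skin/>",
    "Scripts/player.maki": b"stock player script (constructed bytes)",
    "Scripts/eq.maki": b"stock eq script (constructed bytes)",
}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def baseline_from_files(files: dict[str, bytes]) -> dict[str, str]:
    """Hash every script in a clean skin tree: {path relative to skin root: sha256}."""
    return {
        path: sha256(content)
        for path, content in files.items()
        if posixpath.splitext(path)[1].lower() in SCRIPT_EXTENSIONS
    }


def build_sample_archive(files: dict[str, bytes], top: str = "Rocketship") -> bytes:
    """Constructed zip mimicking the post's delivery: every file is placed under a
    renamed top-level skin folder (Bento -> Rocketship)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for path, content in files.items():
            z.writestr(top + "/" + path, content)
    return buf.getvalue()


def inspect_skin_archive(data: bytes, baseline: dict[str, str]) -> list[dict]:
    """Return one finding per suspicious entry in a skin zip.

    Scripts are compared to the baseline by their path relative to the skin's
    top-level folder, so renaming that folder does not hide a dropped script.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for info in z.infolist():
            name = info.filename
            norm = posixpath.normpath(name)
            # An entry that would extract outside the skins directory is rejected
            # outright, whatever its extension.
            if posixpath.isabs(name) or "\\" in name or norm == ".." or norm.startswith("../"):
                findings.append({"entry": name, "reason": "path escapes archive root"})
                continue
            if info.is_dir():
                continue
            parts = norm.split("/")
            relative = "/".join(parts[1:]) if len(parts) > 1 else norm
            if posixpath.splitext(relative)[1].lower() not in SCRIPT_EXTENSIONS:
                continue
            expected = baseline.get(relative)
            if expected is None:
                findings.append({"entry": name, "reason": "script not in stock skin"})
            elif expected != sha256(z.read(info)):
                findings.append({"entry": name, "reason": "script modified vs stock skin"})
    return findings


if __name__ == "__main__":
    baseline = baseline_from_files(STOCK_SKIN_FILES)
    dropped = {**STOCK_SKIN_FILES, "Scripts/rocket.maki": b"dropped script (constructed)"}
    for finding in inspect_skin_archive(build_sample_archive(dropped), baseline):
        print(finding)
```

Comparing relative paths rather than full entry names is the point of the check: the post's rename from Bento to Rocketship changes nothing below the top-level folder, so the extra `Scripts/rocket.maki` still shows up as a script the stock skin never shipped. Hash comparison also catches a stock script replaced in place, which a name-only allowlist would miss.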

I'm unable to perform a privilege escalation, so I background the session and use a different exploit (exploit/windows/local/bypassuac) to achieve it.

I can successfully achieve privilege escalation.

Wrap-up

Once again, we were able to successfully hack an otherwise hardened system thanks to a vulnerable, outdated piece of software installed on a specific client.

This reinforces the concept that updates are not only recommended but paramount for the very survival of an organization.
