WINDOWS 7 - EXPLOITATION
- Layout for this exercise:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhK9hYIGo2rvAe4eCnimvG0xVbJI3rnzv5DAKv_3KcWXmEXz9btWeNi5pcYBWDM42mcNE8q3HY34KsXPY2S_5WbmfH18RYUApU3gdVQB58r22Lsursu1meNVL27FJp0daKKWcFRAsqNUOM4/s1600/W7_LAYOUT.jpg)
- BadBlue is a file-sharing web server application for Windows systems that allows users to share files.
http://www.badblue.com/down.htm
- However, this application suffers from a stack buffer overflow vulnerability in the PassThru functionality of ext.dll, affecting versions 2.72b and earlier:
https://www.exploit-db.com/exploits/16806/
- Once BadBlue has been downloaded and installed and the license agreement accepted, it is running on Windows 7 on TCP port 80:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh9lPicoEFuqZ_jOSwVcA9yCXz8bgey6ZdF_8L97Xa9iWqXVJq_E3vmtH3NJhW61Wz82sZOILvt4GyJeFI_XcdBd3PK896JdfgsbFzaansBKliTfZSLFTu6D2_S7tywGxVjgk4-xu0mXt-s/s1600/screenshot.2.jpg)
- The attacker detects that the BadBlue web server is running on the victim's port 80:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjMZg_evKP-xGH1l4m_eDOypii6H1JxHwVEBxwJKBq88J_PSZZKbpPbYwTcB4tpDiRW6n1r_ABYipG68tJ-JMzw1F0bVII2uhf2Amv-f-E-CxQZCbsW_qZvRI5JQPObsPP3KrvGebBwsG6n/s1600/screenshot.15.jpg)
- Searching for BadBlue exploits in the Metasploit Framework:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiGmHtC8k4cnuERUR1Fr2_dChkZZZJhMkKvqPQDH3kpUtNwUBW4nqDvQsheuI27DEmkoG0VxOsX7FR4uJecjPaTivlbXXJk-XL4zKS_o3bFZNIFt83BllLCQ7ECQcXqeI3LYP3StvXmPJ7_/s1600/screenshot.3.jpg)
- Let's try this exploit:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjQJeETz9dGARrf30nwS5H8KiDfIEtV7-j-n9yGm3H6YF8VNxNHktK4xEQ8HQsnijaZS3oS6nNV_rZIw_UK2p2HKdyAdl8bWAursXFwDZMDfyW6lpSHSMrR1XMNEmMnhLE3JtzIUCdTTzIZ/s1600/screenshot.4.jpg)
- Options for this exploit are simple:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi25Yr4TTlKZtQrwQzF49RQSgZQgxqvGHQq9TXBImPk8u5dTDsiwKg_v7v7EXHH44R9sPtx_HZ-9nmltepknj5vmD8K76IjXV_mEZSGVe4KenZLOA26wedEodyqd3RSFrE9y-aHKfFmpuXZ/s1600/screenshot.5.jpg)
- The remote host is set to the victim's IP:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiSXzHOP3ZlosqTYe-98fgVWh1JA2aut7xoaLZxKMjFfTFWYBzrR5j_pN5DsUMNB-iU5nQLgFhUgXgsnTDconVc8mSgKQHYHr_OPVjLH5XW73rzz1gJPJ1xDMDvEgejSf4Te13ekKQVkXxt/s1600/screenshot.6.jpg)
- The exploitation is successful:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjJf3w9w1klE8QgB07Aqj1dYZyvSLDTvjzqnHOZ3u6oqgvioI8ZLB9rF8pUL3nFnh68ldS9bonszg0YQXJvESho_3GWzMLbAXQ5vJbdbno-f6hpEfI03MwDLgFMXGldRGXIdR0xM6hQ7Jj7/s1600/screenshot.7.jpg)
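- From the defender's side, the useful check is whether an installed BadBlue instance falls into the affected range (2.72b and earlier) described above. The script below is an added example, not code from the post or from BadBlue; it assumes the server announces itself in a Server header of the form BadBlue/2.72b, and the host/header pairs are constructed samples.

```python
import re
from typing import Dict, Optional, Tuple

# Newest BadBlue release affected by the ext.dll PassThru stack overflow (from the post).
LAST_VULNERABLE = "2.72b"


def parse_version(text: str) -> Optional[Tuple[int, int, str]]:
    """Turn '2.72b' into (2, 72, 'b'); a trailing letter is a sub-release, and
    no letter sorts before 'a' so that 2.72 < 2.72b < 2.72c."""
    m = re.fullmatch(r"(\d+)\.(\d+)([a-z]?)", text.strip().lower())
    if not m:
        return None
    return int(m.group(1)), int(m.group(2)), m.group(3)


def banner_version(server_header: str) -> Optional[str]:
    """Extract the version from a Server header such as 'BadBlue/2.72b'
    (assumed banner format; returns None for any other server)."""
    m = re.search(r"badblue/\s*([0-9][0-9a-z.]*)", server_header, re.IGNORECASE)
    return m.group(1) if m else None


def is_vulnerable(version: str) -> bool:
    """True when the version is 2.72b or earlier, i.e. inside the affected range."""
    v = parse_version(version)
    limit = parse_version(LAST_VULNERABLE)
    return v is not None and v <= limit


# Constructed sample inventory (host -> captured Server header), not real scan data.
SAMPLE_HEADERS: Dict[str, str] = {
    "10.0.0.5": "Server: BadBlue/2.72b",
    "10.0.0.6": "Server: BadBlue/2.85",
    "10.0.0.7": "Server: Apache/2.4.41 (Ubuntu)",
}


def triage(hosts: Dict[str, str]) -> Dict[str, str]:
    """Classify each host so the affected instances can be patched or taken offline."""
    findings = {}
    for host, header in hosts.items():
        ver = banner_version(header)
        if ver is None:
            findings[host] = "not BadBlue"
        elif is_vulnerable(ver):
            findings[host] = f"BadBlue {ver}: affected (<= {LAST_VULNERABLE}), upgrade or take offline"
        else:
            findings[host] = f"BadBlue {ver}: not affected by this issue"
    return findings


if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_HEADERS).items():
        print(host, verdict)
```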