Type : Tutorial
Level : Medium
Attacker O.S : Backtrack 5 R3
Victim O.S : Windows 7 SP1, XP, Server
Exploit Author : eromang, mahmud ab rahman, sinn3r
Merry Christmas and Happy New Year 2013 everyone, I hope all of you are great and healthy and always blessed, especially in this new year. Actually my holiday hasn't finished 🙂 because I still have a plan to go to Harbin, China next week to view the ice festival there; it's such a blessing 🙂 ..
Anyway, last year closed with security news that hit Internet Explorer 6, 7 and 8. Even though the vulnerability existed before the end of the year, it really trended in China and Taiwan. What I know is that the majority of internet users in China (more than 100 million) use Internet Explorer for their browsing activity, which is why they were hit very hard by this vulnerability.
Here's what I got from Metasploit about this exploit:
This module exploits a vulnerability found in Microsoft Internet Explorer. A use-after-free condition occurs when a CDwnBindInfo object is freed by FollowHyperlink2, but a reference is kept in CDoc. As a result, when the reference is used again during a page reload, an invalid memory that's controllable is used, and allows arbitrary code execution under the context of the user.
Please note: This vulnerability has been exploited in the wild targeting mainly China/Taiwan/and US-based computers.
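As an added illustration (not part of the original tutorial or the Metasploit module), here is a small C model of the bug class the description above names: one component releases the object while the document keeps a raw pointer, and the reload step then reads freed memory. The object, document and function names are assumptions; the `freed` poison flag stands in for what a debug heap or sanitizer would catch, and the fixed variant shows the defensive pattern of every holder taking its own reference.

```c
#include <stdlib.h>

/* Hypothetical model of the relationship the module description gives: a
 * bind-info object that a document keeps a pointer to. All names here are
 * assumptions for illustration, not the real Internet Explorer internals. */
typedef struct {
    int refcount;
    int freed;  /* poison marker, like a debug heap would leave behind */
} bind_info_t;

typedef struct {
    bind_info_t *pending;  /* the document's reference to the bind info */
} doc_t;

static bind_info_t *bind_info_create(void) {
    bind_info_t *b = calloc(1, sizeof *b);
    b->refcount = 1;
    return b;
}

static void bind_info_addref(bind_info_t *b) { b->refcount++; }

/* Dropping the last reference "frees" the object. The memory is kept and
 * poisoned here so a later use can be detected instead of crashing. */
static void bind_info_release(bind_info_t *b) {
    if (--b->refcount == 0) b->freed = 1;
}

/* The reload step: returns 1 if the document would touch freed memory. */
static int doc_reload_touches_freed(const doc_t *d) {
    return d->pending != NULL && d->pending->freed;
}

/* fixed == 0: the document holds a raw pointer and the navigation code drops
 * the only reference (the bug class described above); reload then hits freed
 * memory. fixed == 1: the document takes its own reference, so the object
 * survives the navigation step until the document itself lets go of it. */
int scenario(int fixed) {
    doc_t doc = { 0 };
    bind_info_t *b = bind_info_create();
    doc.pending = b;
    if (fixed) bind_info_addref(b);
    bind_info_release(b);  /* navigation code releases what it held */
    int uaf = doc_reload_touches_freed(&doc);
    if (fixed) { doc.pending = NULL; bind_info_release(b); }
    free(b);  /* real deallocation happens only once, at the end */
    return uaf;
}
```

`scenario(0)` reports the dangling use; `scenario(1)` shows that a reference held by the document keeps the object alive across the navigation step.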
1. Metasploit framework
2. Windows OS with Internet Explorer 6, 7 or 8
Attacker IP Address : 192.168.8.92
Victim IP Address : 192.168.8.90
1. Open your Metasploit framework console (type msfconsole from a terminal) and add the exploit and payload.
In the example above I could get the ie_cbutton_uaf exploit after updating my Metasploit framework database, but you can also download it directly from this link: https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/ie_cbutton_uaf.rb
2. Next we need to set the switches needed to make this exploit work, but first we need to see the available options for this exploit.
3. Now we need to configure the options.
4. Next we need to make sure the victim opens the link that was generated. In my example picture above it is: Using URL : http://192.168.8.92/ie. When the victim opens that malicious link, the attacker will notice it.
5. To check whether a new session was created or not, you can run the sessions -l command.
6. When the attacker interacts with that session (see picture below), we know that it is the victim machine…
We're in 🙂
1. Update your browser
2. When you feel something is incorrect while visiting a webpage, just leave it; don't continue.