Here’s a quick write-up about using the new ie_setmousecapture_uaf exploit in Metasploit. This was done in a test environment within my security lab.
For the past two weeks I’ve been closely following the new Internet Explorer zero-day, which affects all versions of Internet Explorer. About a week ago the code was disclosed; after the disclosure I’m sure that everyone in the security community knew it was only a matter of time before the exploit was packaged into the Metasploit Framework, and about 6 hours ago, it was!
A big thanks to Wei Chen for providing an excellent write-up on the Rapid7 community blog. As a side note, at this time remote code execution only works through IE 9, and additionally Microsoft Office 2007 or 2010 also has to be installed.
Some quick ifconfigs:
Let’s fire up the ie_setmousecapture_uaf exploit in msf on my host machine (10.10.10.2):
Notice that we have started the remote listener on port 4444. This will listen for a connection, which will be established when the victim hits this link:
The link can be sent to the victim through various means; my personal choice would be to convert the malicious link into a bitly or tinyURL first before sending it via email or a social media message/post to the victim. This adds a layer of obfuscation so that we can hide our real intent. For testing purposes I’m just going to send the plaintext IP to the victim machine.
The victim opens up the link in Internet Explorer. The response is just a generic white page; however, we can see that the URL has changed on the victim’s side. It appears that the Microsoft Office hxds.dll can be loaded into IE in order for the remote code execution to be leveraged.
On our host/attacker’s machine we can see that we have successfully spawned notepad as a process to migrate the payload to; from there we can open up the meterpreter session and do whatever we want with our victim’s machine.
Typically at this point the victim won’t suspect anything and will close the browser. However, our connection is still valid through the notepad.exe process due to the process migration. Let’s take a quick look over on our victim’s machine. As we can see, the process is still valid in memory until the user restarts their machine or potentially logs out.
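From the defender's side, the three observable artifacts in this write-up (hxds.dll being loaded into iexplore.exe, notepad.exe being spawned under the browser, and notepad.exe holding an outbound connection after the browser is gone) are each easy to key on in endpoint telemetry. The script below is an added example, not code from the original post or from Metasploit; it assumes a Sysmon-like `EventType key=value ...` line format that I constructed for illustration, and the sample events, host name, PIDs and paths in it are made up.

```python
"""Added example (not from the original post): host-based detection heuristics
for the post-exploitation behaviour the write-up describes.  The telemetry
format below is an assumed, simplified key=value layout, not a real product's.
"""
import os
import re
from typing import Dict, List, Tuple

# Constructed sample telemetry: one browser loading hxds.dll, a notepad.exe
# child spawned by the browser, that notepad.exe calling back to port 4444,
# plus benign noise (a normal notepad launch, normal browser traffic, and
# Office legitimately loading its own hxds.dll).
SAMPLE_EVENTS = r"""
ImageLoad host=WS01 image=C:\Program Files\Internet Explorer\iexplore.exe module=C:\Program Files\Common Files\Microsoft Shared\OFFICE12\hxds.dll
ProcessCreate host=WS01 image=C:\Windows\System32\notepad.exe parent=C:\Program Files\Internet Explorer\iexplore.exe pid=3120
NetworkConnect host=WS01 image=C:\Windows\System32\notepad.exe pid=3120 dest=10.10.10.2 port=4444
ProcessCreate host=WS01 image=C:\Windows\System32\notepad.exe parent=C:\Windows\explorer.exe pid=2208
NetworkConnect host=WS01 image=C:\Program Files\Internet Explorer\iexplore.exe pid=1540 dest=10.10.10.2 port=80
ImageLoad host=WS01 image=C:\Program Files\Microsoft Office\Office12\WINWORD.EXE module=C:\Program Files\Common Files\Microsoft Shared\OFFICE12\hxds.dll
"""

# key=value pairs whose values may contain spaces (Windows paths); a value
# runs until the next " key=" or end of line.
KV_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")

BROWSERS = {"iexplore.exe"}
# Utility processes that have no business opening outbound sockets; the
# write-up migrates into notepad.exe, which is the classic example.
NO_NETWORK_PROCS = {"notepad.exe", "calc.exe", "mspaint.exe"}
# Modules that are unexpected inside a browser; hxds.dll is the one the post names.
SUSPICIOUS_IN_BROWSER = {"hxds.dll"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, portable to non-Windows hosts."""
    return os.path.basename(path.replace("\\", "/")).lower()


def parse_event(line: str) -> Dict[str, str]:
    """Split 'EventType k1=v1 k2=v2 ...' into a dict keyed by field name."""
    event_type, _, rest = line.strip().partition(" ")
    fields = {"type": event_type}
    for key, value in KV_RE.findall(rest):
        fields[key] = value
    return fields


def detect(log_text: str) -> List[Tuple[str, str]]:
    """Return (rule_name, detail) alerts for every event matching a heuristic."""
    alerts: List[Tuple[str, str]] = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_event(raw)
        image = basename(ev.get("image", ""))
        module = basename(ev.get("module", ""))
        parent = basename(ev.get("parent", ""))

        # 1. Office help DLL mapped into the browser (the post's hxds.dll load).
        if ev["type"] == "ImageLoad" and image in BROWSERS and module in SUSPICIOUS_IN_BROWSER:
            alerts.append(("browser_loaded_hxds", f"{image} loaded {module}"))
        # 2. Browser spawning a utility process to migrate into.
        elif ev["type"] == "ProcessCreate" and parent in BROWSERS and image in NO_NETWORK_PROCS:
            alerts.append(("browser_spawned_utility", f"{parent} -> {image} pid={ev.get('pid')}"))
        # 3. A utility process making an outbound connection at all; this is the
        #    signal that survives the user closing the browser.
        elif ev["type"] == "NetworkConnect" and image in NO_NETWORK_PROCS:
            alerts.append(("utility_network_connection",
                           f"{image} pid={ev.get('pid')} -> {ev.get('dest')}:{ev.get('port')}"))
    return alerts


if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

Rule 3 is the durable one: once the payload lives in notepad.exe, the browser process and any web proxy logs tied to it stop being useful, but a notepad.exe with an established TCP session stays anomalous for as long as the session in the write-up stays alive.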
Thanks for reading guys.