Hack Like a Pro: How to Exploit IE8 to Get Root Access When People Visit Your Website

This is good only if the victim is on the same net,but how to make exploit so that cant be not internal ip adres of my comp but external ip adres.Please cant you help me andrstend???

Don't take my word on it, because I haven't tried it yet, but I do believe you could do this off of your wifi. It would be possible if you were to port forward and set local IP as your IPv4 address.

What exploit do you suggest that will work on Windows 8 with someone using Chrome? I assume this exploit will only work on Internet Explorer. The PDF option won't work because Windows 8 has its own PDF viewer.

Beachbum:

Every exploit is specific to every application and operating system. Off the top of my head, I would suggest attacking Word 2010.

Windows 8 is still very new and there are not many exploits developed for it. It takes awhile to find an operating systems holes.

OTW

If they are trusting enough to open any file you send them, is there a way to just embed the meterpreter into an exe or zip file?

Hi, I have a doubt about this.

When I execute the web page with the malicious code inside, metasploit show me this lines:

* 192.168.1.50 ieunsafescripting - Request received for /QvLMsq
* 192.168.1.50 ieunsafescripting - Encoding payload into vbs/javascript/html...
* 192.168.1.50 ieunsafescripting - Sending exploit html/javascript

* 192.168.1.50 ieunsafescripting - Exe will be eJxrYg.exe and must be manually removed from the %TEMP% directory on the target.

and then stays there, this is correct or should show me the metepreter prompt?, I went to the path of TEMP folders but i don't find anything with the name "eJxrYg.exe" as it says in the last line above, what's this exe?, what can i do whith this?

I'm doing this right or maybe I'm doing something wrong? I appreciate you clarify me this doubt.

Brian.

Brian:

First, are you trying this on a IE8?

OTW

Yes, I tried it on IE6 in XP and on IE8 in W7.

Brian.

Did you get the same results in both?

Yes, i get the same results, there is a screenshot of what it shows me when i execute the web page with the code inside.

I'm curious about that "exe" that is generated.

The .exe is the meterpreter on the victim machine.

Brian:

It looks like the message you received is consistent with the meterpreter being sent to the target. If you now go to the target, you should have a IE security warning in IE. If you click allow, the meterpreter will launch and connect to your machine.

Hope this helps.

OTW

Yes I received the security warning which I accept but nothing happens, I will keep trying this.

Thank for the kind help.

I encounter the same question. Could you tell me how to solve the problem? Thanks

Thank you OTW for this tutorial.. I came across this question and would like to hear your feed backs.

Describe any two language defects that a hacker can use to create an exploit. For example, SQL";", binary HTML/XML injection, late-bound substitution, C string buffer overflow, binary fuzzing, .. etc.

Jacob:

C buffer overflows and SQL injection are the two most common type of exploits.

OTW

can this work for windows eight? and if not what method would of getting root access would be for windows eight users

Jack:

Exploits are very specific to OS, apps, services, ports, and even language. Since Windows 8 is fairly new, few exploits have yet been developed for it. In addition, Windows 8 is a client OS. Hackers want servers because that is where the money is, so exploits are developed for those first.

OTW

okay . by any chance have you done something for windows 7 and google chrome ? or know anything about it

Jack;

There are numerous hacks for Windows 7. I'll be doing a series on Windows 7 hacks soon. Most client side hacks will work in 7.

OTW

sweet will be looking forward to them

It gives me the this error:
Failed to load modeule: /exploit/windows/browser/i.e.unsafescripting

PD: When I search for the exploit metasploit doesn't find so I supose that for some reason I don't have it.

Thanks,

Cesar:

From the Metasploit prompt, type;

msf > search i.e._unsafe_scripting

That should locate it.

OTW

I didn't find it. It only leaves a space and then nothing.

Are using Kali or BT?

Just try

msf > search unsafe

OTW

Thanks, I found it

Good.

Everything goes right until I send the link. The browser hangs in Internet Explorer but nothing happens on my end. Anyway to fix this so that it connects to their machine?

Jared:

What is the OS of the target?

OTW

It's running Windows 7

What version of IE?

Ahh, I just realized that it's IE 11. Do you have any tutorials on that? Because the target is never going to download a malicious Microsoft Office or Adobe Acrobat file. So the only way is to send them the malicious link.

Jared:

I don't have any up yet for IE11 but I will soon.

I have to disagree with you regarding the malicious Office or Adobe files. Although MOST people wont download them, people do every day and then compromise the entire network. Some of the greatest hacks in history were done this way.

OTW

If I use that method, will they have to keep the document open? Or at least on their computer? I may be able to get them to download it, but I'm not sure if they will leave the file open or keep it on their PC.

Jared;

They just need to click on it once and then you have them!

OTW

Okay, thanks I'll check back once I try that. Thanks for all of the help!

Hey OTW,

I don't know much about IP's yet, but I do know that my Local Host is off, and I know that everything is changed in a text document so maybe I have to change it in one of those files? First question, what is a Local Loopback compared to Ethernet? I get two IPs: 10.0.2.15 and 127.0.0.1, which one should I be using? And this brings me to the second question, when I tried doing the IE8 exploit, I never got a connection back in my interpreter, I made sure it was Internet Explorer 8 running on windows 7, does it have something to do with my IP adress? if so how do I change it to be usable? By the way, I am using Kali in Virtual Box.

Thank you in Adance

-Anon

Macro:

This is really material for a whole new tutorial. Maybe, I'll do a tutorial "networking for aspiring hackers".

First, the loopback address 127.0.0.1 is only for internal to your machine use. It does not appear to the outside world. You should be using the 10.0.2.15 address.

The failure of this exploit could be due to many things. Of course, the correct IP address is the first thing to check. Do you have connectivity between the victim and your computer?

OTW

I am running Kali in a VM on my Victim windows 7 host, is that good enough?

Perhaps it can go under the linux for aspiring hackers series. Under I don't know, part 6 because we clearly don't have one of those....

Ex1s7:

Do you think I should start a "networking fundamentals" series? I value your opinion.

OTW

Honestly master, i believe it is something that people should be interested in BEFORE they start trying to learn how to hack...... Plus there are others on Null Byte from Allen Freeman, Alex Long, perhaps if those were gathered up and put in a section by themselves you could just gloss over the top and cover anything that is missed in them. Would save you writing a whole 'nother series.

I agree with you, but from the questions I have been getting, I am considering a whole "nother series".

That is entirely up to you, but that list must be getting quite long, and its going to take time away from other series'. Perhaps you could delegate this one out.

Good point.

Should be, but I can't say for certain.

Can they ping each other? Are they on the same subnet?

Whenever i try to use an exploit i get:
"failed to load module: ieunsafescripting"

i'm inside, msf, tried using other exploits but error reproduces, i must be doing smt wrong. reboot didn't help. Where should i be troubleshooting?

Thx for the tutorials OTW, they're great.

WYGUF:

What exactly are you typing into your msfconsole?

Your command should be "use exploit/windows/browser/ie_unsafe_scripting" with out the quotes. Remember its always use and then the path to the exploit

"use /exploit/windows/browser/i.e.unsafescripting" is what i'm typing but errors, failed to load... Even when i cd into Pentest/exploits/framework/modules/exploits/windows/browser, which is my path to the unsafe scripting exploit,

and then type use i.e.unsafescripting it errors. I guess it's smt else than a wrong path..

ignore the funny spacing in that response too. I don't know why WHT has done that...

I've been caught out heaps by putting
"use exploit windows/browser..." or
"use /exploit/windows/browser..."
both of these will bring up the failed to load module error

I must be typing smt wrong but I just can't find it, tried a lot more than these:

When in top folder msf:
use /exploit/windows/browser/i.e.unsafescripting
use/pentest/exploits/framework/modules/exploits/windows/browser/ieunsafescripting
use pentest/exploits/framework/modules/exploits/windows/browser/ieunsafescripting

when inside the browser folder:
use ieunsafescripting
use ieunsafescripting.rb

Wyguf:

Are you in the Metasploit console?

OTW

yes OTW, i'm inside msfconsole
lines begin with msf >

Weird that when im inside the folder pentest/exploits/framework/modules/exploits/windows/browser (I can look at the ie_unsafe_scripting.rb exploit) and type use ie_unsafe_scripting, error reproduces 'failed to load module'. maybe msf is expecting a module instead of exploit?

Wyguf:

From the msfconsole, type "search ie_unsafe_scripting". It should find the exploit and then you can simply copy and paste.

OTW

Don't know what i did wrong previously, prob typo
but that did it, thanks OTW
I guess LHOST parameter should be replaced with own server IP to make it real life operational for testing right?

Wyguf;

Glad to hear you have it loaded.

LHOST is your attack server IP.

OTW

Hey OTW, can you please do a tutorial on using browser autopwn over WAN?

I have it on my agenda.

Does this work on MS Server 2012???

This is a client side hack not a server hack.

Hello! Im Access Granted or AG and I just recently joined null byte but I have been looking at it for a couple of days. Anyways, ill get straight to the point. Im trying to establish a meterpreter connection to another computer (running IE 8) I go through all the steps and finally when I go to type in the ip and letters on the other computer (I have physical access to the victim computer) it comes up with nothing. So I go back to my attacking computer and also see nothing in my console. So, to try something out I typed in the address on the same computer I'm attacking from and it says a couple of thing in the console about how someone reached the site and it was uploading the meterpreter or whatever but then it never comes up with a meterpreter prompt. Ive tried everything within my knowledge and I finally gave up and came here. Thanks in advance

AG

i did this and it says
"sending exploit"
and then stops
what do i do know !?

First, Welcome to Null Byte!

Second, do you have connectivity to the target? Can you ping it?

Third, does the target system have IE8?

There are many reasons that this could have failed. More information is helpful. Can you send screenshots?

OTW

1. thanks!
2. how do you ping a target?
3. ie7
4. not at the moment

target and attacker

pinging the system and attacking

THE ANNOYING BUG HAPPENING TO ALL OF MY EXPLOITS!!!!
im kidding =, but im wondering why its happening
Thanks!

Have you done Step #7???

It doesn't look like you did.

I thought you could send the link directly!!! I will try this tomorrow?!

All you have done so far, it set up a malicious web server with the exploit. The victim must now click on the link.

The victim has. You can see this by the ip 192.168.43.216 request recieved

Although this is happening with many of my other attempts at exploiting. What should I do?

I think it might be meterpreter. Do I have to turn it on or set it up???

Every exploit is specific to every application and operating system. Off the top of my head, I would suggest attacking Word 2014.

Windows 8 is still very new and there are not many exploits developed for it. It takes awhile to find an operating systems holes.

More sources go to
http://www.ladyfashiondress.com

i dont understand step 7 . after done till step 6, how to add frame tag or send the link to victim directly

Unmai:

You can just send the URL in an email or add that iframe to your website.

OTW

i dont know any details about the victim except we are on the same wifi network. is there any way to install meterpreter in victim computer. also i have router control

Unmai:

You need to do reconnaissance using nmap, xprobe2, or hping. Check out my tutorials on these tools.

OTW

why is this only a client side exploit?
this limits the use of this a lot if you have to be on the same network.

You don't have to be on the same network.

Hello, is a static ip address necessary ?

Hello,

I created the link and send it to the victim pc and when the link is clicked

i see these 2 lines
192.168.1.105 ieunsafescripting - Request received for /5zop1N
192.168.1.105 ieunsafescripting - Sending exploit html/javascript

after that nothing happens the meterpreter does not show up what i m doing wrong here...

Thanks,

Is the victim using IE8 as described in the tutorial?

No its IE 11.. But it was upgraded from ie8 to ie 11.. so this should work is it...

No.

As the tutorial states, it will only work with IE8 and earlier.

Where did you get the crazy idea that because it was upgraded from IE8, it will work? Why do you think that software developers upgrade their products?

Follow my instructions and the hack will work.

what information is required to hack out of lan...........?

This hack will work in or out of the LAN.

Is it possible to hack without sending a malacious media, software or link?

yes

Ït's keep saying failed to load module.

Good jod thank. but if victim don't run file?

Hi, i love how do you explain.. few answers:

1 - will this work in 2018 (with advanced versions of IE)?

2 - victim's firewall/antivirus will not detect any anomaly?

3 - in case, how to encrypt payloads?

4 - to get a session, the victim just need to load the page that host the iframe or have to click on the iframe link itself?

5 - which way to save sessions for future working (persistence)?

Many thanks!

hi there,
I am new to null byte. I followed all the steps. I have attached an image and I'm stucked there. Can anyone help me out please?