Metasploit mailing list archives
PassiveX-based payloads and MS06-055
From: mmiller at hick.org (mmiller at hick.org)
Date: Tue, 13 Mar 2007 09:42:32 -0700
On Tue, Mar 13, 2007 at 12:35:27PM +0100, Angelo Dell'Aera wrote:
While doing a few tests I noticed a strange behavior while trying to exploit the VML processing vulnerability in IE referenced by the Microsoft Bulletin MS06-055 on Windows XP SP1.
...
I see this behavior...

msf exploit(ms06_055_vml_method) > exploit
[*] PassiveX listener started.
[*] Using URL: http://192.168.33.130:8080/pentest3
[*] Server started.
[*] Exploit running as background job.
msf exploit(ms06_055_vml_method) >
[*] Sending PassiveX main page to client

and it stops here. I tried using other PassiveX-based payloads with the same exploit but no luck... always the same result. Other non PassiveX-based payloads work instead. I took a look at the registry and everything seems to work fine since

Key: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
Values: 1004, 1200, 1201, 1001

are changed to the value 0 as expected.
A few quick things to check:

1) What version of IE is installed on the machine? I'm assuming IE 6, but just need to be sure.

2) What happens when you manually bring up the PX site after the values have been successfully altered? In the previous example, you could try browsing to:

http://192.168.33.130:10000//OPrZwdoVOupJ0PB4rCdiaWXi1wIB5e9s

There might be some additional information you can collect by doing 'setg LogLevel 3' and then taking a look at ~/.msf3/logs/framework.log.
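
An added example, not part of the original message or of Metasploit: a defensive audit that reads the text output of `reg query` for the Internet zone key named in the thread and reports which of the four values (1001, 1004, 1200, 1201) are set to 0. The function names and the sample output are constructed for illustration; the value descriptions are the standard IE URL-action meanings for those IDs.

```python
import re

# URL action IDs named in the thread, with their standard IE meanings.
WATCHED = {
    "1001": "Download signed ActiveX controls",
    "1004": "Download unsigned ActiveX controls",
    "1200": "Run ActiveX controls and plug-ins",
    "1201": "Initialize and script ActiveX controls not marked safe",
}
ENABLED = 0  # URL policy value 0 = allow without prompting

ROW = re.compile(r"^\s+(\S+)\s+REG_DWORD\s+(0x[0-9a-fA-F]+)\s*$")
ZONE3 = re.compile(r"\\Internet Settings\\Zones\\3$", re.IGNORECASE)

def audit_zone3(reg_query_output):
    """Return {action_id: meaning} for watched actions set to 0 in Zone 3."""
    findings, in_zone3 = {}, False
    for line in reg_query_output.splitlines():
        if line and not line[0].isspace():  # unindented line = key header
            in_zone3 = bool(ZONE3.search(line.strip()))
            continue
        m = ROW.match(line)
        if in_zone3 and m and m.group(1) in WATCHED:
            if int(m.group(2), 16) == ENABLED:
                findings[m.group(1)] = WATCHED[m.group(1)]
    return findings

def matches_thread_pattern(reg_query_output):
    """True only when all four values are 0 together, as the thread describes.
    A single value at 0 can be ordinary policy, so it is not flagged alone."""
    return set(audit_zone3(reg_query_output)) == set(WATCHED)

# Constructed sample: Zone 3 with the four values at 0, plus another zone
# and unrelated values that must not be reported.
SAMPLE = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
    1001    REG_DWORD    0x0

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
    1001    REG_DWORD    0x0
    1004    REG_DWORD    0x0
    1200    REG_DWORD    0x0
    1201    REG_DWORD    0x0
    1400    REG_DWORD    0x0
    1E05    REG_DWORD    0x20000
"""

if __name__ == "__main__":
    for action, meaning in sorted(audit_zone3(SAMPLE).items()):
        print(f"Zone 3 action {action} is enabled: {meaning}")
    print("All four relaxed together:", matches_thread_pattern(SAMPLE))
```

The key is per-user (HKCU), so the query has to be run in the context of each account being checked.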