PassiveX-based payloads and MS06-055

[mmiller at hick.org (mmiller at hick.org)]

On Tue, Mar 13, 2007 at 12:35:27PM +0100, Angelo Dell'Aera wrote:
> While doing few tests I noticed a strange behavior while trying
> to exploit the VML processing vulnerability in IE referenced by the
> Microsoft Bullettin MS06-055 on Windows XP SP1.
... 
> I see this behavior...
>
>
> msf exploit(ms06_055_vml_method) > exploit
> [*] PassiveX listener started.
> [*] Using URL: http://192.168.33.130:8080/pentest3
> [*] Server started.
> [*] Exploit running as background job.
> msf exploit(ms06_055_vml_method) > 
> [*] Sending PassiveX main page to client
>
>
> and it stops here. I tried using other PassiveX-based payloads with
> the same exploit but no luck... always the same result. Other non
> PassiveX-based payloads work instead.
>
> I took a look at the registry and everything seems to work fine since 
>
> Key: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
> Settings\Zones\3
> Values: 1004, 1200, 1201, 1001
>
> are changed to the value 0 as expected.

A few quick things to check:

1) What version of IE is installed on the machine?  I'm assuming IE 6,
but just need to be sure.

2) What happens when you manually bring up the PX site after the values
have been successfully altered?  In the previous example, you could try
browsing to:

http://192.168.33.130:10000//OPrZwdoVOupJ0PB4rCdiaWXi1wIB5e9s

There might be some additional information you can collect by doing
'setg LogLevel 3' and then taking a look at ~/.msf3/logs/framework.log.