Metasploit mailing list archives
ie_unsafe_scripting.rb exploit module
From: egypt at metasploit.com (egypt at metasploit.com)
Date: Wed, 28 Jan 2009 08:58:59 -0700
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 natron, What would you think about modifying this so it would wrap the javascript in the required html to make it work standalone if the users set a URIPATH that didn't end in ".js"? - --egypt -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: http://getfiregpg.org iEYEARECAAYFAkmAgMMACgkQABHabZqEWJ2hAACfUGDC0putkiOewfgenMsehzDx ebgAn1NhuqS4TTOIrnl15QZNp5Eket0d =nHyL -----END PGP SIGNATURE----- On Tue, Jan 27, 2009 at 10:51 PM, natron <natron at invisibledenizen.org> wrote:
Updated version to do away with the xmlhttp stuff and just write the binary directly to disk; still no XSS scanning implemented: http://blog.invisibledenizen.org/2009/01/ieunsafescripting-metasploit-module.html n 2008/12/23 Joshua Smith <lazydj98 at yahoo.com>:Might add #for intranet sites usually <orgName>web<suffix> #e.g. metasploitweb <orgAcronym>web<suffix> #e.g. msfweb (no pun intended) <orgName>www<suffix> #metasploitwww <orgAcronym>www<suffix> #msfwww also exchange exchangeserver some additionaly possible recon vectors: -some places are starting to use the google suggest feature on their intranet pages, any way to abuse? (I guess you could sniff the letters that are "suggested" but that wouldn't tell you the intranet host) -most corporate users' start page is usually set to intranet page, any way of discovering? Since you also seem to have access to the wscript.shell, you could read the homepage value using vbs & wmi, send the result to the payload to use as the first query (if not external): On Error Resume Next Const HKEY_CURRENT_USER = &H80000001 strComputer = "." Set objReg = GetObject("winmgmts:\\" & strComputer & "\root\default:StdRegProv") strKeyPath = "SOFTWARE\Microsoft\Internet Explorer\Main" ValueName = "Start Page" objReg.GetStringValue HKEY_CURRENT_USER, strKeyPath, ValueName, strValue If IsNull(strValue) Then Wscript.Echo "The value is either Null or could not be found in the registry." Else Wscript.Echo strValue End If On Error Resume Next -Josh H D Moore wrote: server<suffix> webserver<suffix> mailserver<suffix> client<suffix> user<suffix> printer<suffix> backup<suffix> mail<suffix> web<suffix> www<suffix> intranet hr<suffix> With the suffix being something like: 0-9, 00-99, A-Z, AA-ZZ, -old, -new, etc ________________________________ From: H D Moore <hdm at metasploit.com> To: framework at spool.metasploit.com Sent: Wednesday, December 17, 2008 2:39:06 PM Subject: Re: [framework] ie_unsafe_scripting.rb exploit module On Wednesday 17 December 2008, natron wrote:So you have to know the server name. What are our options? 1) Just scan localhost for default apps running on default ports and ignore external servers. (Think workstation management apps, virus scan consoles, stuff like that.)I agree that localhost should be included in every test, regardless of how we do this next part.2) Discover through unknown external methods (like identifying their naming scheme through some webserver information disclosure, then generating a list of permutations... or a compromised DNS server) and have the mod import a file.Makes sense, lets punt this to the user and let them specify a file containing a list of hosts to try.3) Pre-populate a list of guessed naming schemes.I think we should include a default file with common server names.How do you propose we do 3)? That doesn't sound easy or very successful. In most environments I see, the naming schemes are all over the map.A few naming schemes seem really common and its something to start with at least. To get the ball rolling, I would suggest using a few base names and then permuting them based on common naming conventions: server<suffix> webserver<suffix> mailserver<suffix> client<suffix> user<suffix> printer<suffix> backup<suffix> mail<suffix> web<suffix> www<suffix> intranet hr<suffix> With the suffix being something like: 0-9, 00-99, A-Z, AA-ZZ, -old, -new, etc So the question becomes, at what number of permutations does that list become infeasible? -HD _______________________________________________ http://spool.metasploit.com/mailman/listinfo/framework _______________________________________________ http://spool.metasploit.com/mailman/listinfo/framework_______________________________________________ http://spool.metasploit.com/mailman/listinfo/framework
Current thread:
- ie_unsafe_scripting.rb exploit module natron (Jan 27)
- ie_unsafe_scripting.rb exploit module egypt at metasploit.com (Jan 28)