Metasploit mailing list archives
Idea for a new payload : Manipulate Internet Explorer with OLE AUTOMATION
From: thierry.haven at xmcopartners.com (Thierry Haven)
Date: Thu, 17 Feb 2005 14:51:30 +0100
Hi,

The idea is to create and maintain a data stream between a client computer running an Internet browser and a remote management console. The generic principles are explained here: http://www.xmcopartners.com/whitepapers/intrusion-agent.pdf But we need to use an existing browser component as an "intrusion agent". Here's the deal.

To get a cmd.exe shell or to create a network bridge, you need a permanent bidirectional channel between the hacked computer and your management console. Thus, you need two sockets: one for the upload, the other one for the download. It's due to the way proxies handle responses (like with QuicktimeVR). The client tries to establish a communication between the local (infected) computer and your remote console through a proxy server. The idea is to create two outbound sockets from the hacked computer: one for an HTTP GET like http://you/get.jsp, and a second one with a never-ending HTTP POST.

Once established, the client sends a "GET" HTTP request via the proxy and waits for the "200 OK" from the server. It's like a big file download. Commands from the console are sent through the GET response (200 OK). When a command is received, a response (data) may be sent through the "POST" channel to the remote console. Consequently, in our case here, the console behaves like an HTTP server. Depending on the actual setup, proxies and firewalls are usually bypassed with such a trick because we use a trusted component to communicate.

Integrating the malicious code in a browser may be achieved by creating a browser helper object (like spyware/adware usually do; see http://securityresponse.symantec.com/avcenter/venc/data/adware.browseraid.html) or by injecting a DLL into a network process (http://www.codeguru.com/Cpp/W-P/dll/article.php/c105/). Hard patching by modifying the IAT may also be done, but in this case, the Windows File Protection (WFP) has to be disabled or hooked. Using OLE, there is a good PoC: http://nicob.net/jab/JAB-0.5.tgz. Please refer to http://www.nicob.net/jab/Presentation-SSTIC.pdf (French) for the presentation.

Another problem then arises: the proxy credentials (NTDLM, AD or Basic Authent). Nowadays, proxies need authentication and the agent must use them. However, good antivirus products usually detect code injection, hard patching and malicious components... There are still other (less known) solutions...

Best regards,

_______________________________________
Thierry Haven - Xmco Partners
Security Consultant / Penetration Testing
tel: 33 1 53 45 28 63
web: http://www.xmcopartners.com
16 place Vendome 75001 PARIS

ALLAIN Yann wrote:
Hi all,

First, thanks for your great great framework... continue!

Second, may I suggest a new payload: Manipulate IE in OLE AUTOMATION to create an outbound tunnel on HTTP, like the Setiri Trojan of SENSEPOST or the GASPER Trojan from the rstack group. I will try to inject a DLL that manipulates IE in OLE with your marvelous Meterpreter. But could you give me your feedback on this payload (feasibility, stability, and so on)?

Thanks in advance.

Yann

______________________________________________________________________________________________________________________________
This email, the information contained within and any files transmitted with it (herein after referred to as "the message") are confidential. It is intended solely for the addressees and access to this message by any other person is not permitted. If you are not the named addressee, please send it back immediately to the sender and delete it. Unauthorized disclosure, publication, use, dissemination, forwarding, printing or copying of this message, either in whole or in part, is strictly prohibited. Emails are susceptible to alteration and their integrity cannot be guaranteed. Our company shall not be liable for this message if modified or falsified.
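The two-socket pattern described in the thread (a long-lived GET held open for commands, paired with a never-ending POST to the same host) leaves a distinctive trace in proxy access logs. Below is an added detection example, not code from the post or from Metasploit; the Squid-style log layout, the field order and the sample lines are constructed for illustration.

```python
"""Flag client/host pairs whose proxy log shows an overlapping long-lived
GET and long-lived POST: the shape of the GET/POST tunnel discussed above.
Constructed log layout: end_time(epoch s) duration(ms) client method url bytes
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample lines, not real traffic. 10.0.0.7 holds a GET and a
# POST open to the same host for ~20 minutes each; the others are benign.
SAMPLE_LOG = """\
1108640000 120 10.0.0.5 GET http://intranet.example/news 4321
1108641200 1200000 10.0.0.7 GET http://you.example/get.jsp 9
1108641190 1190000 10.0.0.7 POST http://you.example/post.jsp 55000
1108640500 800 10.0.0.9 POST http://mail.example/send 2048
1108640600 900000 10.0.0.9 GET http://cdn.example/big.iso 700000000
"""

LONG_MS = 300_000  # 5 minutes: far beyond a normal page fetch or form post

def parse(line):
    """Split one log line into a dict with absolute start/end times."""
    end_s, dur_ms, client, method, url, nbytes = line.split()
    end, dur = int(end_s), int(dur_ms)
    return {"client": client, "method": method,
            "host": urlsplit(url).hostname,
            "start": end - dur / 1000, "end": end,
            "ms": dur, "bytes": int(nbytes)}

def find_tunnels(log_text, long_ms=LONG_MS):
    """Return sorted (client, host) pairs with a long GET overlapping a long POST."""
    by_key = defaultdict(lambda: {"GET": [], "POST": []})
    for line in log_text.splitlines():
        rec = parse(line)
        if rec["ms"] >= long_ms and rec["method"] in ("GET", "POST"):
            by_key[(rec["client"], rec["host"])][rec["method"]].append(rec)
    hits = set()
    for key, reqs in by_key.items():
        for g in reqs["GET"]:
            for p in reqs["POST"]:
                # Two requests overlap in time if each starts before the other ends
                if g["start"] < p["end"] and p["start"] < g["end"]:
                    hits.add(key)
    return sorted(hits)

if __name__ == "__main__":
    for client, host in find_tunnels(SAMPLE_LOG):
        print(f"possible GET/POST tunnel: {client} -> {host}")
```

A single long download (10.0.0.9) is not flagged on its own; the signal is the simultaneous long POST to the same host, which ordinary browsing does not produce.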
Current thread:
- Idea for a new payload : Manipulate Internet Explorer with OLE AUTOMATION ALLAIN Yann (Feb 16)
- Idea for a new payload : Manipulate Internet Explorer with OLE AUTOMATION mmiller at hick.org (Feb 16)
- Idea for a new payload : Manipulate Internet Explorer with OLE AUTOMATION eip (Feb 16)
- Idea for a new payload : Manipulate Internet Explorer with OLE AUTOMATION mmiller at hick.org (Feb 16)
- Idea for a new payload : Manipulate Internet Explorer with OLE AUTOMATION eip (Feb 16)
- Idea for a new payload : Manipulate Internet Explorer with OLE AUTOMATION mmiller at hick.org (Feb 16)
- Idea for a new payload : Manipulate Internet Explorer with OLE AUTOMATION eip (Feb 16)
- Idea for a new payload : Manipulate Internet Explorer with OLE AUTOMATION mmiller at hick.org (Feb 16)
- Idea for a new payload : Manipulate Internet Explorer with OLE AUTOMATION mmiller at hick.org (Feb 17)