Metasploit mailing list archives

Problems getting IE exploits to run


From: knwang at mitre.org (Wang, Kathy)
Date: Fri, 16 Jun 2006 00:53:36 -0400

Hello,
 
I am using Metasploit 2.6 framework to do some testing as part of my
honeyclient project. The framework looks great, and I appreciate you
taking the time to develop a nice interface for others to test exploits
with.
 
I'm attempting to use one of the IE exploits as a baseline exploit to
test the honeyclient package. I'm not picky about which one, and I'm
not picky about the patch level of the system; any one will do. I am
experiencing some problems with the testing, which I was hoping you
would be able to help me out with. To be honest, I am not an expert at
exploit development, and am using the framework strictly as a user.

Here are the issues I'm having with trying to successfully exploit a
host:
-----------------------------------------------------------------------
Test Case 1:
- Windows XP Professional version 2002 (no patches) as victim machine
with IE 6.0.2600.0000 browser
- Metasploit 2.6 on Gentoo Linux host
- Using ie_createtextrange exploit in Metasploit framework with
win32_exec payload and default options (HTTPPORT is 8080, EXITFUNC is
seh) and CMD is set to "echo foo > c:\test.txt"

After I launch the exploit on the framework side and type in the URL
in the browser, the browser crashes without rendering any content and
without creating the file I was hoping for. I also tried setting the
EXITFUNC option to "process" and "thread", but that didn't change the
results.
-----------------------------------------------------------------------
Test Case 2:
- Same as above, except now I'm using ie_iscomponentinstalled exploit

After I launch the exploit on the framework side and type in the URL
in the browser, I get a message on the framework side that the client
connected from ip:port. So, it looks like the connection happened
successfully, but what I see in the browser is gibberish, and the file
I was hoping would be created (test.txt) was not found by the
Windows search utility.
-----------------------------------------------------------------------
Test Case 3:
- Windows XP Professional version 2002 SP2 with IE 6.0.2900.2180
browser
- Using ie_createtextrange exploit with win32_exec payload, and default
options, and same CMD option as above cases

After I launch the exploit on the framework side and type in the URL
in the browser, I get a message on the framework side that the client
connected from ip:port. So, it looks like the connection happened
successfully, but what I see in the browser is gibberish, and the file
I was hoping would be created (test.txt) was not found by the
Windows search utility.
-----------------------------------------------------------------------

Is there something obvious that I'm doing wrong here? I thought, for
example, that ie_createtextrange worked on Windows XP SP2, but that was
one of my test cases, and it didn't work in my case. If there's any
additional information I can provide, please let me know.

Thanks very much for your time.
Kathy