Metasploit mailing list archives
Problems getting IE exploits to run
From: knwang at mitre.org (Wang, Kathy)
Date: Fri, 16 Jun 2006 00:53:36 -0400
Hello,

I am using Metasploit 2.6 framework to do some testing as part of my honeyclient project. The framework looks great, and I appreciate you taking the time to develop a nice interface for others to test exploits with.

I'm attempting to use one of the IE exploits as a baseline exploit to test the honeyclient package. I'm not picky about which one, and I'm not picky about patchlevel of the system, any one will do. I am experiencing some problems with the testing, which I was hoping you will be able to help me out with. To be honest, I am not an expert at exploit development, and am using the framework strictly as a user.

Here are the issues I'm having with trying to successfully exploit a host:

-----------------------------------------------------------------------

Test Case 1:

- Windows XP Professional version 2002 (no patches) as victim machine with IE 6.0.2600.0000 browser
- Metasploit 2.6 on Gentoo Linux host
- Using ie_createtextrange exploit in Metasploit framework with win32_exec payload and default options (HTTPPORT is 8080, EXITFUNC is seh) and CMD is set to "echo foo > c:\test.txt"

After I launch the exploit on the framework side, and type in the url in the browser, the browser crashes, without rendering any content, and without creating the file I was hoping for. I also tried setting the EXITFUNC options to "process" and "thread", but that didn't change the results.

-----------------------------------------------------------------------

Test Case 2:

- Same as above, except now I'm using ie_iscomponentinstalled exploit

After I launch the exploit on the framework side, and type in the url in the browser, I get a message on the framework side that the client connected from ip:port. So, it looks like the connection happened successfully, but what I see on the browser is gibberish, and the file I was hoping would be created (test.txt) was not present through the Windows search utility.

-----------------------------------------------------------------------

Test Case 3:

- Windows XP Professional version 2002 SP2 with IE 6.0.2900.2180 browser
- Using ie_createtextrange exploit with win32_exec payload, and default options, and same CMD option as above cases

After I launch the exploit on the framework side, and type in the url in the browser, I get a message on the framework side that the client connected from ip:port. So, it looks like the connection happened successfully, but what I see on the browser is gibberish, and the file I was hoping would be created (test.txt) was not present through the Windows search utility.

-----------------------------------------------------------------------

Is there something obvious that I'm doing wrong here? I thought for example, that ie_createtextrange worked on Windows XP SP2, but that was one of my test cases, and it didn't work in my case.

If there's any additional information I can provide, please let me know. Thanks very much for your time.

Kathy
Current thread:
- Problems getting IE exploits to run Wang, Kathy (Jun 15)
- Problems getting IE exploits to run H D Moore (Jun 15)
- ie_createtextrange [Was: Problems getting IE exploits to run] Angelo Dell'Aera (Jun 20)