Metasploit mailing list archives

Problems using metasploit over ISA proxy


From: mmiller at hick.org (mmiller at hick.org)
Date: Fri, 16 Jun 2006 10:40:31 -0500

On Thu, Jun 15, 2006 at 01:13:52AM -0700, Ben Heinkel wrote:
> Hello,
> 
> I have recently had some time to try and play around with the PassiveX
> payload for Metasploit, unfortunately with not too much luck.
> 
> WinXP SP2 box with Winamp 5.12 installed, connecting to a Linux box
> running Metasploit with the winamp_playlist_unc exploit. On a direct
> connection using the win32_reverse payload, everything works as planned.
> 
> Now when I try to route traffic from the XP box through an ISA proxy, the
> returned code fails to exploit Winamp successfully (Winamp comes up, but
> no playlist is loaded). The type of payload used here is irrelevant, I think
> (I have tried with both win32_reverse and win32_passivex though), because
> the exploit does not even happen.
> 
> The proxy requires authentication, which I do manually at the start of the
> connection. I have looked at the proxy logs and have not found any errors.
> 
> Would ISA somehow 'sanitize' the exploit code, rendering it useless once it
> reaches the XP box?

I wouldn't think that the ISA proxy would do anything with the responses
that would render it useless.  I'd recommend sniffing on the client side
to see if you can distinguish a difference in behavior between
exploiting over the direct connection and exploiting through the ISA
proxy, aside from the obvious difference of the requests traversing the
ISA proxy.  This might help narrow down the problem.
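One way to act on the suggestion above, as an added example that is not part of the original thread or of Metasploit: capture the HTTP response Winamp receives on the direct connection and the one it receives through the proxy (for example with a client-side sniffer), save each as raw bytes, and feed both to the script below. It parses each response, strips chunked transfer encoding so that a re-chunked body is not mistaken for a changed one, and reports which headers were added, removed or changed and whether the playlist body still matches byte for byte. The two sample responses embedded here, including the Via header value, the switch to chunked encoding and the truncated variant, are constructed for illustration only and do not describe what ISA Server actually does to responses.

```python
"""Compare a directly captured HTTP response with the same response seen through a proxy.

Intended use: dump the bytes of each response (direct and proxied) to a file,
then call compare_responses() on the two byte strings. Everything below the
parsing code is constructed sample data for a stand-alone run.
"""
from typing import Dict, Optional, Tuple


def dechunk(body: bytes) -> bytes:
    """Decode an HTTP/1.1 chunked body into the original payload bytes."""
    out = b""
    rest = body
    while True:
        size_line, _, rest = rest.partition(b"\r\n")
        if not size_line:            # incomplete capture: return what we have
            break
        size = int(size_line.split(b";")[0], 16)   # ignore chunk extensions
        if size == 0:
            break
        out += rest[:size]
        rest = rest[size + 2:]       # skip chunk data and its trailing CRLF
    return out


def parse_response(raw: bytes) -> Tuple[str, Dict[str, str], bytes]:
    """Split a raw response into status line, lower-cased headers and decoded body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    status = lines[0].decode("latin-1")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    if headers.get("transfer-encoding", "").lower() == "chunked":
        body = dechunk(body)
    return status, headers, body


def first_diff(a: bytes, b: bytes) -> Optional[int]:
    """Offset of the first differing byte, or None if the two bodies are identical."""
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i
    return None if len(a) == len(b) else min(len(a), len(b))


def compare_responses(direct: bytes, proxied: bytes) -> Dict[str, object]:
    """Report status, header and body differences between the two captures."""
    s1, h1, b1 = parse_response(direct)
    s2, h2, b2 = parse_response(proxied)
    return {
        "status_same": s1 == s2,
        "headers_added": sorted(set(h2) - set(h1)),
        "headers_removed": sorted(set(h1) - set(h2)),
        "headers_changed": sorted(k for k in set(h1) & set(h2) if h1[k] != h2[k]),
        "body_same": b1 == b2,
        "body_len": (len(b1), len(b2)),
        "first_body_diff": first_diff(b1, b2),
    }


# --- constructed sample data (not a real capture) ---------------------------
# A playlist pointing at a UNC path, the kind of body winamp_playlist_unc serves.
PLAYLIST = (b"[playlist]\r\n"
            b"File1=\\\\192.0.2.1\\share\\track.mp3\r\n"
            b"NumberOfEntries=1\r\n"
            b"Version=2\r\n")


def build_direct(body: bytes) -> bytes:
    return (b"HTTP/1.1 200 OK\r\nContent-Type: audio/x-scpls\r\n"
            b"Content-Length: %d\r\nConnection: close\r\n\r\n" % len(body)) + body


def build_proxied(body: bytes) -> bytes:
    # Hypothetical proxy behaviour: adds Via, re-chunks the body, keeps the connection alive.
    chunked = b"%x\r\n%s\r\n0\r\n\r\n" % (len(body), body)
    return (b"HTTP/1.1 200 OK\r\nContent-Type: audio/x-scpls\r\n"
            b"Via: 1.1 proxy.example (constructed)\r\n"
            b"Transfer-Encoding: chunked\r\nConnection: keep-alive\r\n\r\n") + chunked


DIRECT_RESPONSE = build_direct(PLAYLIST)
PROXIED_RESPONSE = build_proxied(PLAYLIST)          # same body, only headers differ
PROXIED_TRUNCATED = build_proxied(PLAYLIST[:20])    # body cut short on the way through

if __name__ == "__main__":
    for label, proxied in (("intact", PROXIED_RESPONSE), ("truncated", PROXIED_TRUNCATED)):
        print(label, compare_responses(DIRECT_RESPONSE, proxied))
```

If the body comes back identical and only proxy-typical headers differ, the problem is not the bytes of the exploit response and the investigation can move to the client side of the exchange (the request Winamp actually sends via the proxy, or whether it fetches the playlist at all). A body mismatch, with its offset, points at what the proxy altered.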