Using the PassiveX payload

[mmiller at hick.org (mmiller at hick.org)]

On Thu, May 04, 2006 at 05:02:55PM +0200, Feature Meister wrote:
> Hi all,
>
> I am desperately looking for the PassiveX payload to work. I already saw
> some earlier postings on this list regarding this topic and also read the
> theory on "uninformed".
> What I'm trying is the following setup:
>
> attackers machine (A):
> OS: WinXP SP2 (de), no additional patches
> Metasploit Framework 2.5
> Exploit: ie_xp_pfv_metafile
> Payload: win32_passivex_meterpreter (also win32_passivex_*)
>
> victims machine (V):
> OS: WinXP SP2 (en-US), no additional patches
>
> Scenario:
> When connecting to the HTTP-port provided by metasploit the victims machine
> downloads and executes the exploit. It works since the IE zone settings are
> changed as described. After that the exploit launches the hidden IE which
> then downloads the passivex dll. (I verified this by sniffing the
> connections)
> But then nothing else happens. I would have expected the meterpreter console
> coming up - but there's no more communication between A and V.
> Any hints, suggestions, ideas?

The only thing I can think of that would lead to this scenario is the
ActiveX control not properly registering after it is downloaded.  Can
you confirm that the PassiveX.PassiveX (may be CPassiveX...) 
class is getting registered?  You can check in in the registry under
HKEY_CLASSES_ROOT.  If it is getting registered, then it seems like
perhaps the PXHTTPHOST/PORT is not getting set properly, though that
seems unlikely.

Can you include the data portion of the HTTP response that the
metasploit webserver sends to the client when it requests the root page?
I'm mainly interested in seeing the parameters that are sent in the
object.