Metasploit mailing list archives
PassiveX-based payloads and MS06-055
From: mmiller at hick.org (mmiller at hick.org)
Date: Wed, 14 Mar 2007 23:03:41 -0700
On Wed, Mar 14, 2007 at 11:50:58AM +0100, Angelo Dell'Aera wrote:
On Tue, 13 Mar 2007 11:40:24 -0700
...
This time (using URIPATH "uripath" and PXURI "/pxuri") I see in framework.log the following new lines:

[03/14/2007 11:32:52] [d(2)] core: PassiveX listener started on http://192.168.33.130:8080/pxuri
[03/14/2007 11:33:21] [e(0)] rex: [*] Handler for resource: /uripath
[03/14/2007 11:33:21] [e(0)] rex: [*] k: /uripath val: Rex::Proto::Http::Handler::Procfalse#<Proc:0xb77101bc at ./lib/msf/core/exploit/http.rb:322>
[03/14/2007 11:33:21] [e(0)] rex: [*] Handler for resource: /uripath
[03/14/2007 11:33:21] [e(0)] rex: [*] k: /pxuri val: Rex::Proto::Http::Handler::Procfalse#<Proc:0xb711945c at ./lib/msf/core/handler/passivex.rb:207>true
[03/14/2007 11:33:21] [e(0)] rex: [*] p: Rex::Proto::Http::Handler::Procfalse#<Proc:0xb77101bc at ./lib/msf/core/exploit/http.rb:322> resource: /uripath
[03/14/2007 11:33:22] [d(2)] core: windows/meterpreter/reverse_http: Successfully encoded with encoder x86/shikata_ga_nai (size is 483)
[03/14/2007 11:33:28] [e(0)] rex: [*] Handler for resource: /pxuri
[03/14/2007 11:33:28] [e(0)] rex: [*] k: /uripath val: Rex::Proto::Http::Handler::Procfalse#<Proc:0xb77101bc at ./lib/msf/core/exploit/http.rb:322>
[03/14/2007 11:33:28] [e(0)] rex: [*] Handler for resource: /pxuri
[03/14/2007 11:33:28] [e(0)] rex: [*] k: /pxuri val: Rex::Proto::Http::Handler::Procfalse#<Proc:0xb711945c at ./lib/msf/core/handler/passivex.rb:207>true
[03/14/2007 11:33:28] [e(0)] rex: [*] p: Rex::Proto::Http::Handler::Procfalse#<Proc:0xb711945c at ./lib/msf/core/handler/passivex.rb:207>true resource: /pxuri
Hmm, from these logs it looks like it's working. 'p' is set to a proc that is defined in passivex.rb, which is correct. It looks like the text just line-wrapped. Since it says 'Sending PassiveX...', that means that it at least handled the initial request and sent it to the correct page which contains the object tag. However, it looks like the browser didn't attempt to download the control. Do you happen to be running this exploit in a non-administrative account? Internet Explorer won't download ActiveX controls as non-admin. Alternatively, can you try browsing to the page hosting PX in Internet Explorer, since it seems like you're getting farther now than before?