Metasploit mailing list archives

PassiveX-based payloads and MS06-055


From: mmiller at hick.org (mmiller at hick.org)
Date: Wed, 14 Mar 2007 23:03:41 -0700

On Wed, Mar 14, 2007 at 11:50:58AM +0100, Angelo Dell'Aera wrote:
On Tue, 13 Mar 2007 11:40:24 -0700
... 

This time (using URIPATH "uripath" and PXURI "/pxuri") I see in
framework.log the following new lines

[03/14/2007 11:32:52] [d(2)] core: PassiveX listener started on
http://192.168.33.130:8080/pxuri 
[03/14/2007 11:33:21] [e(0)] rex: [*] Handler for resource: /uripath
[03/14/2007 11:33:21] [e(0)] rex: [*] k: /uripath val:
Rex::Proto::Http::Handler::Procfalse#<Proc:0xb77101bc at ./lib/msf/core/exploit/http.rb:322>
[03/14/2007 11:33:21] [e(0)] rex: [*] Handler for resource: /uripath
[03/14/2007 11:33:21] [e(0)] rex: [*] k: /pxuri val:
Rex::Proto::Http::Handler::Procfalse#<Proc:0xb711945c at ./lib/msf/core/handler/passivex.rb:207>true
[03/14/2007 11:33:21] [e(0)] rex: [*] p:
Rex::Proto::Http::Handler::Procfalse#<Proc:0xb77101bc at ./lib/msf/core/exploit/http.rb:322>
resource: /uripath 
[03/14/2007 11:33:22] [d(2)] core: windows/meterpreter/reverse_http:
Successfully encoded with encoder x86/shikata_ga_nai (size is 483)
[03/14/2007 11:33:28] [e(0)] rex: [*] Handler for resource: /pxuri
[03/14/2007 11:33:28] [e(0)] rex: [*] k: /uripath val:
Rex::Proto::Http::Handler::Procfalse#<Proc:0xb77101bc at ./lib/msf/core/exploit/http.rb:322>
[03/14/2007 11:33:28] [e(0)] rex: [*] Handler for resource: /pxuri
[03/14/2007 11:33:28] [e(0)] rex: [*] k: /pxuri val:
Rex::Proto::Http::Handler::Procfalse#<Proc:0xb711945c at ./lib/msf/core/handler/passivex.rb:207>true
[03/14/2007 11:33:28] [e(0)] rex: [*] p:
Rex::Proto::Http::Handler::Procfalse#<Proc:0xb711945c at ./lib/msf/core/handler/passivex.rb:207>true
resource: /pxuri

Hmm, from these logs it looks like it's working.  'p' is set to a proc
that is defined in passivex.rb, which is correct.  It looks like the
text just line-wrapped.  Since it says 'Sending PassiveX...', that means
that it at least handled the initial request and sent it to the correct
page which contains the object tag.  However, it looks like the browser
didn't attempt to download the control.  Do you happen to be running
this exploit in a non-administrative account?  Internet Explorer won't
download ActiveX controls as non-admin.  Alternatively, can you try
browsing to the page hosting PX in Internet Explorer, since it seems
like you're getting farther now than before?
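
The routing check made by eye in the reply above, as an added example that is not part of the original thread or of Metasploit: it re-joins the wrapped log entries and reports which proc was selected ('p') for each requested resource. The helper names and the EXPECTED mapping are assumptions of this example; the sample lines are copied from the quoted log.

```ruby
# Constructed sample: entries copied from the quoted framework.log, wrapping kept.
SAMPLE_LOG = <<~'LOG'
  [03/14/2007 11:33:21] [e(0)] rex: [*] Handler for resource: /uripath
  [03/14/2007 11:33:21] [e(0)] rex: [*] k: /pxuri val:
  Rex::Proto::Http::Handler::Procfalse#<Proc:0xb711945c at ./lib/msf/core/handler/passivex.rb:207>true
  [03/14/2007 11:33:21] [e(0)] rex: [*] p:
  Rex::Proto::Http::Handler::Procfalse#<Proc:0xb77101bc at ./lib/msf/core/exploit/http.rb:322>
  resource: /uripath
  [03/14/2007 11:33:28] [e(0)] rex: [*] Handler for resource: /pxuri
  [03/14/2007 11:33:28] [e(0)] rex: [*] k: /pxuri val:
  Rex::Proto::Http::Handler::Procfalse#<Proc:0xb711945c at ./lib/msf/core/handler/passivex.rb:207>true
  [03/14/2007 11:33:28] [e(0)] rex: [*] p:
  Rex::Proto::Http::Handler::Procfalse#<Proc:0xb711945c at ./lib/msf/core/handler/passivex.rb:207>true
  resource: /pxuri
LOG

# Assumed mapping of resource to the source file whose proc should serve it.
EXPECTED = { "/uripath" => "exploit/http.rb", "/pxuri" => "handler/passivex.rb" }.freeze

ENTRY_START = %r{\A\[\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\] }
SELECTED = /rex: \[\*\] p: .*?#<Proc:0x\h+ at (\S+?):(\d+)>.* resource: (\S+)/

# A line without a leading timestamp continues the previous entry.
def unwrap(text)
  text.each_line(chomp: true).each_with_object([]) do |line, entries|
    next if line.strip.empty?
    if line =~ ENTRY_START || entries.empty?
      entries << line.strip
    else
      entries[-1] = "#{entries[-1]} #{line.strip}"
    end
  end
end

# One hash per 'p:' entry: the requested resource and where its proc was defined.
def selected_handlers(text)
  unwrap(text).filter_map do |entry|
    m = SELECTED.match(entry)
    next unless m
    { resource: m[3], file: m[1], line: m[2].to_i }
  end
end

# Selections whose proc is not defined in the file expected for that resource.
def misrouted(text, expected)
  selected_handlers(text).reject do |h|
    want = expected[h[:resource]]
    want && h[:file].end_with?(want)
  end
end

selected_handlers(SAMPLE_LOG).each { |h| puts "#{h[:resource]} -> #{h[:file]}:#{h[:line]}" }
```

An empty result from `misrouted(SAMPLE_LOG, EXPECTED)` matches the reply's reading that the listener dispatched both requests correctly.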


