Metasploit mailing list archives

ie_unsafe_scripting.rb exploit module


From: hdm at metasploit.com (H D Moore)
Date: Wed, 17 Dec 2008 00:12:13 -0600

Looks good, need to remove the SEH include and tweak some of the fields 
(Version to be $Revision:$), but would be happy to add it. A friend of 
mine had some suggestions for making the HTTP download more reliable as 
well (use up to four different objects).

What are your thoughts on writing another module (or extending this one) 
to auto-exploit XSS in the intranet zone? Take a long, long list of 
hostnames and XSS methods and iterate through them all, hoping one or 
another hits. A really nice/easy vector could be printer administration 
interfaces -- there are XSS bugs in nearly all of the 
JetDirect/Ricoh/Xerox products and printers tend to have generic names (as 
do switches, backup NAS devices, etc).

-HD

On Tuesday 16 December 2008, natron wrote:
> I've recently come across environments that have the "Initialize and
> script ActiveX controls not marked safe for scripting" configured to
> run without prompt for the 'Intranet' or 'Trusted Sites' zones.  This
> grants access to WScript.Shell, so my first thought was to add a
> little code to ie_createobject, but I discovered that the unsafe
> scripting setting doesn't grant access to the MSXML.XMLHTTP, so a
> warning dialog still popped.
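The zone setting natron describes is what a defender wants to audit. The PowerShell script below is an added example and is not code from this thread or from the Metasploit project; it reads the action stored under value name 1201 ("Initialize and script ActiveX controls not marked as safe for scripting") for the Local intranet (zone 1) and Trusted sites (zone 2) keys and flags any zone where the action is 0 (Enable, no prompt). The registry paths and the 0/1/3 action codes are the documented Internet Explorer zone settings; the lookup order across policy and user keys is a simplification assumed here, not a claim about how IE resolves conflicts.

```powershell
# Added audit script (not part of the mailing list thread).
# Reports the "Initialize and script ActiveX controls not marked as safe
# for scripting" action (value name 1201) for the Local intranet and
# Trusted sites zones, flagging any zone where it is Enable (0).

$zoneNames = @{ 1 = 'Local intranet'; 2 = 'Trusted sites' }
$actions   = @{ 0 = 'Enable (no prompt)'; 1 = 'Prompt'; 3 = 'Disable' }

# Keys checked; policy keys are listed first and the first key that
# carries a 1201 value is reported (assumed ordering, see lead-in).
$roots = @(
    'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
)

function Get-UnsafeScriptingSetting {
    param([int]$Zone)
    foreach ($root in $roots) {
        $key = Join-Path -Path $root -ChildPath ([string]$Zone)
        if (Test-Path -Path $key) {
            $val = (Get-ItemProperty -Path $key -Name '1201' -ErrorAction SilentlyContinue).'1201'
            if ($null -ne $val) {
                return [pscustomobject]@{
                    Zone   = $zoneNames[$Zone]
                    Source = $key
                    Value  = [int]$val
                }
            }
        }
    }
    return $null
}

foreach ($z in $zoneNames.Keys) {
    $r = Get-UnsafeScriptingSetting -Zone $z
    if ($null -eq $r) {
        Write-Output ("{0}: value 1201 not set, IE default for this zone applies" -f $zoneNames[$z])
        continue
    }
    $label = if ($actions.ContainsKey($r.Value)) { $actions[$r.Value] } else { "unknown ($($r.Value))" }
    $flag  = if ($r.Value -eq 0) { 'FINDING' } else { 'ok' }
    Write-Output ("{0}: {1} [{2}] from {3}" -f $r.Zone, $label, $flag, $r.Source)
}
```

Run it in the context of the user whose browser configuration is being reviewed; a FINDING line for either zone means unmarked ActiveX controls (WScript.Shell among them) can be instantiated from any site mapped into that zone without a prompt, which is the condition the thread is discussing. Setting the value to 3 (Disable), or at least 1 (Prompt), removes it.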