Metasploit mailing list archives
ie_unsafe_scripting.rb exploit module
From: hdm at metasploit.com (H D Moore)
Date: Wed, 17 Dec 2008 00:12:13 -0600
Looks good, need to remove the SEH include and tweak some of the fields (Version to be $Revision:$), but would be happy to add it. A friend of mine had some suggestions for making the HTTP download more reliable as well (use up to four different objects).

What are your thoughts on writing another module (or extending this one) to auto-exploit XSS in the intranet zone? Take a long, long list of hostnames and XSS methods and iterate through them all, hoping one or another hits. A really nice/easy vector could be printer administration interfaces -- there are XSS bugs in nearly all of the JetDirect/Ricoh/Xerox products and printers tend to have generic names (as do switches, backup NAS devices, etc).

-HD

On Tuesday 16 December 2008, natron wrote:
I've recently come across environments that have the "Initialize and script ActiveX controls not marked safe for scripting" configured to run without prompt for the 'Intranet' or 'Trusted Sites' zones. This grants access to WScript.Shell, so my first thought was to add a little code to ie_createobject, but I discovered that the unsafe scripting setting doesn't grant access to the MSXML.XMLHTTP, so a warning dialog still popped.
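
For auditing the configuration described in the quoted message, an added example that is not part of the original thread or of the Metasploit module: a PowerShell check that reports how URL action 1201 ("Initialize and script ActiveX controls not marked as safe for scripting") is set for the Local intranet (zone 1) and Trusted sites (zone 2) zones. The registry locations and value meanings are the standard Internet Explorer zone settings; the function name `Get-UnsafeActiveXSetting` is hypothetical.

```powershell
# Added example: audit URL action 1201 in the Intranet and Trusted Sites zones.
# 1201 = "Initialize and script ActiveX controls not marked as safe for scripting"
$Action  = '1201'
$Zones   = @{ '1' = 'Local intranet'; '2' = 'Trusted sites' }
$Meaning = @{ 0 = 'Enable (no prompt)'; 1 = 'Prompt'; 3 = 'Disable' }

# Machine policy, user policy, user preference, machine preference.
# Each location that holds a value is reported separately; the script does
# not try to compute which one Internet Explorer finally applies.
$Roots = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
)

function Get-UnsafeActiveXSetting {
    foreach ($root in $Roots) {
        foreach ($zone in $Zones.Keys) {
            $key  = Join-Path $root $zone
            $item = Get-ItemProperty -Path $key -Name $Action -ErrorAction SilentlyContinue
            if ($null -eq $item) { continue }   # key or value not present here

            $value = [int]$item.$Action
            $label = 'Unknown'
            if ($Meaning.ContainsKey($value)) { $label = $Meaning[$value] }

            [pscustomobject]@{
                Key     = $key
                Zone    = $Zones[$zone]
                Value   = $value
                Setting = $label
                # 0 means unsafe controls are scripted with no dialog,
                # which is the condition the message describes.
                Risky   = ($value -eq 0)
            }
        }
    }
}

Get-UnsafeActiveXSetting | Sort-Object Risky -Descending | Format-Table -AutoSize
```

Rows with `Risky` set to `True` mark a zone where pages can script unsafe controls without a prompt; review which sites are mapped into that zone before deciding whether the setting can be moved to Prompt or Disable.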