Metasploit mailing list archives

ie7 protected mode


From: arcsighter at gmail.com (ArcSighter Elite)
Date: Wed, 17 Dec 2008 11:24:48 -0500


H D Moore wrote:
> On Monday 15 December 2008, reydecopas wrote:
>> Hi,
>> I'm testing the ie_corruption_xml in Vista IE7.
>>
>> Is it possible to break the protected mode in IE7? Because meterpreter
>> works great, but with low privilege according to ProcessExplorer
>> (Integrity Low).
>
> I poked around with this but have not found a good way to do it so far.
> The process can read/write to the temporary files directory, read from
> some registry keys, and potentially influence other apps/plugins by
> manipulating configuration files in the user's home directory. The .java
> directory seemed like it might be a good target, but only if Java itself
> isn't similarly restricted.
>
> Anyone know of an easy route out of the low-privileged IE7 process?
>
> -HD



I think at uninformed.org they've got papers about escaping IE7 protected
mode. It may give some clues. It's an interesting topic, by the way.


