Metasploit mailing list archives
ie7 protected mode
From: arcsighter at gmail.com (ArcSighter Elite)
Date: Wed, 17 Dec 2008 11:24:48 -0500
H D Moore wrote:
> On Monday 15 December 2008, reydecopas wrote:
>> Hi, I'm testing the ie_corruption_xml in VISTA ie7
>> Is it possible to break the protected mode in ie7? because meterpreter works great but with Low privilege according to ProcessExplorer (Integrity Low)
>
> I poked around with this but have not found a good way to do it so far. The process can read/write to the temporary files directory, read from some registry keys, and potentially influence other apps/plugins by manipulating configuration files in the user's home directory. The .java directory seemed like it might be a good target, but only if java itself isn't similarly restricted. Anyone know of an easy route out of the low-privileged IE7 process?
>
> -HD

I think at uninformed.org they got a paper about escaping ie7 protected mode. It may give some clue. It's an interesting topic, by the way.
Current thread:
- ie7 protected mode reydecopas (Dec 15)
- ie7 protected mode H D Moore (Dec 16)
- ie7 protected mode ArcSighter Elite (Dec 17)