ie_unsafe_scripting.rb exploit module

[egypt at metasploit.com (egypt at metasploit.com)]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

natron,

What would you think about modifying this so it would wrap the
javascript in the required html to make it work standalone if the
users set a URIPATH that didn't end in ".js"?

- --egypt

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: http://getfiregpg.org

iEYEARECAAYFAkmAgMMACgkQABHabZqEWJ2hAACfUGDC0putkiOewfgenMsehzDx
ebgAn1NhuqS4TTOIrnl15QZNp5Eket0d
=nHyL
-----END PGP SIGNATURE-----

On Tue, Jan 27, 2009 at 10:51 PM, natron <natron at invisibledenizen.org> wrote:
> Updated version to do away with the xmlhttp stuff and just write the
> binary directly to disk; still no XSS scanning implemented:
>
> http://blog.invisibledenizen.org/2009/01/ieunsafescripting-metasploit-module.html
>
> n
>
> 2008/12/23 Joshua Smith <lazydj98 at yahoo.com>:
> > Might add
> > #for intranet sites usually
> > <orgName>web<suffix>           #e.g. metasploitweb
> > <orgAcronym>web<suffix>      #e.g. msfweb (no pun intended)
> > <orgName>www<suffix>         #metasploitwww
> > <orgAcronym>www<suffix>    #msfwww
> > also
> > exchange
> > exchangeserver
> >
> > some additionaly possible recon vectors:
> > -some places are starting to use the google suggest feature on their
> > intranet pages, any way to abuse? (I guess you could sniff the letters that
> > are "suggested" but that wouldn't tell you the intranet host)
> > -most corporate users' start page is usually set to intranet page, any way
> > of discovering?  Since you also seem to have access to the wscript.shell,
> > you could read the homepage value using vbs & wmi, send the result to the
> > payload to use as the first query (if not external):
> >
> > On Error Resume Next
> >
> > Const HKEY_CURRENT_USER = &H80000001
> >
> > strComputer = "."
> > Set objReg = GetObject("winmgmts:\\" & strComputer &
> > "\root\default:StdRegProv")
> > strKeyPath = "SOFTWARE\Microsoft\Internet Explorer\Main"
> > ValueName = "Start Page"
> >     objReg.GetStringValue HKEY_CURRENT_USER, strKeyPath, ValueName, strValue
> >
> > If IsNull(strValue) Then
> >     Wscript.Echo "The value is either Null or could not be found in the
> > registry."
> > Else
> >     Wscript.Echo strValue
> > End If
> > On Error Resume Next
> >
> > -Josh
> >
> > H D Moore wrote:
> > server<suffix>
> > webserver<suffix>
> > mailserver<suffix>
> > client<suffix>
> > user<suffix>
> > printer<suffix>
> > backup<suffix>
> > mail<suffix>
> > web<suffix>
> > www<suffix>
> > intranet
> > hr<suffix>
> >
> > With the suffix being something like:
> > 0-9, 00-99, A-Z, AA-ZZ, -old, -new, etc
> > ________________________________
> > From: H D Moore <hdm at metasploit.com>
> > To: framework at spool.metasploit.com
> > Sent: Wednesday, December 17, 2008 2:39:06 PM
> > Subject: Re: [framework] ie_unsafe_scripting.rb exploit module
> >
> > On Wednesday 17 December 2008, natron wrote:
> > > So you have to know the server name.  What are our options?
> > >
> > > 1) Just scan localhost for default apps running on default ports and
> > > ignore external servers.  (Think workstation management apps, virus
> > > scan consoles, stuff like that.)
> >
> > I agree that localhost should be included in every test, regardless of how
> > we do this next part.
> >
> > > 2) Discover through unknown external methods (like identifying their
> > > naming scheme through some webserver information disclosure, then
> > > generating a list of permutations... or a compromised DNS server) and
> > > have the mod import a file.
> >
> > Makes sense, lets punt this to the user and let them specify a file
> > containing a list of hosts to try.
> >
> > > 3) Pre-populate a list of guessed naming schemes.
> >
> > I think we should include a default file with common server names.
> >
> > > How do you propose we do 3)?  That doesn't sound easy or very
> > > successful.  In most environments I see, the naming schemes are all
> > > over the map.
> >
> > A few naming schemes seem really common and its something to start with at
> > least. To get the ball rolling, I would suggest using a few base names and
> > then permuting them based on common naming conventions:
> >
> > server<suffix>
> > webserver<suffix>
> > mailserver<suffix>
> > client<suffix>
> > user<suffix>
> > printer<suffix>
> > backup<suffix>
> > mail<suffix>
> > web<suffix>
> > www<suffix>
> > intranet
> > hr<suffix>
> >
> > With the suffix being something like:
> > 0-9, 00-99, A-Z, AA-ZZ, -old, -new, etc
> >
> > So the question becomes, at what number of permutations does that list
> > become infeasible?
> >
> > -HD
> >
> >
> >
> >
> > _______________________________________________
> > http://spool.metasploit.com/mailman/listinfo/framework
> >
> >
> > _______________________________________________
> > http://spool.metasploit.com/mailman/listinfo/framework
> _______________________________________________
> http://spool.metasploit.com/mailman/listinfo/framework