Metasploit mailing list archives

Re: ms11xxx_ie_css


From: Miguel Rios <miguelrios35 () yahoo com>
Date: Sun, 26 Dec 2010 06:25:13 -0800 (PST)

Just an update. I figured out how to reference the dll by changing the classid call in the local html file. Now I need 
to figure out the css and placeholder part of the module and see if there's a way to save the dynamically generated css 
and have it called from an offline html file. Hopefully that would be enough to trigger the exploit from a locally 
saved html as long as metasploit's still serving up the exploit, no?

Any ideas, hints and corrections welcome.

--- On Sat, 12/25/10, Miguel Rios <miguelrios35 () yahoo com> wrote:

From: Miguel Rios <miguelrios35 () yahoo com>
Subject: [framework] ms11xxx_ie_css
To: framework () spool metasploit com
Date: Saturday, December 25, 2010, 8:01 PM

Hi everyone and Merry Xmas,

I've been messing about with the new ms11xxx_ie_css exploit and I have a few questions maybe someone here can help 
with. (By the way, thanks jduck for such a quick job.)

The exploit works fairly reliably for me but unfortunately it's detected already by avira and NOD. So I decided to save 
the html files produced by the module to see if I could find out what part of the javascript was triggering the AVs. 
Anyway, I see that when I just open the html file locally the exploit fails. I presume this is because there is a URI 
to a dll and it's referenced locally. Is this correct? If so, where does the created dll get stored so I can reference 
it correctly?

I wish we had jsidle already incorporated into metasploit (I recall he posted a few patches for some modules, including 
ie_peers I believe). It's getting tougher and tougher to bypass AVs on client sides.



      
_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework



      