Metasploit mailing list archives
Fw: RE: ms11xxx_ie_css
From: Miguel Rios <miguelrios35 () yahoo com>
Date: Mon, 27 Dec 2010 07:06:29 -0800 (PST)
Hi David,

Thanks for the info. I know about that technique and it works rather well in more static exploits. The problem with ms11xxx_ie_css is that even if you save the served html page to a local file and open it locally it won't work (so obfuscating the javascript bypasses AV but also doesn't work). The reason for it not working locally (I presume) is that the exploit calls dynamically created dll and css files. I've managed to change the uri for the dll file so that it can be called even if the html is not being served up from the server, but I've had no such luck with the css. I believe this is where the problem lies but I haven't figured it out yet.

Thanks again,
Miguel

--- On Mon, 12/27/10, David Porcello <DPorcello () vermontmutual com> wrote:

From: David Porcello <DPorcello () vermontmutual com>
Subject: RE: [framework] ms11xxx_ie_css
To: "'Miguel Rios'" <miguelrios35 () yahoo com>
Date: Monday, December 27, 2010, 12:45 PM

Miguel,

I ran into this recently and here's what worked for me:
http://grep8000.blogspot.com/2010/12/javascript-obfuscation-of-metasploit.html

From: framework-bounces () spool metasploit com [mailto:framework-bounces () spool metasploit com] On Behalf Of Miguel Rios
Sent: Sunday, December 26, 2010 9:25 AM
To: framework () spool metasploit com
Subject: Re: [framework] ms11xxx_ie_css

Just an update. I figured out how to reference the dll by changing the classid call in the local html file. Now I need to figure out the css and placeholder part of the module and see if there's a way to save the dynamically generated css and have it called from an offline html file. Hopefully that would be enough to trigger the exploit from a locally saved html as long as metasploit's still serving up the exploit, no?

Any ideas, hints and corrections welcome.

--- On Sat, 12/25/10, Miguel Rios <miguelrios35 () yahoo com> wrote:

From: Miguel Rios <miguelrios35 () yahoo com>
Subject: [framework] ms11xxx_ie_css
To: framework () spool metasploit com
Date: Saturday, December 25, 2010, 8:01 PM

Hi everyone and Merry Xmas,

I've been messing about with the new ms11xxx_ie_css exploit and I have a few questions maybe someone here can help with. (By the way, thanks jduck for such a quick job.) The exploit works fairly reliably for me but unfortunately it's detected already by Avira and NOD. So I decided to save the html files produced by the module to see if I could find out what part of the javascript was triggering the AVs. Anyway, I see that when I just open the html file locally the exploit fails. I presume this is because there is a URI to a dll and it's referenced locally. Is this correct? If so, where does the created dll get stored so I can reference it correctly? I wish we had jsidle already incorporated into metasploit (I recall he posted a few patches for some modules, including ie_peers I believe). It's getting tougher and tougher to bypass AVs on client sides.

_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework
Current thread:
- ms11xxx_ie_css Miguel Rios (Dec 25)
- Re: ms11xxx_ie_css Miguel Rios (Dec 26)
- <Possible follow-ups>
- Fw: RE: ms11xxx_ie_css Miguel Rios (Dec 27)
- Re: ms11xxx_ie_css Miguel Rios (Dec 31)
- Re: ms11xxx_ie_css Chris (Dec 31)
- Re: ms11xxx_ie_css Joshua J. Drake (Dec 31)
- Re: ms11xxx_ie_css Miguel Rios (Dec 31)