Metasploit mailing list archives

Re: ms11xxx_ie_css

From: Miguel Rios <miguelrios35 () yahoo com>
Date: Fri, 31 Dec 2010 05:04:53 -0800 (PST)

Hi all,
Too bad no one has really figured out how to get a proper working static local version of this exploit yet.
On another note, what changed recently in this module? I noticed that now all my requests to the metasploit server get 
rejected with the "Target machine does not have the .NET CLR 2.0.50727" message, whereas before this didn't happen. The 
target machine in this case is XP SP3 english with .NET framework 4 installed (browser is ie8), so that should be 
sufficient, no? I also tried with my win 7 machine with both ie8 and firefox (with user agent set to ie8) and I get the 
same error message. A few days ago the firefox set to IE8 user agent worked. Now I get the error message constantly.
Anyone else having issues? Anyone else have any clues regarding the dynamic CSS file creation and how to port it to a 
static local copy (the original reason for this thread, which no one has really addressed yet)?

Thanks

--- On Mon, 12/27/10, Miguel Rios <miguelrios35 () yahoo com> wrote:

From: Miguel Rios <miguelrios35 () yahoo com>
Subject: [framework] Fw: RE:  ms11xxx_ie_css
To: framework () spool metasploit com
Date: Monday, December 27, 2010, 3:06 PM

Hi David,

Thanks for the info. I know about that technique and it works rather well in more static exploits.
The problem with ms11xxx_ie_css is that even if you save the served html page to a local file and open it locally it 
won't work (so obfuscating the javascript bypasses AV but also doesn't work). The reason for it not working locally (I 
presume) is that the exploit calls dynamically created dll and css files. I've managed to change the uri for the dll 
file so that it can be called even if the html is not being served up from the server, but I've had no such luck with 
the css. I believe this is where the problem lies but I haven't figured it out yet.

Thanks again,
Miguel

--- On Mon, 12/27/10, David Porcello <DPorcello () vermontmutual com> wrote:

From: David Porcello <DPorcello () vermontmutual com>
Subject: RE: [framework] ms11xxx_ie_css
To: "'Miguel Rios'" <miguelrios35 () yahoo com>
Date: Monday, December 27, 2010, 12:45 PM

Miguel, I ran into this recently and here’s what worked for me: 
http://grep8000.blogspot.com/2010/12/javascript-obfuscation-of-metasploit.html 

From: framework-bounces () spool metasploit com [mailto:framework-bounces () spool metasploit com] On Behalf Of Miguel Rios
Sent: Sunday, December 26, 2010 9:25 AM
To: framework () spool metasploit com
Subject: Re: [framework] ms11xxx_ie_css

Just an update. I figured out how to reference the dll by changing the classid call in the local html file. Now I need 
to figure out the css and placeholder part of the module and see if there's a way to save the dynamically generated css
 and have it called from an offline html file. Hopefully that would be enough to trigger the exploit from a locally 
saved html as long as metasploit's still serving up the exploit, no?

Any ideas, hints and corrections welcome.

--- On Sat, 12/25/10, Miguel Rios <miguelrios35 () yahoo com> wrote: 

From: Miguel Rios <miguelrios35 () yahoo com>
Subject: [framework] ms11xxx_ie_css
To: framework () spool metasploit com
Date: Saturday, December 25, 2010, 8:01 PM

Hi everyone and Merry Xmas,

I've been messing about with the new ms11xxx_ie_css exploit and I have a few questions maybe someone here can help 
with. (By the way, thanks jduck for such a quick job.)

The exploit works fairly reliably for me but unfortunately it's detected already by avira and NOD. So I decided to save 
the html files produced by the module to see if I could find out what part of the javascript was triggering the AVs. 
Anyway, I see that when I just open the html file locally the exploit fails. I presume this is because there is a URI to 
a dll and it's referenced locally. Is this correct? If so, where does the created dll get stored so I can reference it 
correctly?

I wish we had jsidle already incorporated into metasploit (I recall he posted a few patches for some modules, including 
ie_peers I believe). It's getting tougher and tougher to bypass AVs on client sides.