Metasploit mailing list archives

Re: ms11xxx_ie_css


From: Chris <mexirican50 () hotmail com>
Date: Fri, 31 Dec 2010 09:39:55 -0800

Hi Miguel,

I noticed the .NET errors yesterday as well and found that after I installed .NET 2.0 I didn't get the error. I think if you changed the UA string, that would be sufficient.

Chris

On 12/31/2010 5:04 AM, Miguel Rios wrote:
Hi all,
Too bad no one has really figured out how to get a proper working static local version of this exploit yet. On another note, what changed recently in this module? I noticed that now all my requests to the Metasploit server get rejected with the "Target machine does not have the .NET CLR 2.0.50727" message, whereas before this didn't happen. The target machine in this case is XP SP3 English with .NET Framework 4 installed (browser is IE8), so that should be sufficient, no? I also tried with my Win 7 machine with both IE8 and Firefox (with user agent set to IE8) and I get the same error message. A few days ago the Firefox set to IE8 user agent worked. Now I get the error message constantly. Anyone else having issues? Anyone else have any clues regarding the dynamic CSS file creation and how to port it to a static local copy (the original reason for this thread, which no one has really addressed yet)?

thanks

--- On Mon, 12/27/10, Miguel Rios <miguelrios35 () yahoo com> wrote:


    From: Miguel Rios <miguelrios35 () yahoo com>
    Subject: [framework] Fw: RE: ms11xxx_ie_css
    To: framework () spool metasploit com
    Date: Monday, December 27, 2010, 3:06 PM



        Hi David,

        Thanks for the info. I know about that technique and it works
        rather well in more static exploits.
        The problem with ms11xxx_ie_css is that even if you save the
        served HTML page to a local file and open it locally it won't
        work (so obfuscating the JavaScript bypasses AV but also
        doesn't work). The reason for it not working locally (I
        presume) is that the exploit calls dynamically created DLL and
        CSS files. I've managed to change the URI for the DLL file so
        that it can be called even if the HTML is not being served up
        from the server, but I've had no such luck with the CSS. I
        believe this is where the problem lies but I haven't figured
        it out yet.

        Thanks again,
        Miguel

        --- On Mon, 12/27/10, David Porcello
        <DPorcello () vermontmutual com> wrote:


            From: David Porcello <DPorcello () vermontmutual com>
            Subject: RE: [framework] ms11xxx_ie_css
            To: "'Miguel Rios'" <miguelrios35 () yahoo com>
            Date: Monday, December 27, 2010, 12:45 PM

            Miguel, I ran into this recently and here’s what worked
            for me:

            http://grep8000.blogspot.com/2010/12/javascript-obfuscation-of-metasploit.html

            From: framework-bounces () spool metasploit com
            [mailto:framework-bounces () spool metasploit com] On Behalf
            Of Miguel Rios
            Sent: Sunday, December 26, 2010 9:25 AM
            To: framework () spool metasploit com
            Subject: Re: [framework] ms11xxx_ie_css

            Just an update. I figured out how to reference the DLL by
            changing the classid call in the local HTML file. Now I
            need to figure out the CSS and placeholder part of the
            module and see if there's a way to save the dynamically
            generated CSS and have it called from an offline HTML
            file. Hopefully that would be enough to trigger the
            exploit from a locally saved HTML as long as Metasploit's
            still serving up the exploit, no?

            Any ideas, hints and corrections welcome

            --- On Sat, 12/25/10, Miguel Rios
            <miguelrios35 () yahoo com> wrote:


            From: Miguel Rios <miguelrios35 () yahoo com>
            Subject: [framework] ms11xxx_ie_css
            To: framework () spool metasploit com
            Date: Saturday, December 25, 2010, 8:01 PM

            Hi everyone and Merry Xmas,

            I've been messing about with the new ms11xxx_ie_css
            exploit and I have a few questions maybe someone here can
            help with. (by the way thanks jduck for such a quick job)

            The exploit works fairly reliably for me but unfortunately
            it's detected already by Avira and NOD. So I decided to
            save the HTML files produced by the module to see if I
            could find out what part of the JavaScript was triggering
            the AVs. Anyway, I see that when I just open the HTML file
            locally the exploit fails. I presume this is because there
            is a URI to a DLL and it's referenced locally. Is this
            correct? If so, where does the created DLL get stored so I
            can reference it correctly?

            I wish we had jsidle already incorporated into Metasploit
            (I recall he posted a few patches for some modules,
            including ie_peers I believe). It's getting tougher and
            tougher to bypass AVs on client sides.


            _______________________________________________
            https://mail.metasploit.com/mailman/listinfo/framework

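Added example, not part of the thread and not the module's own code: if, as Chris's reply implies, the module keys its "Target machine does not have the .NET CLR 2.0.50727" rejection on the browser's User-Agent header, then both observations in the thread follow from the tokens a browser advertises. Internet Explorer appends ".NET CLR 2.0.50727" to its UA when the 2.0/3.x runtime is installed, while a .NET 4-only install adds ".NET4.0C; .NET4.0E" (assumed here from the usual IE convention, not stated on the page), so an XP box with only .NET 4 fails a check for the 2.0 token, and a Firefox UA spoof passes only if the spoofed string includes it. The Ruby below is an illustrative re-implementation of such a gate; the substring match, the helper names and the sample UA strings are assumptions and constructed data.

```ruby
# Illustrative re-implementation (added example, not the Metasploit module's
# own code) of a User-Agent gate of the kind the thread describes: the server
# serves the page only when the UA advertises the .NET CLR 2.0.50727 runtime.
#
# Assumptions (not stated on the page): the check is a plain substring match on
# the UA header, and .NET tokens follow the usual IE convention
# (".NET CLR 2.0.50727" for the 2.0/3.x runtime, ".NET4.0C; .NET4.0E" for 4.0).

REQUIRED_CLR = '.NET CLR 2.0.50727'.freeze

# Extract the .NET-related tokens IE lists inside the parenthesised part of its UA.
# Returns an empty array for UA strings without a parenthesised section.
def dotnet_tokens(user_agent)
  inner = user_agent[/\((.*)\)/, 1] || ''
  inner.split(';').map(&:strip).select { |t| t.start_with?('.NET') }
end

# The gate itself: true when the UA carries the 2.0.50727 token, regardless of
# which other runtimes are listed (a .NET 4-only box therefore fails).
def clr2_present?(user_agent)
  user_agent.include?(REQUIRED_CLR)
end

# Verdict a browser-exploit server might act on: :serve or :reject.
def check_request(user_agent)
  clr2_present?(user_agent) ? :serve : :reject
end

# Constructed sample UA strings mirroring the situations in the thread.
SAMPLE_UAS = {
  # IE8 on XP SP3 with only .NET 4 installed: advertises .NET4.0 but not CLR 2.0.
  xp_ie8_net4_only:
    'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E)',
  # Same box after adding .NET 2.0/3.5: the CLR 2.0.50727 token now appears.
  xp_ie8_net2_and_4:
    'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; ' \
    '.NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E)',
  # Firefox with a spoofed IE8 UA that omits the CLR tokens entirely.
  firefox_spoof_no_clr:
    'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)',
  # Firefox spoof that includes the token, i.e. "changing the UA string".
  firefox_spoof_with_clr:
    'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; .NET CLR 2.0.50727)'
}.freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLE_UAS.each do |name, ua|
    puts format('%-24s tokens=%-60s -> %s', name, dotnet_tokens(ua).inspect, check_request(ua))
  end
end
```

Running the block prints one line per sample; only the two UAs that carry the 2.0.50727 token come back as :serve, which matches Chris's observation that installing .NET 2.0 (or editing the UA) made the rejection go away.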