Metasploit mailing list archives

Re: ms11xxx_ie_css


From: "Joshua J. Drake" <jdrake () metasploit com>
Date: Fri, 31 Dec 2010 11:48:17 -0600

On Fri, Dec 31, 2010 at 05:04:53AM -0800, Miguel Rios wrote:
> Hi all,

Hi! Happy new year!

> Too bad no one has really figured out how to get a proper working
> static local version of this exploit yet.

I don't think it's possible because of:

1. The CSS, HTML and .NET DLL files MUST be separate files
2. The CSS file (and html file) are UTF-16LE encoded.
3. The CSS filename uses both bytes of each UTF-16LE character.
4. The CSS file requests itself as well as making a crazy looking 
request based on a converted-to-UTF8 version of the filename.
5. Internet Explorer treats files loaded from the Local Machine Zone
as untrusted and doesn't allow active scripting by default (AFAIK).

If you manage to work around these issues and get it working, please
do let us know.

> On another note, what changed recently in this module?

You can see all changes via our Redmine tracker, see here:

https://www.metasploit.com/redmine/projects/framework/repository/changes/modules/exploits/windows/browser/ms11_xxx_ie_css_import.rb

> I noticed that now all my requests to the metasploit server get
> rejected with the "Target machine does not have the .NET CLR
> 2.0.50727" message, whereas before this didn't happen.

Since the exploit depends on a ROP stager crafted from pieces of the
.NET CLR 2.0.50727, it will not execute without it. In a normal
configuration, the browser will happily tell us whether or not it has
this version of .NET.

> The target machine in this case is XP SP3 English with .NET
> framework 4 installed (browser is ie8), so that should be sufficient,
> no?

No. We are not actually using .NET for its normal purpose, but rather
abusing it to pick and use addresses from within its non-ASLR aware
browser plugin (mscorie.dll).

> I also tried with my win 7 machine with both ie8 and firefox (with
> user agent set to ie8) and I get the same error message. A few days
> ago the firefox set to IE8 user agent worked. Now I get the error
> message constantly.

Append the string ".NET CLR 2.0.50727" to your User Agent and it will 
happily serve to you.

> Anyone else having issues?

Not many issues have been reported. This exploit is very reliable.

> Anyone else have any clues regarding the dynamic CSS file creation
> and how to port it to a static local copy (the original reason for
> this thread which no one has really addressed yet).

Good luck. Some bugs just don't lend themselves to this kind of
conversion...

-- 
Joshua J. Drake
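The "Target machine does not have the .NET CLR 2.0.50727" rejection discussed above comes down to a User-Agent check. The following is an added example, not code from the Metasploit module or from anyone in this thread: it parses an IE-style User-Agent, lists the CLR versions the browser advertises, applies the same gate (the exact ".NET CLR 2.0.50727" token must be present) and shows the effect of Joshua's workaround of appending the token. The User-Agent strings are constructed; the assumption is that IE reports installed .NET runtimes as ";"-separated tokens inside its parenthesised comment group, with .NET 4 showing up as ".NET4.0C"/".NET4.0E" rather than as a "CLR 2.0.50727" token, which is why a .NET 4-only XP SP3 box is refused.

```python
"""
User-Agent gating as described in the thread (added example, not the
module's own code). Sample User-Agent strings are constructed.
"""
import re

# The exact token the server looks for before serving anything.
REQUIRED_CLR = ".NET CLR 2.0.50727"

# Constructed samples (assumption: this is how IE8 formats its UA comment).
UA_XP_NET4_ONLY = ("Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; "
                   "Trident/4.0; .NET4.0C; .NET4.0E)")
UA_XP_NET2 = ("Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; "
              ".NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)")
UA_FIREFOX_SPOOFED = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"


def ua_tokens(user_agent):
    """Return the ';'-separated tokens inside the first parenthesised group.

    IE places OS, Trident and installed-runtime details there, e.g.
    "(compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)".
    """
    m = re.search(r"\(([^)]*)\)", user_agent)
    if not m:
        return []
    return [t.strip() for t in m.group(1).split(";") if t.strip()]


def clr_versions(user_agent):
    """List the '.NET CLR x.y.z' versions advertised (''.NET4.0C' is not one)."""
    versions = []
    for tok in ua_tokens(user_agent):
        m = re.fullmatch(r"\.NET CLR (\d+\.\d+\.\d+)", tok)
        if m:
            versions.append(m.group(1))
    return versions


def would_be_served(user_agent):
    """Mirror the gate: only a client advertising exactly CLR 2.0.50727 passes."""
    return REQUIRED_CLR in ua_tokens(user_agent)


def append_clr_token(user_agent):
    """Joshua's workaround: add the token to the UA's comment group."""
    if would_be_served(user_agent):
        return user_agent
    if ")" in user_agent:
        # Insert before the first closing parenthesis so it joins the comment group.
        return user_agent.replace(")", "; " + REQUIRED_CLR + ")", 1)
    return user_agent + " (" + REQUIRED_CLR + ")"


if __name__ == "__main__":
    for label, ua in (("XP SP3, .NET 4 only", UA_XP_NET4_ONLY),
                      ("XP SP3, .NET 2.0/3.5", UA_XP_NET2),
                      ("Firefox spoofing IE8", UA_FIREFOX_SPOOFED)):
        print(f"{label}: CLRs={clr_versions(ua)} served={would_be_served(ua)}")
    print("after workaround:", would_be_served(append_clr_token(UA_FIREFOX_SPOOFED)))
```

The same `clr_versions` parse is handy on the other side of the wire: run over web-server access logs it shows which runtime versions clients actually advertise, so a request stream that suddenly carries the 2.0.50727 token on hosts that never had it stands out.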
