Metasploit mailing list archives
Re: ms11xxx_ie_css
From: "Joshua J. Drake" <jdrake () metasploit com>
Date: Fri, 31 Dec 2010 11:48:17 -0600
On Fri, Dec 31, 2010 at 05:04:53AM -0800, Miguel Rios wrote:
> Hi all,
Hi! Happy new year!
> Too bad no one has really figured out how to get a proper working static local version of this exploit yet.
I don't think it's possible because of:

1. The CSS, HTML and .NET DLL files MUST be separate files.
2. The CSS file (and HTML file) are UTF-16LE encoded.
3. The CSS filename uses both bytes of each UTF-16LE character.
4. The CSS file requests itself as well as making a crazy looking request based on a converted-to-UTF8 version of the filename.
5. Internet Explorer treats files loaded from the Local Machine Zone as untrusted and doesn't allow active scripting by default (AFAIK).

If you manage to work around these issues and get it working, please do let us know.
> On another note, what changed recently in this module?
You can see all changes via our Redmine tracker, see here: https://www.metasploit.com/redmine/projects/framework/repository/changes/modules/exploits/windows/browser/ms11_xxx_ie_css_import.rb
> I noticed that now all my requests to the metasploit server get rejected with the "Target machine does not have the .NET CLR 2.0.50727" message, whereas before this didn't happen.
Since the exploit depends on a ROP stager crafted from pieces of the .NET CLR 2.0.50727, it will not execute without it. In a normal configuration, the browser will happily tell us whether or not it has this version of .NET.
> The target machine in this case is XP SP3 english with .NET framework 4 installed (browser is ie8), so that should be sufficient, no?
No. We are not actually using .NET for its normal purpose, but rather abusing it to pick and use addresses from within its non-ASLR aware browser plugin (mscorie.dll).
> I also tried with my win 7 machine with both ie8 and firefox (with user agent set to ie8) and I get the same error message. A few days ago the firefox set to IE8 user agent worked. Now I get the error message constantly.
Append the string ".NET CLR 2.0.50727" to your User Agent and it will happily serve to you.
> Anyone else having issues?
Not many issues have been reported. This exploit is very reliable.
> Anyone else have any clues regarding the dynamic CSS file creation and how to port it to a static local copy (the original reason for this thread which no one has really addressed yet).
Good luck. Some bugs just don't lend themselves to this kind of conversion...

-- 
Joshua J. Drake
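The exchange above turns on what the browser's User-Agent header advertises: the module serves only when the ".NET CLR 2.0.50727" token is present, which is why an XP box with only .NET 4 and a Firefox with a spoofed IE8 string are both refused, and why appending the token by hand makes the server "happily serve". The following is an added Ruby example, not code from the thread or from the Metasploit module, that extracts the CLR tokens from a User-Agent and applies that check; the sample User-Agent strings are constructed for illustration and the function names are my own.

```ruby
# Added example (not from the thread or the Metasploit module): shows which
# .NET CLR builds an IE-style User-Agent reveals and how a server-side check
# like the one discussed in the thread decides whether the client qualifies.

# The single CLR build the thread says the module insists on.
REQUIRED_CLR = '2.0.50727'

# Extract every ".NET CLR x.y.zzzzz" token from a User-Agent header.
# IE appends one token per installed 1.x/2.x/3.x runtime; .NET 4 uses
# different tokens (".NET4.0C"/".NET4.0E") that this pattern deliberately
# does not match, mirroring the behaviour Miguel ran into.
def dotnet_versions(user_agent)
  user_agent.scan(/\.NET CLR (\d+\.\d+\.\d+)/).flatten.uniq
end

# True when the client advertises the specific CLR build required.
def has_required_clr?(user_agent)
  dotnet_versions(user_agent).include?(REQUIRED_CLR)
end

# Constructed sample User-Agent strings (not captured from real hosts).
SAMPLES = {
  # IE8 on XP SP3 with .NET 2.0/3.5 installed: required token present.
  'xp_ie8_net2' => 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; ' \
                   '.NET CLR 2.0.50727; .NET CLR 3.5.30729)',
  # IE8 on XP SP3 with only .NET 4 installed: no "CLR 2.0.50727" token, refused.
  'xp_ie8_net4' => 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; ' \
                   '.NET4.0C; .NET4.0E)',
  # Firefox spoofing an IE8 string with no CLR tokens at all: refused.
  'ff_spoofed'  => 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)',
  # Same spoofed string with the token appended by hand, as Joshua suggests.
  'ff_appended' => 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0) ' \
                   '.NET CLR 2.0.50727',
}

# Evaluate every sample; returns [name, versions, serve?] triples.
def report(samples = SAMPLES)
  samples.map { |name, ua| [name, dotnet_versions(ua), has_required_clr?(ua)] }
end

if __FILE__ == $0
  report.each do |name, versions, ok|
    puts format('%-12s CLR %-28s -> %s', name, versions.inspect, ok ? 'serve' : 'refuse')
  end
end
```

Run it directly to see which of the four constructed clients would be served; the point for a defender is that the CLR tokens are an unauthenticated fingerprint of the installed runtimes, and that any server-side gate on them is trivially satisfied by a client that edits its own header.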
https://mail.metasploit.com/mailman/listinfo/framework
Current thread:
- ms11xxx_ie_css Miguel Rios (Dec 25)
- Re: ms11xxx_ie_css Miguel Rios (Dec 26)
- <Possible follow-ups>
- Fw: RE: ms11xxx_ie_css Miguel Rios (Dec 27)
- Re: ms11xxx_ie_css Miguel Rios (Dec 31)
- Re: ms11xxx_ie_css Chris (Dec 31)
- Re: ms11xxx_ie_css Joshua J. Drake (Dec 31)
- Re: ms11xxx_ie_css Miguel Rios (Dec 31)