Metasploit mailing list archives
Re: ms11xxx_ie_css
From: Miguel Rios <miguelrios35 () yahoo com>
Date: Sat, 1 Jan 2011 06:36:44 -0800 (PST)
Hi Josh. Happy New Year to you and the rest of this list too. Thanks so much for your thorough answers. You confirmed my suspicions and saved me from wasting any more time trying to do the impossible (or at least too difficult for my limited brain). But at least I learned a lot of new stuff in the process ;-) I guess then the only thing left is to hope that jsidle gets fully incorporated in the framework soon. http://metasploit.com/redmine/issues/3163

Also, I'm thinking of removing the .NET check from the module so that it'll serve up the files to any machine with an IE user agent. My thinking is that sometimes user agents are manipulated, changed or stripped, so a potential target may actually have the needed .NET and yet pass through untouched. I don't really see any downside besides potentially crashing the target's browser.

Thanks again guys and I hope 2011 is not the year the internetz go down (imagine what this planet would be like if some massive worm basically disabled the net for some days?). I wonder if internet withdrawal syndrome will lead to an increase in the number of suicides?

Cheers

--- On Fri, 12/31/10, Joshua J. Drake <jdrake () metasploit com> wrote:

From: Joshua J. Drake <jdrake () metasploit com>
Subject: Re: [framework] ms11xxx_ie_css
To: "Miguel Rios" <miguelrios35 () yahoo com>
Cc: framework () spool metasploit com
Date: Friday, December 31, 2010, 5:48 PM

On Fri, Dec 31, 2010 at 05:04:53AM -0800, Miguel Rios wrote:
> Hi all,

Hi! Happy new year!

> Too bad no one has really figured out how to get a proper working static local version of this exploit yet.

I don't think it's possible because of:
1. The CSS, HTML and .NET DLL files MUST be separate files.
2. The CSS file (and HTML file) are UTF-16LE encoded.
3. The CSS filename uses both bytes of each UTF-16LE character.
4. The CSS file requests itself as well as making a crazy looking request based on a converted-to-UTF-8 version of the filename.
5. Internet Explorer treats files loaded from the Local Machine Zone as untrusted and doesn't allow active scripting by default (AFAIK).
If you manage to work around these issues and get it working, please do let us know.

> On another note, what changed recently in this module?

You can see all changes via our Redmine tracker, see here: https://www.metasploit.com/redmine/projects/framework/repository/changes/modules/exploits/windows/browser/ms11_xxx_ie_css_import.rb

> I noticed that now all my requests to the metasploit server get rejected with the "Target machine does not have the .NET CLR 2.0.50727" message, whereas before this didn't happen.

Since the exploit depends on a ROP stager crafted from pieces of the .NET CLR 2.0.50727, it will not execute without it. In a normal configuration, the browser will happily tell us whether or not it has this version of .NET.

> The target machine in this case is XP SP3 English with .NET Framework 4 installed (browser is IE8), so that should be sufficient, no?

No. We are not actually using .NET for its normal purpose, but rather abusing it to pick and use addresses from within its non-ASLR-aware browser plugin (mscorie.dll).

> I also tried with my Win 7 machine with both IE8 and Firefox (with user agent set to IE8) and I get the same error message. A few days ago the Firefox set to IE8 user agent worked. Now I get the error message constantly.

Append the string ".NET CLR 2.0.50727" to your User Agent and it will happily serve to you.

> Anyone else having issues?

Not many issues have been reported. This exploit is very reliable.

> Anyone else have any clues regarding the dynamic CSS file creation and how to port it to a static local copy (the original reason for this thread which no one has really addressed yet)?

Good luck. Some bugs just don't lend themselves to this kind of conversion...

-- 
Joshua J. Drake