Metasploit mailing list archives

Re: ms11xxx_ie_css


From: Miguel Rios <miguelrios35 () yahoo com>
Date: Sat, 1 Jan 2011 06:36:44 -0800 (PST)

Hi Josh.
Happy New Year to you and the rest of this list too.

Thanks so much for your thorough answers. You confirmed my suspicions and saved me from wasting any more time trying to 
do the impossible (or at least too difficult for my limited brain). But at least I learned a lot of new stuff in the 
process ;-)

I guess that the only thing left is to hope that jsidle gets fully incorporated in the framework soon.
http://metasploit.com/redmine/issues/3163

Also, I'm thinking of removing the .NET check from the module so that it'll serve up the files to any machine with an 
IE user agent. My thinking is that sometimes user agents are manipulated, changed or stripped so a potential target may 
actually have the needed .NET and yet pass through untouched. I don't really see any downside besides potentially 
crashing the target's browser.

Thanks again guys and I hope 2011 is not the year the internetz go down (imagine what this planet would be like if some 
massive worm basically disabled the net for some days?). 
I wonder if internet withdrawal syndrome will lead to an increase in the number of suicides?

Cheers

--- On Fri, 12/31/10, Joshua J. Drake <jdrake () metasploit com> wrote:

From: Joshua J. Drake <jdrake () metasploit com>
Subject: Re: [framework] ms11xxx_ie_css
To: "Miguel Rios" <miguelrios35 () yahoo com>
Cc: framework () spool metasploit com
Date: Friday, December 31, 2010, 5:48 PM

On Fri, Dec 31, 2010 at 05:04:53AM -0800, Miguel Rios wrote:
> Hi all,

Hi! Happy new year!

> Too bad no one has really figured out how to get a proper working
> static local version of this exploit yet.

I don't think it's possible because of:

1. The CSS, HTML and .NET DLL files MUST be separate files
2. The CSS file (and html file) are UTF-16LE encoded.
3. The CSS filename uses both bytes of each UTF-16LE character.
4. The CSS file requests itself as well as making a crazy looking 
request based on a converted-to-UTF8 version of the filename.
5. Internet Explorer treats files loaded from the Local Machine Zone
as untrusted and doesn't allow active scripting by default (AFAIK).

If you manage to work around these issues and get it working, please
do let us know.

> On another note, what changed recently in this module?

You can see all changes via our Redmine tracker, see here:

https://www.metasploit.com/redmine/projects/framework/repository/changes/modules/exploits/windows/browser/ms11_xxx_ie_css_import.rb

> I noticed that now all my requests to the metasploit server get
> rejected with the "Target machine does not have the .NET CLR
> 2.0.50727" message, whereas before this didn't happen.

Since the exploit depends on a ROP stager crafted from pieces of the
.NET CLR 2.0.50727, it will not execute without it. In a normal
configuration, the browser will happily tell us whether or not it has
this version of .NET.

> The target machine in this case is XP SP3 english with .NET
> framework 4 installed (browser is ie8), so that should be sufficient,
> no?

No. We are not actually using .NET for its normal purpose, but rather
abusing it to pick and use addresses from within its non-ASLR aware
browser plugin (mscorie.dll).

> I also tried with my win 7 machine with both ie8 and firefox (with
> user agent set to ie8) and I get the same error message. A few days
> ago the firefox set to IE8 user agent worked. Now I get the error
> message constantly.

Append the string ".NET CLR 2.0.50727" to your User Agent and it will 
happily serve to you.

> Anyone else having issues?

Not many issues have been reported. This exploit is very reliable.

> Anyone else have any clues regarding the dynamic CSS file creation
> and how to port it to a static local copy (the original reason for
> this thread which no one has really addressed yet).

Good luck. Some bugs just don't lend themselves to this kind of
conversion...

-- 
Joshua J. Drake
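The thread turns on what the module's ".NET CLR 2.0.50727" User-Agent gate actually keys on (a specific CLR build, not ".NET in general") and on why a User-Agent is a weak signal for what is installed. The Ruby below is an added illustration written for this archive page, not code from the Metasploit module; the User-Agent strings are constructed samples, not real captures.

```ruby
# Added example (not from the Metasploit module): what a User-Agent
# based ".NET CLR 2.0.50727" check sees, and where it gives wrong answers.

# The exact runtime build the thread says the ROP stager is built from.
REQUIRED_CLR = '2.0.50727'

# Return every ".NET CLR x.y.z" build advertised in a User-Agent string.
# IE appends one token per installed runtime, so a host can list several.
def clr_versions(user_agent)
  user_agent.scan(/\.NET CLR (\d+\.\d+\.\d+)/).flatten
end

# True only when the specific build is advertised. A newer runtime alone
# (4.0.x) is not a substitute, because the addresses are taken from the
# 2.0 browser plugin, not from ".NET" in the abstract.
def clr_advertised?(user_agent)
  clr_versions(user_agent).include?(REQUIRED_CLR)
end

# Constructed sample User-Agent strings (not real captures).
SAMPLE_AGENTS = {
  # XP, IE8, .NET 2.0 present: the gate says yes.
  'xp_ie8_net2'      => 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.5.30729)',
  # XP, IE8, only .NET 4 present: the gate says no (matches the thread).
  'xp_ie8_net4_only' => 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 4.0.30319)',
  # A proxy or privacy tool stripped the tokens: the runtime may well be
  # installed, but the check has nothing to go on (false negative).
  'stripped'         => 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)',
  # Firefox spoofing IE8 does not carry the CLR tokens at all.
  'firefox_spoofed'  => 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)',
}

if __FILE__ == $0
  SAMPLE_AGENTS.each do |name, ua|
    puts format('%-17s advertised=%-5s versions=%s', name, clr_advertised?(ua), clr_versions(ua).inspect)
  end
end
```

The "stripped" case is the one behind the question of dropping the check: a User-Agent only reports what the browser chooses to send, so absence of the token does not mean absence of the runtime.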