Wednesday, November 19, 2008

Metasploit 3.2 released

Despite a number of delays and HDM's slave-driving schedule, The Metasploit Framework version 3.2 was officially released today. My main contributions include reliable bind, reverse, and findsock payloads for PHP script vulnerabilities and Browser Autopwn, a web client fingerprinting exploit machine.

I will post more about Browser Autopwn, including some step-by-step explanations of how I use it, in the coming days.

Sunday, November 09, 2008

obj.grabAnkles();

As far as I can tell, it is impossible to determine whether an ActiveX object created by classid actually works without just calling specific methods of that control and catching any exceptions. It doesn't seem to matter whether it was created with an <object> tag, or through JavaScript's document.createElement("object") or document.write("<object...>"). Internet Explorer turns anything with an id attribute into a property of document, and yet if you have

<object id="foo" classid="clsid:BD96C556-65A3-11D0-983A-00C04FC29E36" />

document.foo advertises no property or method that is not available from an object with no classid.

For those of you playing at home, yes this classid is one of the vulnerable ActiveX controls used in the MDAC / ie_createobject exploits. If the object actually got instantiated correctly and we can talk to it, typeof(document.foo.CreateObject) returns "unknown" rather than the "undefined" returned for properties that don't exist. So if we know a specific method that the ActiveX implements, we can check to make sure it worked using that. It is unfortunate, then, that there does not seem to be a standard method or property that all ActiveX objects must implement. Unless I'm missing something, because of the lack of a universal method or property, we cannot generically determine whether an ActiveX control created in this way was successfully instantiated. Thus, my "solution" for now is to save a method to test along with the classid. If this doesn't work, I just might give up on browser_autopwn's fingerprinting altogether and simply throw every single exploit at the client. And also maybe shoot myself. I really hate IE.
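The check described above, written up as an added example that is not code from the original post or from Metasploit: each classid is paired with a method the control is known to implement, and the typeof result of that method decides whether the control really instantiated. It assumes an IE-era DOM (document.write, id attributes exposed as document properties); the only classid and method used are the ones the post names.

```javascript
// Each probe pairs a classid with a method the control is known to implement,
// the post's workaround for the lack of a universal ActiveX method or property.
var CONTROL_PROBES = [
  { label: "MDAC control named in the post",
    classid: "BD96C556-65A3-11D0-983A-00C04FC29E36",
    method: "CreateObject" }
];

// Classify the typeof result of a method lookup on a control instance.
// IE reports "unknown" for a live COM method and "undefined" for a property
// that does not exist (the control never instantiated); "function" covers
// scriptable wrappers exposed by other hosts.
function classifyTypeof(kind) {
  if (kind === "unknown" || kind === "function") return "usable";
  if (kind === "undefined") return "not-instantiated";
  return "indeterminate";
}

function probeControl(doc, probe) {
  var id = "ax_" + probe.classid.replace(/-/g, "");
  // Instantiate via document.write; the post notes all creation routes behave alike.
  doc.write('<object id="' + id + '" classid="clsid:' + probe.classid + '"></object>');
  // IE turns any id attribute into a property of document; fall back to getElementById.
  var obj = doc[id] || doc.getElementById(id) || {};
  var kind;
  try {
    kind = typeof obj[probe.method];
  } catch (e) {
    // Some blocked or broken controls throw on property access; report it rather than guess.
    return { classid: probe.classid, status: "exception", detail: String(e) };
  }
  return { classid: probe.classid, status: classifyTypeof(kind), detail: kind };
}

// Run every probe and return the controls that are reachable from script. A
// hardening check (e.g. confirming kill-bits took effect) expects this to be empty.
function reachableControls(doc, probes) {
  var out = [];
  for (var i = 0; i < probes.length; i++) {
    var r = probeControl(doc, probes[i]);
    if (r.status === "usable") out.push(r.classid);
  }
  return out;
}
```

Outside IE, pass a constructed stand-in for `document` to exercise the classification logic, since no other engine returns "unknown" from typeof.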