Metasploit mailing list archives
ie_createobject exploit
From: hdm at metasploit.com (H D Moore)
Date: Sun, 10 Dec 2006 13:07:25 -0600
On Thursday 30 November 2006 09:01, G Portokalidis wrote:
> When I try the ie_createobject exploit everything seems to be working fine, a file is downloaded in c:\windows\prefetch, but an error occurs when trying to execute that file, which I assume actually contains the payload.

Sounds like some kind of anti-virus or security software at work.

> What I am more interested in is how this exploit works. I've been browsing the net, but all I could find is "unspecified vulnerability" that allows executing arbitrary code.

This module exploits three "known" vulnerabilities, each with the same underlying problem. The exploit works by using a "safe" COM object to create an instance of an unsafe object. The RDS bug is patched, the WMI issue is still unpatched (affects anyone who installed the WMI SDK), and the Outlook.Application bug only affects older versions of Office. I sprinkled some other "bad" but usually unsafe COM objects into the target list, just in case the victim's security settings have already been abused by another piece of malware.

> Does anyone have any additional information? Is it an overflow (stack, heap), or a design flaw that simply allows remote users to save and execute code?

These are all design flaws.

> This is of special interest to me, since I am trying to figure out why this evades detection from the Argos emulator (www.few.vu.nl/argos).

Ninjaness++

> Is it possible that the Windows version I am using is not vulnerable?

If the file is being downloaded at all, it is vulnerable.

> I am running MDAC v 2.81.1117. MS says Windows XP SP2 with MDAC v2.8 is vulnerable, I am not sure whether mine falls into that category.

Sounds like some third-party software is interfering with the exploit.

-HD
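
The pattern described in the reply above (a page-hosted "safe" COM object used to create an instance of another object) can be looked for statically in captured HTML. The following is an added example, not part of the original message or of the Metasploit module: it flags script calls to a `CreateObject` method on an object the page itself hosts. The method name is an assumption taken from the module name, and the element ids, CLSIDs and ProgID in the samples are constructed placeholders.

```python
import re
from html.parser import HTMLParser

# <name>.CreateObject( in script text. Method name assumed from the module name.
CALL_RE = re.compile(r"\b([A-Za-z_$][\w$]*)\s*\.\s*CreateObject\s*\(", re.I)
# <name> = document.createElement("object"): an object element built at runtime.
DYN_RE = re.compile(
    r"\b([A-Za-z_$][\w$]*)\s*=\s*document\s*\.\s*createElement\s*\(\s*['\"]object['\"]", re.I)

class _Collector(HTMLParser):
    """Collects <object id=... classid=...> elements and inline script text."""
    def __init__(self):
        super().__init__()
        self.objects, self.scripts, self._in_script = {}, [], False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "object" and a.get("id"):
            self.objects[a["id"].lower()] = a.get("classid") or "(no classid)"
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)

def find_createobject_chains(html):
    """Return (name, classid) for each CreateObject call made on a page-hosted object."""
    c = _Collector()
    c.feed(html)
    c.close()
    script = "\n".join(c.scripts)
    holders = dict(c.objects)
    for m in DYN_RE.finditer(script):
        holders.setdefault(m.group(1).lower(), "(classid set at runtime)")
    # Calls on names that are not page-hosted objects (e.g. a script host's own
    # CreateObject) are ignored, which keeps ordinary scripts from being flagged.
    return [(m.group(1), holders[m.group(1).lower()])
            for m in CALL_RE.finditer(script) if m.group(1).lower() in holders]

# Constructed samples: ids, CLSIDs and the ProgID are placeholders, not real objects.
SAMPLE_FLAGGED = """<object id="helper" classid="clsid:00000000-0000-0000-0000-000000000001"></object>
<script>var made = helper.CreateObject("Example.Placeholder", "");</script>"""
SAMPLE_BENIGN = """<object id="player" classid="clsid:00000000-0000-0000-0000-000000000002"></object>
<script>player.Play(); var s = WScript.CreateObject("Example.Placeholder");</script>"""

if __name__ == "__main__":
    print(find_createobject_chains(SAMPLE_FLAGGED), find_createobject_chains(SAMPLE_BENIGN))
```

A hit is a lead for review rather than a verdict: the reported classid still has to be checked against the objects actually installed and permitted on the client.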