Metasploit mailing list archives

Payload windows/meterpreter/reverse_http does not work (anymore ?) on a Vista/SP2 victim


From: Bak <bak0un1n3 () live com>
Date: Wed, 1 Jun 2011 08:52:31 -0400

First, I'm not even sure that should be a feature.

Though not explicitly mentioned (the windows/meterpreter/reverse_http payload's info states that it "Tunnels communication over HTTP using IE 6"), the payload works like a charm using an XP(SP3)/IE8 victim.

But using a Vista/IE8 victim:
1) Attacker side gets stuck at "Sending PassiveX DLL (125952 bytes)".
2) Victim browser complains with a "Your security level settings puts your computer at risk" warning. Note that both of the above behaviors are also observed by natron in his (old) post (see below).


So far, I've come to:

- This thread (http://seclists.org/metasploit/2009/q1/235) seems related, but:
  - natron has posted (http://blog.invisibledenizen.org/2009/02/updating-passivex-handler-to-work-with.html) in 2009 a workaround compatible with IE 7; unfortunately the article didn't specify the tested OS (XP, Vista, 7, ...)
  - his fix has already been merged into passivex.rb in the Metasploit SVN trunk, and the source code states that it should also work with IE8 (though it still does not mention the targeted OS).

- The issue #291 (http://dev.metasploit.com/redmine/issues/291) may also be relevant, but that would be a regression, as the ticket has now been closed for a year.

- The issue #3093 (http://dev.metasploit.com/redmine/issues/3093) also came to me, but the proposed fix is again already merged into passivex.rb (though the ticket is still New).

I've tried the tip proposed by natron to reveal the second iexplore.exe's window (http://seclists.org/metasploit/2009/q1/287) in the hope of getting more info, but the window remains invisible (though the process actually exists).

I've spent the night hiding my test malware's behavior within the steps of a recursive Tower of Hanoi solution, and it now gracefully evades Kaspersky; I'm just missing it working on Vista to get some rest. [note: the way I hide the payload setup and activation should not impact its proper behavior]

I've also tested with windows/meterpreter/reverse_tcp, which is also undetected by all my targeted AVs (using my stupid Tower of Hanoi thing), but it sometimes triggers "This application is trying to connect to the Internet ...!". Going through an IE instance, as windows/meterpreter/reverse_http does, bypasses this limitation: generally the AV automatically adds a rule for us.

Any thoughts, advice, pointers, or encouragement welcome.
Thanks.

Bak.




_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework