Wednesday, July 23, 2008

Leveraging Client-Side Exploits In Your Pentests

Wrapping up a pentest this week and got to do a little "user awareness training" with the current and unpatched ActiveX Control for Microsoft Access Snapshot Viewer exploit. Fsecure has a little writeup on it as well as securityfocus with POC code.

This one is nice because its a auto download exploit. You call the ActiveX control and it downloads the file you specify to the location you specify. This is a great exploit from a user training perspective because you can make the binary as benign or dangerous as you want. I of course shoved a reverse shell out over FBP (firewall bypass protocol aka TCP 443).

Delivery is simple enough, you create an email with a link (see my metagoofil post if you need help gathering those emails) and ask politely for users with elevated permissions on the network to click on it. You embed snapshot viewer code in that page, point the download location to somewhere fun like all users/startup, and tail -f /apache/access.log to see who browses the site, who enables the activeX control (your users do know better right? or you do have your default IE settings to high right?) and who downloads your binary. If all goes well, after lunch you'll have your shell :-)

POC code from secfocus:


Anonymous said...

Post your code, or it didnt happen :)
(note, I cant get it to work the way you describe it and its giving me a headache)

CG said...

I'll probably regret this but...

whats not working?

Anonymous said...

lol, no dont regret it :) I figured it out, but I had to modify the code a little bit from the original versions I saw.

This is what worked for me:

*object classid ='clsid:F0E42D50-368C-11D0-AD81-00A0C90DC8D9' id='obj'*
*script language ='javascript'*
var buf1 = ''
var buf2 = 'C:/Documents and Settings/AllUsers/Desktop/crap.exe'
obj.SnapshotPath = buf1
obj.CompressedPath = buf2

(cant use some tags, so substitute the obvious)

Apologies, I just hate NOT seeing code.

CG said...

is that working for you?
i had to add a couple extra /'s


var buf2 = 'C:/Documents and Settings/AllUsers/Desktop/crap.exe'

turned into:
"C:\\\\Documents and Settings\\\\All Users\\\\Desktop\\\\crap.exe

Anonymous said...

Strange... I tested ph4nt0m's code (the one posted here) on W2K SP4 IE6 and worked just fine. No need to modify it with extra backslashes (\).

CG said...

does it still work with them?

Anonymous said...

Yep, it worked like a cham. No need to use backslashes. Not even obj.PrintSnapshot(buf1,buf2).

Here's the code I used: