Microsoft Internet Explorer Unsafe Scripting Misconfiguration

Disclosed
2010-09-20
Created
2018-05-30

Description

This exploit takes advantage of the "Initialize and script ActiveX controls not
marked safe for scripting" setting within Internet Explorer. When this option is set,
IE allows access to the WScript.Shell ActiveX control, which allows javascript to
interact with the file system and run commands. This security flaw is not uncommon
in corporate environments for the 'Intranet' or 'Trusted Site' zones.

When set via domain policy, the most common registry entry to modify is HKLM\
Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\1201,
which if set to '0' forces ActiveX controls not marked safe for scripting to be
enabled for the Intranet zone.
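An added audit script (not part of the module or its description) that a defender can run on a workstation to check how the action 1201 is set for each IE zone. Beyond the HKLM policy key quoted above, it also reads the equivalent HKCU policy key and the non-policy per-machine and per-user Zones keys (assumed standard locations); the value meanings 0 = Enable, 1 = Prompt, 3 = Disable are the usual IE zone action values.

```powershell
# Added audit example, not the module's own code. Reports the
# "Initialize and script ActiveX controls not marked safe for scripting"
# action (value 1201) per IE security zone and flags the condition the
# module relies on: 1201 set to 0 for the Intranet or Trusted Sites zone.
$ZoneNames = @{ 0 = 'My Computer'; 1 = 'Local Intranet'; 2 = 'Trusted Sites'; 3 = 'Internet'; 4 = 'Restricted Sites' }
$Actions   = @{ 0 = 'Enable (unsafe)'; 1 = 'Prompt'; 3 = 'Disable' }

# Policy keys override user preferences; the HKLM policy key is the one
# domain policy normally writes. The other three roots are assumed
# standard locations for the same setting.
$Roots = @(
    'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
)

$Findings = foreach ($root in $Roots) {
    foreach ($zone in 0..4) {
        $key = Join-Path $root $zone
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        $val = $props.'1201'
        if ($null -eq $val) { continue }   # not set at this level; IE falls back to the next
        [pscustomobject]@{
            Hive   = $root.Split('\')[0]
            Policy = ($root -like '*\Policies\*')
            Zone   = "$zone ($($ZoneNames[$zone]))"
            Value  = [int]$val
            Action = if ($Actions.ContainsKey([int]$val)) { $Actions[[int]$val] } else { "Unknown ($val)" }
        }
    }
}

$Findings | Format-Table -AutoSize

# The exposure the module needs: Enable (0) in zone 1 (Intranet) or 2 (Trusted Sites).
$Exposed = $Findings | Where-Object { $_.Value -eq 0 -and $_.Zone -match '^(1|2) ' }
if ($Exposed) {
    $where = ($Exposed | ForEach-Object { "$($_.Hive) zone $($_.Zone)" }) -join '; '
    Write-Warning "ActiveX controls not marked safe for scripting are ENABLED in: $where"
} else {
    Write-Output 'No Intranet or Trusted Sites zone has 1201 set to 0 (Enable).'
}
```

A value of 3 (Disable) in the HKLM policy key for zones 1 and 2 removes the precondition this module depends on; a reading from a non-policy key only applies when no policy key sets the value.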

This module creates a javascript/html hybrid that will render correctly either
via a direct GET http://msf-server/ or as a javascript include, such as in:
http://intranet-server/xss.asp?id=">
.

IE Tabs, WScript and subsequent Powershell prompts all run as x86 even when run from
an x64 iexplore.exe.

By default, this module will not attempt to fire against IEs that come with Protected
Mode enabled by default, because it can trigger a security prompt. However, if you are
feeling brave, you can choose to ignore this restriction by setting the ALLOWPROMPT
datastore option to true.

Authors

natron natron@metasploit.com
Ben Campbell eat_meatballs@hotmail.co.uk

Platform

Windows

Architectures

x86

Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

msf > use exploit/windows/browser/ie_unsafe_scripting
msf exploit(ie_unsafe_scripting) > show targets
...targets...
msf exploit(ie_unsafe_scripting) > set TARGET < target-id >
msf exploit(ie_unsafe_scripting) > show options
...show and set options...
msf exploit(ie_unsafe_scripting) > exploit