Rapid7 Vulnerability & Exploit Database

Microsoft Internet Explorer Unsafe Scripting Misconfiguration

Back to Search

Microsoft Internet Explorer Unsafe Scripting Misconfiguration



This exploit takes advantage of the "Initialize and script ActiveX controls not marked safe for scripting" setting within Internet Explorer. When this option is set, IE allows access to the WScript.Shell ActiveX control, which allows javascript to interact with the file system and run commands. This security flaw is not uncommon in corporate environments for the 'Intranet' or 'Trusted Site' zones. When set via domain policy, the most common registry entry to modify is HKLM\ Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\1201, which if set to '0' forces ActiveX controls not marked safe for scripting to be enabled for the Intranet zone. This module creates a javascript/html hybrid that will render correctly either via a direct GET http://msf-server/ or as a javascript include, such as in: http://intranet-server/xss.asp?id="> . IE Tabs, WScript and subsequent Powershell prompts all run as x86 even when run from an x64 iexplore.exe. By default, this module will not attempt to fire against IEs that come with Protected Mode enabled by default, because it can trigger a security prompt. However, if you are feeling brave, you can choose to ignore this restriction by setting the ALLOWPROMPT datastore option to true.


  • natron <natron@metasploit.com>
  • Ben Campbell <eat_meatballs@hotmail.co.uk>






Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

msf > use exploit/windows/browser/ie_unsafe_scripting
msf exploit(ie_unsafe_scripting) > show targets
msf exploit(ie_unsafe_scripting) > set TARGET < target-id >
msf exploit(ie_unsafe_scripting) > show options
    ...show and set options...
msf exploit(ie_unsafe_scripting) > exploit

Time is precious, so I don’t want to do something manually that I can automate. Leveraging the Metasploit Framework when automating any task keeps us from having to re-create the wheel as we can use the existing libraries and focus our efforts where it matters.

– Jim O’Gorman | President, Offensive Security