Post-Exploitation on Windows using ActiveX Controls
skape
mmiller@hick.org
Last modified: 03/18/2005
Contents
1 Foreword 2
2 Introduction 3
3 Implementation: PassiveX 6
3.1 The ActiveX Injection Payload 9
3.2 HTTP Tunneling ActiveX Control 16
4 Potential Uses and Enhancements 22
4.1 Automation with Scripting 22
4.2 Passive Information Gathering 23
4.3 Penetration Testing 23
4.4 Worm Propagation 24
5 Methods of Prevention 25
5.1 Heuristic based filtering 25
5.2 Improving application-based filters 26
6 Conclusion 27
Chapter 1
Foreword
Abstract: When exploiting software vulnerabilities it is sometimes impossible to build direct communication channels between a target machine and an attacker’s machine due to restrictive outbound filters that may be in place on the target machine’s network. Bypassing these filters involves creating a post-exploitation payload that is capable of masquerading as normal user traffic from within the context of a trusted process. One method of accomplishing this is to create a payload that enables ActiveX controls by modifying Internet Explorer’s zone restrictions. With ActiveX controls enabled, the payload can then launch a hidden instance of Internet Explorer that is pointed at a URL with an embedded ActiveX control. The end result is the ability for an attacker to run custom code in the form of a DLL on a target machine by using a trusted process that uses one or more trusted communication protocols, such as HTTP or DNS.
Thanks: The author would like to thank H D Moore, spoonm, vlad902, thief, warlord, optyx, johnycsh, trew, jhind, and all the other people who continue to research new and interesting things for their own satisfaction and enjoyment.
T