Uninformed: Informative Information for the Uninformed

Vol 1 » 2005.May


Foreword

Abstract: When exploiting software vulnerabilities, it is sometimes impossible to build direct communication channels between a target machine and an attacker's machine due to restrictive outbound filters that may be in place on the target machine's network. Bypassing these filters involves creating a post-exploitation payload that is capable of masquerading as normal user traffic from within the context of a trusted process. One method of accomplishing this is to create a payload that enables ActiveX controls by modifying Internet Explorer's zone restrictions. With ActiveX controls enabled, the payload can then launch a hidden instance of Internet Explorer that is pointed at a URL with an embedded ActiveX control. The end result is the ability for an attacker to run custom code in the form of a DLL on a target machine by using a trusted process that uses one or more trusted communication protocols, such as HTTP or DNS.

Thanks: The author would like to thank H D Moore, spoonm, vlad902, thief, warlord, optyx, johnycsh, trew, jhind, and all the other people who continue to research new and interesting things for their own satisfaction and enjoyment. The author would also like to thank the Metasploit Framework mailing list for the discussion on HTTP tunneling, which served as the impetus for implementing and integrating PassiveX.

The source code to the ActiveX Injection Payload and ActiveX control described in this document can be found as an update to the Metasploit Framework version 2.3, which can be downloaded from http://www.metasploit.com. PassiveX was tested with ZoneAlarm version 5.5.062.011.