
Tunneling Shellcode with ActiveX

hdm writes "In the first issue of the Uninformed Journal, skape describes a method for using ActiveX as a transport mechanism for shellcode. The implementation, dubbed 'PassiveX', can be used to tunnel an interactive command shell or full VNC session over the HTTP protocol. PassiveX takes advantage of the Internet Explorer settings to pass through web proxies and escape restrictive outbound firewalls."
  • by TripMaster Monkey ( 862126 ) * on Friday May 13, 2005 @04:30PM (#12523763)

    Tunneling other protocols through HTTP is certainly nothing new, and hackers have been using the technology to establish secure communications channels with compromised machines through firewalls as long as the technique has been around.

    That being said, I was impressed with the in-depth coverage of this particular type of exploit. A fascinating read... www.uninformed.org is definitely bookmarked.

  • I just went through the article and the other links. Seems a seed for a new project, albeit Windows. But I need something like this for one of my management projects. THX HDM and ZONK
  • Perhaps they should change it to www.informed.org
  • There have been a limited number of malicious applications (keyloggers, spyware) which have been able to take advantage of the IE proxy settings and standard explorer DLLs to "phone home" in an environment where outbound access is restricted.

    This paper appears to document the same basic problem, and is strictly a difference of degree, not kind.

  • So would you call this an intended 'feature' of IE/ActiveX/Windows or an unintended 'bug'?
  • For another exploit? With the vulnerabilities in IE itself, in RPC, and in ActiveX, who needs another entry hole? Of course it would be better if MS didn't deny the existence of bugs for months before being bothered to fix them...
