PassiveX Payloads

Starting with the 2.4 release, the Metasploit Framework can be used to load arbitrary ActiveX controls into a target process. This feature works by patching the registry of the target system and causing the exploited process to launch Internet Explorer with a URL pointing back to the Framework. The Framework starts up a simple web server that accepts the request and sends back a web page instructing the browser to load an ActiveX component. The exploited system then downloads, registers, and executes the ActiveX control.
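Because the technique depends on Internet Explorer being willing to download and run an unsolicited control, a defender's first question on a suspect host is whether the browser's security zone settings still have their hardened defaults. The following PowerShell audit is an added example, not code from the Metasploit Framework or from this guide: it reads the Internet zone (zone 3) ActiveX policy values under HKCU and HKLM and flags the ones that are set to Enable. The value names are the standard IE zone policy identifiers; which of them a given PassiveX deployment actually changes is described in the linked article, not on this page, so treating these four as the ones to watch is an assumption.

```powershell
# Added example (not from the Metasploit documentation): audit the Internet Explorer
# "Internet" zone (zone 3) for ActiveX settings that would allow a control to be
# downloaded and scripted without a prompt. The selection of these four policy
# values as the ones relevant to PassiveX is an assumption.

$zonePaths = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
)

# Standard IE zone policy value names and what each one controls.
$activeXPolicies = @{
    '1001' = 'Download signed ActiveX controls'
    '1004' = 'Download unsigned ActiveX controls'
    '1200' = 'Run ActiveX controls and plug-ins'
    '1201' = 'Initialize and script ActiveX controls not marked as safe for scripting'
}

# In a default Internet zone these are Prompt or Disable; a value of 0 (Enable) is a red flag.
$expectNotEnabled = @('1001', '1004', '1201')

function Get-ActiveXZoneFindings {
    foreach ($path in $zonePaths) {
        if (-not (Test-Path $path)) { continue }
        $key = Get-ItemProperty -Path $path
        foreach ($name in $activeXPolicies.Keys) {
            $value = $key.$name
            if ($null -eq $value) { continue }   # value absent: IE uses its built-in default
            $state = switch ($value) {
                0       { 'Enable' }
                1       { 'Prompt' }
                3       { 'Disable' }
                default { "Unknown($value)" }
            }
            [pscustomobject]@{
                Hive       = $path.Split(':')[0]
                Policy     = $name
                Meaning    = $activeXPolicies[$name]
                State      = $state
                Suspicious = ($value -eq 0 -and $expectNotEnabled -contains $name)
            }
        }
    }
}

$findings = Get-ActiveXZoneFindings
$findings | Sort-Object Hive, Policy | Format-Table -AutoSize

if ($findings | Where-Object Suspicious) {
    Write-Warning 'Internet zone permits silent ActiveX download or scripting; confirm whether this was an administrative change.'
}
```

Run it in an elevated session so the HKLM branch is readable; a Suspicious row in HKCU only is typical of a per-user change, which is worth correlating with the user's recent browser and process activity rather than treating as proof on its own.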

The basic PassiveX payload, win32_passivex, supports any custom ActiveX that you develop. In addition to the base payload, three other PassiveX modules are included in the Framework. These can be used to execute a command shell, load the Meterpreter, or inject a VNC service. When any of these three payloads are used, the PassiveX object will emulate a TCP connection through HTTP GET and POST requests. This allows you to interact with a command shell, VNC, or the Meterpreter using nothing but standard HTTP traffic.

Since PassiveX uses the Internet Explorer browser to load the ActiveX component, its traffic will pass right through an outbound web proxy, using whatever proxy and authentication settings have already been configured on the system. The PassiveX system included in 2.4 will only work when the target system has Internet Explorer 6.0 or newer installed. Future versions may work around this limitation. For more information about PassiveX, please see the Uninformed Journal article titled "Post-Exploitation on Windows using ActiveX Controls", located online at:

http://www.uninformed.org/?v=1&a=3&t=pdf