Posted by Trancer on Sep 28 2010
What can I say about the Stuxnet worm that hasn’t been said yet… It is one of the most media-covered (read: hyped) malware attacks in recent memory. The Stuxnet worm is by far the most sophisticated malware ever seen.
Here are some of the highlights of the Stuxnet worm:
- Discovered in June 2010 by VirusBlokAda, a Belarus-based anti-virus vendor.
- Targets Supervisory Control And Data Acquisition (SCADA) systems, specifically Siemens SIMATIC WinCC and PCS 7.
- Capable of reprogramming Programmable Logic Controllers (PLCs).
- Uses three different vulnerabilities to spread itself: the CVE-2010-2568 CPLINK vulnerability (MS10-046), the CVE-2010-2729 Print Spooler vulnerability (MS10-061) and the CVE-2008-4250 Windows Server Service RPC handling vulnerability (MS08-067), which was also used by the Conficker worm. The first two were 0days.
- Two more zero-day exploits, both still unpatched, for privilege escalation vulnerabilities: one on Windows XP/2000 (via a keyboard layout file) and one on Windows Vista/7 (via the Task Scheduler).
- Uses a zero-day vulnerability in Siemens WinCC: hard-coded credentials (uid=WinCCConnect;pwd=2WSXcder) that allow local users to access the back-end database and gain privileges (CVE-2010-2772).
- Its driver payloads (MrxCls.sys and MrxNet.sys) are digitally signed with two stolen certificates, belonging to JMicron Technology Corporation and Realtek Semiconductor Corp.
Yeah, I know. That is one crazy worm.
Because of its complexity and sophistication, the knowledge it requires for attacking industrial infrastructure and the use of four different zero-day exploits, it is believed that the Stuxnet worm is a nation-funded attack. Israel, the United States and NATO are the most speculated origins, and the Bushehr Nuclear Power Plant or the Natanz nuclear facility are the most speculated targets. Whoever built it left almost no clues (b:\myrtus\src\objfre_w2k_x86\i386\guava.pdb). But in my opinion, with the amount of sophistication put in this attack, we’ll probably never get answers for these questions.
For further information and technical analysis of the Stuxnet worm I recommend reading:
– ESET analysis of the Stuxnet worm and comparison with Operation Aurora – Stuxnet Under the Microscope or online on Google Docs.
– Symantec wrote some very detailed posts on Stuxnet – Symantec Connect.
– Langner security analysis of Stuxnet – Stuxnet is a directed attack — ‘hack of the century’.
– Securelist blog on Stuxnet.
– Stuxnet Questions and Answers by F-Secure.
– Symantec released a technical analysis white paper – W32.Stuxnet Dossier or online on Google Docs.
Update:
For anyone interested, here’s a sample of Win32/Stuxnet.A provided by Abysssec for educational purposes only – Stuxnet_stub_Unpacked.zip (password: abysssec).
Categories: Malware

Posted by Trancer on Mar 10 2010
A new Microsoft Internet Explorer 0day exploit has been found circulating in-the-wild. According to Microsoft, there are targeted attacks attempting to use this vulnerability. Microsoft published a security advisory for this vulnerability here:
Microsoft Security Advisory (981374): Vulnerability in Internet Explorer Could Allow Remote Code Execution
The vulnerability is a use-after-free (invalid pointer reference) vulnerability within iepeers.dll and only Internet Explorer versions 6 and 7 are vulnerable. Internet Explorer 8 and 5 are not affected.
I’ve found this exploit in-the-wild on www.topix21century.com. The payload downloads and executes a binary file which connects back to notes.topix21century.com.
Here’s the exploit as it was found in the wild, partially de-obfuscated and with the payload removed – ie_iepeers_wild.txt
And here’s a Metasploit exploit module for this vulnerability. Tested successfully on the following platforms:
– Microsoft Internet Explorer 7, Windows Vista SP2
– Microsoft Internet Explorer 7, Windows XP SP3
– Microsoft Internet Explorer 6, Windows XP SP3
Download ie_iepeers_pointer.rb.
Also on Metasploit.
As usual, this post will update with further references and updates when available.
Happy exploitation :-)
>> References:
CVE-2010-0806
OSVDB 62810
BID 38615
McAfee Labs Blog – Targeted Internet Explorer Zero-Day Attack Announced (CVE-2010-0806)
Symantec Connect – Zero-Day attack on IE6 – JS.Sykipot Doesn’t Spare Retired Software
>> Microsoft patched this vulnerability – MS10-018.
Categories: Exploits • Metasploit

Posted by Trancer on Jan 25 2010
Wrote a new Metasploit exploit module for the AOL 9.5 Phobos.Playlist ActiveX control Import() stack-based buffer overflow vulnerability.
This module exploits a stack-based buffer overflow within Phobos.dll of AOL 9.5. By setting an overly long value to ‘Import()’, an attacker can overrun a buffer and execute arbitrary code.
This vulnerability was found by Hellcode Research and was published recently by Dz_attacker. There is still no patch from AOL; if you want to test it, you can get the vulnerable package from the AOL 9.5 page.
The exploit was successfully tested on the following platforms:
– AOL 9.5 (Revision 4337.155) on Internet Explorer 7, Windows XP SP3
Phobos.dll version tested:
– File Version: 9.5.0.1
– ClassID: A105BD70-BF56-4D10-BC91-41C88321F47C
– RegKey Safe for Script: False
– RegKey Safe for Init: False
– Implements IObjectSafety: False
– KillBitSet: False
Because this ActiveX control is marked neither safe for initialization nor safe for scripting, Internet Explorer will only instantiate it from the Local Machine Zone, so exploitation is possible only there: the victim must run the generated exploit file locally.
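As a defender-side check added here (not part of the original post or the module), the following PowerShell reads the registry-visible safety state that the list above reports for a control and can apply Microsoft's standard kill bit mitigation; the CLSID is taken from the post, and running it elevated on a Windows box is assumed.

```powershell
# Added example (not from the original post): inspect the registry-visible safety
# state of an ActiveX control and, optionally, apply the standard mitigation
# (the kill bit) so Internet Explorer refuses to instantiate it in any zone.
# Assumes the CLSID from the post; run in an elevated PowerShell on the test box.
param(
    [string]$Clsid = '{A105BD70-BF56-4D10-BC91-41C88321F47C}',
    [switch]$SetKillBit
)

# Component categories that IE consults before instantiating a control
$SafeForScripting = '{7DD95801-9882-11CF-9FA9-00AA006C42C4}'
$SafeForInit      = '{7DD95802-9882-11CF-9FA9-00AA006C42C4}'
$KillBit          = 0x400   # bit in "Compatibility Flags" that blocks the control

$clsidKey  = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid"
$compatKey = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"

if (-not (Test-Path $clsidKey)) {
    Write-Output "$Clsid is not registered on this machine."
    return
}

$server = (Get-ItemProperty "$clsidKey\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
$flags  = (Get-ItemProperty $compatKey -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'

# A control is "safe" only if it registers the corresponding category key.
# IObjectSafety (negotiated at runtime) is not visible in the registry and is not checked here.
[pscustomobject]@{
    ClassID          = $Clsid
    Server           = $server
    SafeForScripting = Test-Path "$clsidKey\Implemented Categories\$SafeForScripting"
    SafeForInit      = Test-Path "$clsidKey\Implemented Categories\$SafeForInit"
    KillBitSet       = [bool](([int]$flags) -band $KillBit)
} | Format-List

if ($SetKillBit) {
    # The kill bit blocks the control everywhere, including the Local Machine Zone.
    New-Item -Path $compatKey -Force | Out-Null
    $newFlags = ([int]$flags) -bor $KillBit
    Set-ItemProperty -Path $compatKey -Name 'Compatibility Flags' -Value $newFlags -Type DWord
    Write-Output ("Kill bit set for {0} (Compatibility Flags = 0x{1:X})" -f $Clsid, $newFlags)
}
```

Without `-SetKillBit` the script only reports; on the configuration listed above it should show all three registry-visible flags as False, matching the post.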
Download aol_phobos_bof.rb.
Also on Metasploit and exploit-db.
References:
OSVDB 61964
exploit-db 11204
Categories: Exploits • Metasploit
