A new Microsoft Internet Explorer 0day exploit has been found circulating in-the-wild. According to Microsoft, there are targeted attacks attempting to use this vulnerability. Microsoft published a security advisory for this vulnerability here:
Microsoft Security Advisory (981374): Vulnerability in Internet Explorer Could Allow Remote Code Execution
The vulnerability is a use-after-free (invalid pointer reference) vulnerability within iepeers.dll and only Internet Explorer versions 6 and 7 are vulnerable. Internet Explorer 8 and 5 are not affected.
I’ve found this exploit in-the-wild on www.topix21century.com. The payload download and executes a binary file which connects back to notes.topix21century.com.
Here’s the exploit as it was found in-the-wild, a bit un-obfuscated and payload removed – ie_iepeers_wild.txt
And here’s a Metasploit exploit module for this vulnerability. Tested successfully on the following platforms:
– Microsoft Internet Explorer 7, Windows Vista SP2
– Microsoft Internet Explorer 7, Windows XP SP3
– Microsoft Internet Explorer 6, Windows XP SP3
Download ie_iepeers_pointer.rb.
Also on Metasploit.
As usual, this post will update with further references and updates when available.
Happy exploitation :-)
>> References:
CVE-2010-0806
OSVDB 62810
BID 38615
McAfee Labs Blog – Targeted Internet Explorer Zero-Day Attack Announced (CVE-2010-0806)
Symantec Connect – Zero-Day attack on IE6 – JS.Sykipot Doesn’t Spare Retired Software
>> Microsoft patched this vulnerability – MS10-018.
Categories: Exploits • Metasploit
37 Comments | 
Comments RSS | 
TrackBack URL
RSS 2.0
ATOM 1.0
RDF 1.0
Links OPML
OpenSearch
[...] Recognize-Security | Microsoft Internet Explorer iepeers.dll use-after-free exploit (meta) [...]
[...] ??????? ??? ????? ??????? . ??????? ??? ??????? ?????? Metasploit . ??????? ??? ????? ???? Microsoft . [...]
[...] reading here: Recognize-Security | Microsoft Internet Explorer iepeers.dll use … Share and [...]
[...] is the original post: Recognize-Security | Microsoft Internet Explorer iepeers.dll use … Earn 500$ easy with your Twitter account! View admin's Profile [...]
[...] Read more here: Recognize-Security | Microsoft Internet Explorer iepeers.dll use … [...]
[...] The new zero-day attacks immediately used in targeted attacks.In the past few days we have captured a number of samples derived from the version published on the rec-sec website. [...]
[...] researcher Moshe Ben Abu used a clue in a Wednesday blog post by McAfee to grab an in-the-wild exploit, strip it of its [...]
[...] a step security pros said earlier would be the precursor to widespread attacks.Israeli researcher Moshe Ben Abu used a clue in a Wednesday blog post by McAfee to grab an in-the-wild exploit, strip it of its [...]
[...] researcher Moshe Ben Abu used a clue in a Wednesday blog post by security vendor McAfee Inc. to grab an in-the-wild exploit, [...]
[...] Moshe Ben Abu announced his work in a blog post on Wednesday and said it was being included in the open-source Metasploit exploit [...]
[...] Kolargol00 writes “Heise online reports the availability of an exploit (Google translation) for the yet-unpatched MSA-981374 affecting Internet Explorer 6 and 7. It has already been spotted in the wild by McAfee and integrated into the Metasploit Framework.” [...]
[...] the execution of arbitrary code that can result in a compromised system. The exploit code was published by Israeli researcher Moshe Ben Abu, who used a clue present in a blog post by McAfee to obtain an [...]
[...] Moshe Ben Abu announced his work in a blog post on Wednesday and said it was being included in the open-source Metasploit exploit [...]
[...] See the original post: Recognize-Security | Microsoft Internet Explorer iepeers.dll use … [...]
[...] Moshe Ben Abu announced his work in a blog post on Wednesday and said it was being included in the open-source Metasploit exploit [...]
[...] Here is the original post: Recognize-Security | Microsoft Internet Explorer iepeers.dll use … [...]
[...] provided by Trancer (Moshe Ben Abu) with modifications to the original that unobfusticate portions of code and remove [...]
[...] Moshe Ben Abu announced his work in a blog post on Wednesday and said it was being included in the open-source Metasploit exploit [...]
[...] Moshe Ben Abu announced his work in a blog post on Wednesday and said it was being included in the open-source Metasploit exploit [...]
[...] but de cette publication (en ligne ? cette adresse) est de mettre en garde contre l’exploitation possible d’une faille ? partir des [...]
[...] provided by Trancer (Moshe Ben Abu) with modifications to the original that [...]
[...] ????????3/9???IE6?IE7???????????????????????????????????????Moshe Ben Abu??????3/10???????????? [...]
[...] (in grado di mitigare l’esposizione del browser). La fonte dell’attacco ? gi? stata identificata: una semplice visita sul sito creato sfruttando il codice permette ad un malintenzionato di [...]
[...] Moshe Ben Abu announced his work in a blog post on Wednesday and said it was being included in the open-source Metasploit exploit [...]
[...] Izraelski specjalista do spraw bezpiecze?stwa, Moshe Ben Abu opublikowa? exploita na najnowsz? luk? wykryt? w IE 6 oraz 7 (Microsoft Security Advisory – 981374) o kt?rej 3 [...]
A vulnerability in IE? I’m calling BS on this one…
[...] Recognize-Security | Microsoft Internet Explorer iepeers.dll use-after-free exploit (meta) [...]
Does this exploit function correctly on Win-98 with IE6-Sp1?
How can I take the example exploit code and turn it into a file I can use to test with?
@98 Guy
I didn’t test the exploit on Windows 98 but I think it should work fine. Maybe it needs a little fine-tuning, probably tweaking the heap spray function will resolve it.
Send me an email and we’ll figure it out.
[...] Original 0-Day: http://www.rec-sec.com/2010/03/10/internet-explorer-iepeers-use-after-free-exploit/ [...]
[...] Moshe Ben Abu announced his work in a blog post on Wednesday and said it was being included in the open-source Metasploit exploit [...]
[...] Veja os detalhes em http://www.rec-sec.com/2010/03/10/internet-explorer-iepeers-use-after-free-exploit/ [...]
[...] Original Source: http://www.rec-sec.com/2010/03/10/internet-explorer-iepeers-use-after-free-exploit/ [...]
[...] Microsoft Internet Explorer iepeers.dll use-after-free exploit (meta) Post a Comment ? [...]
Another reason why I suspect I am happy with only using Chrome.
Have you thought to be including additional video clips for your websites and keep the readers more interested? I mean I just read over the article of yours and it was very fine but as I’m more of a visual learner,I discovered that to get more valuable. Just my my idea, Good luck
Fantastic site. Plenty of handy information and facts in this article. Therefore i’m mailing it to some associates ans also revealing in delicious. Not to mention, good sweat!