A new Microsoft Internet Explorer 0day exploit has been found circulating in-the-wild. According to Microsoft, there are targeted attacks attempting to use this vulnerability. Microsoft published a security advisory for this vulnerability here:
Microsoft Security Advisory (981374): Vulnerability in Internet Explorer Could Allow Remote Code Execution
The vulnerability is a use-after-free (invalid pointer reference) vulnerability within iepeers.dll and only Internet Explorer versions 6 and 7 are vulnerable. Internet Explorer 8 and 5 are not affected.
I’ve found this exploit in-the-wild on www.topix21century.com. The payload download and executes a binary file which connects back to notes.topix21century.com.
Here’s the exploit as it was found in-the-wild, a bit un-obfuscated and payload removed – ie_iepeers_wild.txt
And here’s a Metasploit exploit module for this vulnerability. Tested successfully on the following platforms:
– Microsoft Internet Explorer 7, Windows Vista SP2
– Microsoft Internet Explorer 7, Windows XP SP3
– Microsoft Internet Explorer 6, Windows XP SP3
Download ie_iepeers_pointer.rb.
Also on Metasploit.
As usual, this post will update with further references and updates when available.
Happy exploitation :-)
>> References:
CVE-2010-0806
OSVDB 62810
BID 38615
McAfee Labs Blog – Targeted Internet Explorer Zero-Day Attack Announced (CVE-2010-0806)
Symantec Connect – Zero-Day attack on IE6 – JS.Sykipot Doesn’t Spare Retired Software
Categories: Exploits, Metasploit
37 Comments | 
Comments RSS | 
TrackBack URL
RSS 2.0
ATOM 1.0
RDF 1.0
Links OPML
OpenSearch
[...] Recognize-Security | Microsoft Internet Explorer iepeers.dll use-after-free exploit (meta) [...]
[...] ??????? ??? ????? ??????? . ??????? ??? ??????? ?????? Metasploit . ??????? ??? ????? ???? Microsoft . [...]
[...] reading here: Recognize-Security | Microsoft Internet Explorer iepeers.dll use … Share and [...]
[...] is the original post: Recognize-Security | Microsoft Internet Explorer iepeers.dll use … Earn 500$ easy with your Twitter account! View admin's Profile [...]
[...] Read more here: Recognize-Security | Microsoft Internet Explorer iepeers.dll use … [...]
[...] The new zero-day attacks immediately used in targeted attacks.In the past few days we have captured a number of samples derived from the version published on the rec-sec website. [...]
[...] researcher Moshe Ben Abu used a clue in a Wednesday blog post by McAfee to grab an in-the-wild exploit, strip it of its [...]
[...] a step security pros said earlier would be the precursor to widespread attacks.Israeli researcher Moshe Ben Abu used a clue in a Wednesday blog post by McAfee to grab an in-the-wild exploit, strip it of its [...]
[...] researcher Moshe Ben Abu used a clue in a Wednesday blog post by security vendor McAfee Inc. to grab an in-the-wild exploit, [...]
[...] Moshe Ben Abu announced his work in a blog post on Wednesday and said it was being included in the open-source Metasploit exploit [...]
[...] Kolargol00 writes “Heise online reports the availability of an exploit (Google translation) for the yet-unpatched MSA-981374 affecting Internet Explorer 6 and 7. It has already been spotted in the wild by McAfee and integrated into the Metasploit Framework.” [...]
[...] the execution of arbitrary code that can result in a compromised system. The exploit code was published by Israeli researcher Moshe Ben Abu, who used a clue present in a blog post by McAfee to obtain an [...]
[...] Moshe Ben Abu announced his work in a blog post on Wednesday and said it was being included in the open-source Metasploit exploit [...]
[...] See the original post: Recognize-Security | Microsoft Internet Explorer iepeers.dll use … [...]
[...] Moshe Ben Abu announced his work in a blog post on Wednesday and said it was being included in the open-source Metasploit exploit [...]
[...] Here is the original post: Recognize-Security | Microsoft Internet Explorer iepeers.dll use … [...]
[...] provided by Trancer (Moshe Ben Abu) with modifications to the original that unobfusticate portions of code and remove [...]
[...] Moshe Ben Abu announced his work in a blog post on Wednesday and said it was being included in the open-source Metasploit exploit [...]
[...] Moshe Ben Abu announced his work in a blog post on Wednesday and said it was being included in the open-source Metasploit exploit [...]
[...] but de cette publication (en ligne ? cette adresse) est de mettre en garde contre l’exploitation possible d’une faille ? partir des [...]
[...] provided by Trancer (Moshe Ben Abu) with modifications to the original that [...]
[...] ????????3/9???IE6?IE7???????????????????????????????????????Moshe Ben Abu??????3/10???????????? [...]
[...] (in grado di mitigare l’esposizione del browser). La fonte dell’attacco ? gi? stata identificata: una semplice visita sul sito creato sfruttando il codice permette ad un malintenzionato di [...]
[...] Moshe Ben Abu announced his work in a blog post on Wednesday and said it was being included in the open-source Metasploit exploit [...]
[...] Izraelski specjalista do spraw bezpiecze?stwa, Moshe Ben Abu opublikowa? exploita na najnowsz? luk? wykryt? w IE 6 oraz 7 (Microsoft Security Advisory – 981374) o kt?rej 3 [...]
A vulnerability in IE? I’m calling BS on this one…
[...] Recognize-Security | Microsoft Internet Explorer iepeers.dll use-after-free exploit (meta) [...]
Does this exploit function correctly on Win-98 with IE6-Sp1?
How can I take the example exploit code and turn it into a file I can use to test with?
@98 Guy
I didn’t test the exploit on Windows 98 but I think it should work fine. Maybe it needs a little fine-tuning, probably tweaking the heap spray function will resolve it.
Send me an email and we’ll figure it out.
[...] Original 0-Day: http://www.rec-sec.com/2010/03/10/internet-explorer-iepeers-use-after-free-exploit/ [...]
[...] Moshe Ben Abu announced his work in a blog post on Wednesday and said it was being included in the open-source Metasploit exploit [...]
[...] Veja os detalhes em http://www.rec-sec.com/2010/03/10/internet-explorer-iepeers-use-after-free-exploit/ [...]
[...] Original Source: http://www.rec-sec.com/2010/03/10/internet-explorer-iepeers-use-after-free-exploit/ [...]
[...] Microsoft Internet Explorer iepeers.dll use-after-free exploit (meta) Post a Comment ? [...]
Great site!!! Bookmarked.
Nice exploit! Especially nice that you can exploit it from JS…
?????? ????
???????????? ? ?????? ? ??????? ?? ????
???????????? ????????? ?????????? ???????????, ?????? ?????? ? ???????? ????????? ? ?????? ??????? ?? ????, ????????? ????????? ? ??????? ??? ???? ??????????, ??? ?????????? ??????????? ??? ????????????? ? ?????? ????????? ????????????? ?????. ???????????, ??? ???????? ??????????????. ??????????? ??? ?????? ????? ???? ??? ????????? ????? ???????? ????????? ?????? ?? ????, ??????????????? ????????? ??????????? ?????. ? ???????????? ? ??????? ?????????????? ??????, ?????????? ??????????? ?????????? ????????? ?? 30% ?????????? ???????? ?????????? ?????? ??????? ?????? ?? ????, ?? ????? 20% ????????? ???????? ? 14% ????????? ? ??????????? ??????????????? ???????, ?????????? ? ??????? ?? ????.
? ????????? ??? ???? ????