A new Microsoft Internet Explorer 0day exploit has been found circulating in-the-wild. According to Microsoft, there are targeted attacks attempting to use this vulnerability. Microsoft published a security advisory for this vulnerability here:
Microsoft Security Advisory (981374): Vulnerability in Internet Explorer Could Allow Remote Code Execution
The vulnerability is a use-after-free (invalid pointer reference) vulnerability within iepeers.dll and only Internet Explorer versions 6 and 7 are vulnerable. Internet Explorer 8 and 5 are not affected.
I’ve found this exploit in-the-wild on www.topix21century.com. The payload download and executes a binary file which connects back to notes.topix21century.com.
Here’s the exploit as it was found in-the-wild, a bit un-obfuscated and payload removed – ie_iepeers_wild.txt
And here’s a Metasploit exploit module for this vulnerability. Tested successfully on the following platforms:
– Microsoft Internet Explorer 7, Windows Vista SP2
– Microsoft Internet Explorer 7, Windows XP SP3
– Microsoft Internet Explorer 6, Windows XP SP3
Download ie_iepeers_pointer.rb.
Also on Metasploit.
As usual, this post will update with further references and updates when available.
Happy exploitation :-)
>> References:
CVE-2010-0806
OSVDB 62810
BID 38615
McAfee Labs Blog – Targeted Internet Explorer Zero-Day Attack Announced (CVE-2010-0806)
Symantec Connect – Zero-Day attack on IE6 – JS.Sykipot Doesn’t Spare Retired Software
>> Microsoft patched this vulnerability – MS10-018.
Categories: Exploits • Metasploit
36 Comments | 
Comments RSS | 
TrackBack URL
RSS 2.0
ATOM 1.0
RDF 1.0
Links OPML
OpenSearch
[...] Recognize-Security | Microsoft Internet Explorer iepeers.dll use-after-free exploit (meta) [...]
[...] ??????? ??? ????? ??????? . ??????? ??? ??????? ?????? Metasploit . ??????? ??? ????? ???? Microsoft . [...]
[...] reading here: Recognize-Security | Microsoft Internet Explorer iepeers.dll use … Share and [...]
[...] is the original post: Recognize-Security | Microsoft Internet Explorer iepeers.dll use … Earn 500$ easy with your Twitter account! View admin's Profile [...]
[...] Read more here: Recognize-Security | Microsoft Internet Explorer iepeers.dll use … [...]
[...] The new zero-day attacks immediately used in targeted attacks.In the past few days we have captured a number of samples derived from the version published on the rec-sec website. [...]
[...] researcher Moshe Ben Abu used a clue in a Wednesday blog post by McAfee to grab an in-the-wild exploit, strip it of its [...]
[...] a step security pros said earlier would be the precursor to widespread attacks.Israeli researcher Moshe Ben Abu used a clue in a Wednesday blog post by McAfee to grab an in-the-wild exploit, strip it of its [...]
[...] researcher Moshe Ben Abu used a clue in a Wednesday blog post by security vendor McAfee Inc. to grab an in-the-wild exploit, [...]
[...] Moshe Ben Abu announced his work in a blog post on Wednesday and said it was being included in the open-source Metasploit exploit [...]
[...] Kolargol00 writes “Heise online reports the availability of an exploit (Google translation) for the yet-unpatched MSA-981374 affecting Internet Explorer 6 and 7. It has already been spotted in the wild by McAfee and integrated into the Metasploit Framework.” [...]
[...] the execution of arbitrary code that can result in a compromised system. The exploit code was published by Israeli researcher Moshe Ben Abu, who used a clue present in a blog post by McAfee to obtain an [...]
[...] Moshe Ben Abu announced his work in a blog post on Wednesday and said it was being included in the open-source Metasploit exploit [...]
[...] See the original post: Recognize-Security | Microsoft Internet Explorer iepeers.dll use … [...]
[...] Moshe Ben Abu announced his work in a blog post on Wednesday and said it was being included in the open-source Metasploit exploit [...]
[...] Here is the original post: Recognize-Security | Microsoft Internet Explorer iepeers.dll use … [...]
[...] provided by Trancer (Moshe Ben Abu) with modifications to the original that unobfusticate portions of code and remove [...]
[...] Moshe Ben Abu announced his work in a blog post on Wednesday and said it was being included in the open-source Metasploit exploit [...]
[...] Moshe Ben Abu announced his work in a blog post on Wednesday and said it was being included in the open-source Metasploit exploit [...]
[...] but de cette publication (en ligne ? cette adresse) est de mettre en garde contre l’exploitation possible d’une faille ? partir des [...]
[...] provided by Trancer (Moshe Ben Abu) with modifications to the original that [...]
[...] ????????3/9???IE6?IE7???????????????????????????????????????Moshe Ben Abu??????3/10???????????? [...]
[...] (in grado di mitigare l’esposizione del browser). La fonte dell’attacco ? gi? stata identificata: una semplice visita sul sito creato sfruttando il codice permette ad un malintenzionato di [...]
[...] Moshe Ben Abu announced his work in a blog post on Wednesday and said it was being included in the open-source Metasploit exploit [...]
[...] Izraelski specjalista do spraw bezpiecze?stwa, Moshe Ben Abu opublikowa? exploita na najnowsz? luk? wykryt? w IE 6 oraz 7 (Microsoft Security Advisory – 981374) o kt?rej 3 [...]
A vulnerability in IE? I’m calling BS on this one…
[...] Recognize-Security | Microsoft Internet Explorer iepeers.dll use-after-free exploit (meta) [...]
Does this exploit function correctly on Win-98 with IE6-Sp1?
How can I take the example exploit code and turn it into a file I can use to test with?
@98 Guy
I didn’t test the exploit on Windows 98 but I think it should work fine. Maybe it needs a little fine-tuning, probably tweaking the heap spray function will resolve it.
Send me an email and we’ll figure it out.
[...] Original 0-Day: http://www.rec-sec.com/2010/03/10/internet-explorer-iepeers-use-after-free-exploit/ [...]
[...] Moshe Ben Abu announced his work in a blog post on Wednesday and said it was being included in the open-source Metasploit exploit [...]
[...] Veja os detalhes em http://www.rec-sec.com/2010/03/10/internet-explorer-iepeers-use-after-free-exploit/ [...]
[...] Original Source: http://www.rec-sec.com/2010/03/10/internet-explorer-iepeers-use-after-free-exploit/ [...]
[...] Microsoft Internet Explorer iepeers.dll use-after-free exploit (meta) Post a Comment ? [...]
Another reason why I suspect I am happy with only using Chrome.
Have you thought to be including additional video clips for your websites and keep the readers more interested? I mean I just read over the article of yours and it was very fine but as I’m more of a visual learner,I discovered that to get more valuable. Just my my idea, Good luck