Posted by Trancer on Mar 10 2010
A new Microsoft Internet Explorer 0day exploit has been found circulating in-the-wild. According to Microsoft, there are targeted attacks attempting to use this vulnerability. Microsoft published a security advisory for this vulnerability here:
Microsoft Security Advisory (981374): Vulnerability in Internet Explorer Could Allow Remote Code Execution
The vulnerability is a use-after-free (invalid pointer reference) vulnerability within iepeers.dll and only Internet Explorer versions 6 and 7 are vulnerable. Internet Explorer 8 and 5 are not affected.
I’ve found this exploit in-the-wild on www.topix21century.com. The payload download and executes a binary file which connects back to notes.topix21century.com.
Here’s the exploit as it was found in-the-wild, a bit un-obfuscated and payload removed – ie_iepeers_wild.txt
And here’s a Metasploit exploit module for this vulnerability. Tested successfully on the following platforms:
– Microsoft Internet Explorer 7, Windows Vista SP2
– Microsoft Internet Explorer 7, Windows XP SP3
– Microsoft Internet Explorer 6, Windows XP SP3
Download ie_iepeers_pointer.rb.
Also on Metasploit.
As usual, this post will update with further references and updates when available.
Happy exploitation :-)
>> References:
CVE-2010-0806
OSVDB 62810
BID 38615
McAfee Labs Blog – Targeted Internet Explorer Zero-Day Attack Announced (CVE-2010-0806)
Symantec Connect – Zero-Day attack on IE6 – JS.Sykipot Doesn’t Spare Retired Software
>> Microsoft patched this vulnerability – MS10-018.
Categories: Exploits • Metasploit

36 Comments | Comments RSS | TrackBack URL
Posted by Trancer on Jan 25 2010
Wrote a new Metaspoit exploit module for the AOL 9.5 Phobos.Playlist ActiveX control Import() stack-based buffer overflow vulnerability.
This module exploits a stack-based buffer overflow within Phobos.dll of AOL 9.5. By setting an overly long value to ‘Import()’, an attacker can overrun a buffer and execute arbitrary code.
This vulnerability was found by Hellcode Research and was published recently by Dz_attacker. Still no patch from AOL, if you want to test it you can get the vulnerable package from the AOL 9.5 page.
The exploit was successfully tested on the following platforms:
– AOL 9.5 (Revision 4337.155) on Internet Explorer 7, Windows XP SP3
Phobos.dll version tested:
– File Version: 9.5.0.1
– ClassID: A105BD70-BF56-4D10-BC91-41C88321F47C
– RegKey Safe for Script: False
– RegKey Safe for Init: False
– Implements IObjectSafety: False
– KillBitSet: False
Due to the safe for initialization and safe for scripting settings of this ActiveX control, exploitation is possible only from Local Machine Zone, which means the victim must run the generated exploit file locally.
Download aol_phobos_bof.rb.
Also on Metasploit and exploit-db.
References:
OSVDB 61964
exploit-db 11204
Categories: Exploits • Metasploit

0 Comments | Comments RSS | TrackBack URL
Posted by Trancer on Nov 01 2009
Hello readers. If you didn’t heard about it already, on October 21st, 2009, the hackers favorite exploitation framework – the Metasploit Project was acquired by Rapid7, a vulnerability management, compliance, and penetration testing company. Yep, a commercial company.
The Metasploit Project creator, HD Moore, and one of the developers, Egypt, now got a full time job working on and developing the Metasploit Project. HD in the position of Chief Architect of Metasploit and Egypt as a core developer of Metasploit at Rapid7.
If you read this blog often you probably noticed that I’m a big supporter of the Metasploit Project. I use it on a daily basis, preforming penetration tests and exploit development while at work or at home for fun. As you may guess, my feelings about the acquisition are mixed. On one side this is a good thing, this is a big step for the Metasploit Project. Now it’ll grow and develop faster and rapidly and us, the users, will get a better, faster, more advanced and less buggy program, and I believe we’ll start seeing faster release cycles. But on the other side, now the Metasploit Project which was a free, open source, community driven project, is managed by a commercial company. I think the worst case scenario will be if Rapid7 decide to make Metasploit a commercial product, which will be a sad thing. This won’t be the first time it’ll happen to a good security product. The best example here is the Nessus vulnerability scanner which was acquired by Tenable Network Security back in 2005.
I hope the fate of the Metasploit Project won’t be the same as Nessus. HD Moore stated on the Metasploit blog that the project will remain free and open source. So, if that’s the case and long as the Metasploit Project will stay that way I think the users should be happy about it. I will continue to support the Metasploit Project and develop exploits and other modules for it and contribute in every way I can.
I guess all there’s left to say is congratulations to HD Moore and Egypt for the acquisition, keep on rocking.
References:
>> Metasploit Rising – HD Moore write about the acquisition on the Metasploit blog.
>> Rapid7 Acquires Metasploit – The Metasploit acquisition by Rapid7 CEO.
>> Rapid7 Acquisition FAQ – Questions and answers about the acquisition.
>> Metasploit + Rapid7 shakes up pen-test landscape – Ryan Naraine write about the penetration testing market changes followed by the acquisition.
Categories: Metasploit • Security News

2 Comments | Comments RSS | TrackBack URL
Posted by Trancer on Jul 06 2009
The CSIS Security Group found (credit correction – see the update below) a 0day exploit in-the-wild that exploit a vulnerability within Microsoft DirectShow (msvidctl.dll) in the way it handles MPEG-2 files.
The exploit found is used to preform drive-by attacks via compromised Chinese web sites.
Original exploit (as it is in-the-wild) can be found here (shellcode changed to execute calc.exe) – aa.rar.
You can read the translated post here or read this post from ISC diary.
Here’s a Metasploit exploit module I wrote that exploit this vulnerability.
Tested successfully on the following platforms (fully patched 06/07/09):
– Internet Explorer 6, Windows XP SP2
– Internet Explorer 7, Windows XP SP3
Download msvidctl_mpeg2.rb.
Also on Metasploit.
Also, if you want to test this vulnerability manually, here’s a little Ruby script I wrote that build GIF files to trigger the vulnerability:
Download msvidctl_gif.rb.
This is the second exploit found in-the-wild in the past month that exploit a vulnerability in Microsoft DirectShow. In June, an exploit was found in-the-wild that exploit a vulnerability in DirectShow QuickTime Movie Parser Filter (quartz.dll). Liam O Murchu of Symantec wrote an analysis for this exploit here:
DirectShow Exploit In the Wild
DirectShow Exploit In the Wild, Part II
This post will update with additional updates about this vulnerability.
Updates:
>> It seems that CSIS Security Group wasn’t the first to discover this exploit in-the-wild, KingSoft from China was the first to spot this exploit – KingSoft blog (translated).
Thank to Carsten Eiram for pointing it out.
>> References:
CVE-2008-0015
OSVDB 55651
BID 35558
Microsoft Security Advisory (972890)
SA35683
>> Blog posts and news:
Microsoft Security Research & Defense blog
ZDNet Zero Day blog
Symantec Connect blog
>> SANS ISC Handler’s Diary have posted a blog post that will update frequently with list of domains that is actively exploiting this vulnerability. Note that the vast majority of the domains is up for only a short period of time – IE 0day exploit domains (updating).
>> As the CVE number implies (early 2008), it turns out that Microsoft was aware of this vulnerability for a long time. In the security advisory, Microsoft thanks Ryan Smith and Alex Wheeler of Hustle Labs of ISS X-Force for initially reporting this vulnerability. Well, I guess that’s what happens when you wait too long to patch a vulnerability, eventually someone else will discover it and wont chose the path of responsible disclosure.
>> Guido Landi details the vulnerability in his blog – PornoSecurity.
>> In their security advisory, Microsoft recommends setting the kill bit for 44 classid’s. With some of them it is possible to reproduce the bug. Check out I)ruid’s update for the Metasploit exploit.
>> Microsoft Video ActiveX control 0day technical details blog post by TippingPoint DVLabs.
>> Interesting post regarding this vulnerability by Halvar Flake – Poking around MSVIDCTL.DLL.
>> Microsoft fix the msvidctl.dll memory corruption vulnerability in MS09-032. The “patch” does NOT fix the vulnerability, only setting a kill bit to all the vulnerable Video ActiveX controls.
>> Microsoft fix the source of the msvidctl.dll memory corruption vulnerability in MS09-037.
Categories: Exploits • Metasploit

4 Comments | Comments RSS | TrackBack URL
Older Posts » |