Dailydave mailing list archives

Re: IE attack...


From: str0ke <str0ke () milw0rm com>
Date: Sat, 25 Mar 2006 10:57:07 -0600

On 3/25/06, Dave Aitel <dave () immunityinc com> wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

So this is the IE attack various sites are owning people with...I
stumbled on it while browsing random things. It's been a pretty bad
week for IE this week. Of course, it's been a pretty bad year for IE.
Been a pretty bad time all around for IE. Motto: "Giving Host
Intrusion Prevention vendors case study after case study."

I don't know why the other lists aren't posting this. Maybe there was
a memo that went around where you try to keep people from knowing what
they're actually at risk from.

- -dave

Ya, this was released on Thursday by Unl0ck Research Team; removed
comment section below.

<!--
 -_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_
/\
\/      Internet Explorer Remote Code Execution Exploit v 0.1
/\                by Darkeagle of Unl0ck Research Team
\/
/\      used SkyLined idea of exploitation. special tnx goes to him.
\/

Affected Software       :  Microsoft Internet Explorer 6.x, IE7 Beta 2
Severity                :  Critical
Impact          :  Remote System Access
Solution Status :  ** UNPATCHED **
Discovered by   :  Computer Terrorism (UK)
Advisory Date   :  22nd March, 2006
Tested          :  WinXP SP2 RUS IE 6.0 (full patched)

Vulnerability details:

PoC from CyberTerrorists crashes IE and overwrites EIP. EIP points to
an unknown place. In my case it points to 0x3c0474c2.
Exploit fills heap with "nops+shellcode" 'til 0x3CxxXXxx. Then IE tries
to read memory @ 0x3c0474c2. At this time 0x3c0474c2 contains
nops+shellcode. In the end IE executes shellcode.

Exploit needs more RAM.
Tested under 192mb RAM with 800mb of maximum page cache.

Under 512mb code was executed after 1-1.5 minutes.

Successful exploitation will execute the standard Windows calculator.

Greets:
                Unl0ck Researchers,
                0x557 guys,
                ph4nt0m guys,
                sh0k, uf0,
                BlackSecurity guys,
                many otherz.

/\      http://unl0ck.net
\/      
/\      (c) 2004 - 2006
\/
 -_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_
 -->
