Dailydave mailing list archives
Re: IE attack...
From: str0ke <str0ke () milw0rm com>
Date: Sat, 25 Mar 2006 10:57:07 -0600
On 3/25/06, Dave Aitel <dave () immunityinc com> wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

So this is the IE attack various sites are owning people with...I stumbled on it while browsing random things.

It's been a pretty bad week for IE this week. Of course, it's been a pretty bad year for IE. Been a pretty bad time all around for IE. Motto: "Giving Host Intrusion Prevention vendors case study after case study."

I don't know why the other lists aren't posting this. Maybe there was a memo that went around where you try to keep people from knowing what they're actually at risk from.

- -dave

Ya this was released on Thursday by Unl0ck Research Team, removed comment section below.

<!--
-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_
/\
\/    Internet Explorer Remote Code Execution Exploit v 0.1
/\    by Darkeagle of Unl0ck Research Team
\/
/\    used SkyLined idea of exploitation. special tnx goes to him.
\/

Affected Software : Microsoft Internet Explorer 6.x, IE7 Beta 2
Severity          : Critical
Impact            : Remote System Access
Solution Status   : ** UNPATCHED **
Discovered by     : Computer Terrorism (UK)
Advisory Date     : 22nd March, 2006
Tested            : WinXP SP2 RUS IE 6.0 (full patched)

Vulnerability details:

PoC from CyberTerrorists crashes IE and overwrites EIP. EIP points to unknown place.
In my case it points to 0x3c0474c2.
Exploit fills heap with "nops+shellcode" 'til 0x3CxxXXxx. Then IE tries to read memory @ 0x3c0474c2.
At this time 0x3c0474c2 contains nops+shellcode. In the end IE executes shellcode.

Exploit needs more RAM.
Tested under 192mb RAM with 800mb of maximum page cache.
Under 512mb code was executed after 1-1.5 minutes.

Successful exploitation will execute standard windows calculator.

Greets:
Unl0ck Researchers,
0x557 guys,
ph4nt0m guys,
sh0k, uf0,
BlackSecurity guys,
many otherz.

/\    http://unl0ck.net
\/
/\    (c) 2004 - 2006
\/
-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_
-->