Re: COM Server-Based Binary Planting ProofOfConcept

[yati sagade <yati.sagade () gmail com>]

Hi,
Nice revelations here. what we need to understand here is that the majority
of Windows users there *will* fall for the remote exploit because of their
inherent casualness(some actually think that 7 is the nicest OS ever made).
I appreciate the efforts taken in finding these exploits, especially on such
a closed, undocumented system. Additionally , thanks for those amusing
tricks with special folders.

keep up the good job.

regards,

yati

On Thu, Jun 2, 2011 at 9:51 PM, Mitja Kolsek <mitja.kolsek () acros si> wrote:

> Thor, the "Online Proof of Concept" section of the blog post points you to
> a *remote*
> exploit (without any warning) but let me repeat the link here:
>
> http://www.binaryplanting.com/demo/XP_2-click/test.html
>
> Visit this with IE8 on 32-bit Windows XP.
>
> Please find further information here:
>
>
> http://blog.acrossecurity.com/2011/05/anatomy-of-com-server-based-binary.html
>
> http://blog.acrossecurity.com/2011/05/silently-pwning-protected-mode-ie9-and.html
>
> In general there are two types of remote binary planting exploits: SMB and
> WebDAV.
> The former works inside (local) networks where firewalls block outbound SMB
> traffic.
> WebDAV attacks work through firewalls too since many firewalls allow
> outbound WebDAV
> traffic and Windows silently fall back to WebDAV if SMB doesn't work. If
> our online
> remote exploit doesn't work for you, you can download the PoC locally and
> test it in
> your local network.
>
> I'll be happy to explain it to you further if need be.
>
> Thanks,
> Mitja
>
>
> > -----Original Message-----
> > From: Thor (Hammer of God) [mailto:thor () hammerofgod com]
> > Sent: Thursday, June 02, 2011 6:00 PM
> > To: security () acrossecurity com; 'Dan Kaminsky'
> > Cc: full-disclosure () lists grok org uk; bugtraq () securityfocus com
> > Subject: RE: [Full-disclosure] COM Server-Based Binary
> > Planting ProofOfConcept
> >
> > But it *is* worth mentioning that you have to create the
> > malicious dll file, copy it to the system, create folders
> > etc, and all the other mumbo jumbo to "exploit" this in the
> > "default configuration."   So, the answer to Dan's question
> > is actually, "no, you can't."  Which brings into question the
> > actual "worth" of mentioning this in the first place. :)
> >
> > t
> >
> > > -----Original Message-----
> > > From: full-disclosure-bounces () lists grok org uk
> > > [mailto:full-disclosure- bounces () lists grok org uk] On
> > Behalf Of ACROS
> > > Security Lists
> > > Sent: Thursday, June 02, 2011 8:42 AM
> > > To: 'Dan Kaminsky'; security () acrossecurity com
> > > Cc: full-disclosure () lists grok org uk; bugtraq () securityfocus com
> > > Subject: Re: [Full-disclosure] COM Server-Based Binary
> > Planting Proof
> > > OfConcept
> > >
> > > It would hardly be worth mentioning otherwise.
> > >
> > > Cheers,
> > > Mitja
> > >
> > > > -----Original Message-----
> > > > From: full-disclosure-bounces () lists grok org uk
> > > > [mailto:full-disclosure-bounces () lists grok org uk] On
> > Behalf Of Dan
> > > > Kaminsky
> > > > Sent: Thursday, June 02, 2011 5:36 PM
> > > > To: security () acrossecurity com
> > > > Cc: si-cert () arnes si; full-disclosure () lists grok org uk;
> > > > bugtraq () securityfocus com; cert () cert org
> > > > Subject: Re: [Full-disclosure] COM Server-Based Binary Planting
> > > > Proof OfConcept
> > > >
> > > > Does this run code without prompting, on a reasonably default
> > > > configuration?
> > > >
> > > > On Thu, Jun 2, 2011 at 7:52 AM, ACROS Security Lists
> > > > <lists () acros si>
> > > > wrote:
> > > > > We published a remote/local proof of concept for the COM
> > > > Server-Based
> > > > > Binary Planting exploit presented at the Hack in the Box
> > > > conference in Amsterdam.
> > > > > Feel free to try it out online if WebDAV works through your
> > > > firewall,
> > > > > or download it and test it in your local network or simply
> > > > on your computer.
> > > > >
> > http://blog.acrossecurity.com/2011/06/com-server-based-binary-planti
> > > > ng
> > > > > -proof.html
> > > > > or
> > > > > http://bit.ly/iSxHKO
> > > > >
> > > > > Best regards,
> > > > >
> > > > > Mitja Kolsek
> > > > > CEO&CTO
> > > > >
> > > > > ACROS, d.o.o.
> > > > > Makedonska ulica 113
> > > > > SI - 2000 Maribor, Slovenia
> > > > > tel: +386 2 3000 280
> > > > > fax: +386 2 3000 282
> > > > > web: http://www.acrossecurity.com
> > > > >
> > > > > ACROS Security: Finding Your Digital Vulnerabilities Before
> > > > Others Do
> > > > > _______________________________________________
> > > > > Full-Disclosure - We believe in it.
> > > > > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > > > > Hosted and sponsored by Secunia - http://secunia.com/
> > > >
> > > > _______________________________________________
> > > > Full-Disclosure - We believe in it.
> > > > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > > > Hosted and sponsored by Secunia - http://secunia.com/
> > >
> > > _______________________________________________
> > > Full-Disclosure - We believe in it.
> > > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > > Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/