Thread: Internet Explorer Zero Day attack

  1. #1
    Just burned his ISO (Join Date: Jan 2010, Posts: 4)

    Internet Explorer Zero Day attack

    I ran across a few articles about the Zero Day exploit on Internet Explorer.

    From what I have read, the exploit gives the ability to insert malicious code in links and advertisements.
    How does this exploit work exactly?
    Any articles or explanations would be gladly appreciated!

  2. #2
    Super Moderator lupin (Join Date: Jan 2010, Posts: 2,943)

    It's a memory corruption vulnerability that allows execution of arbitrary code.

    The exploit code that I have seen uses JavaScript, and essentially if a page containing that code is opened in a vulnerable browser, the payload will execute. This is similar to all of the other browser based exploits out there.

    Any method that results in the malicious web content being viewed in a vulnerable browser will trigger the exploit, so you could entice the victim to visit a malicious site, include it in a banner ad, include the code via cross site scripting attacks, hack a site and modify the hosted website to load a frame with the malicious code, etc, etc.
    Capitalisation is important. It's the difference between "Helping your brother Jack off a horse" and "Helping your brother jack off a horse".

    The Forum Rules, Forum FAQ and the BackTrack Wiki... learn them, love them, live them.

  3. #3
    Just burned his ISO (Join Date: May 2009, Posts: 6)

    IE zero day exploit

    You could use one of the ettercap filters.

  4. #4
    Just burned his ISO (Join Date: Jan 2010, Posts: 4)

    Very Interesting...
    I'm not familiar with using JavaScript to inject malicious code. Would it be kind of like injecting HTML code into forms? Could this attack also be done using DNS spoofing?

    Also, what do you mean using an ettercap filter?

  5. #5
    Super Moderator lupin (Join Date: Jan 2010, Posts: 2,943)

    Quote Originally Posted by Mrpeepers310:
      Very Interesting...
      I'm not familiar with using JavaScript to inject malicious code. Would it be kind of like injecting HTML code into forms?
    No not really, it actually involves exploiting the browser and causing an exception that allows the attacker to gain control of execution of the CPU and execute shellcode. A quick look over the code makes me think that it's a heap overflow.

    EDIT: Nope, not a heap overflow, a use after free heap corruption vulnerability.

    Here's a copy of the original exploit so you can see what it looks like:
    Wepawet » JavaScript Report for 1aea206aa64ebeabb07237f1e2230d0f

    There is also a Metasploit module for it:
    Metasploit: Reproducing the "Aurora" IE Exploit
    Metasploit Framework - /modules/exploits/windows/browser/ie_aurora.rb - Metasploit Redmine Interface

    And here is the CVE entry:
    CVE - CVE-2010-0249 (under review)

    The OSVDB entry:
    61697: Microsoft IE mshtml.dll Use-After-Free Arbitrary Code Execution (Aurora)

    And some more random links:
    Code Used in Google Attack Now Public : programming
    Praetorian Prefect | The “Aurora” IE Exploit Used Against Google in Action
    http://www.thesecurityblog.com/2010/...0-day-exploit/


    Edit: I have also used this exploit as the basis for one of my exploit tutorials on my blog, so if you are interested on how this exploit works at a low level of detail visit the link below.

    http://grey-corner.blogspot.com/2010...-internet.html

    Quote Originally Posted by Mrpeepers310:
      Could this attack also be done using DNS spoofing?
    Sure. Spoof the DNS response for a web server that the target client is trying to visit to replace it with the address of a server that's hosting the malicious code.

    Quote Originally Posted by Mrpeepers310:
      Also, what do you mean using an ettercap filter?
    I assume that this means use an Ettercap filter as an exploit delivery mechanism - to modify a client's HTTP traffic or DNS traffic to redirect them to the exploit.
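The use-after-free class lupin identifies above, as an added example that is not from this thread, the Aurora exploit or mshtml: a constructed C model in which a deterministic two-slot allocator stands in for the heap and an Element struct with a function pointer stands in for a browser object (the names and the allocator are assumptions for illustration). It shows why a dispatch through a stale pointer ends up in whatever object now occupies the freed slot, beside the hardened form that invalidates the reference on free.

```c
#include <stddef.h>

/* Constructed stand-in for a browser-style object: the function pointer sits
   at offset 0, much like a vtable pointer. Names are illustrative. */
typedef struct Element Element;
struct Element {
    void (*on_event)(Element *);
    int id;
};

static int last_dispatched = 0;                 /* records which handler ran */
static void legit_handler(Element *e) { (void)e; last_dispatched = 1; }
static void other_handler(Element *e) { (void)e; last_dispatched = 2; }

/* Deterministic two-slot allocator with a LIFO free list: the slot just freed
   is the next one handed out, which is the heap behaviour a stale pointer
   observes. Constructed so the outcome is reproducible, unlike real malloc. */
static Element slots[2];
static int free_stack[2] = {1, 0};
static int free_top = 2;
static Element *alloc_element(void) { return free_top ? &slots[free_stack[--free_top]] : NULL; }
static void free_element(Element *e) { free_stack[free_top++] = (int)(e - slots); }

/* Vulnerable pattern: a raw pointer to the element survives its destruction.
   The slot is reused by a different object, so the dispatch through the stale
   pointer runs the replacement object's handler (returns 2, not 1). */
int dispatch_vulnerable(void) {
    last_dispatched = 0;
    Element *node = alloc_element();
    node->on_event = legit_handler; node->id = 1;
    free_element(node);                   /* object destroyed, pointer kept */
    Element *other = alloc_element();     /* same slot, new contents */
    other->on_event = other_handler; other->id = 2;
    node->on_event(node);                 /* use after free */
    free_element(other);
    return last_dispatched;
}

/* Hardened pattern: the reference is cleared when the object is freed and
   checked before dispatch, so no handler runs through a stale pointer. */
int dispatch_hardened(void) {
    last_dispatched = 0;
    Element *node = alloc_element();
    node->on_event = legit_handler; node->id = 1;
    free_element(node); node = NULL;      /* invalidate on free */
    Element *other = alloc_element();
    other->on_event = other_handler; other->id = 2;
    if (node != NULL) node->on_event(node);
    free_element(other);
    return last_dispatched;               /* returns 0: nothing dispatched */
}
```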
