Internet Explorer Zero Day attack

[Mrpeepers310]

I ran across a few articles about the Zero Day exploit on Internet Explorer.

From what I have read, the exploit gives the ability to insert malicious code in links and advertisements.
How does this exploit work exactly?
Any articles or explanations would be gladly appreciated!

[lupin]

Its a memory corruption vulnerability that allows execution of arbitrary code.

The exploit code that I have seen uses JavaScript, and essentially if a page containing that code is opened in a vulnerable browser, the payload will execute. This is similar to all of the other browser based exploits out there.

Any method that results in the malicious web content being viewed in a vulnerable browser will trigger the exploit, so you could entice the victim to visit a malicious site, include it in a banner add, include the code via cross site scripting attacks, hack a site and modify the hosted website to load a frame with the malicious code, etc, etc.

[imported_icebreaker101010]

You could use one of ettercap filters.

[Mrpeepers310]

Very Interesting...
I'm not familiar with using javascript to inject malicious code. Would it be kind of like injecting html code into forms? Could this attack also be done using dns spoofing?

Also, What do you mean using an ettercap filter?

[lupin]

Very Interesting...
I'm not familiar with using javascript to inject malicious code. Would it be kind of like injecting html code into forms?

No not really, it actually involves exploiting the browser and causing a exception that allows the attacker to gain control of execution of the CPU and execute shellcode. A quick look over the code makes me think that its a heap overflow.

EDIT: Nope, not a heap overflow, a use after free heap corruption vulnerability.

Heres a copy of the original exploit so you can see what it looks like:
Wepawet » JavaScript Report for 1aea206aa64ebeabb07237f1e2230d0f

There is also a Metasploit module for it:
Metasploit: Reproducing the "Aurora" IE Exploit
Metasploit Framework - /modules/exploits/windows/browser/ie_aurora.rb - Metasploit Redmine Interface

And here is the CVE entry:
CVE - CVE-2010-0249 (under review)

The OSVDB entry:
61697: Microsoft IE mshtml.dll Use-After-Free Arbitrary Code Execution (Aurora)

And some more random links:
Code Used in Google Attack Now Public : programming
Praetorian Prefect | The “Aurora” IE Exploit Used Against Google in Action
http://www.thesecurityblog.com/2010/...0-day-exploit/


Edit: I have also used this exploit as the basis for one of my exploit tutorials on my blog, so if you are interested on how this exploit works at a low level of detail visit the link below.

http://grey-corner.blogspot.com/2010...-internet.html

Could this attack also be done using dns spoofing?

Sure. Spoof the DNS response for a web server that the target client is trying to visit to replace it with the address of a server thats hosting the malicious code.

Also, What do you mean using an ettercap filter?

I assume that this means use an Ettercap filter as an exploit delivery mechanism - to modify a clients HTTP traffic or DNS traffic to redirect them to the exploit.