Relates to this story :
http://www.pcworld.com/article/155190/new_web_attack_exploits_unpatched_ie_flaw.html
Here is the extracted shellcode from the IE7 0day referenced above.
XOR encoded payload for analysis - compile and run it through Ollydbg.
http://secdev.zoller.lu/research/shellcode_ana1.c
The decrypted shellcode is available for download here :
http://secdev.zoller.lu/research/decrypted_asm_shellcode.txt
Update
I was not interested in posting the 0day, but somebody choose to do so on milw0rm.com, so I might aswell link there : http://milw0rm.com/sploits/2008-iesploit.tar.gz
Update2
HDmoore posted a nice analysis here : http://www.breakingpointsystems.com/community/
Update 3
11/12/2008 - 04:19
5 out of 32 scanners recognising the 0day in HTML form
http://www.virustotal.com/de/analisis/596d88d57bc91d977f037f317eb9aa99
11/12/2008 - 17:34
7 out of 38 scanners recognising the exploit
http://www.virustotal.com/en/analisis/a68e1c2813483a58cfdd6509ccd8fe5e
http://virscan.org/report/4907067f0f0aab53261348413dea9bc9.html
12/12/2008 - 17:04
11 out of 38 scanners recognising the exploit
http://www.virustotal.com/de/analisis/475269215b8379537e45a8fd94f8dc9c
http://virscan.org/report/7a00119178654949124b62e85d2a42c8.html
13/12/2008 - 17:00
12 out of 38 AV engines recognise the exploit
http://www.virustotal.com/en/analisis/286266a9e8096ef17bb1aa6f15a1a31f
14/12/2008 - 19:45
14 out of 38 AV engines recognise the exploit
http://www.virustotal.com/en/analisis/5e8909eea79dc716caac8af09f22ac3f
http://virscan.org/report/47f8b4811744eaebb7d48fcc942009cb.html
15/12/2008 - 18:25
Still 14 out of 38 AV engines recognise the exploit
http://www.virustotal.com/de/analisis/592728a9493349692fc2b33e799a6a33
16/12/2008 - 18:25
15 out of 38 AV engines recognise the exploit
http://www.virustotal.com/en/analisis/28208f37d1d2c732be026a9a2990c86e
17/12/2008 - 18:25
Still at 15 out of 38 AV engines recognise the exploit
http://www.virustotal.com/de/analisis/2fa1f88d9a1372f023844af40911c83e
19/12/2008 - 16:04
18 out of 38 AV engines recognise the exploit
http://www.virustotal.com/de/analisis/2d23479870f34a8786f3229da5db23cf
20/12/2008 - 16:04
19 out of 38 AV engines recognise the exploit
http://www.virustotal.com/de/analisis/6f21e0dffcc117b695324ed93cd7a803
21/12/2008 - 16:04
20 out of 38 AV engines recognise the exploit
http://www.virustotal.com/en/analisis/6dd28dced88f1c8982503e8547d5ef01
22/12/2008 - 16:04
21 out of 38 AV engines recognise the exploit
http://www.virustotal.com/en/analisis/37537b52f8d4584fb1d294f3ccc0b385
23/12/2008 - 16:04
21 out of 38 AV engines recognise the exploit
http://www.virustotal.com/de/analisis/e22efb9c30a1e7e911466b0194d2f279
24/12/2008 - 16:04
22 out of 38 AV engines recognise the exploit
http://www.virustotal.com/de/analisis/9ee7bf2ca2aa85b6de52a08d1e417a15
26/12/2008 - 16:04
22 out of 38 AV engines recognise the exploit (Result misses Securecomputing)
http://www.virustotal.com/de/analisis/40439a3a049d46623cfffd7e2ed05c92
27/12/2008 - 16:04
22 out of 38 AV engines - (Result misses VBA32)
http://www.virustotal.com/de/analisis/5a8e26b11632745dc8c5742d5403b8ec
28/12/2008 - 16:04
22 out of 38 AV engines - (Result misses VBA32)
http://www.virustotal.com/de/analisis/89fdc7975178090411d72b167e4420e8
30/12/2008
21 out of 38 AV engines - (CA) E-trust no longer recognises the sample, Esafe missing
http://www.virustotal.com/de/analisis/a6e158b4cdca3da09480fdd4c49e5934
Weekly Update 265
-
I had a bunch of false starts with this one. I don't know if it was just
OBS or something else, but we got there after several failed attempts and
me res...
16 hours ago
0 comments
Post a Comment