Relates to this story:
http://www.pcworld.com/article/155190/new_web_attack_exploits_unpatched_ie_flaw.html
Here is the shellcode extracted from the IE7 0day referenced above.
XOR-encoded payload for analysis: compile it and run it through OllyDbg.
http://secdev.zoller.lu/research/shellcode_ana1.c
The decrypted shellcode is available for download here:
http://secdev.zoller.lu/research/decrypted_asm_shellcode.txt
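The post hands the XOR-encoded payload to a debugger and lets the decoder stub do the work. The script below is an added example, not the post's code, of the static alternative an analyst often tries first: brute-force the single-byte XOR key by scoring each candidate decode for strings that Win32 shellcode must carry in the clear (module and API names, a URL scheme). The marker list and the sample payload are constructed for the example; the real payload and its key from the linked shellcode_ana1.c are not reproduced here.

```python
"""Single-byte XOR key recovery for an encoded payload dump.

Added analysis helper; not code from the original post. The constructed
sample below stands in for the XOR-encoded payload the post links to.
"""
import string

# Strings an analyst expects to see in plain form inside Win32 shellcode once
# the XOR layer is stripped (assumed marker set; extend for other families).
MARKERS = (b"kernel32", b"LoadLibrary", b"GetProcAddress", b"http://", b"urlmon")

PRINTABLE = set(string.printable.encode())


def xor_bytes(data: bytes, key: int) -> bytes:
    """Apply a single-byte XOR key to every byte of data (self-inverse)."""
    return bytes(b ^ key for b in data)


def score_candidate(plain: bytes) -> int:
    """Plausibility score for a candidate decode: each known marker weighs
    heavily, each printable ASCII byte adds one point."""
    score = sum(100 for m in MARKERS if m in plain)
    score += sum(1 for b in plain if b in PRINTABLE)
    return score


def recover_key(encoded: bytes) -> tuple:
    """Try all 256 single-byte keys and return the best (key, decoded) pair.

    Key 0x00 (the identity) is tried too, so an already-clear buffer is
    reported as such instead of being mangled by a spurious key.
    """
    best_key, best_plain, best_score = 0, encoded, -1
    for key in range(256):
        plain = xor_bytes(encoded, key)
        s = score_candidate(plain)
        if s > best_score:
            best_key, best_plain, best_score = key, plain, s
    return best_key, best_plain


# --- constructed sample; not the real payload ------------------------------
SAMPLE_KEY = 0x5A
SAMPLE_PLAIN = (
    b"\x90\x90\xfc\xe8"  # a few opcode-like bytes, as a real stub would start
    b"kernel32.dll\x00LoadLibraryA\x00GetProcAddress\x00"
    b"http://example.invalid/stage2.bin\x00"
)
SAMPLE_ENCODED = xor_bytes(SAMPLE_PLAIN, SAMPLE_KEY)


def demo() -> int:
    """Recover the key from the constructed sample and show the decode."""
    key, plain = recover_key(SAMPLE_ENCODED)
    print(f"recovered key 0x{key:02x}")
    print(plain)
    return key


if __name__ == "__main__":
    demo()
```

Because XOR with a single byte is its own inverse, the same routine both encodes the sample and decodes it; the scoring step is what turns 256 candidate buffers into one answer. A multi-byte or rolling key defeats this heuristic, which is exactly the case where stepping through the decoder stub under OllyDbg, as the post suggests, is the faster route.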
Update
I was not interested in posting the 0day, but somebody chose to do so on milw0rm.com, so I might as well link there: http://milw0rm.com/sploits/2008-iesploit.tar.gz
Update 2
HD Moore posted a nice analysis here: http://www.breakingpointsystems.com/community/
Update 3
11/12/2008 - 04:19
5 out of 32 scanners recognising the 0day in HTML form
http://www.virustotal.com/de/analisis/596d88d57bc91d977f037f317eb9aa99
11/12/2008 - 17:34
7 out of 38 scanners recognising the exploit
http://www.virustotal.com/en/analisis/a68e1c2813483a58cfdd6509ccd8fe5e
http://virscan.org/report/4907067f0f0aab53261348413dea9bc9.html
12/12/2008 - 17:04
11 out of 38 scanners recognising the exploit
http://www.virustotal.com/de/analisis/475269215b8379537e45a8fd94f8dc9c
http://virscan.org/report/7a00119178654949124b62e85d2a42c8.html
13/12/2008 - 17:00
12 out of 38 AV engines recognise the exploit
http://www.virustotal.com/en/analisis/286266a9e8096ef17bb1aa6f15a1a31f
14/12/2008 - 19:45
14 out of 38 AV engines recognise the exploit
http://www.virustotal.com/en/analisis/5e8909eea79dc716caac8af09f22ac3f
http://virscan.org/report/47f8b4811744eaebb7d48fcc942009cb.html
15/12/2008 - 18:25
Still 14 out of 38 AV engines recognise the exploit
http://www.virustotal.com/de/analisis/592728a9493349692fc2b33e799a6a33
16/12/2008 - 18:25
15 out of 38 AV engines recognise the exploit
http://www.virustotal.com/en/analisis/28208f37d1d2c732be026a9a2990c86e
17/12/2008 - 18:25
Still 15 out of 38 AV engines recognise the exploit
http://www.virustotal.com/de/analisis/2fa1f88d9a1372f023844af40911c83e
19/12/2008 - 16:04
18 out of 38 AV engines recognise the exploit
http://www.virustotal.com/de/analisis/2d23479870f34a8786f3229da5db23cf
20/12/2008 - 16:04
19 out of 38 AV engines recognise the exploit
http://www.virustotal.com/de/analisis/6f21e0dffcc117b695324ed93cd7a803
21/12/2008 - 16:04
20 out of 38 AV engines recognise the exploit
http://www.virustotal.com/en/analisis/6dd28dced88f1c8982503e8547d5ef01
22/12/2008 - 16:04
21 out of 38 AV engines recognise the exploit
http://www.virustotal.com/en/analisis/37537b52f8d4584fb1d294f3ccc0b385
23/12/2008 - 16:04
21 out of 38 AV engines recognise the exploit
http://www.virustotal.com/de/analisis/e22efb9c30a1e7e911466b0194d2f279
24/12/2008 - 16:04
22 out of 38 AV engines recognise the exploit
http://www.virustotal.com/de/analisis/9ee7bf2ca2aa85b6de52a08d1e417a15
26/12/2008 - 16:04
22 out of 38 AV engines recognise the exploit (Result misses Securecomputing)
http://www.virustotal.com/de/analisis/40439a3a049d46623cfffd7e2ed05c92
27/12/2008 - 16:04
22 out of 38 AV engines - (Result misses VBA32)
http://www.virustotal.com/de/analisis/5a8e26b11632745dc8c5742d5403b8ec
28/12/2008 - 16:04
22 out of 38 AV engines - (Result misses VBA32)
http://www.virustotal.com/de/analisis/89fdc7975178090411d72b167e4420e8
30/12/2008
21 out of 38 AV engines - CA eTrust no longer recognises the sample; eSafe missing
http://www.virustotal.com/de/analisis/a6e158b4cdca3da09480fdd4c49e5934