Archive for December, 2008

www.wmpd.ru/style.js and www.mtno.ru/style.js

Posted in sql injection on December 19, 2008 by s3cu

Style.js embeds an iframe to http://79.135.168.18
The index.html page of the iframe contains another obfuscation method.

vip.4s3w.cn/vip/I7.htm

Posted in sql injection on December 14, 2008 by s3cu

another IE exploit, but this evasion technique is so cute, take a look:

IE 0-day exploit

Posted in sql injection on December 12, 2008 by s3cu

ok, so the supposedly IE7-only vulnerability also applies to other IE versions.

Check out MS advisory 961051

Other domains that are also exploiting this vulnerability are listed in shadowserver.

Notice that the shellcode of 17gamo.com IE7 exploit is encrypted.

[image: ie7 exploit encrypted shellcode]

Disassembly of the shellcode shows that each byte is XORed with 21h.

To decrypt the shellcode, a simple perl substitution can be applied to the %u-escaped unicode string (each %uXXXX word is stored low byte first, which is why the two captures are swapped):

s/\%u(..)(..)/(chr(hex($2))^chr(hex(21))).(chr(hex($1))^chr(hex(21)))/ge

A hexdump of the decrypted shellcode shows where it will retrieve the malware:

[image: de-gamo]
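The same decoding step in Python, as an added example for analysts rather than code from the post: it unescapes the %uXXXX words low byte first (the order unescape() lays them out in memory), XORs every byte with the key found in the disassembly (21h), and then hexdumps the result and pulls out printable strings so the download URL stands out. The SAMPLE string is constructed for this example (the URL "http://malware.invalid/x.exe" encrypted with 0x21); it is not the 17gamo.com payload. Escapes that are not a full %uXXXX word are ignored rather than decoded as garbage.

```python
import re
from typing import List

# Constructed sample: "http://malware.invalid/x.exe" XORed with 0x21 and
# written as %uXXXX escapes in little-endian word order, mimicking the
# encrypted shellcode layout described in the post. Not the real payload.
SAMPLE = ("%u5549%u5155%u0e1b%u4c0e%u4d40%u4056%u4453"
          "%u480f%u574f%u4d40%u4548%u590e%u440f%u4459")

# Only complete %uXXXX words are accepted; a truncated "%u41" is skipped.
UNICODE_ESCAPE = re.compile(r"%u([0-9a-fA-F]{2})([0-9a-fA-F]{2})")


def unescape_unicode(text: str) -> bytes:
    """Turn %uXXXX escapes into raw bytes, low byte first.

    %u4142 becomes b"\\x42\\x41", matching how the heap-sprayed string
    ends up in memory and why the perl one-liner swaps $2 and $1.
    """
    out = bytearray()
    for hi, lo in UNICODE_ESCAPE.findall(text):
        out.append(int(lo, 16))
        out.append(int(hi, 16))
    return bytes(out)


def xor_decode(data: bytes, key: int) -> bytes:
    """Single-byte XOR; applying it twice with the same key is a no-op."""
    return bytes(b ^ key for b in data)


def decrypt_shellcode(text: str, key: int = 0x21) -> bytes:
    """Unescape then XOR with the key recovered from the disassembly (21h)."""
    return xor_decode(unescape_unicode(text), key)


def hexdump(data: bytes, width: int = 16) -> List[str]:
    """Classic offset / hex / ASCII dump, one line per `width` bytes."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        ascii_part = "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in chunk)
        lines.append(f"{off:08x}  {hexpart:<{width * 3}} |{ascii_part}|")
    return lines


def printable_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Runs of printable ASCII of at least min_len bytes (like strings(1))."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


if __name__ == "__main__":
    shellcode = decrypt_shellcode(SAMPLE)
    print("\n".join(hexdump(shellcode)))
    print("strings:", printable_strings(shellcode))
```

Running the block prints the two-line hexdump of the decrypted sample and the extracted URL; point decrypt_shellcode() at the %u string copied out of a captured exploit page to get the same view the post's "de-gamo" hexdump gives, and change the key argument if the disassembly of a different sample shows a different XOR constant.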

17gamo.com/1.js

Posted in sql injection on December 10, 2008 by s3cu

A new sql-injected URL.

1.js contains iframe src to http://www.17gamo.com/co/index.htm

The index.htm contains several exploits, one of which is the latest ie7 0-day exploit.

The ie7 exploit is at http://www.17gamo.com/co/ie7.htm