IE 0-day exploit

The vulnerability first reported as an IE7 0-day turns out to affect other versions of Internet Explorer as well.

See Microsoft Security Advisory 961051.

Other domains hosting this exploit are listed by Shadowserver.

Note that the shellcode in the 17gamo.com IE7 exploit is encrypted, so the download URL is not visible in the page source.

(Figure: IE7 exploit with encrypted shellcode)

Disassembly of the decoder stub shows that each byte of the shellcode is XORed with 0x21.

To decrypt the shellcode, apply a simple Perl substitution to the %u-encoded string copied from the exploit page. Each %uXXXX escape is a little-endian 16-bit word, so the second hex pair is the first byte, and both bytes are XORed with 0x21:

perl -pe 's/%u(..)(..)/chr(hex($2)^0x21).chr(hex($1)^0x21)/ge' < shellcode.txt > shellcode.bin

(shellcode.txt holds only the %u string; the original form of the substitution, s/\%u(..)(..)/(chr(hex($2))^chr(hex(21))).(chr(hex($1))^chr(hex(21)))/ge, is equivalent.)

A hexdump of the decrypted shellcode shows where it will retrieve the malware:

(Figure: hexdump of the decrypted 17gamo.com shellcode)
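The same decoding as a worked example in Python (added here, not code from the original post): it turns the %u string into bytes, recovers the single-byte XOR key by brute force against a known plaintext marker instead of reading it from the disassembly, and pulls the download URL out of the result. The sample payload, its URL and the SAMPLE_* names are constructed for this example; the real 17gamo.com shellcode is not reproduced.

```python
import re
from typing import List, Optional, Tuple

XOR_KEY = 0x21  # key the page reports from disassembling the decoder stub

# Constructed sample payload: a short NOP sled, a placeholder download URL and a
# NUL terminator. The URL is invented for this example, not the real one.
SAMPLE_PAYLOAD = b"\x90" * 8 + b"http://example.invalid/load.exe\x00"


def bytes_to_unicode_escape(data: bytes) -> str:
    """Encode raw bytes as a JavaScript %uXXXX string (little-endian 16-bit words)."""
    if len(data) % 2:
        data += b"\x00"
    return "".join("%%u%02X%02X" % (data[i + 1], data[i]) for i in range(0, len(data), 2))


def unicode_escape_to_bytes(escaped: str) -> bytes:
    """Decode %uXXXX escapes back to raw bytes, low byte first (mirrors the Perl s///)."""
    out = bytearray()
    for hi, lo in re.findall(r"%u([0-9A-Fa-f]{2})([0-9A-Fa-f]{2})", escaped):
        out.append(int(lo, 16))
        out.append(int(hi, 16))
    return bytes(out)


def xor_decode(data: bytes, key: int) -> bytes:
    """Single-byte XOR; the same operation encodes and decodes."""
    return bytes(b ^ key for b in data)


def recover_xor_key(data: bytes, marker: bytes = b"http://") -> Optional[int]:
    """Brute-force a single-byte XOR key by looking for a known plaintext marker.

    Download shellcode almost always carries a URL, so "http://" is a good guess.
    """
    for key in range(256):
        if marker in xor_decode(data, key):
            return key
    return None


def extract_urls(data: bytes) -> List[bytes]:
    """Pull printable http(s) URLs out of decoded shellcode."""
    return re.findall(rb"https?://[\x21-\x7e]+", data)


def hexdump(data: bytes, width: int = 16) -> str:
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join("%02x" % b for b in chunk)
        asc = "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in chunk)
        lines.append("%08x  %-*s  %s" % (off, width * 3 - 1, hexpart, asc))
    return "\n".join(lines)


def analyse(escaped: str) -> Tuple[Optional[int], bytes, List[bytes]]:
    """Decode a %u string, recover the XOR key and list the URLs in the plaintext."""
    raw = unicode_escape_to_bytes(escaped)
    key = recover_xor_key(raw)
    decoded = xor_decode(raw, key) if key is not None else raw
    return key, decoded, extract_urls(decoded)


# The %u string as it would sit inside the exploit page's unescape() call
SAMPLE_ESCAPED = bytes_to_unicode_escape(xor_decode(SAMPLE_PAYLOAD, XOR_KEY))

if __name__ == "__main__":
    key, decoded, urls = analyse(SAMPLE_ESCAPED)
    print("recovered key: 0x%02x" % key)
    print(hexdump(decoded))
    print("download URL(s):", urls)
```

Feeding the real %u string to analyse() gives the same bytes as the Perl one-liner; the key search is only a shortcut for the case where you have not yet disassembled the decoder.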


One Response to “IE 0-day exploit”

  1. The patch to the IE vulnerability is already released – http://www.microsoft.com/technet/security/bulletin/ms08-078.mspx

    If you are still procrastinating, maybe this report about IE exploit via Word doc may change your mind – http://www.avertlabs.com/research/blog/index.php/2008/12/17/ie-7-exploit-reloaded-the-new-face-of-drive-by-attacks-using-doc-files/
