CVE-2010-0249 is the Internet Explorer vulnerability used in the targeted attack on Google ("Operation Aurora"). It is a memory-corruption bug in mshtml.dll, one of the IE 6 DLL components, and the exploit targets that library.
This post demonstrates the recently released Metasploit "Aurora" module (ie_aurora.rb, reference [2]) that implements this exploit.
I am not able to post the exploit code here; it was probably blocked by Google's Blogger because the shellcode or the JavaScript code was detected.
The shellcode is obfuscated, and I deobfuscated it using HIEW:
Once decoded, the shellcode is plainly a downloader: it fetches an additional file from the URL http://demo1.ftpaccess.cc/demo/ad.jpg and carries out further malicious activity from there. Treat that URL as an indicator of compromise to search for in proxy and DNS logs, not as something to fetch from an unprotected host.
References
[1] Wepawet analysis: http://wepawet.iseclab.org/view.php?hash=1aea206aa64ebeabb07237f1e2230d0f&type=js
[2] ie_aurora.rb, Metasploit Aurora exploit module: http://www.metasploit.com/redmine/projects/framework/repository/revisions/8136/entry/modules/exploits/windows/browser/ie_aurora.rb
4 comments:
How did you deobfuscate it with HIEW? It is not clear from the post.
Hello,
This can be done by:
1. Enter (switch mode to hex)
2. Put the cursor at offset 1042 (the correct offset should be the same as this if the shellcode is generated using Sandsprite's shellcode_2_exe)
3. F3 > Ctrl + F7, put in the instruction as shown in the screenshot. Esc to quit the instruction set screen
4. F7 to decrypt it
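As an added example (editor's code, not the post's, the commenter's, or Metasploit's): the HIEW F7 "crypt" step in the reply above applies a short instruction list to every byte from the chosen offset onward. This C program does the same thing on a constructed stand-in for the dumped shellcode and then scans the decoded bytes for the download URL. The opcode set, the key sequence (xor 0x5A then add 0x10), the body offset 16 and the sample bytes are all assumptions made for the demo; the real instruction and offset come from reading the shellcode's own decoder stub (and from the screenshot the reply refers to, which is not reproduced here).

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Per-byte operations in the spirit of HIEW's F7 "crypt" pass, which applies a
 * short instruction list to every byte of the marked block. This opcode set
 * and its syntax are an assumption for the demo, not HIEW's own. */
typedef enum { OP_XOR, OP_ADD, OP_SUB, OP_ROL, OP_ROR } opcode_t;
typedef struct { opcode_t op; uint8_t imm; } byteop_t;

/* Assumed decoder for the sample: xor byte,0x5A then add byte,0x10. The real
 * sequence is read from the shellcode's decoder stub, not guessed. */
const byteop_t DECODE_OPS[] = { { OP_XOR, 0x5A }, { OP_ADD, 0x10 } };
#define N_DECODE_OPS (sizeof DECODE_OPS / sizeof DECODE_OPS[0])
/* Offset where the obfuscated body begins: 1042 in the post's shellcode_2_exe
 * output, 16 in this constructed sample. */
#define BODY_OFF 16

static uint8_t rol8(uint8_t b, unsigned k) { k &= 7; return k ? (uint8_t)((b << k) | (b >> (8 - k))) : b; }
static uint8_t ror8(uint8_t b, unsigned k) { k &= 7; return k ? (uint8_t)((b >> k) | (b << (8 - k))) : b; }

/* Run the instruction list over one byte, in order. */
static uint8_t apply_ops(uint8_t b, const byteop_t *ops, size_t nops) {
    for (size_t i = 0; i < nops; i++) {
        switch (ops[i].op) {
        case OP_XOR: b ^= ops[i].imm;               break;
        case OP_ADD: b = (uint8_t)(b + ops[i].imm); break;
        case OP_SUB: b = (uint8_t)(b - ops[i].imm); break;
        case OP_ROL: b = rol8(b, ops[i].imm);       break;
        case OP_ROR: b = ror8(b, ops[i].imm);       break;
        }
    }
    return b;
}

/* Decode buf[off..len) in place, like marking a block in HIEW and pressing F7.
 * Returns the number of bytes rewritten, or -1 if off is outside the buffer.
 * Starting at the wrong offset either scrambles the clear stub or leaves the
 * start of the body encoded, which is why the offset in the reply matters. */
int decode_region(uint8_t *buf, size_t len, size_t off, const byteop_t *ops, size_t nops) {
    if (off >= len) return -1;
    for (size_t i = off; i < len; i++) buf[i] = apply_ops(buf[i], ops, nops);
    return (int)(len - off);
}

/* Find a NUL-terminated run of printable ASCII that starts with prefix; copy it
 * to out and return its offset, or -1. This pulls the download URL out of the
 * decoded bytes. */
int find_string(const uint8_t *buf, size_t len, const char *prefix, char *out, size_t outlen) {
    size_t plen = strlen(prefix);
    for (size_t i = 0; i + plen <= len; i++) {
        if (memcmp(buf + i, prefix, plen) != 0) continue;
        size_t j = i;
        while (j < len && buf[j] >= 0x20 && buf[j] < 0x7F) j++;
        if (j < len && buf[j] == 0 && j - i < outlen) {
            memcpy(out, buf + i, j - i);
            out[j - i] = '\0';
            return (int)i;
        }
    }
    return -1;
}

/* Constructed sample standing in for the dumped shellcode: 16 placeholder stub
 * bytes left in the clear, then a body (eight filler bytes and the download
 * URL) obfuscated with the inverse of DECODE_OPS, i.e. sub 0x10 then xor 0x5A. */
size_t make_sample(uint8_t *buf, size_t cap) {
    static const char body[] = "\x33\xC0\x50\x50\x50\x50\x50\x50"
                               "http://demo1.ftpaccess.cc/demo/ad.jpg";
    static const byteop_t encode_ops[] = { { OP_SUB, 0x10 }, { OP_XOR, 0x5A } };
    size_t n = BODY_OFF + sizeof body;          /* sizeof body includes the NUL */
    if (n > cap) return 0;
    memset(buf, 0x90, BODY_OFF);
    for (size_t i = 0; i < sizeof body; i++)
        buf[BODY_OFF + i] = apply_ops((uint8_t)body[i], encode_ops, 2);
    return n;
}

/* Before decoding, a plain string search does not see the URL (returns -1). */
int url_visible_before_decode(void) {
    uint8_t buf[128]; char url[64];
    size_t n = make_sample(buf, sizeof buf);
    return find_string(buf, n, "http://", url, sizeof url);
}

/* Full round trip: build the sample, decode from BODY_OFF, recover the URL.
 * Returns the URL's offset in the decoded buffer (24 for this sample). */
int recover_url(char *out, size_t outlen) {
    uint8_t buf[128];
    size_t n = make_sample(buf, sizeof buf);
    if (decode_region(buf, n, BODY_OFF, DECODE_OPS, N_DECODE_OPS) < 0) return -1;
    return find_string(buf, n, "http://", out, outlen);
}

int main(void) {
    char url[64];
    int off = recover_url(url, sizeof url);
    printf("URL at offset %d: %s\n", off, off >= 0 ? url : "(not found)");
    return off >= 0 ? 0 : 1;
}
```

Build with `cc -std=c99 -Wall` and run; it prints the URL at offset 24. To use it on a real dump, replace make_sample with the file contents, set BODY_OFF to the start of the encoded body (1042 in the post's case) and DECODE_OPS to the operations the decoder stub performs.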
Nice, cheers for the quick response.
wow wow ... Good review.