************************************************************************ ******************** Multiple Vendor Anti-Virus Software Malicious WebPage Detection Bypass hackers. NOTIFICATION: this exploit are based on Andrey Bayora "magic of magic byte" but with some development. This proof of concept was created for educational purposes only,Use the code it at your own risk. The author will not be responsible for any damages. ************************************************************************ ********************* Exploit Information: Date: 2008/19/08 Impact: baypassing the Detection of Malicious web page that can compromise a user's system Vulnerabled AV-Software: ESET Smart Security latest version. <== The exploit was dedicated to it. AhnLab-V3 2008.9.13.0 AntiVir 7.8.1.28 AVG 8.0.0.161 CAT-QuickHeal 9.50 ClamAV 0.93.1 DrWeb 4.44.0.09170 eSafe 7.0.17.0 eTrust 31.6.6086 Ewido 4.0 Fortinet 3.113.0.0 Ikarus T3.1.1.34.0 K7AntiVirus 7.10.454 NOD32v2 3440 Norman 5.80.02 Panda 9.0.0.4 PCTools 4.4.2.0 Prevx1 V2 Rising 20.61.42.00 Sophos 4.33.0 Sunbelt 3.1.1633.1 Symantec 10 TheHacker 6.3.0.9.081 TrendMicro 8.700.0.1004 VBA32 3.12.8.5 ViRobot 2008.9.12.1375 VirusBuster 4.5.11.0 the things that must be considered that the POC it's variant from exploit to exploit(some times Kaspersky and the other famous AV Sofware can be deceive). Proof Of Concept: as i said the exploit are based on the magic of magic byte methode we will first add the MZ Header to the HTML Exploit and change the exstention to txt or jpg or non extension,the exploit is compatible with IE6 and IE7 because IE6&7 execute the HTML Event if it's in txt file or non extension files. so the exploit it's with corporate of IE6&7 :). virustotal result of MS Internet Explorer (VML) Remote Buffer Overflow Exploit (XP SP2). http://www.virustotal.com/fr/analisis/062ec3b8d8b88e99865f798cc08b0718 and this is a Variant one "obfuscated by this methode". http://www.virustotal.com/fr/analisis/7db1bd321a1f945b4abfa73844c36d99 POC: 1-add the MZ Header to the HTML file: MZ? ?? @ ? ? ?!L?!This program cannot be run in DOS mode. you can put other EXE info on the HTML Body for more deception "showing in the second result". -rename the HTML to non extension file or txt or jpg. 3-upload it to webserver. http://localhost/mallpage.txt or http://localhost/mallpage<non extenstion>.

References:

http://www.securityfocus.com/archive/1/archive/1/499043/100/0/threaded
http://www.securityfocus.com/archive/1/archive/1/498995/100/0/threaded


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top