Sunday, January 17, 2010

CVE-2010-0249 - Internet Explorer 6 mshtml.dll Remote Code Execution

Remote Code Execution in mshtml.dll in Internet Explorer 6


CVE-2010-0249 is the vulnerability used in the targeted attack on Google; it affects mshtml.dll, one of the Internet Explorer 6 DLL components, and allows remote code execution.

This post demonstrates the recently released Metasploit "Aurora" module that implements this exploit.
I am not able to post the exploit code here; probably it was blocked by Google's blog platform because the shellcode or the JavaScript code is detected by them.

The shellcode is obfuscated and I deobfuscated it using HIEW:


Obviously, the shellcode payload downloads an additional file from this URL: http://demo1.ftpaccess.cc/demo/ad.jpg and then performs further malicious activity.
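The download URL above is the one indicator a defender can act on immediately. The following is an added example, not code from the post, showing how to flag proxy-log requests for that second-stage URL while tolerating the cosmetic variations (upper-case host, explicit :80 port) that a naive string match would miss. The log lines are constructed in a simplified "timestamp client METHOD url status" layout and are not tied to any particular proxy product.

```python
"""Flag proxy-log requests that fetch the second-stage download URL.

Added example. The log format and the sample lines are constructed; the only
page-derived value is the indicator URL itself.
"""
from urllib.parse import urlsplit

# Indicator from the post: the URL the decoded shellcode fetches.
SECOND_STAGE_URLS = ["http://demo1.ftpaccess.cc/demo/ad.jpg"]


def normalize_url(url):
    """Return (host, path) with the host lower-cased, a default :80/:443 port
    dropped and an empty path treated as '/', so that cosmetic differences in
    how a proxy writes the URL do not defeat the match."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    if parts.port and parts.port not in (80, 443):
        host = f"{host}:{parts.port}"
    return host, parts.path or "/"


INDICATORS = {normalize_url(u) for u in SECOND_STAGE_URLS}


def parse_line(line):
    """Split one constructed log line into a record; None for malformed lines."""
    fields = line.split()
    if len(fields) != 5:
        return None
    ts, client, method, url, status = fields
    return {"ts": ts, "client": client, "method": method, "url": url, "status": status}


def find_second_stage_hits(lines):
    """Return the parsed records whose request URL matches an indicator."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and normalize_url(rec["url"]) in INDICATORS:
            hits.append(rec)
    return hits


# Constructed log lines: a benign request, an exact hit, a hit written with an
# upper-case host and explicit port, and a malformed line that must be skipped.
SAMPLE_LOG = [
    "1263700000.123 10.0.0.5 GET http://www.example.com/index.html 200",
    "1263700001.456 10.0.0.7 GET http://demo1.ftpaccess.cc/demo/ad.jpg 200",
    "1263700002.789 10.0.0.9 GET HTTP://DEMO1.FTPACCESS.CC:80/demo/ad.jpg 200",
    "garbage line",
]

if __name__ == "__main__":
    for hit in find_second_stage_hits(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['client']} fetched second-stage payload {hit['url']}")
```

Matching on the normalized (host, path) pair rather than the raw string is what makes the third sample line a hit; in practice the indicator set would be loaded from a feed rather than hard-coded.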

References

[1] Wepawet analysis: http://wepawet.iseclab.org/view.php?hash=1aea206aa64ebeabb07237f1e2230d0f&type=js
[2] ie_aurora.rb, Metasploit Aurora exploit module: http://www.metasploit.com/redmine/projects/framework/repository/revisions/8136/entry/modules/exploits/windows/browser/ie_aurora.rb

4 comments:

Anonymous said...

How did you deobfuscate with HIEW? It is not clear from the post.

x9090 said...

Hello,

This can be done by:

1. Enter (switch mode to hex)
2. Put the cursor at offset 1042 (the correct offset should be the same as this if the shellcode is generated using sandsprite shellcode_2_exe)
3. F3 > Ctrl + F7, put in the instruction as shown in the screenshot. Esc to quit the instruction set screen
4. F7 to decrypt it
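
The HIEW steps above apply a short, user-typed byte instruction sequence (the kind entered in its crypt editor, e.g. `xor al, KEY` or `ror al, N`) to every byte from the cursor onward. The screenshot with the actual instruction is not on the page, so the block below is an added example, not the post's or the commenter's code: it reproduces that F7 "crypt" step in a script so the decoding is repeatable outside the hex editor. The instruction script, the key byte 0x9A, the start offset and the sample blob (a fake 16-byte stub followed by an encoded placeholder string) are all constructed for this example; the placeholder URL is not the indicator from the post.

```python
"""Scripted equivalent of HIEW's F7 crypt: apply a byte-instruction sequence
to a buffer from a given offset.

Added example. The crypt script, key, offset and sample bytes are assumptions
constructed for this demonstration.
"""
import re

# Single-byte operations as one would type them into the HIEW crypt editor.
# Each takes a byte value and an operand and returns a byte value.
_OPS = {
    "xor": lambda b, k: b ^ k,
    "add": lambda b, k: (b + k) & 0xFF,
    "sub": lambda b, k: (b - k) & 0xFF,
    "rol": lambda b, k: ((b << (k % 8)) | (b >> (8 - k % 8))) & 0xFF,
    "ror": lambda b, k: ((b >> (k % 8)) | (b << (8 - k % 8))) & 0xFF,
    "not": lambda b, _: (~b) & 0xFF,
}


def parse_crypt_script(script):
    """Parse lines such as 'xor al, 0x9A', 'ror al, 3' or 'not al' into
    (op, operand) steps. Comments after ';' and blank lines are ignored."""
    steps = []
    for raw in script.strip().splitlines():
        line = raw.split(";", 1)[0].strip().lower()
        if not line:
            continue
        m = re.fullmatch(r"(xor|add|sub|rol|ror|not)\s+al\s*(?:,\s*(0x[0-9a-f]+|\d+))?", line)
        if not m:
            raise ValueError(f"unsupported crypt instruction: {raw!r}")
        op, operand = m.group(1), m.group(2)
        if op == "not":
            if operand is not None:
                raise ValueError("'not al' takes no operand")
            steps.append((op, 0))
        else:
            if operand is None:
                raise ValueError(f"'{op} al' needs an operand")
            steps.append((op, int(operand, 0) & 0xFF))
    return steps


def hiew_crypt(data, offset, steps, length=None):
    """Apply `steps` in order to every byte of data[offset:offset+length],
    leaving everything before the offset untouched (the cursor semantics)."""
    buf = bytearray(data)
    end = len(buf) if length is None else min(len(buf), offset + length)
    for i in range(offset, end):
        b = buf[i]
        for op, k in steps:
            b = _OPS[op](b, k)
        buf[i] = b
    return bytes(buf)


def extract_urls(blob):
    """Pull printable http(s) URLs out of decoded bytes: the first thing an
    analyst looks for once the payload is readable."""
    return [m.decode("ascii") for m in re.findall(rb"https?://[\x21-\x7e]+", blob)]


# Constructed sample. The stub stands in for the shellcode_2_exe wrapper that
# precedes the shellcode; the plaintext is encoded with the inverse of the
# decode script so that the script below recovers it.
_STUB = b"STUBSTUBSTUBSTUB"
_PLAIN = b"\x90\x90GET http://example.invalid/placeholder.jpg\x00"
_DECODE_SCRIPT = """
    xor al, 0x9A   ; assumed step 1, as typed into the HIEW crypt editor
    ror al, 3      ; assumed step 2
"""
_ENCODE_STEPS = [("rol", 3), ("xor", 0x9A)]  # inverse steps, applied in reverse order
SAMPLE = _STUB + hiew_crypt(_PLAIN, 0, _ENCODE_STEPS)
SHELLCODE_OFFSET = len(_STUB)  # the cursor position; 1042 in the layout the comment describes


def decode_sample():
    """Run the decode script over SAMPLE from the shellcode offset."""
    return hiew_crypt(SAMPLE, SHELLCODE_OFFSET, parse_crypt_script(_DECODE_SCRIPT))


if __name__ == "__main__":
    decoded = decode_sample()
    print(decoded[SHELLCODE_OFFSET:])
    print(extract_urls(decoded))
```

Starting the transform at the offset rather than at byte zero matters: running the same script from the start of the file would also scramble the wrapper stub, which is why the comment insists on placing the cursor first.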

Mark said...

Nice, cheers for the quick response.

Billy said...

Wow wow ... Good review.