|
********************************************************************************************
Multiple Vendor Anti-Virus Software Malicious WebPage Detection Bypass
hackers.
NOTIFICATION:
this exploit are based on Andrey Bayora "magic of magic byte" but with some development.
This proof of concept was created for educational purposes only,Use the code it at your own risk.
The author will not be responsible for any damages.
*********************************************************************************************
Exploit Information:
Date: 2008/19/08
Impact: baypassing the Detection of Malicious web page that can compromise a user's system
Vulnerabled AV-Software:
ESET Smart Security latest version. <== The exploit was dedicated to it.
AhnLab-V3 2008.9.13.0
AntiVir 7.8.1.28
AVG 8.0.0.161
CAT-QuickHeal 9.50
ClamAV 0.93.1
DrWeb 4.44.0.09170
eSafe 7.0.17.0
eTrust 31.6.6086
Ewido 4.0
Fortinet 3.113.0.0
Ikarus T3.1.1.34.0
K7AntiVirus 7.10.454
NOD32v2 3440
Norman 5.80.02
Panda 9.0.0.4
PCTools 4.4.2.0
Prevx1 V2
Rising 20.61.42.00
Sophos 4.33.0
Sunbelt 3.1.1633.1
Symantec 10
TheHacker 6.3.0.9.081
TrendMicro 8.700.0.1004
VBA32 3.12.8.5
ViRobot 2008.9.12.1375
VirusBuster 4.5.11.0
the things that must be considered that the POC it's variant from exploit to exploit(some times
Kaspersky and the other famous AV Sofware can be deceive).
Proof Of Concept:
as i said the exploit are based on the magic of magic byte methode we will first add the MZ Header to the HTML Exploit and change the exstention to txt or jpg or non extension,the exploit is compatible with IE6 and IE7 because IE6&7 execute the HTML Event if it's in txt file or non extension files.
so the exploit it's with corporate of IE6&7 :).
virustotal result of MS Internet Explorer (VML) Remote Buffer Overflow Exploit (XP SP2).
http://www.virustotal.com/fr/analisis/062ec3b8d8b88e99865f798cc08b0718
and this is a Variant one "obfuscated by this methode".
http://www.virustotal.com/fr/analisis/7db1bd321a1f945b4abfa73844c36d99
POC:
1-add the MZ Header to the HTML file:
MZگ ےے =B8 @ ط ؛ =B4 ح!=B8Lح!This program cannot be run in DOS mode.
you can put other EXE info on the HTML Body for more deception "showing in the second result".
-rename the HTML to non extension file or txt or jpg.
3-upload it to webserver.
http://localhost/mallpage.txt or http://localhost/mallpage