Wednesday, March 10, 2010

CVE-2010-0806 - Internet Explorer 6/7 0 day

Some notes about:

Internet Explorer 0-day targeted in spam runs
http://www.sophos.com/blogs/sophoslabs/?p=9030

Targeted Internet Explorer 0day Attack Announced

Robtex queries for the McAfee-reported URLs:

hxxxxp://topix21century.com/20100307.htm
- http://www.robtex.com/ip/68.178.232.100.html

hxxxp://as.casalemedia.com/sd?s=95331f=1 - http://www.robtex.com/dns/as.casalemedia.com.html#records

The following exploit (retrieved from one of the URLs posted by McAfee) uses Base64 encoding to hide its resources:

This issue has been detected in "iepeers.dll". With a good ActiveX fuzzer it may be trivial to find more info (CLSID: 7E8BC44E-AEFF-11D1-89C2-00C04FB6BFC4). Dranzer seems good enough: check http://www.cert.org/blogs/vuls/2009/04/release_of_dranzer_activex_fuz.html for more details.
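As an added example (not from this post or from any of the linked sources): a small Python triage script that pulls long Base64 runs out of a captured landing page, decodes the ones that turn into readable text, and reports whether any decoded resource instantiates the CLSID named above. The sample page, its `unpack` function name and the `lib.js` path are constructed for the demonstration.

```python
import base64
import re

# CLSID named in the post (Peer Objects class hosted by iepeers.dll).
IEPEERS_CLSID = "7E8BC44E-AEFF-11D1-89C2-00C04FB6BFC4"

# A Base64 run long enough to hide a resource rather than be a random token.
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
CLSID_RE = re.compile(r"[0-9A-Fa-f]{8}-(?:[0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}")


def decode_hidden_blobs(page: str) -> list:
    """Decode every long Base64 run in the page that yields readable text."""
    found = []
    for match in B64_RE.finditer(page):
        blob = match.group(0)
        blob += "=" * (-len(blob) % 4)  # tolerate stripped padding
        try:
            text = base64.b64decode(blob, validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue  # binary or not Base64 at all: not a hidden HTML/script resource
        if all(c.isprintable() or c in "\r\n\t" for c in text):
            found.append(text)
    return found


def hidden_clsids(page: str) -> set:
    """CLSIDs referenced inside Base64-hidden resources, upper-cased for comparison."""
    ids = set()
    for text in decode_hidden_blobs(page):
        ids.update(c.upper() for c in CLSID_RE.findall(text))
    return ids


def references_iepeers(page: str) -> bool:
    """True if a decoded resource instantiates the iepeers.dll Peer Objects class."""
    return IEPEERS_CLSID in hidden_clsids(page)


# Constructed sample (not the real landing page): the only visible content is a
# script holding a Base64 string plus a harmless long token that is not Base64 text.
HIDDEN_HTML = ('<object classid="clsid:7e8bc44e-aeff-11d1-89c2-00c04fb6bfc4" '
               'id="peer"></object><script src="lib.js"></script>')
SAMPLE_PAGE = (
    "<html><body><div id=x></div><script>\n"
    "var payload='" + base64.b64encode(HIDDEN_HTML.encode()).decode() + "';\n"
    "var noise='ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';\n"
    "document.getElementById('x').innerHTML=unpack(payload);\n"
    "</script></body></html>")

if __name__ == "__main__":
    for text in decode_hidden_blobs(SAMPLE_PAGE):
        print("decoded resource:", text)
    print("iepeers CLSID referenced:", references_iepeers(SAMPLE_PAGE))
```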

Metasploit module:
http://www.exploit-db.com/exploits/11683

Microsoft Internet Explorer iepeers.dll use-after-free exploit
http://www.rec-sec.com/2010/03/10/internet-explorer-iepeers-use-after-free-exploit/

Wednesday, March 3, 2010

Firefox 3.6.x - 0 day for document.write - yet another

from misc sources:
http://www.exploit-db.com/exploits/11617

Bugzilla Mozilla Repository:
https://bugzilla.mozilla.org/buglist.cgi?query_format=specific&order=relevance+desc&bug_status=__open__&product=Firefox&content=crash

Misc Crash Stats for Mozilla projects:
http://crash-stats.mozilla.com/


"IE is not the only evil"

The Command Structure of the Aurora Botnet - Damballa paper

I just received the following link to a very nice analysis. IMHO, a clear example of how this kind of analysis should be done. I will try to take it into account if I write other analyses in the future.

The Command Structure of the Aurora Botnet
http://www.damballa.com/downloads/r_pubs/Aurora_Botnet_Command_Structure.pdf