What is God Mode? The concept comes from yuange; it means that once we turn on God Mode, we can do anything we want. And what is God Mode really? We know that if we want script code running in the browser to create an object like Shell.Application, the script engine checks the SafeMode flag; if it is set, the engine blocks the code. That is God Mode. Yuange also calls this DVE (Data Virtual Execution): it only executes script, not native binary code, so ASLR, DEP, EMET, CFI and all the other defense technologies fail against it. What we are going to do is clear the SafeMode flag. (Notice: All the following code is …..
Thanks to ga1ois for giving us an excellent lecture on the Art of Leaks at CanSecWest. He found that this technique can read/write any memory of the process. Cool! I have uploaded the PPT here; you can also download the PPT from his GitHub: https://github.com/ga1ois/CanSecWest2014/blob/master/The Art of Leaks – read version – Yoyo.pdf Now I will write some demo code here.
Yesterday, FireEye posted a blog about a new 0day attack (http://www.fireeye.com/blog/technical/cyber-exploits/2014/02/new-ie-zero-day-found-in-watering-hole-attack-2.html) (http://www.fireeye.com/blog/uncategorized/2014/02/operation-snowman-deputydog-actor-compromises-us-veterans-of-foreign-wars-website.html). This 0day affects IE 10, has been assigned CVE-2014-0322, and can be used in APT attacks. We can find the sample here: http://jsunpack.jeek.org/?report=a7d85dd462456a816b1ebc8306550e0c9b61c75e
Last month, FireEye caught a 0day attack to which MS assigned CVE-2013-3918. Basically, this 0day may have been in the wild for more than one year. We can find the sample here: http://jsunpack.jeek.org/?report=0fe86b1a6fc27dbd4134d96e68b9153682cc6831. Metasploit has also released a module which works on WinXP + IE8. Now I will give a deep analysis of this vulnerability.