Multiple Vendor Anti-Virus Software Malicious WebPage Detection Bypass -Update-

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Litel Update.
in the previous advisory there was some wrong report because of, the update of anti-virus product version.
********************************************************************************************
Multiple Vendor Anti-Virus Software Malicious WebPage Detection Bypass
           [_] Discovred by : DATA_SNIPER
           [_] Greets to:  hacker c&c Team , Arab4Services team on www.arab4services.net , AT4RE Team on www.at4re.com
           [_] Special thanks go to: Andrey Bayora and all arabian hackers specialy algerian hackers.
NOTIFICATION:
this exploit are based on Andrey Bayora "magic of magic byte" but with some development.
This proof of concept was created for educational purposes only,Use the code it at your own risk.
The author will not be responsible for any damages.
*********************************************************************************************
Exploit Information:
    Date: 2008/19/08
    Impact: Baypassing the Detection of  Malicious web page that can compromise a user's system
Vulnerabled AV-Software:
   ESET Smart Security Latest Version<=(the Exploit was dedicated for it)
   AhnLab-V3	2008.12.4.1
   AntiVir	7.9.0.36	2008.12.04
   Avast	4.8.1281.0
   CAT-QuickHeal	10.00
   ClamAV	0.94.1
   DrWeb	4.44.0.09170
   Ewido	4.0
   Ikarus	T3.1.1.45.0
   K7AntiVirus	7.10.541
   NOD32	3662
   Norman	5.80.02
   Panda	9.0.0.4
   Prevx1	V2
   Rising	21.06.31.00
   SecureWeb-Gateway
   Sunbelt	3.1.1832.2
   TheHacker	6.3.1.2.174
   TrendMicro	8.700.0.1004
   ViRobot	 2008.12.4.1499
the things that must be considered that the POC it's variant  from exploit to exploit(some times
Kaspersky and the other famous AV Sofware can be  deceive).
Proof Of Concept:
as i said the exploit are based on the magic of magic byte methode we will first add the MZ Header to the HTML Exploit and  change the exstention to txt or jpg or non extension,the exploit is compatible with IE6 and IE7 because IE6&7  execute the HTML Event if it's in txt file or non extension files.
so the exploit it's with corporate of IE6&7 :).
virustotal result of  MS Internet Explorer 6/7 (XML Core Services)  Remote Code Execution Exploit
http://www.virustotal.com/analisis/2fce2b49876e27b4144fd39be466200e
and print screen for the scann in VirusTotal.
http://members.lycos.co.uk/datasniper/a.jpg
http://members.lycos.co.uk/datasniper/b.jpg
http://members.lycos.co.uk/datasniper/c.jpg
POC:
1-add the MZ Header to the HTML file:
MZ&#1711;       &#1746;&#1746;  ¸       @                                   &#1591;   &#1563; ´    &#1581;!¸L&#1581;!This program cannot be run in DOS mode.
you can put other EXE info on the HTML Body for more deception.
-rename the HTML to non extension file or txt or jpg.
3-upload it to webserver.
    http://localhost/mallpage.txt or http://localhost/mallpage<non extenstion>.
video POC:
Simple video explain how the vulnerability can be exploited  under ESET Smart Security (arabic).
------------------------------
[Index of Archives]     [Linux Security]     [Netfilter]     [PHP]     [Yosemite News]     [Linux Kernel]

  Powered by Linux