Internet Explorer CMshtmlEd::Exec() 0day

Posted: September 17th, 2012 | Author: | Filed under: IT Related | 3 Comments »

As discussed [1] [2] [3] in Twitter couple of hours ago,without any delay, Metasploit team did very well in their part to release the working version of the exploit and port it to their framework. Awesome work guys! Some workarounds are available in MyCERT’s writeup

$ yara -r newIE0daymshtmlExec.yar /tmp/0dayIE/
newIE0daymshtmlExec /tmp/0dayIE//CVE-IE8 0day/2a2e2efffa382663ba10c492f407dda8a686a777858692d073712d1cc9c5f265_Protect.html
newIE0daymshtmlExec /tmp/0dayIE//CVE-IE8 0day/9d66323794d493a1deaab66e36d36a820d814ee4dd50d64cddf039c2a06463a5_exploit.html
newIE0daymshtmlExec /tmp/0dayIE//Niuya.html
newIE0daymshtmlExec /tmp/0dayIE//nJcfzl.html

And.. I’m ready with the detection “rule” and as mention in previous entry, it will only be share with several private group. If you need to get the feeds, kindly drop me an email at adnan.shukor @ G!

Thanks

 

Reference:

  1. http://eromang.zataz.com/2012/09/16/zero-day-season-is-really-not-over-yet/
  2. http://blog.vulnhunt.com/index.php/2012/09/17/ie-execcommand-fuction-use-after-free-vulnerability-0day/
  3. http://labs.alienvault.com/labs/index.php/2012/new-internet-explorer-zero-day-being-exploited-in-the-wild/
  4. http://www.mycert.org.my/en/services/advisories/mycert/2012/main/detail/908/index.html

 

Updated

Metasploit detection rate: