<<< Date Index >>>     <<< Thread Index >>>

Multiple Vendor Anti-Virus Software Malicious WebPage Detection Bypass



********************************************************************************************
Multiple Vendor Anti-Virus Software Malicious WebPage Detection Bypass
         hackers.
NOTIFICATION:
this exploit are based on Andrey Bayora "magic of magic byte" but with some 
development.
This proof of concept was created for educational purposes only,Use the code it 
at your own risk.
The author will not be responsible for any damages.
*********************************************************************************************
Exploit Information:
    Date: 2008/19/08
    Impact: baypassing the Detection of  Malicious web page that can compromise 
a user's system
Vulnerabled AV-Software:
        ESET Smart Security latest version. <== The exploit was dedicated to it.
        AhnLab-V3 2008.9.13.0
        AntiVir 7.8.1.28
        AVG 8.0.0.161
        CAT-QuickHeal 9.50
        ClamAV 0.93.1
        DrWeb 4.44.0.09170
        eSafe 7.0.17.0
        eTrust 31.6.6086
        Ewido 4.0
        Fortinet 3.113.0.0
        Ikarus T3.1.1.34.0
        K7AntiVirus 7.10.454
        NOD32v2 3440
        Norman 5.80.02
        Panda 9.0.0.4
        PCTools 4.4.2.0
        Prevx1 V2
        Rising 20.61.42.00
        Sophos 4.33.0
        Sunbelt 3.1.1633.1
        Symantec 10
        TheHacker 6.3.0.9.081
        TrendMicro 8.700.0.1004
        VBA32 3.12.8.5
        ViRobot 2008.9.12.1375
        VirusBuster 4.5.11.0
the things that must be considered that the POC it's variant  from exploit to 
exploit(some times
Kaspersky and the other famous AV Sofware can be  deceive).
Proof Of Concept:
as i said the exploit are based on the magic of magic byte methode we will 
first add the MZ Header to the HTML Exploit and  change the exstention to txt 
or jpg or non extension,the exploit is compatible with IE6 and IE7 because 
IE6&7  execute the HTML Event if it's in txt file or non extension files.
so the exploit it's with corporate of IE6&7 :).
virustotal result of MS Internet Explorer (VML) Remote Buffer Overflow Exploit 
(XP SP2).
http://www.virustotal.com/fr/analisis/062ec3b8d8b88e99865f798cc08b0718
and this is a Variant one "obfuscated by this methode".
http://www.virustotal.com/fr/analisis/7db1bd321a1f945b4abfa73844c36d99
POC:
1-add the MZ Header to the HTML file:
MZ&#1711;       &#1746;&#1746;  ¸       @                                   
&#1591;   &#1563; ´    &#1581;!¸L&#1581;!This program cannot be run in DOS mode.
you can put other EXE info on the HTML Body for more deception "showing in the 
second result".
-rename the HTML to non extension file or txt or jpg.
3-upload it to webserver.
    http://localhost/mallpage.txt or http://localhost/mallpage<non extenstion>.