Multiple Vendor Anti-Virus Software Malicious WebPage Detection Bypass -Update-

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Multiple Vendor Anti-Virus Software Malicious WebPage Detection Bypass -Update-
From: xhakerman2006@xxxxxxxxx
Date: 9 Dec 2008 16:34:48 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

Litel Update.
in the previous advisory there was some wrong report because of, the update of
anti-virus product version.
********************************************************************************************
Multiple Vendor Anti-Virus Software Malicious WebPage Detection Bypass
[_] Discovred by : DATA_SNIPER
[_] Greets to: hacker c&c Team , Arab4Services team on
www.arab4services.net , AT4RE Team on www.at4re.com
[_] Special thanks go to: Andrey Bayora and all arabian hackers
specialy algerian hackers.
NOTIFICATION:
this exploit are based on Andrey Bayora "magic of magic byte" but with some
development.
This proof of concept was created for educational purposes only,Use the code it
at your own risk.
The author will not be responsible for any damages.
*********************************************************************************************
Exploit Information:
Date: 2008/19/08
Impact: Baypassing the Detection of Malicious web page that can compromise
a user's system
Vulnerabled AV-Software:
ESET Smart Security Latest Version<=(the Exploit was dedicated for it)
AhnLab-V3 2008.12.4.1
AntiVir 7.9.0.36 2008.12.04
Avast 4.8.1281.0
CAT-QuickHeal 10.00
ClamAV 0.94.1
DrWeb 4.44.0.09170
Ewido 4.0
Ikarus T3.1.1.45.0
K7AntiVirus 7.10.541
NOD32 3662
Norman 5.80.02
Panda 9.0.0.4
Prevx1 V2
Rising 21.06.31.00
SecureWeb-Gateway
Sunbelt 3.1.1832.2
TheHacker 6.3.1.2.174
TrendMicro 8.700.0.1004
ViRobot 2008.12.4.1499
the things that must be considered that the POC it's variant from exploit to
exploit(some times
Kaspersky and the other famous AV Sofware can be deceive).
Proof Of Concept:
as i said the exploit are based on the magic of magic byte methode we will
first add the MZ Header to the HTML Exploit and change the exstention to txt
or jpg or non extension,the exploit is compatible with IE6 and IE7 because
IE6&7 execute the HTML Event if it's in txt file or non extension files.
so the exploit it's with corporate of IE6&7 :).
virustotal result of MS Internet Explorer 6/7 (XML Core Services) Remote Code
Execution Exploit
http://www.virustotal.com/analisis/2fce2b49876e27b4144fd39be466200e
and print screen for the scann in VirusTotal.
http://members.lycos.co.uk/datasniper/a.jpg
http://members.lycos.co.uk/datasniper/b.jpg
http://members.lycos.co.uk/datasniper/c.jpg
POC:
1-add the MZ Header to the HTML file:
MZ&#1711; &#1746;&#1746; ¸ @
&#1591; &#1563; ´ &#1581;!¸L&#1581;!This program cannot be run in DOS
mode.
you can put other EXE info on the HTML Body for more deception.
-rename the HTML to non extension file or txt or jpg.
3-upload it to webserver.
http://localhost/mallpage.txt or http://localhost/mallpage<non extenstion>.
video POC:
Simple video explain how the vulnerability can be exploited under ESET Smart
Security (arabic).
------------------------------

Prev by Date: rPSA-2008-0332-1 kernel
Next by Date: Re: DoS attacks on MIME-capable software via complex MIME emails
Previous by thread: rPSA-2008-0332-1 kernel
Next by thread: Secunia Research: Microsoft Word RTF Polyline/Polygon Integer Overflow
Index(es):
- Date
- Thread