Multiple Vendor Anti-Virus Software Malicious WebPage Detection Bypass -Update-
Little update.
The previous advisory contained some incorrect reports, caused by updated
anti-virus product versions.
********************************************************************************************
Multiple Vendor Anti-Virus Software Malicious WebPage Detection Bypass
[_] Discovered by: DATA_SNIPER
[_] Greets to: hacker c&c Team, Arab4Services team on
www.arab4services.net, AT4RE Team on www.at4re.com
[_] Special thanks go to: Andrey Bayora and all Arabian hackers,
especially Algerian hackers.
NOTIFICATION:
This exploit is based on Andrey Bayora's "magic of magic byte" technique, with
some further development.
This proof of concept was created for educational purposes only. Use the code
at your own risk.
The author will not be responsible for any damages.
*********************************************************************************************
Exploit Information:
Date: 2008/19/08
Impact: Bypassing the detection of a malicious web page that can compromise
a user's system
Vulnerable AV software:
ESET Smart Security, latest version (the exploit was written specifically for it)
AhnLab-V3 2008.12.4.1
AntiVir 7.9.0.36 2008.12.04
Avast 4.8.1281.0
CAT-QuickHeal 10.00
ClamAV 0.94.1
DrWeb 4.44.0.09170
Ewido 4.0
Ikarus T3.1.1.45.0
K7AntiVirus 7.10.541
NOD32 3662
Norman 5.80.02
Panda 9.0.0.4
Prevx1 V2
Rising 21.06.31.00
SecureWeb-Gateway
Sunbelt 3.1.1832.2
TheHacker 6.3.1.2.174
TrendMicro 8.700.0.1004
ViRobot 2008.12.4.1499
Note that results vary from exploit to exploit: the PoC does not behave the
same way with every payload (sometimes Kaspersky and other well-known AV
software can be deceived as well).
Proof Of Concept:
As I said, the exploit is based on the magic of magic byte method: we first
add the MZ header to the HTML exploit and change the extension to .txt or .jpg,
or remove the extension entirely. The exploit works with IE6 and IE7 because
IE6 and IE7 execute the HTML even if it is in a .txt file or a file with no
extension. So the exploit relies on the cooperation of IE6 and IE7 :).
VirusTotal result for the MS Internet Explorer 6/7 (XML Core Services) Remote
Code Execution Exploit:
http://www.virustotal.com/analisis/2fce2b49876e27b4144fd39be466200e
Screenshots of the scan in VirusTotal:
http://members.lycos.co.uk/datasniper/a.jpg
http://members.lycos.co.uk/datasniper/b.jpg
http://members.lycos.co.uk/datasniper/c.jpg
POC:
1-Add the MZ header to the HTML file:
MZ ... This program cannot be run in DOS mode.
(the non-printable bytes of the standard DOS header between "MZ" and the stub
message do not survive as text in this copy)
You can put other EXE information in the HTML body for more deception.
2-Rename the HTML file to a file with no extension, or to .txt or .jpg.
3-Upload it to a web server:
http://localhost/mallpage.txt or http://localhost/mallpage<non extenstion>.
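A content-based check a defender can apply to the MZ-plus-HTML polyglot the steps above produce, added here as an example and not part of the original advisory: it reads the MZ header's e_lfanew field at offset 0x3C, confirms whether a real "PE\0\0" signature follows, and looks for HTML markup behind the DOS stub, ignoring the file extension entirely (which is what IE6/7 also do). The sample bytes, the marker list and the verdict names are constructed assumptions.

```python
import re
import struct

# Constructed sample (not the advisory's file): a plain DOS stub, with the
# e_lfanew field at offset 0x3C left as zero, followed by inert HTML.
DOS_STUB = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    b"\xb8\x00\x00\x00\x00\x00\x00\x00\x40\x00\x00\x00"
    + b"\x00" * 32                  # reserved header words (0x1C..0x3B)
    + b"\x00\x00\x00\x00"           # e_lfanew = 0: no PE header follows
    + b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21"
    + b"This program cannot be run in DOS mode.\r\n$"
)
POLYGLOT_SAMPLE = DOS_STUB + b"<html><body><script>alert('x')</script></body></html>"

# Markup that makes a browser render/execute the file regardless of extension.
HTML_MARKERS = re.compile(rb"<\s*(html|script|body|object|iframe|embed)\b", re.IGNORECASE)


def has_valid_pe_header(data: bytes) -> bool:
    """True only if the MZ header's e_lfanew points at a real 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew < 0x40 or e_lfanew + 4 > len(data):
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def classify(data: bytes) -> str:
    """Classify by content; the file name and extension are deliberately ignored."""
    starts_mz = data[:2] == b"MZ"
    html_hits = HTML_MARKERS.findall(data)
    if starts_mz and has_valid_pe_header(data):
        return "pe"                 # a genuine PE may legitimately embed HTML strings
    if starts_mz and html_hits:
        return "mz-html-polyglot"   # MZ magic with no PE body and HTML markup behind it
    if html_hits:
        return "html"
    return "other"
```

A scanner that stops at the MZ signature and hands the file to its PE engine never reaches the markup; checking that a PE header actually exists before trusting the magic bytes closes that gap.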
Video PoC:
A simple video explaining how the vulnerability can be exploited under ESET
Smart Security (Arabic).