The CVE-2012-1875 Internet Explorer 8 exploit has been publicly available from various sources for a few days.
I am adding it here for reference.
For analysis info, see the AlienVault link below and the Metasploit module and demo.
P.S. In case you wonder, I have not stopped doing malware analysis, I still do, but as a longer term offline project combined with studying/reading. I pause what I am doing to share samples that come along and better be posted sooner - as is, as I do not want to wait until I write up something more expanded. Since most people prefer doing analysis on their own and I add reference links, I don't think it is a huge disappointment :) ~ Mila
Links and Information
Exploit download
File: CVE-2012-0185
Size: 9943
MD5: 92FB87804413B1E3D2BFB128B00FEF0F
File: CVE-2012-0185
Size: 11341
MD5: 0398139DC9E451270DF282253959DAF6
You can also get the exploit code without any passwords:
- here http://pastebin.com/sFqxs4qx
- or here http://jsunpack.jeek.org/?report=9cbda787fbd4d858890a4111d6b440bf28c0e513
- or Metasploit - here is a Metasploit demo by Eric Romang
CVE #
Microsoft Internet Explorer 8 does not properly handle objects in memory, which allows remote attackers to execute arbitrary code by accessing a deleted object, aka "Same ID Property Remote Code Execution Vulnerability."
Automatic scans
https://www.virustotal.com/file/95855c20085476a5c1dff2f355d34891849d9c53265ee427b584fcf24073e726/analysis/
SHA256: 95855c20085476a5c1dff2f355d34891849d9c53265ee427b584fcf24073e726
SHA1: d23d64af356a715b44128e778f15c12cdcb5a69b
MD5: 0398139dc9e451270df282253959daf6
File size: 11.1 KB ( 11341 bytes )
File name: file-4097895_htm_
File type: HTML
Detection ratio: 16 / 42
Analysis date: 2012-06-14 00:23:41 UTC ( 1 day, 3 hours ago )
AVG Exploit 20120613
BitDefender Trojan.JS.Agent.GHI 20120614
Comodo UnclassifiedMalware 20120614
DrWeb SCRIPT.Virus 20120614
Emsisoft Exploit!IK 20120614
F-Secure Trojan.JS.Agent.GHI 20120614
GData Trojan.JS.Agent.GHI 20120614
Kaspersky Exploit.JS.CVE-2012-1875.a 20120614
McAfee Exploit-CVE-2012-1875 20120614
McAfee-GW-Edition Heuristic.BehavesLike.JS.Unwanted
Microsoft Exploit:JS/ShellCode.AV 20120613
nProtect Trojan.JS.Agent.GHI 20120613
PCTools HeurEngine.MaliciousExploit 20120614
Sophos Exp/20121875-A 20120614
Symantec Bloodhound.Exploit.466 20120613
ssdeep
192:lgkRh0Qccnp61uNN6rMH4QduoDhw0Wf+3EfB1ygKhvH7O5Erima+Gu1Np:lzdXwPf+3EaTa+ZB
TrID
HyperText Markup Language (100.0%)
F-Prot packer identifier
eval
ExifTool
MIMEType.................: text/html
FileType.................: HTML
ContentType..............: text/html; charset=Windows-1252
Title....................: Under Construction
https://www.virustotal.com/file/34ea070fa3a6d27dd4b261e7b396ce69cfdec81d6ac3bf4f9b44469da8c63934/analysis/
SHA256: 34ea070fa3a6d27dd4b261e7b396ce69cfdec81d6ac3bf4f9b44469da8c63934
SHA1: 8749adcf73267c9eb1b464ee6250249ca1eee8f4
MD5: 92fb87804413b1e3d2bfb128b00fef0f
File size: 9.7 KB ( 9943 bytes )
File name: 34ea070fa3a6d27dd4b261e7b396ce69cfdec81d6ac3bf4f9b44469da8c63934
File type: HTML
Detection ratio: 18 / 42
Analysis date: 2012-06-14 11:01:11 UTC ( 17 hours, 10 minutes ago )
Antiy-AVL Trojan/win32.agent 20120614
BitDefender Exploit.JS.Agent.EJ 20120614
ClamAV - 20120614
Comodo UnclassifiedMalware 20120614
DrWeb SCRIPT.Virus 20120614
Emsisoft Exploit!IK 20120614
F-Secure Exploit.JS.Agent.EJ 20120614
GData Exploit.JS.Agent.EJ 20120614
Kaspersky Exploit.JS.CVE-2012-1875.a 20120614
McAfee Exploit-CVE-2012-1875 20120614
McAfee-GW-Edition Heuristic.BehavesLike.JS.Unwanted
Microsoft Exploit:JS/ShellCode.AV 20120614
nProtect Exploit.JS.Agent.EJ 20120614
Panda - 20120613
PCTools HeurEngine.MaliciousExploit 20120614
Sophos Exp/20121875-A 20120614
SUPERAntiSpyware - 20120614
Symantec Bloodhound.Exploit.466 20120614
TrendMicro JS_LOADER.HVN 20120614
Additional information
ssdeep
192:IkRh0Qccnp61uNN6rMH4QduoDhw0Wf+3EWB1ygKhAH7O5ErCmN:LdXwPf+3EQXN
TrID
HyperText Markup Language (100.0%)
F-Prot packer identifier
eval
ExifTool
MIMEType.................: text/html
FileType.................: HTML
First seen by VirusTotal
2012-05-28 10:34:40 UTC ( 2 weeks, 3 days ago )
Last seen by VirusTotal
2012-06-14 11:01:11 UTC ( 17 hours, 10 minutes ago )
File names (max. 25)
xp.html
adederim.bm
ie_cve2.html
file-4098066_
34ea070fa3a6d27dd4b261e7b396ce69cfdec81d6ac3bf4f9b44469da8c63934
Thanks Mila, really appreciate your time and sharing.