Friday, June 15, 2012

CVE-2012-1875 links and samples

The CVE-2012-1875 Internet Explorer 8 exploit has been publicly available from various sources for a few days; I am adding it here for reference.
For analysis, see the AlienVault write-up linked below and the Metasploit module and demo.

P.S. In case you wonder, I have not stopped doing malware analysis, I still do, but as a longer-term offline project combined with studying/reading. I pause what I am doing to share samples that come along and are better posted sooner, as is, as I do not want to wait until I write up something more expanded. Since most people prefer doing analysis on their own and I add reference links, I don't think it is a huge disappointment :)  ~ Mila


Links and Information

Download

Exploit download
  1. Contagio mediafire = 2 variants are here (email me if you need the password)

File: CVE-2012-1875 variant 1 (HTML)
Size: 9943 bytes
MD5:  92FB87804413B1E3D2BFB128B00FEF0F

File: CVE-2012-1875 variant 2 (HTML)
Size: 11341 bytes
MD5:  0398139DC9E451270DF282253959DAF6

You can also get the exploit code without any password:
  1. here http://pastebin.com/sFqxs4qx
  2. or here http://jsunpack.jeek.org/?report=9cbda787fbd4d858890a4111d6b440bf28c0e513
  3. or via Metasploit; here is the Metasploit demo by Eric Romang


CVE-2012-1875 (fixed in MS12-037)
Microsoft Internet Explorer 8 does not properly handle objects in memory, which allows remote attackers to execute arbitrary code by accessing a deleted object, aka "Same ID Property Remote Code Execution Vulnerability."
In other words, a use-after-free reachable from a web page; the two samples above are the HTML/JavaScript triggers, which is why the detections below name them as JS exploits and shellcode carriers.


Automatic scans
https://www.virustotal.com/file/95855c20085476a5c1dff2f355d34891849d9c53265ee427b584fcf24073e726/analysis/
SHA256:     95855c20085476a5c1dff2f355d34891849d9c53265ee427b584fcf24073e726
SHA1:     d23d64af356a715b44128e778f15c12cdcb5a69b
MD5:     0398139dc9e451270df282253959daf6
File size:     11.1 KB ( 11341 bytes )
File name:     file-4097895_htm_
File type:     HTML
Detection ratio:     16 / 42
Analysis date:     2012-06-14 00:23:41 UTC ( 1 day, 3 hours ago )
AVG     Exploit     20120613
BitDefender     Trojan.JS.Agent.GHI     20120614
Comodo     UnclassifiedMalware     20120614
DrWeb     SCRIPT.Virus     20120614
Emsisoft     Exploit!IK     20120614
F-Secure     Trojan.JS.Agent.GHI     20120614
GData     Trojan.JS.Agent.GHI     20120614
Kaspersky     Exploit.JS.CVE-2012-1875.a     20120614
McAfee     Exploit-CVE-2012-1875     20120614
McAfee-GW-Edition     Heuristic.BehavesLike.JS.Unwanted
Microsoft     Exploit:JS/ShellCode.AV     20120613
nProtect     Trojan.JS.Agent.GHI     20120613
PCTools     HeurEngine.MaliciousExploit     20120614
Sophos     Exp/20121875-A     20120614
Symantec     Bloodhound.Exploit.466     20120613

ssdeep
192:lgkRh0Qccnp61uNN6rMH4QduoDhw0Wf+3EfB1ygKhvH7O5Erima+Gu1Np:lzdXwPf+3EaTa+ZB
TrID
HyperText Markup Language (100.0%)
F-Prot packer identifier
eval
ExifTool

MIMEType.................: text/html
FileType.................: HTML
ContentType..............: text/html; charset=Windows-1252
Title....................: Under Construction

https://www.virustotal.com/file/34ea070fa3a6d27dd4b261e7b396ce69cfdec81d6ac3bf4f9b44469da8c63934/analysis/
SHA256:     34ea070fa3a6d27dd4b261e7b396ce69cfdec81d6ac3bf4f9b44469da8c63934
SHA1:     8749adcf73267c9eb1b464ee6250249ca1eee8f4
MD5:     92fb87804413b1e3d2bfb128b00fef0f
File size:     9.7 KB ( 9943 bytes )
File name:     34ea070fa3a6d27dd4b261e7b396ce69cfdec81d6ac3bf4f9b44469da8c63934
File type:     HTML
Detection ratio:     18 / 42
Analysis date:     2012-06-14 11:01:11 UTC ( 17 hours, 10 minutes ago )
Antiy-AVL     Trojan/win32.agent     20120614
BitDefender     Exploit.JS.Agent.EJ     20120614
ClamAV     -     20120614
Comodo     UnclassifiedMalware     20120614
DrWeb     SCRIPT.Virus     20120614
Emsisoft     Exploit!IK     20120614
F-Secure     Exploit.JS.Agent.EJ     20120614
GData     Exploit.JS.Agent.EJ     20120614
Kaspersky     Exploit.JS.CVE-2012-1875.a     20120614
McAfee     Exploit-CVE-2012-1875     20120614
McAfee-GW-Edition     Heuristic.BehavesLike.JS.Unwanted    
Microsoft     Exploit:JS/ShellCode.AV     20120614
nProtect     Exploit.JS.Agent.EJ     20120614
Panda     -     20120613
PCTools     HeurEngine.MaliciousExploit     20120614
Sophos     Exp/20121875-A     20120614
SUPERAntiSpyware     -     20120614
Symantec     Bloodhound.Exploit.466     20120614
TrendMicro     JS_LOADER.HVN     20120614


ssdeep
192:IkRh0Qccnp61uNN6rMH4QduoDhw0Wf+3EWB1ygKhAH7O5ErCmN:LdXwPf+3EQXN
TrID
HyperText Markup Language (100.0%)
F-Prot packer identifier
eval
ExifTool

MIMEType.................: text/html
FileType.................: HTML

First seen by VirusTotal
2012-05-28 10:34:40 UTC ( 2 weeks, 3 days ago )
Last seen by VirusTotal
2012-06-14 11:01:11 UTC ( 17 hours, 10 minutes ago )
File names (max. 25)

    xp.html
    adederim.bm
    ie_cve2.html
    file-4098066_
    34ea070fa3a6d27dd4b261e7b396ce69cfdec81d6ac3bf4f9b44469da8c63934
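The two ssdeep signatures in the VirusTotal reports above (the 11341-byte and the 9943-byte variant) share a long common run in their first chunk, so a quick way to confirm that these are two builds of the same exploit page, without opening either sample, is to score them against each other. The following is an added example, not code from the original post and not the ssdeep project's own code: a small pure-Python re-implementation of the ssdeep signature comparison as I understand its source (parse the signature, collapse long character runs, require a common substring of at least 7 characters, scale a weighted edit distance to 0..100). The constants and the edit-distance cost model are assumptions to that extent; the two signatures are taken verbatim from this page as the input data. Use the real ssdeep/libfuzzy for authoritative scores.

```python
"""ssdeep-style comparison of the two signatures listed on this page.

Added example; re-implements the ssdeep match algorithm as I understand
it (constants and cost model are assumptions), so treat the exact score
as approximate.
"""

ROLLING_WINDOW = 7   # a common substring at least this long is required before scoring
SPAMSUM_LENGTH = 64  # nominal signature length used to scale the edit distance
MIN_BLOCKSIZE = 3

# The two ssdeep signatures from the VirusTotal reports above (input data for the demo).
SIG_VARIANT_11341 = "192:lgkRh0Qccnp61uNN6rMH4QduoDhw0Wf+3EfB1ygKhvH7O5Erima+Gu1Np:lzdXwPf+3EaTa+ZB"
SIG_VARIANT_9943 = "192:IkRh0Qccnp61uNN6rMH4QduoDhw0Wf+3EWB1ygKhAH7O5ErCmN:LdXwPf+3EQXN"


def parse_signature(sig):
    """Split 'blocksize:chunk1:chunk2[,"filename"]' into (int, str, str)."""
    body = sig.split(",", 1)[0]
    block_size, chunk1, chunk2 = body.split(":", 2)
    return int(block_size), chunk1, chunk2


def eliminate_sequences(s):
    """Collapse runs of more than three identical characters to three (as ssdeep does)."""
    out = []
    for ch in s:
        if len(out) >= 3 and out[-1] == out[-2] == out[-3] == ch:
            continue
        out.append(ch)
    return "".join(out)


def longest_common_substring(a, b):
    """Length of the longest common substring (row-by-row dynamic programme)."""
    best = 0
    prev = [0] * (len(b) + 1)
    for ca in a:
        cur = [0] * (len(b) + 1)
        for j, cb in enumerate(b, 1):
            if ca == cb:
                cur[j] = prev[j - 1] + 1
                best = max(best, cur[j])
        prev = cur
    return best


def edit_distance(a, b, insert_cost=1, delete_cost=1, replace_cost=2):
    """Weighted Levenshtein distance: insert/delete cost 1, substitution cost 2."""
    prev = [j * insert_cost for j in range(len(b) + 1)]
    for i, ca in enumerate(a, 1):
        cur = [i * delete_cost]
        for j, cb in enumerate(b, 1):
            substitute = prev[j - 1] + (0 if ca == cb else replace_cost)
            cur.append(min(prev[j] + delete_cost, cur[j - 1] + insert_cost, substitute))
        prev = cur
    return prev[-1]


def score_chunks(a, b, block_size):
    """Score two chunks computed at the same block size on a 0..100 scale."""
    a, b = eliminate_sequences(a), eliminate_sequences(b)
    if not a or not b or longest_common_substring(a, b) < ROLLING_WINDOW:
        return 0  # nothing in common at rolling-window granularity: unrelated
    score = edit_distance(a, b)
    score = (score * SPAMSUM_LENGTH) // (len(a) + len(b))  # scale by combined length
    score = (100 * score) // SPAMSUM_LENGTH                 # 0..64 -> 0..100
    score = 100 - score                                     # distance -> similarity
    # Very small block sizes are capped so short signatures cannot claim a high match.
    if block_size >= (99 + ROLLING_WINDOW) // ROLLING_WINDOW * MIN_BLOCKSIZE:
        return score
    return min(score, block_size // MIN_BLOCKSIZE * min(len(a), len(b)))


def compare(sig1, sig2):
    """Match score between two signatures (0 = unrelated, 100 = identical)."""
    b1, c1a, c1b = parse_signature(sig1)
    b2, c2a, c2b = parse_signature(sig2)
    if b1 == b2:  # same block size: compare chunk1/chunk1 and chunk2/chunk2, keep the best
        return max(score_chunks(c1a, c2a, b1), score_chunks(c1b, c2b, b1 * 2))
    if b1 == b2 * 2:  # sig1's first chunk was hashed at sig2's second-chunk block size
        return score_chunks(c1a, c2b, b1)
    if b2 == b1 * 2:
        return score_chunks(c1b, c2a, b2)
    return 0  # block sizes differ by more than a factor of two: not comparable


if __name__ == "__main__":
    print("variant similarity:", compare(SIG_VARIANT_11341, SIG_VARIANT_9943))
```

Run it as a script and it prints the similarity of the two variants; anything well above 0 with identical block sizes means the files share most of their content, which matches the near-identical detection names in the two reports. The 7-character common-substring gate is what makes ssdeep return a flat 0 for unrelated files rather than a low but non-zero number, so do not read "0" as "slightly different".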

1 comment:

  1. Thanks Mila, really appreciate your time and sharing.
