Pages

Wednesday, September 19, 2012

CVE-2012-4969 Internet explorer 0day samples


The Internet Explorer 0day aka now CVE-2012-4969, have been used in a "small number of targeted attacks". The new Internet Explorer Zero day technical details came out (eromang.zataz.com), the Metasploit module is out now too and the number will increase exponentially as soon as exploit pack authors add it to their arsenal, which will happen very soon. This seems to be repeating the story of Java CVE-2012-4681. See CVE-2012-4681 samples Original (APT) and Blackhole 2.0 (crime)

There are a few mitigation workarounds you can use for now, the best is to upgrade your browser, however
Read more at http://technet.microsoft.com/en-us/security/advisory/2757760



CVE #

CVE-2012-4969
Use-after-free vulnerability in the CMshtmlEd::Exec function in mshtml.dll in Microsoft Internet Explorer 6 through 9 allows remote attackers to execute arbitrary code via a crafted web site, as exploited in the wild in September 2012.


Download

Here are all the files mentioned by Jaime Blasco here
http://labs.alienvault.com/labs/index.php/2012/new-internet-explorer-zero-day-being-exploited-in-the-wild/

111.exe          baabd0b871095138269cf2c53b517927
111.exe_out 7173d9b331275b8be69a4e698c9ec68f
Decoded SWF  e7ced808b16692f57229a2e21c476be8
exploit.html  4f1dfed17cf7d1a1d9f61e1ad2c03624
Moh2010.swf  eb62e0051ad4ab3f626d148472dfa891
Protect.html  f4537fe00e40b5bc01d9826dc3e0c2e8


Automatic scans


https://www.virustotal.com/file/2a2e2efffa382663ba10c492f407dda8a686a777858692d073712d1cc9c5f265/analysis/

https://www.virustotal.com/file/a6086c16136ea752fc49bc987b8cc9e494384f372ddfdca85c2a5b7d43daa812/analysis/

https://www.virustotal.com/file/dd41efa629c7f7f876362c5ca6d570be6b83728a2ce8ecbef65bdb89cb402b0f/analysis/

https://www.virustotal.com/file/9d66323794d493a1deaab66e36d36a820d814ee4dd50d64cddf039c2a06463a5/analysis/

https://www.virustotal.com/file/70f6a2c2976248221c251d9965ff2313bc0ed0aebb098513d76de6d8396a7125/analysis/

https://www.virustotal.com/file/a5a04f661781d48df3cbe81f56ea1daae6ba3301c914723b0bb6369a5d2505d9/analysis/

https://www.virustotal.com/file/70f6a2c2976248221c251d9965ff2313bc0ed0aebb098513d76de6d8396a7125/analysis/1348057714/

11 comments:

  1. Hi, Whats the password to this archive?

    Cheers

    ReplyDelete
  2. Download all files above (email me if you need the password)

    ReplyDelete
    Replies
    1. Hello, I asked the password but I have not received response...

      Delete
    2. Not sure why. Can you email again, i don't see your message. Thank you

      Delete
  3. dropped you an email

    ReplyDelete
  4. Sorry! Can you provide snort signatures alerted about the threat arrival? Thank You!

    ReplyDelete
  5. The 111.exe_out above is decrypted incorrectly from 111.exe. He made a mistake with the decryption. The correctly decrypted file from baabd0b871095138269cf2c53b517927 is:
    https://www.virustotal.com/file/85ad20e922f5e9d497ec06ff8db5af81fbdcbb6e8e63dc426b8faf40d5cc32c6/analysis/

    with md5 ee0fdb5a752afea044c4e4fe4534ef5a23f6.

    ReplyDelete
    Replies
    1. I pasted the wrong md5, the correct one is 8d326300a6f4dfe93a456c4c185bf2a8. The VT link is correct.

      Delete
  6. In witch emails to write you for password?

    ReplyDelete