AlienVault R&D Labs Portal. Get the latest news from our research.
New Internet Explorer zero day being exploited in the wild

September 17th, 2012 | Posted by jaime.blasco in APT | Attacks | Exploits

After the Java zero-day exploit we reported some weeks ago, it appears that a new 0day has been found in Internet Explorer, from the same authors who created the Java one.

Yesterday, Eric Romang reported finding new exploit code on the same server where the Java 0day was found some weeks ago. The new vulnerability appears to affect Internet Explorer 7 and 8 and seems to be exploitable at least on Windows XP.

The exploit code found on the server works as follows:


- The file exploit.html creates the initial vector to exploit the vulnerability and loads the flash file Moh2010.swf.

- Moh2010.swf is a Flash file encrypted using DoSWF. We’ve seen the usage of DoSWF in the exploit code of other targeted attacks such as:

- Several Targeted Attacks exploiting Adobe Flash Player (CVE-2012-0779)

The Flash file is in charge of doing the heap spray. Then it loads Protect.html.


Due to the usage of DoSWF, the malicious code is encrypted. The easiest way to obtain the decrypted content is to run the file within Internet Explorer and attach to the process once the content has been decrypted. The raw content can then be dumped, and in it the following ByteArray is declared:


If we take the raw content of the hexadecimal string and apply an XOR with the byte E2, we obtain the following bytes, which contain the URL of the malicious payload:
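As an added example that is not part of the original post, the following Python reproduces the decoding step just described: it parses the hex string from the ByteArray, XORs each byte with E2 and pulls out any URL. The hex string from the sample is not reproduced on this page, so the input below is a constructed placeholder URL encoded the same way; the key-search function goes beyond the post, for cases where the single-byte XOR key is not known.

```python
"""Recover a URL from a hex string that was XOR-obfuscated with a single byte."""
import re
from typing import List, Optional

# Constructed sample input: a placeholder URL (not the real payload location)
# encoded the same way the post describes, so the decoder has something to run on.
SAMPLE_URL = b"http://payload.example.invalid/malware.exe"
SAMPLE_HEX = "".join(f"{b ^ 0xE2:02x}" for b in SAMPLE_URL)

URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#\[\]@!$&'()*+,;=%-]+")


def hex_to_bytes(hex_string: str) -> bytes:
    """Parse hex as it may appear in a ByteArray declaration: tolerate 0x/\\x
    prefixes, commas and whitespace between the digits."""
    cleaned = re.sub(r"0x|\\x|[\s,]", "", hex_string)
    if len(cleaned) % 2:
        raise ValueError("odd number of hex digits")
    return bytes.fromhex(cleaned)


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with the same single-byte key (the operation is its own inverse)."""
    return bytes(b ^ key for b in data)


def extract_urls(data: bytes) -> List[str]:
    """Return every http(s) URL found in the decoded bytes."""
    return [m.decode("ascii", "replace") for m in URL_RE.findall(data)]


def recover_urls(hex_string: str, key: int = 0xE2) -> List[str]:
    """The step from the post: hex string -> raw bytes -> XOR E2 -> URLs."""
    return extract_urls(xor_bytes(hex_to_bytes(hex_string), key))


def find_xor_key(data: bytes) -> Optional[int]:
    """Generalisation beyond the post: when the key is unknown, try all 256
    single-byte keys and return the first whose output contains a URL."""
    for key in range(256):
        if URL_RE.search(xor_bytes(data, key)):
            return key
    return None


if __name__ == "__main__":
    raw = hex_to_bytes(SAMPLE_HEX)
    key = find_xor_key(raw)
    print("key found:", None if key is None else hex(key))
    print("urls:", recover_urls(SAMPLE_HEX))
```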


- Protect.html checks if the system is running Internet Explorer version 7 or 8 under Windows XP. If the victim satisfies those conditions, the vulnerability is triggered and the malicious payload is executed.


The payload dropped is Poison Ivy as in the previous Java 0day.

https://www.virustotal.com/file/85ad20e922f5e9d497ec06ff8db5af81fbdcbb6e8e63dc426b8faf40d5cc32c6/analysis/

The C&C server configured is ie.aq1.co.uk that is currently resolving to 12.163.32.15:


We’ve also seen that hello.icon.pk, the domain used in the previous attacks, is also pointing to the new IP address.

Once executed, the payload creates the file C:\WINDOWS\system32\mspmsnsv.dll and the service WmdmPmSN is configured and started.

Here you have more details on the vulnerability being exploited.

It seems the Metasploit guys are already working on a Metasploit module, so let’s see how fast Microsoft handles the issue.

More info coming soon!

Update:

Metasploit has released a working exploit.

You can download the following Yara rule to match both exploit versions.


jaime.blasco

At AlienVault Jaime manages the Lab and runs the Vulnerability Research Team. Prior to working in the AlienVault lab he founded a couple of startups (Eazel, Aitsec) working on web application security, source code analysis and incident response. His background stems from a number of years working in vulnerability management, malware analysis and security researching.
