AOH :: HP Unsorted M :: VA2030.HTM

Multiple Vendor Anti-Virus Software Malicious WebPage Detection Bypass -Update-



Multiple Vendor Anti-Virus Software Malicious WebPage Detection Bypass -Update-
Multiple Vendor Anti-Virus Software Malicious WebPage Detection Bypass -Update-



Litel Update.=0D
in the previous advisory there was some wrong report because of, the update of anti-virus product version.=0D
********************************************************************************************=0D
Multiple Vendor Anti-Virus Software Malicious WebPage Detection Bypass=0D
           [_] Discovred by : DATA_SNIPER=0D
[_] Greets to: hacker c&c Team , Arab4Services team on www.arab4services.net , AT4RE Team on www.at4re.com=0D 
           [_] Special thanks go to: Andrey Bayora and all arabian hackers specialy algerian hackers.=0D
NOTIFICATION:=0D
this exploit are based on Andrey Bayora "magic of magic byte" but with some development.=0D
This proof of concept was created for educational purposes only,Use the code it at your own risk.=0D
The author will not be responsible for any damages.=0D
*********************************************************************************************=0D
Exploit Information:=0D
    Date: 2008/19/08=0D
    Impact: Baypassing the Detection of  Malicious web page that can compromise a user's system=0D
Vulnerabled AV-Software:=0D
   ESET Smart Security Latest Version<=(the Exploit was dedicated for it)=0D
   AhnLab-V3	2008.12.4.1=0D
   AntiVir	7.9.0.36	2008.12.04=0D
   Avast	4.8.1281.0=0D
   CAT-QuickHeal	10.00=0D
   ClamAV	0.94.1=0D
   DrWeb	4.44.0.09170=0D
   Ewido	4.0=0D
   Ikarus	T3.1.1.45.0=0D
   K7AntiVirus	7.10.541=0D
   NOD32	3662=0D
   Norman	5.80.02=0D
   Panda	9.0.0.4=0D
   Prevx1	V2=0D
   Rising	21.06.31.00=0D
   SecureWeb-Gateway=0D
   Sunbelt	3.1.1832.2=0D
   TheHacker	6.3.1.2.174=0D
   TrendMicro	8.700.0.1004=0D
   ViRobot	 2008.12.4.1499=0D
the things that must be considered that the POC it's variant  from exploit to exploit(some times=0D
Kaspersky and the other famous AV Sofware can be  deceive).=0D
Proof Of Concept:=0D
as i said the exploit are based on the magic of magic byte methode we will first add the MZ Header to the HTML Exploit and  change the exstention to txt or jpg or non extension,the exploit is compatible with IE6 and IE7 because IE6&7  execute the HTML Event if it's in txt file or non extension files.=0D
so the exploit it's with corporate of IE6&7 :).=0D
virustotal result of  MS Internet Explorer 6/7 (XML Core Services)  Remote Code Execution Exploit=0D
http://www.virustotal.com/analisis/2fce2b49876e27b4144fd39be466200e=0D 
and print screen for the scann in VirusTotal.=0D
http://members.lycos.co.uk/datasniper/a.jpg=0D 
http://members.lycos.co.uk/datasniper/b.jpg=0D 
http://members.lycos.co.uk/datasniper/c.jpg=0D 
POC:=0D
1-add the MZ Header to the HTML file:=0D
MZگ =03   =04   ےے  =B8       @                                   ط   =0E=1F؛=0E =B4    ح!=B8=01Lح!This program cannot be run in DOS mode.=0D
you can put other EXE info on the HTML Body for more deception.=0D
-rename the HTML to non extension file or txt or jpg.=0D
3-upload it to webserver.=0D
http://localhost/mallpage.txt or http://localhost/mallpage extenstion>.=0D 
video POC:=0D
Simple video explain how the vulnerability can be exploited  under ESET Smart Security (arabic).=0D
------------------------------

The entire AOH site is optimized to look best in Firefox® 3 on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH
We do not send spam. If you have received spam bearing an artofhacking.com email address, please forward it with full headers to abuse@artofhacking.com.