Exploits

Exploit:JS/CVE-2011-1345 targets a vulnerability in Internet Explorer that allows remote attackers to execute arbitrary code through crafted JavaScript that triggers a memory corruption when handling objects. Successful exploitation could allow attackers to run malicious code on the user's computer within the user's permissions and download additional malware. The vulnerability is related to how Internet Explorer handles memory objects when executing the OnPropertyChange function.


1. When a user browses a folder that contains the malicious shortcut using an application that displays shortcut icons, the malware runs instead. An example of an application that displays shortcut icons is Windows Explorer. No further user interaction is required, in most cases. In the case of Win32/Stuxnet, Exploit:Win32/CplLnk.A points to the malware stored on a USB device using the device descriptor, as in this pseudo-example:

   \\.\Storage\Volume\USBStor\{CLSID value}\~WTR4141.tmp

   Successful exploitation results in the malware running with the privileges of the logged-on user.

2. Targets a software vulnerability in Adobe Acrobat and Adobe Reader referenced by Common Vulnerabilities and Exposures (CVE) Identifier CVE-2010-0188. The malicious PDF files contain an embedded JavaScript that, when loaded (as when the files are opened in a vulnerable version of Adobe Acrobat or Adobe Reader), executes shellcode that exploits the above-mentioned vulnerability. The shellcode may perform any action, such as downloading and running other malware. Exploit:Win32/Pidief.BN usually arrives on the system as a file attachment to an email message or when the user visits a web page that contains the malicious PDF file.

3. JS/Pdfjsc.JU - Downloads arbitrary files. The malicious script first checks the version of the Adobe Reader and Acrobat software installed and calls the exploit function if deemed vulnerable. Successful exploitation of a vulnerable computer by Exploit:JS/Pdfjsc.JU could result in downloading arbitrary files. The vulnerabilities it attempts to exploit are the following:

   CVE-2009-4324 - the Doc.media.newPlayer method
   CVE-2008-2992 - the util.printf method

4. Exploit:Win32/Pdfjsc.YP is known to be part of the "Blackhole" malware distribution kit. The PDF file contains malicious JavaScript that checks if it is run on a computer with a vulnerable version of Adobe Acrobat or Adobe Reader. If this is true, Exploit:Win32/Pdfjsc.YP connects to a remote server to download a file, which may be malicious. The file is then saved on the computer as "wpbt0.dll".

5. CVE-2007-5659 - Multiple buffer overflows in Adobe Reader and Acrobat 8.1.1 and earlier ("Collab.collectEmailInfo")
   CVE-2008-2992 - Adobe Reader "util.printf" Vulnerability
   CVE-2009-0927 - Stack-based buffer overflow in Adobe Reader and Adobe Acrobat 9 ("Collab.getIcon")
   CVE-2009-4324 - Adobe Reader and Adobe Acrobat "util.printd" Vulnerability

6. Exploit:Win32/Pdfjsc.FO is the detection for a malicious PDF file that, when opened with a certain version of Adobe Acrobat or Reader, tries to execute a malicious batch script. The batch script reads and dumps from the PDF file's body an encrypted PE file as "exe.exe" in the current folder. This file is detected as Trojan:Win32/Alureon.DA. In the wild, Exploit:Win32/Pdfjsc.FO may arrive on a user's computer as the attachment to a spammed e-mail message.

7. Execution of arbitrary code. The exploit attempts to take advantage of an uninitialized memory corruption vulnerability that allows the execution of arbitrary code. One example of the exploit attempts to initialize shellcode to download other malware from the domain "x3.cndlq.com".

8. Use-after-free vulnerability in Microsoft Internet Explorer 6, 7, and 8 allows remote attackers to execute arbitrary code via vectors related to Cascading Style Sheets (CSS) token sequences and the clip attribute, aka an "invalid flag reference" issue or "Uninitialized Memory Corruption Vulnerability."

9. Exploit:Java/CVE-2010-0840.BS is the detection for a malicious Java applet trojan that exploits the vulnerability described in CVE-2010-0840. It may arrive on the computer using the file name "SuspendedInvocationException.class". When run on a computer running a vulnerable version of Java, it checks if a file named "equilibrium" exists. If it doesn't exist, it continues with its malicious process and downloads and executes arbitrary files from a specific website with the privileges of the currently logged-on user. The downloaded files are stored in the %TEMP% folder with a random file name.

10. Workstation Service Memory Corruption Vulnerability - CVE-2006-4691: A remote code execution vulnerability exists in the Workstation service that could allow an attacker who successfully exploited this vulnerability to take complete control of the affected system. Prevention: Block TCP ports 139 and 445.

11. Stack-based buffer overflow in the CComVariant::ReadFromStream function in the Active Template Library (ATL), as used in the MPEG2TuneRequest ActiveX control in msvidctl.dll in DirectShow, in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP2, Vista Gold, SP1, and SP2, and Server 2008 Gold and SP2, allows remote attackers to execute arbitrary code via a crafted web page.

12. Exploit:JS/CVE-2011-1345. The vulnerability is based on the memory corruption that occurs during the handling of a memory object (creating or deleting) by an IE JavaScript engine, when executing the OnPropertyChange function. Successful exploitation of the vulnerability can lead to execution of arbitrary code on an affected computer within a user's security context.

13.
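
As an added example that is not part of the original document, the following Python scanner turns items 3 and 5 into a defensive check: it flags PDFs that carry a JavaScript action and that call the Acrobat/Reader API methods those items list (util.printf, util.printd, Doc.media.newPlayer, Collab.collectEmailInfo, Collab.getIcon). It resolves hex-escaped name tokens and inflates FlateDecode streams so simple obfuscation does not hide the call. The function names and the sample PDF are my own constructions and appear nowhere on the page.

```python
import re
import zlib

# Acrobat/Reader JavaScript APIs that items 3 and 5 above name as the methods
# malicious PDFs call. Compared case-insensitively against the file contents.
SUSPECT_APIS = (
    "util.printf",
    "util.printd",
    "doc.media.newplayer",
    "collab.collectemailinfo",
    "collab.geticon",
)

def decode_pdf_names(data: bytes) -> bytes:
    """Resolve #xx escapes in PDF name tokens, so /J#61vaScript reads /JavaScript."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)

def iter_streams(pdf: bytes):
    """Yield each stream body, inflated when its dictionary declares FlateDecode."""
    # The dictionary match refuses to cross 'endobj' so it stays inside one object.
    for m in re.finditer(rb"<<((?:(?!endobj).)*?)>>\s*stream\r?\n(.*?)\nendstream",
                         pdf, re.S):
        dictionary, body = m.group(1), m.group(2)
        if b"/FlateDecode" in decode_pdf_names(dictionary):
            try:
                body = zlib.decompress(body)  # trailing CR before 'endstream' is ignored
            except zlib.error:
                pass  # corrupt or unusual stream: fall back to scanning raw bytes
        yield body

def scan_pdf(pdf: bytes) -> dict:
    """Flag JavaScript actions and calls to the suspect APIs in raw PDF bytes."""
    visible = decode_pdf_names(pdf)
    has_js = re.search(rb"/(JavaScript|JS)\b", visible) is not None
    haystack = (visible + b"\n" + b"\n".join(iter_streams(pdf))).lower()
    hits = [api for api in SUSPECT_APIS if api.encode() in haystack]
    return {"has_javascript": has_js, "suspect_apis": hits}

# Constructed sample, not a file from the page: an OpenAction whose JavaScript
# sits in a FlateDecode stream and whose /JavaScript name is hex-escaped.
JS_BODY = b"var ic = Collab.getIcon(0); app.alert(util.printf('%d', 1));"
STREAM = zlib.compress(JS_BODY)
SAMPLE_PDF = (
    b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
    b"2 0 obj << /S /J#61vaScript /JS 3 0 R >> endobj\n"
    b"3 0 obj << /Length " + str(len(STREAM)).encode() + b" /Filter /FlateDecode >>\n"
    b"stream\n" + STREAM + b"\nendstream\nendobj\n%%EOF\n"
)
```

A hit on `has_javascript` alone is common in benign forms; the `suspect_apis` list is what justifies quarantining a file for closer analysis.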
