[framework] ie_createobject exploit

H D Moore hdm at metasploit.com
Sun Dec 10 13:07:25 CST 2006


On Thursday 30 November 2006 09:01, G Portokalidis wrote:
> When I try the ie_createobject exploit everything seems to be working
> fine, a file is downloaded in c:\windows\prefetch, but an error occurs
> when trying to execute that file, which I assume actually contains the
> payload.

Sounds like some kind of anti-virus or security software at work.

> What I am more interested in is how this exploit works. I've been
> browsing the net, but all I could find is "unspecified vulnerability"
> that allows execution of arbitrary code.

This module exploits three "known" vulnerabilities, each with the same 
underlying problem. The exploit works by using a "safe" COM object to 
create an instance of an unsafe object. The RDS bug is patched, the WMI 
issue is still unpatched (affects anyone who installed the WMI SDK), and 
the Outlook.Application bug only affects older versions of Office. I 
sprinkled some other "bad" but usually unsafe COM objects into the target 
list, just in case the victim's security settings have already been 
abused by another piece of malware.

> Does anyone have any additional information?
> Is it an overflow (stack, heap), or a design flaw that simply allows
> remote users to save and execute code?

These are all design flaws.

> This is of special interest to me, since I am trying to figure out why
> this evades detection by the Argos emulator
> (www.few.vu.nl/argos).

Ninjaness++

> Is it possible that the Windows version I am using is not vulnerable?

If the file is being downloaded at all, it is vulnerable.

> I am running MDAC v 2.81.1117. MS says Windows XP SP2 with MDAC v2.8
> is vulnerable; I am not sure whether mine falls into that category.

Sounds like some third-party software is interfering with the exploit.

-HD
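A defender-side check that follows from HD's explanation: the classes this module abuses get into a page because they register themselves as "safe for scripting", and the fix for the RDS case was a kill bit, the flag that stops Internet Explorer instantiating a CLSID no matter what the class claims. The Python below is an added example, not HD's code and not part of the Metasploit module. It parses a registry export (a `.reg` file), lists every CLSID that advertises the safe-for-scripting category, and reports those that carry no kill bit. The sample export is constructed for the demo; the `{BD96C556-...}` entry uses the real RDS.DataSpace CLSID that Microsoft kill-bitted in MS06-014, while the other two CLSIDs and ProgIDs are made up.

```python
import re
from typing import Dict, List, Set, Tuple

# Component-category GUIDs a COM class registers under "Implemented Categories"
# to declare itself safe for scripting / safe for initializing (well-known constants).
CATID_SAFE_FOR_SCRIPTING = "{7DD95801-9882-11CF-9FA9-00AA006C42C4}"
CATID_SAFE_FOR_INITIALIZING = "{7DD95802-9882-11CF-9FA9-00AA006C42C4}"

# Bit in IE's per-CLSID "Compatibility Flags" value that forbids instantiation.
KILL_BIT = 0x400

# Registry paths, upper-cased because key names are case-insensitive.
CLSID_PREFIX = "HKEY_CLASSES_ROOT\\CLSID\\"
COMPAT_PREFIX = ("HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\INTERNET EXPLORER\\"
                 "ACTIVEX COMPATIBILITY\\")

VALUE_LINE = re.compile(r'^(@|"[^"]*")=(.*)$')

# Constructed sample export. {BD96C556-...} is the real RDS.DataSpace CLSID that
# MS06-014 kill-bits; the two other CLSIDs/ProgIDs are invented for the demo.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{BD96C556-65A3-11D0-983A-00C04FC29E36}]
@="RDS.DataSpace"

[HKEY_CLASSES_ROOT\CLSID\{BD96C556-65A3-11D0-983A-00C04FC29E36}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}]

[HKEY_CLASSES_ROOT\CLSID\{BD96C556-65A3-11D0-983A-00C04FC29E36}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}]

[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555555}]
@="Example.ScriptableBroker"

[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555555}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}]

[HKEY_CLASSES_ROOT\CLSID\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}]
@="Example.NotScriptable"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{BD96C556-65A3-11D0-983A-00C04FC29E36}]
"Compatibility Flags"=dword:00000400
"""


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a .reg export into {KEY_PATH_UPPER: {value_name: raw_value}}."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].upper()
            keys.setdefault(current, {})
            continue
        m = VALUE_LINE.match(line)
        if m and current is not None:
            keys[current][m.group(1).strip('"')] = m.group(2)
    return keys


def scriptable_classes(keys: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """CLSIDs that advertise CATID_SafeForScripting, mapped to their default value (ProgID/name)."""
    result: Dict[str, str] = {}
    for key in keys:
        if not key.startswith(CLSID_PREFIX):
            continue
        parts = key[len(CLSID_PREFIX):].split("\\")
        if (len(parts) == 3 and parts[1] == "IMPLEMENTED CATEGORIES"
                and parts[2] == CATID_SAFE_FOR_SCRIPTING.upper()):
            clsid = parts[0]
            name = keys.get(CLSID_PREFIX + clsid, {}).get("@", "").strip('"')
            result[clsid] = name
    return result


def kill_bitted_classes(keys: Dict[str, Dict[str, str]]) -> Set[str]:
    """CLSIDs whose IE 'Compatibility Flags' value has the kill bit set."""
    result: Set[str] = set()
    for key, values in keys.items():
        if not key.startswith(COMPAT_PREFIX):
            continue
        raw = values.get("Compatibility Flags", "")
        if raw.lower().startswith("dword:") and int(raw[6:], 16) & KILL_BIT:
            result.add(key[len(COMPAT_PREFIX):])
    return result


def audit(text: str) -> List[Tuple[str, str]]:
    """Return (CLSID, name) pairs that are scriptable from a web page and not kill-bitted."""
    keys = parse_reg(text)
    killed = kill_bitted_classes(keys)
    return sorted((c, n) for c, n in scriptable_classes(keys).items() if c not in killed)


if __name__ == "__main__":
    for clsid, name in audit(SAMPLE_REG):
        print(f"scriptable, no kill bit: {clsid} {name}")
```

On a real machine the export comes from `reg export HKCR\CLSID` plus the ActiveX Compatibility key; the script only answers "could IE still instantiate this class from script", not whether the class is actually dangerous, so the report is a review list, and the RDS entry dropping out once the kill bit is present is the expected result of applying the patch HD refers to.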
