4

As you may know, this vulnerability was found a while ago in the wild and the exploit is available too. By the way, I'm having problems understanding the obfuscated code. Is it necessary to use obfuscation, and why was the obfuscation used by the attacker? Did the attacker have a specific reason to do this? The part of the exploit I mean is located at line 292 of http://dev.metasploit.com/redmine/projects/framework/repository/entry/modules/exploits/windows/browser/ie_execcommand_uaf.rb

n1kita
  • I'm half asleep right now, but this looks interesting. I'll dig around in it tomorrow. In the meantime, take a look at [this previous question](http://security.stackexchange.com/q/20371/5400), in which I explain the hole. – Polynomial Oct 07 '12 at 00:14
  • I saw it before man. – n1kita Oct 07 '12 at 05:36
  • still no idea about it? – n1kita Oct 17 '12 at 18:35
  • Sorry, I've been quite busy recently and haven't got round to digging into it. However, I'm guessing that most of the data is just padding or values designed to pass sanity checks. I'll have a dig into it when I get time. – Polynomial Oct 18 '12 at 05:51

1 Answer

2

From what I can tell, the string YMjf\\u0c08\\u0c0cKDogjsiIejengNEkoPDjfiJDIWUAzdfghjAAuUFGGBSIPPPUDFJKSOQJGH in question is interesting. However, the use of \u0c08\u0c0c is the value of EDI during the use after free. As for the rest of the string, it just looks like that is what was used in another person's 0-day before it was translated.

Some information was adapted from http://blog.vulnhunt.com/index.php/2012/09/17/ie-execcommand-fuction-use-after-free-vulnerability-0day_en/

sparticvs
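As an added illustration (my own analysis helper, not the answerer's or the Metasploit module's code), the script below shows what those two escapes become once the browser stores the string, which is why they read as a register value rather than as text. It assumes the literal as the JavaScript engine sees it, with single backslashes (the Ruby source doubles them), and the function names are mine.

```python
import re
import struct

# Constructed sample: the literal quoted in the answer, with the Ruby-level
# doubled backslashes reduced to the single ones the JS engine actually parses.
OBFUSCATED_LITERAL = r"YMjf\u0c08\u0c0cKDogjsiIejengNEkoPDjfiJDIWUAzdfghjAAuUFGGBSIPPPUDFJKSOQJGH"

ESCAPE_RE = re.compile(r"\\u([0-9a-fA-F]{4})")


def decode_js_escapes(literal: str) -> str:
    """Resolve JavaScript \\uXXXX escapes into the code units the engine stores."""
    return ESCAPE_RE.sub(lambda m: chr(int(m.group(1), 16)), literal)


def js_string_bytes(text: str) -> bytes:
    """JS strings are 16-bit code units; IE keeps them in memory as UTF-16LE."""
    return text.encode("utf-16-le")


def dword_at(data: bytes, offset: int) -> int:
    """Read the 32-bit little-endian value at `offset`, as an x86 register load would."""
    return struct.unpack_from("<I", data, offset)[0]


def analyze(literal: str) -> dict:
    """Locate the first escaped (non-ASCII) code unit and report the DWORD it forms.

    escape_byte_offset and dword_le are None when the literal has no such unit
    or fewer than four bytes remain at that position.
    """
    decoded = decode_js_escapes(literal)
    raw = js_string_bytes(decoded)
    first = next((i for i, ch in enumerate(decoded) if ord(ch) > 0x7F), None)
    if first is None or first * 2 + 4 > len(raw):
        return {"decoded": decoded, "escape_byte_offset": None, "dword_le": None}
    offset = first * 2  # two bytes per UTF-16 code unit
    return {"decoded": decoded, "escape_byte_offset": offset, "dword_le": dword_at(raw, offset)}


if __name__ == "__main__":
    result = analyze(OBFUSCATED_LITERAL)
    print(f"first escape at byte {result['escape_byte_offset']}, "
          f"DWORD there = 0x{result['dword_le']:08x}")  # 0x0c0c0c08
```

The printable "YMjf" prefix and the long alphabetic tail decode to ordinary ASCII, so only the escaped pair contributes the 0x0c-filled value the answer attributes to EDI.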