The Un-Official Proxomitron Forum
Exploit for unpatched IE vuln fuels hacker fears - Printable Version




Exploit for unpatched IE vuln fuels hacker fears - Kye-U - Aug. 19, 2005 08:59 PM

http://securityfocus.com/news/11289

A filter for this exploit has been included in v4.37 of my Browser Security Pack. If you would like a standalone filter, here it is:

Code:
[Patterns]
Name = "IE: Msdds.dll Class ID Exploit Remover [Kye-U]"
Active = TRUE
URL = "(^$TYPE(css))"
Limit = 64
Match = "clsid:EC444CB6-3E7E-4865-B1C3-0DE72EF39B3F"
Replace = "$ALERT(Msdds.dll Class ID Exploit Removed on:\n\n\u)"



- sidki3003 - Aug. 19, 2005 09:17 PM

Thanks, I'll also add it to my ClassIDs list.
Did you come across a test case?

sidki


- Kye-U - Aug. 19, 2005 09:38 PM

http://isc.sans.org/diary.php?date=2005-08-18

Look in the section: "How do I recognize a web page which contains exploit code?"

Their example is incorrect.

Here is a correct example:

Code:
[object classid="clsid:EC444CB6-3E7E-4865-B1C3-0DE72EF39B3F"][/object]

(change the square brackets to pointy brackets)

Their example is missing the "clsid:" portion.

Here is a proper PoC:

http://www.securitytracker.com/alerts/2005/Aug/1014727.html


- sidki3003 - Aug. 20, 2005 09:35 AM

The Perl script from your last link worked fine! The compiled page also grabs a huge amount of memory in my browsers btw.

Anyway, for those using the ClassIDs list, here is the new entry for its "Exploits" section:
Code:
# http://www.securitytracker.com/alerts/2005/Aug/1014727.html
# -----------------------------------------------------------------------------
EC444CB6-3E7E-4865-B1C3-0DE72EF39B3F $SET(9=DDS Library Shape Control)

sidki
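
Added example, not part of the thread or of either poster's filter sets: a Python sketch that loads a ClassIDs-style list in the "GUID $SET(9=description)" layout shown above and reports `<object>` tags in a saved page whose `classid` names a listed control. The function names, the sample page and the exact list grammar are assumptions made for this illustration.

```python
import re
from html.parser import HTMLParser

# Constructed list text, laid out like the entry posted above.
BLOCKLIST_TEXT = """\
# http://www.securitytracker.com/alerts/2005/Aug/1014727.html
EC444CB6-3E7E-4865-B1C3-0DE72EF39B3F $SET(9=DDS Library Shape Control)
"""
# Constructed sample page: line 3 carries the "clsid:" prefix, line 4 does not.
SAMPLE = """<html><body>
<p>ok</p>
<OBJECT ClassID='CLSID:ec444cb6-3e7e-4865-b1c3-0de72ef39b3f'></OBJECT>
<object classid="EC444CB6-3E7E-4865-B1C3-0DE72EF39B3F"></object>
</body></html>"""

ENTRY = re.compile(
    r"^([0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\s+\$SET\(9=(.*)\)$")

def load_blocklist(text):
    """Map upper-cased GUID -> description; comment and blank lines are skipped."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries[m.group(1).upper()] = m.group(2)
    return entries

class ObjectScanner(HTMLParser):
    """Collects (line, GUID, description) for listed <object> class IDs."""
    def __init__(self, blocklist):
        super().__init__()
        self.blocklist, self.hits = blocklist, []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names for us.
        if tag != "object":
            return
        value = (dict(attrs).get("classid") or "").strip()
        scheme, sep, guid = value.partition(":")
        # As pointed out in the thread, the value must carry the "clsid:" prefix.
        if not sep or scheme.strip().lower() != "clsid":
            return
        guid = guid.strip().upper()
        if guid in self.blocklist:
            self.hits.append((self.getpos()[0], guid, self.blocklist[guid]))

def scan_html(html, blocklist):
    scanner = ObjectScanner(blocklist)
    scanner.feed(html)
    scanner.close()
    return scanner.hits
```
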