[Dailydave] GIFs of Cats

Dave Aitel dave at immunityinc.com
Thu Sep 12 15:06:24 EDT 2013


GIFs. We love them. And we love them giving us remote code execution
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3174> even more
than we love them showing us how to escape from jail
<http://imgur.com/gallery/40Nd2>.

The last CANVAS release (the base release, since I also consider the
VulnDisco, D2, SCADA+, etc. exploit packs as releases!) has a working
exploit for the July Microsoft Patch Tuesday DirectShow GIF bug. (I hate
it when people refer to things as the CVE - like you have those all
memorized.)

The current exploit supports IE8 only, but on Windows 7 and XP (known in
the exploit community as the "Microsoft OS's with market share" :>). We
started this exploit thinking it would be a nice easy exercise, and then
it turned into the exploit from hell. But it is finally done! Well. An
exploit is never truly done. For example "with minor amounts of work"
this exploit can be ported over to IE9 and 10 from IE8. And then you ask
"Can it work within Silverlight?" and get back "Maybe..."

So you can spend years on a simple client-side if it's worth it to you,
or simply as performance art. In this particular case, it takes a while
to figure out how to even reach the vulnerability from IE, as opposed to
from "Media Player Classic", which is what the POC runs inside.

In any case, we hope those of you with CANVAS (which is all of you,
right?) test it out and let us know how well it works for you in your
environment. Always curious to see where this kind of work gets you in
the "reach out and touch someone" sense!

-dave


