Tuesday, February 10, 2009

Exploiting vulnerabilities through SWF

One of the file formats used for mass exploitation of weaknesses on users' computers is the Small Web Format (.swf) file. Exploit code is often injected into these files to take advantage of a particular bug.

The same wave of attacks using malicious JavaScript files, mentioned in the post on exploiting vulnerabilities through .js files, was combined with other alternatives such as this one.

In this case, the attack exploits a vulnerability in Adobe Flash Player described in CVE-2007-0071, in which a maliciously manipulated .swf file causes a buffer overflow that allows code execution by a remote attacker.

This means that if the user accesses, for example, the URL http://www.710sese .cn/a1/ (59.34.197.115), the file f16.swf (MD5: 95EC9202FBE74D508205442C49825C08) is executed. According to the VirusTotal report, it is detected by 18 of the 39 antivirus engines that scanned the sample. The exploit embedded in the .swf file takes advantage of the vulnerability if the application is installed and is a vulnerable version.
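A defender-side triage sketch for a sample like the one described above, added here and not part of the original post: it walks the tags of an FWS/CWS file, compares the MD5 with the f16.swf hash given in the post, and flags a DefineSceneAndFrameLabelData tag whose SceneCount is negative when read as a signed 32-bit integer, the condition named in the public CVE-2007-0071 description. The function names and the `sample` fixture are constructed for illustration.

```python
import hashlib
import struct
import zlib

KNOWN_MD5 = {"95EC9202FBE74D508205442C49825C08"}  # f16.swf, from the post
SCENE_TAG = 86  # DefineSceneAndFrameLabelData (SWF file format specification)

def swf_body(data):
    """Return (version, bytes after the 8-byte header), inflating CWS files."""
    sig, version, _declared_len = struct.unpack_from("<3sBI", data)
    if sig not in (b"FWS", b"CWS"):
        raise ValueError("not an FWS/CWS file")
    return version, zlib.decompress(data[8:]) if sig == b"CWS" else data[8:]

def encoded_u32(buf):
    """Decode a leading EncodedU32: 7 bits per byte, high bit means 'more'."""
    value = 0
    for shift, byte in zip(range(0, 35, 7), buf):
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            break
    return value & 0xFFFFFFFF

def tags(body):
    """Yield (tag_code, payload) for each tag after RECT, frame rate, frame count."""
    pos = (5 + 4 * (body[0] >> 3 if body else 0) + 7) // 8 + 4
    while pos + 2 <= len(body):
        (head,) = struct.unpack_from("<H", body, pos)
        code, length, pos = head >> 6, head & 0x3F, pos + 2
        if length == 0x3F and pos + 4 <= len(body):  # long form: 32-bit length
            (length,) = struct.unpack_from("<I", body, pos)
            pos += 4
        yield code, body[pos:pos + length]
        pos += length

def triage(data):
    """Hash the file and flag scene tags whose SceneCount is negative as int32."""
    version, body = swf_body(data)
    counts = [encoded_u32(p) for c, p in tags(body) if c == SCENE_TAG]
    return {"md5_known": hashlib.md5(data).hexdigest().upper() in KNOWN_MD5,
            "version": version,
            "negative_scene_counts": [n for n in counts if n & 0x80000000]}

def sample(scene_count):
    """Constructed fixture: empty RECT, 1 frame, one scene tag, End tag."""
    body = b"\x00" + struct.pack("<HH", 12 << 8, 1)
    body += struct.pack("<H", SCENE_TAG << 6 | len(scene_count)) + scene_count
    body += b"\x00\x00"
    return b"FWS\x09" + struct.pack("<I", 8 + len(body)) + body
```

Calling `triage(open(path, "rb").read())` on a quarantined file returns the hash match, the declared SWF version and any flagged SceneCount values; a non-empty `negative_scene_counts` list is a reason to escalate the sample, not proof of a working exploit.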

Some of the URLs used to spread the exploit are:


Once the vulnerability has been exploited on the computer, the exploit downloads the binary a1.css from http://d.aidws .com new, malicious code that we have already mentioned in another post.

Related information:
Exploitation of vulnerabilities through JS

# Jorge Mieres
