Security-Alerts mailing list archive (security-alerts@yandex-team.ru)


[security-alerts] FW: VML Exploit vs. AV/IPS/IDS signatures



> -----Original Message-----
> From: avivra [mailto:avivra@xxxxxxxxx] 
> Sent: Tuesday, September 26, 2006 6:05 PM
> To: full-disclosure@xxxxxxxxxxxxxxxxx; bugtraq@xxxxxxxxxxxxxxxxx
> Subject: VML Exploit vs. AV/IPS/IDS signatures
> 
> The code for exploiting the unpatched VML vulnerability has been in
> the wild for a week or so. This was enough time for Anti Virus, IPS/IDS
> and other reactive security products' vendors to create a signature for
> the in-the-wild exploit.
> So, I got my hands on one of the in-the-wild exploits and tested it
> using Virus Total. The results were not so good. Only 10 of 27
> Anti-Viruses detected the exploit on the malicious web page.
> Are those signatures generic enough? I've decided to check it out.
> 
> I've used 5 simple methods, trying to evade being detected by 
> the signature:
> 1) I've replaced the location where EIP should jump when the exploit
> is activated, with a different valid address.
> 2) I've replaced the VML element from "rect" with one of the 
> other VML elements.
> 3) I've replaced the payload with a different valid shell code.
> 4) I've replaced the namespace key with a random key.
> 5) A combination of all of the above.
> 
> Please note that when I changed the code using any of the methods, the
> exploit still worked.
> 
> More info: 
> http://aviv.raffon.net/2006/09/25/VMLExploitVsAVIPSIDSSignatures.aspx
> 
> -- Aviv.
> 
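
The message's methods 2 and 4 defeat a signature keyed to the literal `v:rect` tag. The following added example (not part of the original message, and not any vendor's signature) shows a matcher that first resolves which prefixes are bound to the VML namespace URN and then inspects every element in that namespace. The over-long-attribute condition, the 256-character limit and the `title` attribute in the constructed samples are placeholder assumptions of this example, not a description of the vulnerability.

```python
import re

VML_URN = "urn:schemas-microsoft-com:vml"  # the VML namespace URN
MAX_ATTR_LEN = 256  # placeholder trigger condition (assumption of this example)

# Brittle signature: hard-codes the prefix "v" and the element "rect".
BRITTLE = re.compile(r"<v:rect\b", re.I)

XMLNS = re.compile(r"xmlns:([\w.-]+)\s*=\s*[\"']?([^\"'\s>]+)", re.I)
TAG = re.compile(r"<([\w.-]+):([\w.-]+)\b([^>]*)>")
ATTR = re.compile(r"([\w.:-]+)\s*=\s*(\"[^\"]*\"|'[^']*'|[^\s>]+)")


def vml_prefixes(page):
    """Return every prefix bound to the VML namespace, whatever it is called."""
    return {p.lower() for p, urn in XMLNS.findall(page) if urn.lower() == VML_URN}


def brittle_match(page):
    """Literal-string signature: true only for the exact tag '<v:rect'."""
    return bool(BRITTLE.search(page))


def normalized_match(page, limit=MAX_ATTR_LEN):
    """List (element, attribute) pairs in the VML namespace whose value exceeds limit."""
    prefixes = vml_prefixes(page)
    hits = []
    for prefix, element, attrs in TAG.findall(page):
        if prefix.lower() not in prefixes:
            continue  # element is not in the VML namespace
        for name, value in ATTR.findall(attrs):
            if len(value.strip("\"'")) > limit:
                hits.append((element.lower(), name.lower()))
    return hits


def sample(prefix, element, length=300):
    """Constructed, inert markup: one VML element with a filler 'title' attribute."""
    return ('<html xmlns:%s="%s"><body><%s:%s title="%s"></%s:%s></body></html>'
            % (prefix, VML_URN, prefix, element, "A" * length, prefix, element))


if __name__ == "__main__":
    for prefix, element, length in [("v", "rect", 300), ("qz9", "oval", 300), ("v", "rect", 10)]:
        page = sample(prefix, element, length)
        print(prefix, element, length, brittle_match(page), normalized_match(page))
```

The third sample shows the other failure of the literal signature: it fires on an ordinary `v:rect` page that does not meet the trigger condition.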



 




Copyright © Lexa Software, 1996-2009.