Tuesday, June 26, 2012

Pwning Posion Ivy Server: Own And You Shall Be Owned

Via Gal Badishi's Security Bits Blog -

While working on Poison Ivy’s communication, one of my students approached me and asked me if the fact that an infected computer can connect to the C&C server means that the compromised host can break into the server. Well folks, it appears that it’s possible. We will now present a fully working exploit for all Windows platforms (i.e., bypassing DEP and ASLR), allowing a computer infected by Poison Ivy (or any computer, for that matter) to assume control of PI’s C&C server.


It’s important to note that the exploit data following our header never gets decrypted, so we don’t have to worry about PI ruining our values if we don’t encrypt the data.

In light of this analysis, a Metasploit module without encryption is being prepared.

No comments:

Post a Comment