Internet explorer 6 execution of arbitrary code (An analysis of the 180 Solutions Trojan)

[Jelmer <jkuperus () planet nl>]

Just when I though it was save to once more use internet explorer I received
an email bringing my attention to this webpage
http://216.130.188.219/ei2/installer.htm   that according to him used an
exploit that affected fully patched internet explorer 6 browsers. Being
rather skeptical I carelessly clicked on the link only to witness how it
automatically installed addware on my pc!!!
 
Now there had been reports about 0day exploits making rounds for quite some
time like for instance this post
 
http://www.securityfocus.com/archive/1/363338/2004-05-11/2004-05-17/0 
 
However I hadn't seen any evidence to support this up until now
Thor Larholm as usual added to the confusion by deliberately spreading
disinformation as seen in this post
 
http://seclists.org/lists/bugtraq/2004/May/0153.html
 
Attributing it to and I quote "just one of the remaining IE vulnerabilities
that are not yet patched"

I’ve attempted to write up an analysis that will show that there are at
least 2 new and AFAIK unpublished vulnerabilities (feel free to proof me
wrong) out there in the wild, one being fairly sophisticated 

You can view it at:

http://62.131.86.111/analysis.htm

Additionally you can view a harmless demonstration of the vulnerabilities at

http://62.131.86.111/security/idiots/repro/installer.htm

Finally I also attached the source files to this message

Attachment: exploit.zip
Description: