2012-11-17 - Exploit Integration

CVE-2012-5076 - Massively adopted - Blackhole update to 2.0.1

CVE-2012-5076 is being adopted massively and fast.
We can see the same kind of spread as for CVE-2012-4681 at the end of August 2012.
---------------------------------------------------

As expected, Paunch announced the integration of the new exploit in his Blackhole, with the version going to 2.0.1

Paunch announcement
He wrote CVE-2012-5067... but it's the same exploit as on Cool EK, so: CVE-2012-5076

CVE-2012-5076 on BH EK 2.0 landing found on MDL

spn.jar from Blackhole Exploit Kit

Files (NB: there is one global zip at the end):
http://dl.dropbox.com/u/106864056/BHEK_CVE-2012-5076.zip

----------------------------------------------------

Sweet Orange integrated it too:

CVE-2012-5076 in SWT
CVE-2012-5076 in the jar file from SWT

Files
http://dl.dropbox.com/u/106864056/SWT_CVE-2012-5076.zip
(by the way, confirmation of CVE-2011-3544 in SWT: http://dl.dropbox.com/u/106864056/SweetOrange_CVE-2011-3544.zip )
----------------------------------------------------

CVE-2012-5076 integrated into Sakura EK
CVE-2012-5076 in a jar file from Sakura EK
Files:
http://dl.dropbox.com/u/106864056/Sakura_CVE-2012-5076.zip
----------------------------------------------------

Announced.
Announcement of the update (for timestamp... oops... yep, feeling guilty...)
CVE-2012-5076 positive path on Nuclear Pack
CVE-2012-5076 in Nuclear Pack jar file
Files:
http://dl.dropbox.com/u/106864056/Nuclear_Pack_CVE-2012-5076.zip
----------------------------------------------------

"sibhost" (I have chosen to stick with this name for the moment)
(exploit kit mostly spreading Urausy for months, after having pushed Reveton in June).

How do you name this? Does anyone know the real name?

Login screen of "sibhost"

Thanks (!) Malekal for the live URL

"sibhost" spreading Urausy - Payload now included in the jar
CVE-2012-5076 in "sibhost" jar file
Files:
----------------------------------------------------

All Files:
http://dl.dropbox.com/u/106864056/CVE-2012-5076_combo.zip
http://goo.gl/cQ2oP (Mega)

It seems not to be incorporated in Nice Pack and CritXPack.
Didn't find SofosFO live (Emerging Threats name) but have been told (thanks C.) that it's CVE-2012-5076 positive.

<edit1: 21/11/12>

Redkit:
CVE-2012-5076 Path on Redkit
Redkit jar file showing the CVE-2012-5076 implementation
Files:
http://dl.dropbox.com/u/106864056/Redkit_CVE-2012-5076.zip
</edit1>

Read more?
A technical analysis on new Java vulnerability (CVE-2012-5076) - 15-11-2012 - Jeong Wook (Matt) Oh - MMPC