2014-03-24 - Exploit Integration
CVE-2014-0322 integrating Exploit Kits
It took more time than I thought, but here we are: CVE-2014-0322 is now in Exploit Kits. It seems to have appeared first in Infinity EK.
Infinity EK :
Thanks Timo Hirvonen for fixing my ugly approach to that one.
Successful pass in Win7 with Flash, before KB2925418 was applied, 2014-03-24 |
GET http://saarbangers-metal-festival .de/201403/br/573133020.htm
200 OK (text/html)
Piece of Encoded CVE-2014-0322 and call for helper http://pastebin.com/4dYArqEH |
CVE-2014-0322 after deobfus http://pastebin.com/VzHCR56A |
GET http://saarbangers-metal-festival .de/swf.swf
200 OK (application/x-shockwave-flash) e8693573caecf1cab91aa578e1d62ab0 SWF Helper
GET http://saarbangers-metal-festival .de/6084.swf
200 OK (application/x-shockwave-flash) CVE-2013-0634
GET http://saarbangers-metal-festival .de/6084.swf
200 OK (application/x-shockwave-flash)
GET http://saarbangers-metal-festival .de/9073.mp3?rnd=75091
200 OK (application/x-msdownload)
GET http://saarbangers-metal-festival .de/9073.mp3?rnd=60183
200 OK (application/x-msdownload)
Files : 2 Fiddler captures (OwnCloud)
You'll find a pcap too on the nice Traffic Malware Analysis.
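As an added example that is not part of the original post, here is a small Python checker that reads capture summaries in the format used throughout this page (a request line followed by a "status (content-type)" line, with the space-before-TLD defanging used here) and raises two of the signals a defender can pull from these chains: an executable body returned for a URL that pretends to be an .mp3 or .jpg, and the landing -> plugin helper -> payload sequence on one host. The stage mapping, the function names and the regexes are choices made here; the sample input is the Infinity EK summary above, copied verbatim.

```python
import os
import re
from urllib.parse import urlparse

# Response content types seen at each stage of the chains documented on this page.
PLUGIN_TYPES = {"application/x-shockwave-flash", "application/java-archive"}
EXEC_TYPES = {"application/x-msdownload", "application/octet-stream"}
# Extensions that should never come back with an executable body.
BENIGN_EXT = {".mp3", ".jpg", ".jpeg", ".png", ".gif", ".htm", ".html", ".txt"}

REQ_RE = re.compile(r"^(GET|POST)\s+(.+)$")
RESP_RE = re.compile(r"^(\d{3})\s+\S+\s+\(([^)]+)\)")


def refang(url: str) -> str:
    """Undo the defanging convention used on this page (a space before the TLD)."""
    return url.replace(" .", ".").strip()


def parse_capture(text: str) -> list:
    """Pair each 'GET/POST url' line with the 'NNN OK (type)' line that follows it."""
    events, pending = [], None
    for line in text.splitlines():
        line = line.strip()
        m = REQ_RE.match(line)
        if m:
            pending = (m.group(1), refang(m.group(2)))
            continue
        m = RESP_RE.match(line)
        if m and pending:
            method, url = pending
            events.append({"method": method, "url": url,
                           "status": int(m.group(1)), "ctype": m.group(2)})
            pending = None
    return events


def analyse(events: list) -> list:
    """Return human-readable findings: type/extension mismatches, then full chains."""
    findings, stages = [], {}
    for ev in events:
        u = urlparse(ev["url"])
        host, ext = u.hostname, os.path.splitext(u.path.lower())[1]
        ctype = ev["ctype"]
        # An .mp3 or .jpg answered with an executable MIME type is a payload in disguise.
        if ctype in EXEC_TYPES and ext in BENIGN_EXT:
            findings.append(f"{host}: executable served as {ext} ({ctype})")
        stage = ("landing" if ctype == "text/html" else
                 "plugin" if ctype in PLUGIN_TYPES else
                 "payload" if ctype in EXEC_TYPES else None)
        if stage:
            stages.setdefault(host, set()).add(stage)
    # All three stages from one host inside one session is the classic EK shape.
    for host, seen in stages.items():
        if {"landing", "plugin", "payload"} <= seen:
            findings.append(f"{host}: landing -> plugin helper -> payload chain on one host")
    return findings


# Sample input: the Infinity EK capture summary from this post, verbatim.
SAMPLE = """\
GET http://saarbangers-metal-festival .de/201403/br/573133020.htm
200 OK (text/html)
GET http://saarbangers-metal-festival .de/swf.swf
200 OK (application/x-shockwave-flash) e8693573caecf1cab91aa578e1d62ab0 SWF Helper
GET http://saarbangers-metal-festival .de/6084.swf
200 OK (application/x-shockwave-flash) CVE-2013-0634
GET http://saarbangers-metal-festival .de/9073.mp3?rnd=75091
200 OK (application/x-msdownload)
GET http://saarbangers-metal-festival .de/9073.mp3?rnd=60183
200 OK (application/x-msdownload)
"""

if __name__ == "__main__":
    for finding in analyse(parse_capture(SAMPLE)):
        print(finding)
```

Run against the Infinity summary it reports the two .mp3 requests that came back as application/x-msdownload and the complete landing/helper/payload chain on the one host; a benign html-only session produces no findings. The same parser works on the Fiesta, FlashPack, Angler, Sweet Orange and HiMan summaries below, since they use the same line format.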
Fiesta :
2014-03-25 - Thanks EKWatcher for the Referer.
Fiesta : Successful pass in Win7 IE10 with Flash, before KB2925418 was applied, 2014-03-25 |
GET http://bgpjterlrw.no-ip .info/mycxql2/counter.php?id=2
301 Redirect to http://bgpjterlrw.no-ip.info/mycxql2/?2
GET http://bgpjterlrw.no-ip .info/mycxql2/?2
200 OK (text/html) http://pastebin.com/mxWFtG83
GET http://bgpjterlrw.no-ip .info/mycxql2/?1723d0e41c0f5f6458545f08560b54050501050b5f0407040a0201005509060705
200 OK (text/html) http://pastebin.com/znN5J1nU <- CVE-2014-0322
Partial decoding of the components used to exploit CVE-2014-0322 |
"Ladyr" : Once Deobfuscated : http://pastebin.com/qVafD361
"Felt" Shellcode : http://pastebin.com/w22nNLg8
Following EKWatcher guidelines :
Base64 decode on the "Felt" parameter
Piece of the Base64-decoded "Felt" parameter |
The same bytes in diStorm |
Or send the output to an online disassembler (thanks Ben Layer) :
http://www.onlinedisassembler.com/odaweb/CIUwSY
B64 decoded shellcode in online disassembler |
XOR 0x20 applied to the Base64-decoded "Felt" parameter |
GET http://bgpjterlrw.no-ip .info/mycxql2/?533de2b2f35a74c55c50555f570953030105045c5e0600020e060057540b010102
200 OK (application/x-shockwave-flash) 881a4d9fd2902e0af4e4a06bbc6ba63a <- Flash Helper
GET http://bgpjterlrw.no-ip .info/mycxql2/?1f210081f3d41f5b5216590a020b0900055005090b045a010a53010201095b0206;7
200 OK (application/octet-stream) - 98f29794b29c7a90cfc6af778a3d503c Redyms/Ramdo
Files : Fiddler
FlashPack :
Successful CVE-2014-0322 pass in FlashPack : 2014-03-27 |
GET http://sldhuskd.fdshfghtsffdfdg .net/probdrew/vertes/allow.php
200 OK (text/html)
GET http://sldhuskd.fdshfghtsffdfdg .net/probdrew/vertes/js/pd.php?id=68656c6c6f303332322e636f6d
200 OK (text/html)
POST http://sldhuskd.fdshfghtsffdfdg .net/probdrew/vertes/get_json.php
200 OK (text/html)
GET http://sldhuskd.fdshfghtsffdfdg .net/probdrew/vertes/msie.php
200 OK (text/html) <-- CVE-2013-2551
GET http://sldhuskd.fdshfghtsffdfdg .net/probdrew/vertes/link2jpg/index.php
200 OK (text/html)
http://pastebin.com/BxhPytN3 |
Code targeting CVE-2014-0322 in FlashPack http://pastebin.com/SKSQBwB7 |
200 OK (application/x-shockwave-flash) Flash Helper : f9e1338083a03d1b965ce8502c109372
GET http://sldhuskd.fdshfghtsffdfdg .net/probdrew/vertes/link2jpg/Erido.jpg
200 OK (image/jpeg)
Same file name and XOR key (95) as when this 0day was first spotted live.
Erido.jpg after the XOR 95 pass |
Dropped in %temp%\low |
kilensis.com /terkas/audio/loadmsie10.php
176.102.37.55 | 43918 | 176.102.32.0/19 | IPSYSTEMS | UA | IPSYSTEMS.COM.UA | TK IPSYSTEMS LTD.
and here is the second file :
Files : Fiddler and samples (OwnCloud)
<post publication edit>You'll also find Pcap and samples by malware-traffic</edit>
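The decoding steps given in the Fiesta section (Base64 decode of the "Felt" parameter, then XOR 0x20) and the XOR 95 unmasking of Erido.jpg in the FlashPack section above rest on the same single-byte XOR trick, and the FlashPack pd.php?id= and HiMan hg= parameters are plain hex. The Python helpers below are an added example, not code from the original post or from any of the kits: the shellcode stand-in and the fake PE image are constructed inputs, the function names (decode_felt, recover_xor_key, looks_like_pe, hex_param) are chosen here, and the PE-signature check is used as the plausibility test for a recovered key.

```python
import base64
import struct
from typing import Optional


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with one single-byte key (self-inverse, so it also re-masks)."""
    return bytes(b ^ key for b in data)


def decode_felt(param: str, key: int = 0x20) -> bytes:
    """Fiesta 'Felt' parameter: Base64 decode, then XOR each byte with 0x20."""
    return xor_bytes(base64.b64decode(param), key)


def looks_like_pe(blob: bytes) -> bool:
    """Plausibility check: 'MZ' DOS header and a 'PE\\0\\0' signature at e_lfanew."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def recover_xor_key(blob: bytes) -> Optional[int]:
    """Find the single-byte key that turns a masked blob (Erido.jpg style) into a PE.

    Only one key can map the first byte to 'M', so this is a single candidate
    check rather than a 256-key brute force; the PE signature weeds out chance hits.
    """
    if not blob:
        return None
    key = blob[0] ^ ord("M")
    return key if looks_like_pe(xor_bytes(blob, key)) else None


def hex_param(value: str) -> str:
    """Decode a hex-encoded URL parameter such as FlashPack pd.php?id= or HiMan hg=."""
    return bytes.fromhex(value).decode("ascii")


# --- constructed inputs (not taken from the kits) ------------------------------
SAMPLE_PLAIN = b"constructed stand-in, not real shellcode"
SAMPLE_FELT = base64.b64encode(xor_bytes(SAMPLE_PLAIN, 0x20)).decode()

# Minimal fake PE image: DOS header, e_lfanew = 0x40, then the PE signature.
FAKE_PE = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40) + b"PE\x00\x00" + b"\x00" * 20
MASKED_JPG = xor_bytes(FAKE_PE, 95)   # shape of a disguised Erido.jpg, key 95

# Value copied from the FlashPack pd.php URL on this page.
FLASHPACK_ID = "68656c6c6f303332322e636f6d"

if __name__ == "__main__":
    print(decode_felt(SAMPLE_FELT))
    print("XOR key for the disguised image:", recover_xor_key(MASKED_JPG))
    print("pd.php?id= decodes to:", hex_param(FLASHPACK_ID))
```

Pointing recover_xor_key at a real .jpg pulled from a FlashPack capture gives the key directly if the file is a masked PE, and None if it is a genuine image; the hex decoder applied to the HiMan at.php/att.php/cw.php/nn.php parameters below shows they carry the next-stage URL in the clear.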
Angler EK :
Successful pass for CVE-2014-0322 in Angler EK 2014-03-28 |
200 OK (text/html)
Piece of the code targeting CVE-2014-0322 in Angler EK 2014-03-28 http://pastebin.com/PqrdhTnK |
Why waste time renaming functions? |
GET http://callositfrenavisseque.teampac12 .com/2ZhNTwSvCb7q0rUMk1eeQBch4k8SW3YuQb72x92634nu21RH
200 OK (text/html) 7aeefe2f40d607df2c51b89f912d9b37
GET http://callositfrenavisseque.teampac12 .com/QNZhV37gKdfsOwXFL86KIlYIKGhDK4PXmb55GtwVhjzPf-HP
200 OK (application/octet-stream) 0d62ee4c2fe169a65cd2d9afde80b6bc (Reveton Ransomware)
Files : Landing, SWF, Encoded and Decoded Payload (see here for decoding)
Sweet Orange :
Successful CVE-2014-0322 pass in Sweet Orange 2014-04-09 |
200 OK (text/html) http://pastebin.com/pPGJwa5f
CVE-2014-0322 in Sweet Orange landing after some replace and b64 decode |
GET http://bkse .pw/LiveUser_Admin/kaztPkw
200 OK (application/x-shockwave-flash) bef27f41b067d6f842c471562f78735b SWF Helper
GET http://duckfood .pw/customer.php?press=589&support=4&index=457&technical=171&game=555&polls=265&intm=447&flash=726&trans=335
200 OK (application/octet-stream) b87500d8d40ec1ac249f44c29a71f07f (Target Japan)
Files : Fiddler/Sample
HiMan :
Edit : 2014-04-17 - Thanks Eoin Miller for hints on finding it.
CVE-2014-0322 pass in HiMan 2014-04-16 |
GET http://alertsecurity3-0004 .pw/fulypixojn.php
200 OK (text/html)
GET http://alertsecurity3-0004 .pw/kydopocfevokoxoqq/at.php?hg=687474703a2f2f616c6572747365637572697479332d303030342e70772f6b79646f706f636665766f6b6f786f71712f747572662e7068703f6e3d3730366337353637
200 OK (text/html) CVE-2014-0322 http://pastebin.com/uaWHZNwe
Piece of CVE-2014-0322 in HiMan after deobfuscation 2014-04-16 http://pastebin.com/5ANw4u4H |
GET http://alertsecurity3-0004 .pw/kydopocfevokoxoqq/rues3.swf
200 OK (application/x-shockwave-flash) Flash Helper d67a83c6b3062cc5b451da2bd7c97499
GET http://alertsecurity3-0004 .pw/kydopocfevokoxoqq/turf2.php
200 OK (application/octet-stream) Payload seems to be a test file.
GET http://alertsecurity3-0004 .pw/kydopocfevokoxoqq/att.php?hg=687474703a2f2f616c6572747365637572697479332d303030342e70772f6b79646f706f636665766f6b6f786f71712f747572662e7068703f6e3d3730366337353637
200 OK (text/html) CVE-2013-2551 try
GET http://alertsecurity3-0004 .pw/kydopocfevokoxoqq/cw.php?rbbr=687474703a2f2f616c6572747365637572697479332d303030342e70772f6b79646f706f636665766f6b6f786f71712f747572662e7068703f6e3d3730366337353637
200 OK (text/html) Call for Flash CVE
GET http://alertsecurity3-0004 .pw/kydopocfevokoxoqq/nn.php?nh=687474703a2f2f616c6572747365637572697479332d303030342e70772f6b79646f706f636665766f6b6f786f71712f747572662e7068703f6e3d3730366337353637
200 OK (text/html) Call for Silverlight CVE
GET http://alertsecurity3-0004 .pw/kydopocfevokoxoqq/uf.jar
200 OK (application/java-archive)
Files : 2 Fiddler captures (not CVE-2014-0322 passes, but containing the real payload, an Urausy-like ransomware)
Note :
(See this : http://pastebin.com/Ya8kZihy ) <edit 2014-04-10> Got them. The vuln is not there. Maybe it was a test or something. </edit>
This is the Styx run by the guys who were pushing Kovter and Zaccess in Sakura until December 2013 and then switched to Styx.
Last known (to me) position :
2014/02/16 12:3x;goo6.payingmails.ostrowwlkp.pl;80;64.251.30.161
2014/02/16 12:3x;mami1.payingmails.ostrowwlkp.pl;80;64.251.30.161
2014/02/16 13:3x;alfad.magsforeveryone.ostrowwlkp.pl;80;64.251.30.161
2014/02/16 13:3x;kinov.magsforeveryone.ostrowwlkp.pl;80;64.251.30.161
2014/02/16 13:4x;wmczo.iaozu.ostrowwlkp.pl;80;64.251.30.162
2014/02/16 13:4x;shiyu.iaozu.ostrowwlkp.pl;80;64.251.30.162
2014/02/16 13:5x;opera.iaozu.ostrowwlkp.pl;80;64.251.30.162
2014/02/16 16:1x;talen.cncnc.ostrowwlkp.pl;80;64.251.30.162
2014/02/16 16:1x;asla.cncnc.ostrowwlkp.pl;80;64.251.30.162
<edit 2014-04-10>
For those interested they are now here :
2014/04/10 xx:xx:xx;vivas.etudiants.ostrowiec.pl;80;192.133.137.68
2014/04/10 xx:xx:xx;tv24.etudiants.ostrowiec.pl;80;192.133.137.68
2014/04/10 xx:xx:xx;auror.elcuara.ostrowiec.pl;80;192.133.137.68
2014/04/10 xx:xx:xx;thete.elcuara.ostrowiec.pl;80;192.133.137.68
</edit>
Read More :
Emerging Threat: MS IE 10 Zero-Day (CVE-2014-0322) Use-After-Free Remote Code Execution Vulnerability - 2014-02-19 - Symantec
New Internet Explorer 10 Zero-Day Discovered in Watering Hole Attack - 2014-02-14 - Symantec