2015-01-29 - Exploit Integration
CVE-2015-0311 (Flash up to 16.0.0.287) integrating Exploit Kits
Patched with Flash 16.0.0.296 the CVE-2015-0311 has been first seen exploited by Angler EK ( 2015-01-20 ) , soon after used in "standalone" mode in huge malvert campaign (pushing either Reveton, either Bedep (doing adfraud and grabbing malware : Pony mostly from what I saw) )
 |
| CVE-2015-0311 used in standalone mode to drop Bedep grab Pony and perform adfraud 2015-01-28 |
656beccf7bfeefcc42c692e8320b080b
9543862cc9ae4ca77a3a683bf0c82392
f5a7aabaeb4dd62d72d74224d4064979
c1206173b4bd7d54f61e46876b89fa2f
613db35a14bc5d36fcb46603f1a73ca1
5adb0980caa5ba40125ddede266ade71
Here are some MD5 for the CVE-2015-0311 fired by Angler EK:
a956021a2a8b6351e94f11e4b799c97e - 2015-01-21 <- First spotted as it and shared.
cacd5a2271e204f3ce561cf3ca08d12c - 2015-01-22
7aff26e0ea8523c8086692a2f35fd20c - 2015-01-23
ea14f42ba6ff9f4b39158864ec98dd35 - 2015-01-25
8f45fdb14f81cd154090922769137387 - 2015-01-27 <- Once exploit extended to all Angler Threads
(Note: All were sent almost live to VT. Interestingly only one md5 leaked publicly before patch )
CVE-2015-0311 has been integrated today in RIG
RIG: 2015-01-29
[note that CVE-2014-6332 is in RIG as well. I'll update the associated post soon]
CVE id confirmed by Anton Ivanov ( Kaspersky ) (Thanks ! )
 |
| RIG successfully exploit Windows 8.1 IE11 Flash 16.0.0.257 - 2015-01-29 using CVE-2015-0311 |
 |
| E:\\CrackAndHack\\targets\\Flash\\exploits\\y0lny\\new4\\fd\\src;;_SafeStr_12.as |
Fiddler sent to VT. (Not shared here on purpose. No need to ask in comments : why ? break % is still too high).
Sample : 196467aa4e6e1c2a66b49d465d37f9b9
[Edit] First rotated sample after that post : 270c1ff742a50a13ae68d4c88b700017 [/Edit]
Fiesta: 2015-01-31
 |
| Fiesta successfully exploit Windows XP IE8 Flash 16.0.0.257 using CVE-2015-0311 Fiesta Logo courtesy of FoxIT. |
Fiddler sent to VT
Nuclear Pack: 2015-02-01
 |
Nuclear Pack successfully exploit Windows XP IE8 Flash 16.0.0.257 using CVE-2015-0311 2015-02-01. |
Fiddler sent to VT
Sweet Orange: 2015-02-05 (maybe few days before)
Only today in XP...maybe sent earlier to Windows7 / 8
I decided to take another look after tweets from @_MDL_
 |
| Sweet Orange firing exploit for CVE-2015-0311 - 2015-02-05 |
Files: 2 fiddlers
Neutrino :
CVE identification by Anton Ivanov ( Kaspersky )
 |
| Neutrino firing his bundle of Sploit : 2015-02-06 Note: in this pass the Vawtrak payload is most probably CVE-2014-6332 load |
Magnitude:
CVE identification by Timo Hirvonen from F-Secure
 |
| Magnitude - CVE-2015-0311 exploited successfully - 2015-02-08 |
Fiddler : Magnitude_CVE-2015-0311_2015-02-08
Read More:
A Different Exploit Angle on Adobe's Recent Zero-Day - 2015-01-27 - Dan Caselden, Corbin Souffrant, James T. Bennett - FireEye
Top adult site xHamster involved in large malvertising campaign - 2015-01-27 - Malwarebytes Labs
Analyzing CVE-2015-0311: Flash Zero Day Vulnerability - 2015-01-26 Peter Pi - TrendMicro
Post Publication Reading :
The latest Flash UAF Vulnerabilities in Exploit Kits - 2015-05-28 - Unit42 - Palo Alto
Exploiting CVE-2015-0311: A Use-After-Free in Adobe Flash Player - 2015-03-04 - Francisco Falcon - CoreSecurity
Exploiting CVE-2015-0311, Part II: Bypassing Control Flow Guard on Windows 8.1 Update 3 - 2015-03-25 - Francisco Falcon - CoreSecurity