A late post to sum up what has been seen in exploit kits regarding CVE-2013-2551.
This vulnerability was exploited during Pwn2Own 2013 by VUPEN on 2013-03-07.
The first mention was by Yonathan Klijnsma from Fox-IT, for Neutrino, on 2013-09-10.
Neutrino exploit kit now also serves @VUPEN's #CVE-2013-2551 to exploit MSIE 10-9-8-7-6 via the VML integer overflow @kafeine
— Yonathan Klijnsma (@ydklijnsma) September 10, 2013
Malforsec wrote a post about it.
I never got a positive infection with it.
Simultaneous pass on 2 threads of Neutrino 2013-09-14 - Piece of CVE-2013-2551
On 2013-09-25 Yonathan spotted it in Fiesta.
Fiesta exploit kit now also serves @VUPEN's #CVE-2013-2551 to exploit MSIE 10-9-8-7-6 via the VML integer overflow
— Yonathan Klijnsma (@ydklijnsma) September 25, 2013
He also made a post about it. Once again I could see it fire but not own the box here. I don't know why.
Fiesta pass firing CVE-2013-2551 (no infection) 2013-10-05
HiMan Exploit Kit. Say Hi to one more. Working CVE-2013-2551 inside : http://t.co/rDiEDKjsGY pic.twitter.com/5d4PJw9Jn9
— kafeine (@kafeine) October 2, 2013
On 2013-10-05 it was being integrated in Styx:
CVE-2013-2551 integration is in progress in Styx (HiMan copy paste for that CVE...hum...%$*£ !! ) pic.twitter.com/OTsx0ZqsB3
— kafeine (@kafeine) October 5, 2013
The code was exactly the same as the one in HiMan EK (the kaf() function name was the hint that allowed me to notice it quickly).
On 2013-10-06 it appeared in Magnitude:
Magnitude EK (formerly popads) has integrated CVE-2013-2551 yesterday. ( HiMan EK copy paste again :S ) pic.twitter.com/s0NslEokhf
— kafeine (@kafeine) October 7, 2013
On 2013-10-13 I saw it in Nuclear Pack:
Nuclear Pack is integrating CVE-2013-2551 (once again, copy paste from HiMan EK's code :s ) pic.twitter.com/L97uZy4xFp
— kafeine (@kafeine) October 13, 2013
<edit1 2013-11-09>
Sweet Orange:
Spotted by EKWatcher, it's now in Sweet Orange.
The landing page size doubled, from:
Sweet Orange - 2013-11-09 02:51
to
Sweet Orange - 2013-11-09 14:48
200 OK (text/html)
GET http://bafes.thienchualatinhyeu .com:6173/members.php?files=588&quote=291&pets=4&sales=199&star=171&front=343&staff=37&virus=398&mail=378
200 OK (application/octet-stream) 0b17503fe267660f08d1bc23fa89cb8d <- Urausy
Urausy - Piece of BE Design 2013-11-09
Files: here is a Fiddler capture (Owncloud via Goo.gl).
Read More:
Fiesta Exploit Kit analysis serving MSIE exploit CVE-2013-2551 - 2013-09-27 - Yonathan Klijnsma
Neutrino EK - IE exploit analysis - 2013-09-17 - Malforsec
CVE-2013-2551 MS13-037 Internet Explorer Vulnerability Metasploit Demo - 2013-06-12 - Eromang Blog
VUPEN Advanced Exploitation of Internet Explorer 10 / Windows 8 Overflow (Pwn2Own 2013) - 2013-05-22 - Nicolas Joly - VUPEN