Zero Day Java Exploits(All Java Exploits goes here)

Forum for analysis and discussion about malware.
Kafeine
Posts: 105
Joined: Thu Jul 28, 2011 1:19 pm

Re: Zero Day Java Exploits(All Java Exploits goes here)

Post by Kafeine » Sat Mar 30, 2013 2:08 pm

Blaze wrote:CVE-2012-1723
Other one is unknown
Bart, looking at your file this looks like from Sweet Orange.
So chances are high that it's CVE-2013-0431 with Serialization.
Cf:

   String str = "co00m.su000n.j000mx.mbe00anser00ver.MB00eanInst0ant00iat0or";
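
An added example, not part of the original thread: the constant above reads as `com.sun.jmx.mbeanserver.MBeanInstantiator` once the `0` padding is removed, and this Python triage helper generalizes that to any single filler character when scanning string constants pulled from a sample. The watchlist prefixes and the sample constants other than the quoted one are assumptions made for illustration.

```python
import re

# Assumption: restricted JDK-internal package prefixes, chosen for illustration.
WATCHLIST = (
    "com.sun.jmx.mbeanserver.",
    "sun.org.mozilla.javascript.internal.",
)
# Shape of a dotted, fully qualified Java class name.
FQCN = re.compile(r"^(?:[A-Za-z_$][\w$]*\.)+[A-Za-z_$][\w$]*$")


def _hit(candidate):
    """Return the watchlist prefix the candidate falls under, or None."""
    if not FQCN.match(candidate):
        return None
    return next((p for p in WATCHLIST if candidate.startswith(p)), None)


def unpad_class_name(constant):
    """Recover a watchlisted class name hidden by one filler character.

    Returns (filler, class_name), with filler None when the constant was
    not padded at all, or None when no candidate matches the watchlist.
    """
    if _hit(constant):
        return (None, constant)
    # Try every distinct character as the filler; dots are structural.
    for filler in sorted(set(constant) - {"."}):
        candidate = constant.replace(filler, "")
        if _hit(candidate):
            return (filler, candidate)
    return None


def triage(constants):
    """Map each suspicious constant to its (filler, class_name) result."""
    findings = {}
    for constant in constants:
        result = unpad_class_name(constant)
        if result:
            findings[constant] = result
    return findings


# First entry is the string quoted in the thread; the rest are constructed.
SAMPLE_CONSTANTS = [
    "co00m.su000n.j000mx.mbe00anser00ver.MB00eanInst0ant00iat0or",
    "java.lang.String",
    "hello 0 world",
]
```

A hit only says the sample builds a reference to a restricted class at run time; which CVE it belongs to still has to be confirmed from the surrounding code.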

secObs
Posts: 25
Joined: Sun Mar 04, 2012 10:53 pm
Location: here, there and everywhere

Re: Zero Day Java Exploits(All Java Exploits goes here)

Post by secObs » Sat Mar 30, 2013 11:03 pm

Kafeine wrote:
Blaze wrote:CVE-2012-1723
Other one is unknown
Bart, looking at your file this looks like from Sweet Orange.
So chances are high that it's CVE-2013-0431 with Serialization.
Cf:

   String str = "co00m.su000n.j000mx.mbe00anser00ver.MB00eanInst0ant00iat0or";

Yes, it's CVE-2013-0431.

CVE-2013-0431 uses a vulnerability of the Introspector class.

In attach:
- CVE-2013-0422 from Fiesta and Redkit
- CVE-2013-0431 from BlackHole and Sweet Orange

Blaze
Posts: 198
Joined: Fri Aug 27, 2010 7:35 am

Re: Zero Day Java Exploits(All Java Exploits goes here)

Post by Blaze » Mon Apr 01, 2013 4:09 pm

Figured, thanks for the confirmation guys!

secObs
Posts: 25
Joined: Sun Mar 04, 2012 10:53 pm
Location: here, there and everywhere

Re: Zero Day Java Exploits(All Java Exploits goes here)

Post by secObs » Fri Apr 05, 2013 9:58 pm

In attach:
- CVE-2013-1493 from Sibhost "Exploit Kit" with encoded Urausy inside.
- CVE-2013-0431 from Neutrino

Squirl
Posts: 15
Joined: Sun Apr 03, 2011 11:48 pm

Re: Zero Day Java Exploits(All Java Exploits goes here)

Post by Squirl » Tue Apr 09, 2013 10:47 am

From Blackhole
CVE 2013-0422

Jar and Executable in attached

secObs
Posts: 25
Joined: Sun Mar 04, 2012 10:53 pm
Location: here, there and everywhere

Re: Zero Day Java Exploits(All Java Exploits goes here)

Post by secObs » Tue Apr 09, 2013 10:07 pm

Squirl wrote:From Blackhole
CVE 2013-0422

Jar and Executable in attached
This is CVE-2013-0431 not 0422, anyhow thank you for sharing.

Squirl
Posts: 15
Joined: Sun Apr 03, 2011 11:48 pm

Re: Zero Day Java Exploits(All Java Exploits goes here)

Post by Squirl » Wed Apr 10, 2013 8:42 am

Yep, you're quite right! Rushed my analysis a bit :?

Squirl
Posts: 15
Joined: Sun Apr 03, 2011 11:48 pm

Re: Zero Day Java Exploits(All Java Exploits goes here)

Post by Squirl » Wed Apr 17, 2013 1:05 pm

RedKit exploiting 2013-0422 (VT confirms :) ) together with all payloads.

N3mes1s
Posts: 42
Joined: Wed Mar 09, 2011 5:17 pm

Re: Zero Day Java Exploits(All Java Exploits goes here)

Post by N3mes1s » Thu Apr 18, 2013 12:52 pm

CVE-2012-1723 dropped from redkit boston.html campaign

https://www.virustotal.com/en/file/0bf5 ... 366289246/

Blaze
Posts: 198
Joined: Fri Aug 27, 2010 7:35 am

Re: Zero Day Java Exploits(All Java Exploits goes here)

Post by Blaze » Fri May 03, 2013 3:26 pm

CVE-2013-1493 attached.
