
CVE-2015-2419 (Internet Explorer) and Exploit Kits

2015-08-10 21:40

As published by FireEye, Angler EK is now exploiting CVE-2015-2419, fixed with MS15-065.

Angler EK :

It seems they might have started to work on that exploit as early as 2015-07-24, when some instances briefly used code to gather ScriptEngineVersion from redirected visitors:

Angler EK gathering ScriptEngineVersion data the fast way.
Today the first pass I made showed a new POST call and successfully exploited a VM that used to be safe from Angler.

CVE-2015-2419 successfully exploiting IE11 in windows 7
(Here bedep grabbing Pony and TeslaCrypt then doing some AdFraud)

I spent (too much ;) ) time trying to decode that b value in the POST reply.
Here are some materials :

- The landing after first pass of decoding and with some comments : http://pastebin.com/JQuyAXar

The POST call is handled by String['prototype']['jjd']; ggg is sent in the POST data along with the ScriptEngineVersion (in the shared pass: 17728).

- The l() function handling the post : http://pastebin.com/hxZJwbaY
- The post data and reply after first pass of decoding : http://pastebin.com/raw.php?i=NWkU7CXr

Files : 2 Fiddlers (ScriptEngineVersion gathering and successful pass - use malware as password)

Thanks :
Horgh_RCE for his help

Read More :
CVE-2015-2419 – Internet Explorer Double-Free in Angler EK - 2015-08-10 - Sudeep Singh, Dan Caselden - FireEye
2015-08-10 - ANGLER EK FROM SENDS BEDEP - This pass, shared by Brad from Malware-Traffic-Analysis, includes CVE-2015-2419
