Monday, August 10, 2015

Malware don't need coffee. CVE-2014-2419 (Internet Explorer) and Exploits Kits

http://malware.dontneedcoffee.com/2015/08/cve-2014-2419-internet-explorer-and.html

  • Angler added -  2015-07-24



As published by FireEye, Angler EK is now exploiting CVE-2015-2419, fixed with MS15-065.

Angler EK :
2015-08-10

It seems they might have started to work on that exploit as early as 2015-07-24, when some instances briefly used code to gather ScriptEngineVersion from redirected visitors:

Angler EK gathering ScriptEngineVersion data the fast way.
2015-07-24
Today the first pass I made showed a new POST call and successfully exploited a VM that used to be safe from Angler.


CVE-2015-2419 successfully exploiting IE11 on Windows 7
2015-08-10
(Here Bedep grabs Pony and TeslaCrypt, then does some ad fraud)

I spent (too much ;) ) time trying to decode that b value in the POST reply.
Here are some materials:

- The landing after a first pass of decoding, with some comments: http://pastebin.com/JQuyAXar

The POST call is handled by String['prototype']['jjd']; ggg is sent in the POST data, as well as the ScriptEngineVersion (17728 in the shared pass).

- The l() function handling the POST: http://pastebin.com/hxZJwbaY
- The POST data and reply after a first pass of decoding: http://pastebin.com/raw.php?i=NWkU7CXr
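As an added illustration (not code from this post, nor from the Angler landing page it describes): a small Python scanner that runs over decoded script text, such as the decoded landing linked above, and flags the combination described here, JScript engine-version gathering followed by a POST that carries it, plus handlers planted on String.prototype like the jjd one. ScriptEngineMajorVersion, ScriptEngineMinorVersion and ScriptEngineBuildVersion are JScript built-ins; that the landing used exactly those calls, and the two sample scripts embedded below, are assumptions constructed for the example.

```python
import re

# JScript built-in engine-version functions (real IE/JScript API). Which of them
# the Angler landing actually called is not shown in the post, so matching all
# three is an assumption of this example.
VERSION_CALL_RE = re.compile(r"\b(ScriptEngine(?:Major|Minor|Build)Version)\s*\(")

# XMLHttpRequest-style POST: xhr.open("POST", ...) in either quote style.
POST_RE = re.compile(r"""\.open\s*\(\s*['"]POST['"]""", re.IGNORECASE)

# Assignment of a new member onto String.prototype, written either as
# String.prototype.name = ... or String['prototype']['name'] = ...
PROTOTYPE_HOOK_RE = re.compile(
    r"""String\s*(?:\.prototype|\[\s*['"]prototype['"]\s*\])"""
    r"""\s*(?:\.(\w+)|\[\s*['"](\w+)['"]\s*\])\s*="""
)


def scan(script_text: str) -> dict:
    """Return the fingerprinting / exfiltration indicators found in decoded script text."""
    version_calls = sorted(set(VERSION_CALL_RE.findall(script_text)))
    posts = POST_RE.search(script_text) is not None
    hooks = [m.group(1) or m.group(2) for m in PROTOTYPE_HOOK_RE.finditer(script_text)]

    # Engine-version lookups alone are common in legitimate browser detection;
    # the signal worth alerting on is version gathering that is then POSTed.
    if version_calls and posts:
        verdict = "suspicious"
    elif version_calls:
        verdict = "fingerprint-only"
    else:
        verdict = "clean"

    return {
        "version_calls": version_calls,
        "posts": posts,
        "prototype_hooks": hooks,
        "verdict": verdict,
    }


# Constructed sample: ordinary compatibility check, no data leaves the page.
BENIGN_SAMPLE = """
var v = ScriptEngineMajorVersion();
if (v < 9) { document.write('please upgrade your browser'); }
"""

# Constructed sample mirroring the shape described in the post: a POST helper
# hung on String.prototype under the name jjd, an opaque ggg token, and the
# engine version sent along with it. The server reply (the b value) is not modelled.
EK_STYLE_SAMPLE = """
String['prototype']['jjd'] = function (d) {
    var x = new XMLHttpRequest();
    x.open('POST', '/collect', false);
    x.send(d);
    return x.responseText;
};
var ggg = 'opaque-token';
var sev = ScriptEngineMajorVersion() + '.' + ScriptEngineMinorVersion() + '.' + ScriptEngineBuildVersion();
var b = ''['jjd'](ggg + '&' + sev);
"""


if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_SAMPLE), ("ek-style", EK_STYLE_SAMPLE)):
        print(name, scan(sample))
```

Run it over a decoded landing page (the pastebin above, once de-obfuscated) rather than the raw obfuscated one; the regexes only see names that the first decoding pass has already exposed.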

Files: 2 Fiddler captures (ScriptEngineVersion gathering and successful pass; use "malware" as the password)

Thanks:
Horgh_RCE for his help

Read More:
CVE-2015-2419 – Internet Explorer Double-Free in Angler EK - 2015-08-10 - Sudeep Singh, Dan Caselden - FireEye
ANGLER EK FROM 144.76.161.249 SENDS BEDEP - 2015-08-10 - Brad - Malware-Traffic-Analysis (this shared pass includes CVE-2015-2419)
Generic bypass of next-gen intrusion / threat / breach detection systems - 2015-06-05 - Zoltan Balazs - Effitas