Monday, April 8, 2013

Decrypting "traff.jar" JAVA Exploit (Payload part)

"Traff.jar" was dropped from an unknown toolkit exploiting CVE-2013-0431. As most of the JAVA exploits found in the wild, this JAVA exploit was also seen to be having an encrypted CLASS file (responsible for turning off the SecurityManager and dropping the payload) and an encrypted payload. Below image shows the encrypted payload,

The encrypted JAVA CLASS file was found in an array of byte that later was decoded using a hardcoded key (XOR’d)

We can rip off this part of the code an put it in ECLIPSE (modify the code a bit to write the resultant decoded CLASS FILE) and debug it. The result can be outputted to a file named “W.class”.

We have now the decrypted CLASS FILE. 

Loading the CLASS FILE under JD and checking the code revels this,

And again we can rip this code off and analyze it in ECLIPSE. Modified code reads the encrypted payload and feeds it to the “dropFile” function with 1st parameter as the encrypted file itself, the 2nd param being the filename which will later contain the decrypted EXE and the hardcoded key itself.

Executing the function “dropFile” readily writes the output of the decrypted EXE to “C:\a.exe” as below :)

There’s a same JAR that’s analyzed by Kahusecurity differently here -

No comments:

Post a Comment