"Traff.jar" was dropped by an unknown toolkit exploiting
CVE-2013-0431. As with most Java exploits found in the wild, this one
carries an encrypted CLASS file (responsible for disabling the
SecurityManager and dropping the payload) and an encrypted payload. The image
below shows the encrypted payload.
The encrypted Java CLASS file is stored in a byte array that is later
decoded by XORing it with a hardcoded key.
We can rip this part of the code out, put it in Eclipse
(modifying it slightly to write the resulting decoded CLASS file), and debug it.
The result can be written to a file named "W.class".
We now have the decrypted CLASS file.
Loading the CLASS file in JD and checking the code reveals
this:
Again we can rip this code out and analyze it in
Eclipse. The modified code reads the encrypted payload and feeds it to the
"dropFile" function: the first parameter is the encrypted file itself,
the second is the filename that will later contain the decrypted
EXE, and the third is the hardcoded key itself.
Executing the "dropFile" function readily writes the
decrypted EXE to "C:\a.exe", as shown below :)
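Both unpacking steps above (the byte array that becomes W.class and the payload that becomes the EXE) are the same operation: a repeating-key XOR with a hardcoded key, followed by writing the result out. The following is an added example, not code from the post or from Traff.jar, that reproduces that decode step in Python for an analyst's workbench and confirms what came out by its file signature (0xCAFEBABE for a class file, "MZ" for a PE). It goes a little beyond the post by also showing how the key can be recovered from the known class-file magic when it is not hardcoded conveniently. The key and the encrypted bytes are constructed for the demo; the output names "W.class" and "a.exe" are just the ones used in the write-up.

```python
# Added example (not the original post's code): XOR-decode an embedded byte
# array with a hardcoded key, the way the analysed JAR unpacks W.class and
# the dropped EXE, and confirm what came out by its file signature.
# Assumptions: DEMO_KEY, FAKE_CLASS and FAKE_EXE below are constructed for
# the demo and are not taken from Traff.jar.
from pathlib import Path
from typing import Optional

CLASS_MAGIC = bytes.fromhex("CAFEBABE")   # every Java .class starts with this
PE_MAGIC = b"MZ"                          # every Windows PE starts with this


def xor_decode(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same routine both encrypts and decrypts."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def identify(blob: bytes) -> str:
    """Name the decoded artefact from its leading bytes."""
    if blob.startswith(CLASS_MAGIC):
        return "java-class"
    if blob.startswith(PE_MAGIC):
        return "pe-executable"
    return "unknown"


def recover_xor_key(cipher: bytes, known_plaintext: bytes) -> Optional[bytes]:
    """Derive a repeating XOR key from a known plaintext prefix (e.g. CAFEBABE).

    Only key lengths up to len(known_plaintext) can be fully recovered; the
    shortest length consistent with every known byte is returned.
    """
    n = len(known_plaintext)
    if len(cipher) < n:
        return None
    for key_len in range(1, n + 1):
        key = bytes(cipher[i] ^ known_plaintext[i] for i in range(key_len))
        if all(cipher[i] ^ key[i % key_len] == known_plaintext[i] for i in range(n)):
            return key
    return None


def dump_decoded(data: bytes, key: bytes, out_path: str) -> str:
    """Decode, write the result to out_path (what the modified Eclipse code
    does), and return the artefact type so the analyst can sanity-check it."""
    plain = xor_decode(data, key)
    Path(out_path).write_bytes(plain)
    return identify(plain)


# --- constructed sample input (not taken from Traff.jar) ---------------------
DEMO_KEY = bytes.fromhex("1337ABCD")
# A fake class file header: magic, minor 0, major 50 (Java 6), cp count 0x0010.
FAKE_CLASS = CLASS_MAGIC + bytes.fromhex("0000003200100A")
ENCRYPTED_CLASS = xor_decode(FAKE_CLASS, DEMO_KEY)   # what the byte[] in the JAR holds
# A fake PE header stub.
FAKE_EXE = PE_MAGIC + bytes.fromhex("900003000000")
ENCRYPTED_EXE = xor_decode(FAKE_EXE, DEMO_KEY)

if __name__ == "__main__":
    print("class blob decodes to:", dump_decoded(ENCRYPTED_CLASS, DEMO_KEY, "W.class"))
    print("payload decodes to:", dump_decoded(ENCRYPTED_EXE, DEMO_KEY, "a.exe"))
    print("key recovered from CAFEBABE:", recover_xor_key(ENCRYPTED_CLASS, CLASS_MAGIC).hex())
```

Running the script writes W.class and a.exe to the current directory and reports the recovered key. The signature check is worth keeping in any decoder: if the output does not begin with CAFEBABE or MZ, the key or the XOR scheme you lifted from the sample is wrong, and the file should not be trusted, let alone executed.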
The same JAR is analyzed differently by Kahusecurity here:
http://www.kahusecurity.com/2013/quick-java-applet-analysis/