So I dove right in examining the JAR for the function that uses the param and decodes the callback. Not to my surprise the JAR does not decompile correctly. However it obviously taks advantage of CVE-2012-0507.
So I went back to the drawing board. My drawing board just happens to be Notepad++
So I pasted the param value Notepad and started to replace all the HTML values with the corresponding ASCII value.
HTML
After replacing
At first glance I did not see it. Then it hit me! If you ignore the first "0" and then replace the ";" with nothing, then the values become hex values that should look familiar :)
So with all of this knowledge and knowing that my alphabet list I created earlier still held true. I simply used a python script my pal created for me utilizing my alphabet and decoded the JARs callback.
h00p://secondhand4u.ru:8080/forum/links/column.php?zf=3436353638&oe=3307093738070736060b&n=02&re=e&mk=k
I believe this marks the first time the BHEK authors have used two forms of obfuscation in the param value field.
Nice. The request there is consistent with the binary get request.
ReplyDeletehttp://fortknoxnetworks.blogspot.com/2012/10/blackhole-20-binary-get-request.html
#malwaremustdie
It sure is! Great work
Delete