Blog for hpHosts, and whatever else I feel like writing about ....

Monday, 5 December 2011

Blackhole exploit: For those wondering, Part 2

I received a comment to the 2009 blog. This one houses a variation of the MO used that I outlined in part 1 (was not going to be a part 2, but it's got a few changes that warranted it).

The MO in this case, is;

1. Site A
2. Exploit

There's no MITMs this time. There's also a slight change in the code used on the exploit page itself, though curiously, it's even easier to decode than the last one (only 3 lines needing commented out this time).

I've not got the headers for this one, but the e-mail apparently contains;

Dear Customer,

FLIGHT ELECTRONIC NUMBER 24-3054499
DATE & TIME / DECEMBER 12, 2011, 07:16 PM
ARRIVING AIRPORT: Chicago O'Hare International Airport
PRICE : 743.59 USD

Please download and print out your ticket here:
Download hxxp://thefire.org/reports/guides/1/tztei.htm?B9I5=Z66FITS&2Q5=5CO8CFG2ARLWIHHCFJHL0VG7G&

Jazlyn Warren,
Airlines America


4b1273d8-59cae6f0


thefire.org lives at;

IP: 64.49.244.212
IP PTR: Resolution failed
ASN: 10532 64.49.192.0/18 RACKSPACE - Rackspace Hosting
Registrar: GoDaddy

This redirects to;

czredret.ru/main.php

Which is living on Infium IP space;

IP: 188.190.99.26
IP PTR: ip-188-190-99-26.hosted-in.infiumhost.com
ASN: 197145 188.190.96.0/19 ASINFIUM Infium Ltd.

inetnum: 188.190.96.0 - 188.190.127.255
netname: INFIUM
descr: Infium LTD
country: UA
org: ORG-INFI1-RIPE
admin-c: INF20-RIPE
tech-c: INF20-RIPE
status: ASSIGNED PI
mnt-by: RIPE-NCC-END-MNT
mnt-lower: RIPE-NCC-END-MNT
mnt-by: NETASSIST-MNT
mnt-routes: NETASSIST-MNT
mnt-domains: NETASSIST-MNT
source: RIPE # Filtered

organisation: ORG-INFI1-RIPE
org-name: Infium Ltd.
org-type: OTHER
address: 61129, Ukraine, Kharkov, Traktorostroiteley 156/41 ave, office 200
mnt-ref: INFIUM-MNT
mnt-by: INFIUM-MNT
source: RIPE # Filtered

person: Infium Ltd
address: 61129, Kharkov, Ukraine, Traktorostroiteley 156/41, office 200
abuse-mailbox: abusemail@infiumhost.com
phone: +380577632339
phone: +1425606-33-07
nic-hdl: INF20-RIPE
mnt-by: INFIUM-MNT
source: RIPE # Filtered

:: Information related to '188.190.96.0/19AS197145'

route: 188.190.96.0/19
descr: Infium LTD
origin: AS197145
mnt-by: NETASSIST-MNT
source: RIPE # Filtered


In the case of this variation, all you need to do is comment out the following lines;

//a=(window.document.removeChild+'')['split']('')[1];
//if(a==='f'||a==='u') < this line appears twice, you'll need to comment out both


From here it's the same as the last one - locate the line containing "?f=" to get the value you'll need for the payload (in this case, /w.php?f=17).

References

Blackhole exploit: For those wondering
http://hphosts.blogspot.com/2011/12/blackhole-exploit-for-those-wondering.html

2 comments:

Valerii said...

vds with ip 188.190.99.26 already blocked

MysteryFCM said...

Thanks for letting me know (though not quite sure what you mean by "already blocked" - it was very much live when I published this).