CritXPack Changes URI Encoding

Thanks to @Set_Abominae for sharing this!

CritXPack seems to be using a new encoding for its URI parameters and/or received a slight build update. The directory name carries the build date 220213 (22 Feb 2013).

Current Exploit Chain –

/a220213k/btxqfuta/index.php?id=1234512345
/a220213k/btxqfuta/js/js.js
/a220213k/btxqfuta/gate.php?ver=gpwpPEgpwP:E:p:g.c.Eg:Egc1E81wgp:Epg18Epg18&p=8.0.0.456&j=1.6.0.26&f=10.0.42.4
/a220213k/btxqfuta/j16.php?i=Egc1E81wg1 > JAR
/a220213k/btxqfuta/load.php?e=E&ip=gpwpPEggwP > EXE

(index.php) Encoded Landing / Decoded Landing
(js.js) Encoded PluginDetect / Decoded PluginDetect
(gate.php) Encoded Gate / Decoded Gate

This will alter the existing signatures for CritXPack.

CritXPack Landing

HTTP Method = GET
HTTP URI contains /index.php?id=
Regex HTTP URI for \/[a-z][0-9]{6}[a-z]\/

CritXPack PluginDetect

HTTP Method = GET
HTTP URI ends with /js/js.js
Regex HTTP URI for \/[a-z][0-9]{6}[a-z]\/

CritXPack PluginDetect Response

HTTP Method = GET
HTTP URI contains /gate.php?ver=
Regex HTTP URI for \/[a-z][0-9]{6}[a-z]\/

CritxPack JAR

HTTP Method = GET
HTTP URI contains /j15.php?i= OR /j16.php?i= OR /j17.php?i=
Response Content-Type = application/java-archive
Regex HTTP URI for \/[a-z][0-9]{6}[a-z]\/

CritXPack EXE

HTTP Method = GET
HTTP URI contains /load.php?e=
Regex HTTP URI for \/[a-z][0-9]{6}[a-z]\/
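The five signatures above, implemented as a small matcher and run over constructed proxy records. This is an added example, not code from the original post or from the exploit kit: the record format (method, URI, response Content-Type) is an assumption, the sample log is constructed from the URIs in the chain plus two benign look-alikes, and the date helper only reads the DDMMYY digits from the directory token as noted above; the parameter encoding itself is not decoded.

```python
"""Apply the CritXPack 220213 URI signatures to HTTP request records (added example)."""
import re
from datetime import datetime

# Directory token seen in every URI of the chain: one lowercase letter, six
# digits, one lowercase letter, e.g. /a220213k/.  The digits read as DDMMYY
# (220213 -> 22 Feb 2013), the build date mentioned in the post.
DIR_RE = re.compile(r"/[a-z]([0-9]{6})[a-z]/")

# (signature name, URI predicate, required response Content-Type or None)
SIGNATURES = [
    ("CritXPack Landing", lambda u: "/index.php?id=" in u, None),
    ("CritXPack PluginDetect", lambda u: u.endswith("/js/js.js"), None),
    ("CritXPack PluginDetect Response", lambda u: "/gate.php?ver=" in u, None),
    ("CritXPack JAR",
     lambda u: any("/j1%s.php?i=" % v in u for v in "567"),
     "application/java-archive"),
    ("CritXPack EXE", lambda u: "/load.php?e=" in u, None),
]


def build_date(uri):
    """Return the DDMMYY build date embedded in the directory token, or None."""
    m = DIR_RE.search(uri)
    if not m:
        return None
    try:
        return datetime.strptime(m.group(1), "%d%m%y").date()
    except ValueError:  # six digits that are not a valid date
        return None


def match_signature(method, uri, content_type=None):
    """Return the first matching signature name, or None.

    Every signature requires GET plus the /x123456x/ directory token.  The JAR
    signature additionally requires the response Content-Type, so a record
    without it (e.g. a request-only log) cannot fire that rule.
    """
    if method != "GET" or not DIR_RE.search(uri):
        return None
    for name, uri_test, ctype in SIGNATURES:
        if not uri_test(uri):
            continue
        if ctype and not (content_type or "").lower().startswith(ctype):
            continue
        return name
    return None


def scan(records):
    """Return (uri, signature) for each record that fires a rule."""
    hits = []
    for method, uri, ctype in records:
        sig = match_signature(method, uri, ctype)
        if sig:
            hits.append((uri, sig))
    return hits


# Constructed sample proxy records: (method, uri, response Content-Type).
SAMPLE_LOG = [
    ("GET", "/a220213k/btxqfuta/index.php?id=1234512345", "text/html"),
    ("GET", "/a220213k/btxqfuta/js/js.js", "application/javascript"),
    ("GET", "/a220213k/btxqfuta/gate.php?ver=gpwpPEgpwP:E:p:g.c.Eg:Egc1E81wgp:Epg18Epg18"
            "&p=8.0.0.456&j=1.6.0.26&f=10.0.42.4", "text/html"),
    ("GET", "/a220213k/btxqfuta/j16.php?i=Egc1E81wg1", "application/java-archive"),
    ("GET", "/a220213k/btxqfuta/load.php?e=E&ip=gpwpPEggwP", "application/octet-stream"),
    # Benign look-alikes that must not fire: wrong directory shape, wrong method.
    ("GET", "/blog/index.php?id=42", "text/html"),
    ("POST", "/a220213k/btxqfuta/gate.php?ver=x", "text/html"),
]

if __name__ == "__main__":
    for uri, sig in scan(SAMPLE_LOG):
        print("%-34s %s %s" % (sig, build_date(uri), uri))
```

The directory regex is what keeps the generic `index.php?id=` and `js/js.js` rules from firing on ordinary sites, so a match on it should be required in every rule rather than treated as an optional refinement. Because the JAR rule keys on a response header, it only works on logs that record the response (proxy or full-session IDS logs), not on request-only web server logs.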
