Saturday, January 28, 2012

An Overview of Exploit Packs (Update 15) January 28, 2012


Version 15. January 28, 2012

The full table in xls format - Version 15 can be downloaded from here.

Also available in xlsx format and in csv format (Packs sheet, References sheet 2).


Additions - with many thanks to Kahu Security



Hierarchy Exploit Pack
=================
CVE-2006-0003
CVE-2009-0927
CVE-2010-0094
CVE-2010-0188
CVE-2010-0806
CVE-2010-0840
CVE-2010-1297
CVE-2010-1885
CVE-2011-0611
JavaSignedApplet


Siberia Private
==========
CVE-2005-0055
CVE-2006-0003
CVE-2007-5659
CVE-2008-2463
CVE-2008-2992
CVE-2009-0075
CVE-2009-0927
CVE-2009-3867
CVE-2009-4324
CVE-2010-0806


Techno XPack
===========
CVE-2008-2992
CVE-2010-0188
CVE-2010-0842
CVE-2010-1297
CVE-2010-2884
CVE-2010-3552
CVE-2010-3654
JavaSignedApplet


"Yang Pack"
=========
CVE-2010-0806
CVE-2011-2110
CVE-2011-2140
CVE-2011-354




Version 14. January 19, 2012


Version 14 Exploit Pack table additions:

Credits for the excellent Wild Wild West (October 2011 edition) go to kahusecurity.com

With many thanks to XyliBox (Xylitol - Steven), Malware Intelligence blog, and xakepy.cc for the information:

  1. Blackhole 1.2.1  (Java Rhino added, weaker Java exploits removed)
  2. Blackhole 1.2.1 (Java Skyline added)
  3. Sakura Exploit Pack 1.0  (new kid on the block, private pack)
  4. Phoenix 2.8. mini (condensed version of 2.7)
  5. Fragus Black (weak Spanish twist on the original, black colored admin panel, a few old exploits added)
If you find any errors or CVE information for packs not featured, please send it to my email (in my profile above, thank you very much).
The full table in xls format - Version 14 can be downloaded from here.

The exploit pack table in XLSX format
The exploit pack table in csv format


P.S. There are always corrections and additions thanks to your feedback after the document release, come back in a day or two to check in case v.15 is out.



Version 13. Aug 20, 2011


Kahusecurity issued an updated version of their Wild Wild West graphic that will help you learn Who is Who in the world of exploit packs. You can view the full version of their post in the link above.

Version 13 exploit pack table additions:
  1. Bleeding Life 3.0
  2. Merry Christmas Pack (many thanks to kahusecurity.com)
  3. Best Pack (many thanks to kahusecurity.com)
  4. Sava Pack (many thanks to kahusecurity.com)
  5. LinuQ
  6. Eleonore 1.6.5
  7. Zero Pack
  8. Salo Pack (incomplete but it is also old)



List of packs in the table in alphabetical order
  1. Best Pack
  2. Blackhole Exploit 1.0
  3. Blackhole Exploit 1.1
  4. Bleeding Life 2.0
  5. Bleeding Life 3.0
  6. Bomba
  7. CRIMEPACK 2.2.1
  8. CRIMEPACK 2.2.8
  9. CRIMEPACK 3.0
  10. CRIMEPACK 3.1.3
  11. Dloader
  12. El Fiesta
  13. Eleonore 1.3.2
  14. Eleonore 1.4.1
  15. Eleonore 1.4.4 Moded
  16. Eleonore 1.6.3a
  17. Eleonore 1.6.4
  18. Eleonore 1.6.5
  19. Fragus 1
  20. Icepack
  21. Impassioned Framework 1.0
  22. Incognito
  23. iPack
  24. JustExploit
  25. Katrin
  26. Merry Christmas Pack
  27. Liberty 1.0.7
  28. Liberty 2.1.0*
  29. LinuQ pack
  30. Lupit
  31. Mpack
  32. Mushroom/unknown
  33. Open Source Exploit (Metapack)
  34. Papka
  35. Phoenix 2.0
  36. Phoenix 2.1
  37. Phoenix 2.2
  38. Phoenix 2.3
  39. Phoenix 2.4
  40. Phoenix 2.5
  41. Phoenix 2.7
  42. Robopak
  43. Salo pack
  44. Sava Pack
  45. SEO Sploit pack
  46. Siberia
  47. T-Iframer
  48. Unique Pack Sploit 2.1
  49. Webattack
  50. Yes Exploit 3.0RC
  51. Zero Pack
  52. Zombie Infection kit
  53. Zopack


----------------------------------------------
Bleeding Life 3.0
New version ad is here

Merry Christmas Pack
Read analysis at kahusecurity.com

Best Pack
Read analysis at kahusecurity.com

Sava Pack
Read analysis at kahusecurity.com

Eleonore 1.6.5
[+] CVE-2011-0611
[+] CVE-2011-0559
[+] CVE-2010-4452
[-] CVE-2010-0886

Salo Pack
Old (2009), added just for the collection


Zero Pack
62 exploits from various packs (mostly Open Source pack)

LinuQ pack
Designed to compromise Linux servers using vulnerable phpMyAdmin. Comes with a DDoS bot, but any kind of code can be loaded for Linux botnet creation.
LinuQ pack is a phpMyAdmin exploit pack with 4 PMA exploits based on a previous Russian version of the Romanian PMA scanner ZmEu. It is not considered to be original, unique, new, or anything special. All exploits are public and well known.

It is designed to be installed on an IRC server (like UnrealIRCD). IP ranges already listed in bios.txt can be scanned; vulnerable IPs and the specific PMA vulnerabilities found are listed in vuln.txt, and the corresponding exploits can then be launched against the vulnerable server. It is more like a bot using PMA vulnerabilities than an exploit pack.
It uses:
CVE-2009-1148 (unconfirmed)
CVE-2009-1149 (unconfirmed)
CVE-2009-1150 (unconfirmed)
CVE-2009-1151 (confirmed)




====================================================================
Version 12. May 26, 2011
Additional changes (many thanks to kahusecurity.com):
Bomba
Papka

See the list of packs covered in the list below


The full table in xls format - Version 12 can be downloaded from here.
I want to thank everyone who sent packs and information :)





Version 11 May 26, 2011 Changes:
  1. Phoenix2.7
  2. "Dloader" (well, dloader is a loader, but the pack is some unnamed pack: http://damagelab.org/lofiversion/index.php?t=20852)
  3. nuclear pack
  4. Katrin
  5. Robopak
  6. Blackhole exploit kit 1.1.0
  7. Mushroom/unknown
  8. Open Source Exploit kit






====================================================================

10. May 8, 2011 Version 10 - Exploit Pack Table_V10May11
First, I want to thank everyone who sent and posted comments for updates and corrections.

*** The Wild Wild West picture is from a great post about the evolution of exploit packs by Kahu Security: Wild Wild West Update



As usual, send your corrections and update lists.


Changes:
  • Eleonore 1.6.4
  • Eleonore 1.6.3a
  • Incognito
  • Blackhole
Go1Pack (not included) was reported as being a fake pack; here is a GUI screenshot. Here is a Threatpost article referencing it as used in an attack.
Also, here is another article claiming it is not a fake: http://community.websense.com/blogs/securitylabs/archive/2011/04/19/Mass-Injections-Leading-to-g01pack-Exploit-Kit.aspx
Go1 Pack CVEs are reportedly:
CVE-2006-0003
CVE-2009-0927
CVE-2010-1423
CVE-2010-1885

Does anyone have this pack or see it offered for sale?

Exploit kits I am planning to analyze and add (and/or find CVE listing for) are:

  • Open Source Exploit Kit
  • SALO
  • K0de

Legend: 
Black color entries by Francois Paget
Red color entries by Gunther
Blue color entries by Mila

Also, here is a great presentation by Ratsoul (Donato Ferrante) about Java Exploits (http://www.inreverse.net/?p=1687)

--------------------------------------------------------
9. April 5, 2011 Version 9 - ExploitPackTable_V9Apr11

It actually needs another update but I am posting it now and will issue version 10 as soon as I can.

Changes:
Phoenix 2.5
IFramer
Tornado
Bleeding life

Many thanks to Gunther for his contributions.
If you wish to add some, please send your info together with the reference links. Also, please feel free to send corrections if you notice any mistakes.






8. Update 8 Oct 22, 2010 Version 8 ExploitPackTable_V8Oct22-10

Changes: 
  1. Eleonore 1.4.4 Moded added (thanks to malwareint.blogspot.com)
  2. Correction on CVE-2010-0746 in Phoenix 2.2 and 2.3. It is a mistake and the correct CVE is CVE-2010-0886 (thanks to etonshell for noticing)
  3. SEO Sploit pack added (thanks to whsbehind.blogspot.com, evilcodecave.blogspot.com and blog.ahnlab.com)


7. Update 7 Oct 18, 2010 Version 7 ExploitPackTable_V7Oct18-10 released
Thanks to SecNiche we have updates for Phoenix 2.4 :)

We also added shorthand/slang/abbreviated names for exploits for easy matching of exploits to CVE in the future. Please send us more information re packs, exploit names that can be added in the list. Thank you!


6. Update 6 Sept 27, 2010 Version 6 ExploitPackTable_V6Sept26-10 released
Thanks to Francois Paget (McAfee) we have updates for Phoenix 2.2 and Phoenix 2.3


5. Update 5. Sept 27, 2010 Version 5 ExploitPackTable_V5Sept26-10 released
Added updates for Phoenix 2.1 and Crimepack 3.1.3


4. Update 4 July 23, 2010 Version 4 ExploitPackTable_V4Ju23-10 released. Added a new Russian exploit kit called Zombie Infection Kit to the table. Read more at malwareview.com
3. Update 3 July 7, 2010. Please read more about this on Brian Krebs' blog: Pirate Bay Hack Exposes User Booty
2. Update 2 June 27, 2010 Sorry, but Impassioned Framework is back where it belongs - blue
1. Update 1 June 24, 2010 The Eleonore 1.4.1 column was updated to include the correct list of the current exploits.

Francois Paget (www.avertlabs.com) kindly agreed to allow us to make additions to his Overview of Exploit Packs table published on Avertlabs (McAfee Blog).

Many thanks to Gunther from ARTeam for his help with the update. There are a few blanks and question marks; please do not hesitate to email me if you know the answer or if you see any errors.



The image below is a partial screenshot of the table (click to expand). Impassioned Framework is tentatively marked a different color because the author claims it is a security audit tool, not an exploit pack. However, no sufficient information has been provided yet to validate such claims, so the pack is temporarily marked a different color. We'll keep you posted.


16 comments:

  1. Phoenix Exploit's Kit v2.3. It was released in early July 2010 at a cost of USD 2.200.

    One of the most important changes in this release was PDF libtiff support, using an ASLR and DEP bypass, for the Adobe Reader PDF reader versions 8.0-9.3.0 on Windows Vista
    and Windows 7.

    • IE MDAC CVE-2006-0003
    • Adobe Flash 9 CVE-2007-0071
    • Adobe Flash 10 CVE-2009-1869
    • Adobe Reader CollectEmailInfo CVE-2007-5659
    • Adobe Reader util.printf CVE-2008-2992
    • Adobe Reader Collab GetIcon CVE-2009-0927
    • Adobe Reader newPlayer CVE-2009-4324
    • Adobe Reader LibTiff CVE-2010-0188
    • Adobe PDF SWF CVE-2010-1297
    • Adobe Reader/Foxit Reader PDF OPEN CVE-2009-0836
    • Java HsbParser.getSoundBank (GSB) CVE-2009-3867
    • Java Runtime Environment (JRE) CVE-2008-5353
    • Java SMB CVE-2010-0746
    • IE iepeers CVE-2010-0806
    • Windows Help Center (HCP) CVE-2010-1885
    • IE SnapShot Viewer ActiveX CVE-2008-2463 optional

  2. Highly appreciate your efforts to provide this valuable table and keep it up-to-date.

    Thank you.

    I'd found http://ratnetw0rk.blogspot.com/ doing a similar effort - look out for the "CVE Exploit Kit list" on the right. Maybe you guys should team up if you haven't already.

  3. The libtiff DEP bypass wasn't included until late July in Phoenix.

  4. Here is the XLS in Google Docs:

    https://spreadsheets.google.com/ccc?key=txCKbjxeFWCpd4tprRHmzOg&hl=en#gid=0

    I was curious as to the price of these exploit packs?

  5. Mila,

    Do you know any "An overview of botnets" that anyone is tracking/keeping anywhere? I'd love to have something like this for the various botnets currently out there.

  6. Mila,

    Do you expect to add the Blackhole exploit kit to the list?

    http://research.zscaler.com/2011/04/uspsgov-website-infected-with-blackhole.html

  7. Websense outlines the list of exploits in the Blackhole Exploit Kit(Feb 2011)

    http://community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx

    List is near the bottom of the blog post.

  8. INCOGNITO
    CVE-2004-0549
    CVE-2007-5659/2008-0655
    CVE-2008-2992
    CVE-2009-0927
    CVE-2009-4324
    CVE-2010-0842
    CVE-2010-0886
    CVE-2010-1885


    BLACKHOLE
    CVE-2006-0003
    CVE-2007-5659/2008-0655
    CVE-2008-2992
    CVE-2009-0927
    CVE-2009-1671
    CVE-2010-0840
    CVE-2010-0842
    CVE-2010-0886
    CVE-2010-1423
    CVE-2010-1885


    -Tex-

  9. G01PACK
    CVE-2006-0003
    CVE-2009-0927
    CVE-2010-1423
    CVE-2010-1885

    -Tex-

  10. CVE-2010-0806 (IEPeers) in Blackhole v1.1.0 is missing from Update 12.

    Source: http://scriptkiddiesec.blogspot.com/2011/05/black-hole-exploit-kit-110.html

  11. Ohhh my mistake. IEPeers was removed from v1.1.0, which means it was in v1.0.x most likely. That fact is missing from the XLS.

    See Blackhole Release Notes near end of entry: http://scriptkiddiesec.blogspot.com/2011/05/black-hole-exploit-kit-110.html

  12. Really great blog. My friends referred me your site. Looks like everyone knows about it. I'm going to read your other posts. Take care. Keep sharing.

  13. Hello friend, 2 more sources came up.
    The news came out on Twitter and I looked at these packs :).....
    Captures:
    http://img101.imageshack.us/img101/120/buscando.png
    http://img90.imageshack.us/img90/1226/notforsale.png

    http://www.youtube.com/watch?v=KRMz5wNSMWA&feature=player_embedded

    http://www.youtube.com/watch?v=888zyBQALqc&feature=player_embedded

  14. Ha, these are great videos and info, thanks :D

  15. Hi Mila, good work collecting the exploit kits.
    I'm not trying to be childish, but I can't open the xls file for "The full table in xls format - Version 14", so I re-edited that xls in a text editor to review its data, like below:
    https://lh3.googleusercontent.com/-Y0vyRB4EPIw/Tx1QFF89OhI/AAAAAAAADR4/8Buo2rEij2M/s506/002.jpg
    Kinda hard, so it would be appreciated if you could save the xls as CSV? Thanks!
