
Sunday, September 26, 2010

Crimepack 3.1.3 Exploit kit info


Download Crimepack 3.1.3 Deny IP list: CrimepackDenyiplist.txt

Download the deny IP list as is, without whois info



Please note that I am not the owner of the exploit pack and will not post any of its files for download. Thank you ~ Mila
Update 2, Sept 29
The cryptor.php file, which is the PDF builder, does contain enough code to build a malicious PDF for the latest Adobe zero day, CVE-2010-2883. However, it appears to be work in progress rather than a fully implemented feature. I will post more information as it becomes available.

Update 1, Sept 27: Percy Sabourin (@Garlandors) pointed out that one piece of code was taken from the Metasploit exploit for the "CoolType" Adobe 0-day CVE-2010-2883, which became public on Sept. 9, 2010. See the last screenshot and the code below this paragraph. The code does look the same. We first thought it was only used for the content part of the PDF, but at this time it is not clear whether the PDF generator would actually produce a working exploit for CVE-2010-2883. There are no corresponding ini or php files for it in the pack either. Also, nearly all php files in the pack are encrypted with the ionCube encoder.

It also means that the pack, or at least crypter.php, was produced during the period Sept 9-21, 2010.

        $PDFFile .= self::rndSeparators("<>",0);
        $PDFFile .= self::rndSeparators("endobj",0);
        $PDFFile .= self::rndSeparators("8 0 obj ",0);
        $PDFFile .= self::rndSeparators("<>",0);
        $PDFFile .= self::rndSeparators("stream",0);
        $PDFFile .= self::rndSeparators("0 g BT /F7 32 Tf 32 Tc 1 0 0 1 32 773.872 Tm (Hello World!) Tj   ET",0);
        $PDFFile .= self::rndSeparators("endstream",0);
        $PDFFile .= self::rndSeparators("endobj",0);
        $PDFFile .= self::rndSeparators("9 0 obj ",0);
        $PDFFile .= self::rndSeparators("<>",0);
        $PDFFile .= self::rndSeparators("endobj",0);

Crimepack 3.1.3 Java exploit analysis is available at InReverse.net by Donato 'ratsoul' Ferrante
Crimepack 3.1.3 – checking vital signs

Crimepack 3.1.3 Deny IP list
(used to prevent analysis and detection by security companies and ISPs)




Crimepack 3.1.3 includes 15 exploits listed below. 

001
name="mdac"
desc="IE6 COM CreateObject Code Execution"
CVE-2006-0003 - MS06-014 - IE6 / Microsoft Data Access Components (MDAC) Remote Code Execution

002
name="msiemc"
desc="IE7 Uninitialized Memory Corruption"
CVE-2009-0075/0076 - MS09-002 - IE7 Memory Corruption

003
name="javagetval"
desc="Java getValue Remote Code Execution"
CVE-2010-0840 Java Trusted Method Chaining

004
name="javanew"
desc="JRE 'WebStart' RCE"
CVE-2010-1423 - Java Deployment Toolkit Remote Argument Injection Vulnerability

005
name="javaold"
desc="Java Deserialize"
CVE-2008-5353 - Javad0 - JRECalendar - Java Deserialize

006
name="hcp"
desc="Microsoft Help & Support Centre"
CVE-2010-1885 - Help Center URL Validation Vulnerability

007
name="iepeers"
desc="IEPeers Remote Code Execution"
CVE-2010-0806 - IEPeers Remote Code Execution

008
name="pdfexpl"
desc="PDF Exploits (collectEmailInfo, getIcon, util.printf)"
CVE-2008-2992 - PDF Exploit - util.printf
CVE-2009-0927 - PDF Exploit - collab.getIcon
CVE-2007-5659/2008-0655 - PDF Exploit - collab.collectEmailInfo

009
name="opera"
desc="Opera TN3270"
CVE-2009-3269 - Telnet for Opera TN3270

010
name="aol"
desc="AOL Radio AmpX Buffer Overflow"
CVE-2007-5755 - AOL Radio AmpX Buffer Overflow 

011
name="iexml"
desc="Internet Explorer 7 XML Exploit"
CVE-2008-4844 - Internet Explorer 7 XML Exploit 

012
name="firefoxdiffer"
desc="Firefox 3.5/1.4/1.5 exploits"
CVE-2009-0355 - Firefox - Components/sessionstore/src/nsSessionStore.js 

013
name="spreadsheet"
desc="OWC Spreadsheet Memory Corruption"
CVE-2009-1136 - MS09-043 - IE OWC Spreadsheet ActiveX control Memory Corruption
 

The following exploits that were present in the previous versions were removed:
CVE-2008-2463 - MS08-041 - MS Access Snapshot Viewer
CVE-2009-3867 - Java Runtime Env. getSoundBank Stack BOF
CVE-2010-0188 - PDF Exploit - LibTiff Integer Overflow

PDF Generator
This version of the exploit pack does not include many PDF exploits, only three older ones that use the following vulnerabilities:
CVE-2008-2992 - PDF Exploit - util.printf
CVE-2009-0927 - PDF Exploit - collab.getIcon
CVE-2007-5659/2008-0655 - PDF Exploit - collab.collectEmailInfo


However, it includes a PDF exploit builder, the generator cryptor.php, which produces malicious PDFs on the fly so that each victim receives a file with a different MD5 hash.
Please read a bit more at InReverse.net.
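Because the builder hands every victim a file with a different MD5, a blocklist keyed on file hashes never matches twice. The following is an added example, not code from the pack or from the post: it assumes (based only on the rndSeparators() calls in the snippet above) that the builder varies just the whitespace between PDF tokens, and shows how a defender can normalize those separators to get a structural hash that stays constant across the per-victim variants. The PDF skeleton, the variant generator and the separator set are all constructed here for illustration; build_variant() is a stand-in, not the real generator.

```python
"""Structural (separator-normalized) hashing of polymorphic PDF files.

Added example. Assumption: the generator randomizes only the run of
whitespace/separators between PDF tokens, as the rndSeparators() name
suggests, so collapsing whitespace recovers a stable fingerprint.
"""
import hashlib
import random
import re

# Constructed PDF skeleton modelled on the object layout in the snippet.
# It is not an exploit; it is a harmless "Hello World!" text object.
TOKENS = [
    "%PDF-1.4",
    "8 0 obj", "<<", "/Length 60", ">>", "stream",
    "0 g BT /F7 32 Tf 32 Tc 1 0 0 1 32 773.872 Tm (Hello World!) Tj ET",
    "endstream", "endobj",
    "9 0 obj", "<<", ">>", "endobj",
    "%%EOF",
]

# PDF white-space characters a separator-randomizing builder might mix in
# (the real pack's separator set is unknown; this is a constructed guess).
SEPARATOR_CHARS = " \t\r\n"

# ISO 32000 white-space set: NUL, TAB, LF, FF, CR, SPACE.
_PDF_WHITESPACE = re.compile(rb"[\x00\t\n\x0c\r ]+")


def build_variant(seed: int) -> bytes:
    """Stand-in for a per-victim builder: same tokens, random separators.

    Each seed yields a byte-different file, so each has its own MD5.
    """
    rng = random.Random(seed)
    parts = []
    for tok in TOKENS:
        sep = "".join(rng.choice(SEPARATOR_CHARS) for _ in range(rng.randint(1, 6)))
        parts.append(tok + sep)
    return "".join(parts).encode("latin-1")


def normalize_pdf(data: bytes) -> bytes:
    """Collapse every run of PDF white space to a single space and trim."""
    return _PDF_WHITESPACE.sub(b" ", data).strip()


def md5_hex(data: bytes) -> str:
    """Plain file hash: changes with every separator permutation."""
    return hashlib.md5(data).hexdigest()


def structural_hash(data: bytes) -> str:
    """Hash of the normalized token stream: stable across variants."""
    return hashlib.sha256(normalize_pdf(data)).hexdigest()


def cluster_by_structure(samples):
    """Group raw PDF samples by structural hash.

    Returns {structural_hash: [md5 of each member]} so an analyst can see
    that N distinct MD5s are really one generated family.
    """
    groups = {}
    for data in samples:
        groups.setdefault(structural_hash(data), []).append(md5_hex(data))
    return groups


if __name__ == "__main__":
    samples = [build_variant(s) for s in range(5)]
    for g, members in cluster_by_structure(samples).items():
        print(f"structural {g[:16]}... covers {len(members)} MD5s:")
        for m in members:
            print("   ", m)
```

Run stand-alone it prints one structural hash covering five distinct MD5s. In practice you would feed cluster_by_structure() the raw PDFs captured from the landing page rather than the constructed variants, and key alerts on the structural hash (or on the normalized token stream itself) instead of the MD5 that the builder changes per download.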




We will post additional information if it becomes available. If you have links to any analysis publications for this version, please send them and we will add them.


