Download Crimepack 3.1.3 Deny IP list CrimepackDenyiplist.txt
Download deny ip list as is, without whois info
Please note that I am not the owner of the exploit pack and will not post any files for the download. Thank you ~ Mila
Update 2 Sept 29
The cryptor.php, which is the pdf builder, indeed contains enough code to build a malicious pdf for the last Adobe zero day CVE-2010-2883. However, it appears to be work in progress and not a fully implemented feature. Will post more information as it becomes available.
Update 1 Sept 27
Percy Sabourin @Garlandors pointed out that one piece of code was taken from the Metasploit exploit for the "Cooltype" Adobe 0 day CVE-2010-2883, which became public on Sept. 9, 2010. See the last screenshot and the code below this paragraph. The code indeed looks the same; we first thought it was only for the content part of the pdf, but at this time it is not clear whether the pdf generator would actually generate a working pdf exploit using this vulnerability CVE-2010-2883. There are no corresponding ini or php files in the pack either. Also, nearly all php files in the pack are encrypted with the ionCube encoder.
Also, it means the pack, or at least cryptor.php, was produced during the period Sept 9-21, 2010.
$PDFFile .= self::rndSeparators("<>",0);
$PDFFile .= self::rndSeparators("endobj",0);
$PDFFile .= self::rndSeparators("8 0 obj ",0);
$PDFFile .= self::rndSeparators("<>",0);
$PDFFile .= self::rndSeparators("stream",0);
$PDFFile .= self::rndSeparators("0 g BT /F7 32 Tf 32 Tc 1 0 0 1 32 773.872 Tm (Hello World!) Tj ET",0);
$PDFFile .= self::rndSeparators("endstream",0);
$PDFFile .= self::rndSeparators("endobj",0);
$PDFFile .= self::rndSeparators("9 0 obj ",0);
$PDFFile .= self::rndSeparators("<>",0);
$PDFFile .= self::rndSeparators("endobj",0);
Crimepack 3.1.3 Java exploit analysis is available at InReverse.net by Donato 'ratsoul' Ferrante
Crimepack 3.1.3 – checking vital signs
Crimepack 3.1.3 Deny IP list
(to prevent analysis and detection by security companies and ISPs)
Crimepack 3.1.3 includes 15 exploits listed below.
001
name="mdac"
desc="IE6 COM CreateObject Code Execution"
CVE-2006-0003 - MS06-014 for IE6/Microsoft Data Access Components (MDAC) Remote Code Execution
002
name="msiemc"
desc="IE7 Uninitialized Memory Corruption"
CVE-2009-0075/0076 - MS09-002 - IE7 Memory Corruption
003
name="javagetval"
desc="Java getValue Remote Code Execution"
CVE-2010-0840 Java Trusted Method Chaining
004
name="javanew"
desc="JRE 'WebStart' RCE"
CVE-2010-1423 - Java Deployment Toolkit Remote Argument Injection Vulnerability
005
name="javaold"
desc="Java Deserialize"
CVE-2008-5353 - Java JRE Calendar Deserialize
006
name="hcp"
desc="Microsoft Help & Support Centre"
CVE-2010-1885 - Help Center URL Validation Vulnerability
007
name="iepeers"
desc="IEPeers Remote Code Execution"
CVE-2010-0806 - IEPeers Remote Code Execution
008
name="pdfexpl"
desc="PDF Exploits (collectEmailInfo, getIcon, util.printf)"
CVE-2008-2992 - PDF Exploit - util.printf
CVE-2009-0927 - PDF Exploit - Collab.getIcon
CVE-2007-5659/2008-0655 - PDF Exploit - Collab.collectEmailInfo
009
name="opera"
desc="Opera TN3270"
CVE-2009-3269 - Telnet for Opera TN3270
010
name="aol"
desc="AOL Radio AmpX Buffer Overflow"
CVE-2007-5755 - AOL Radio AmpX Buffer Overflow
011
name="iexml"
desc="Internet Explorer 7 XML Exploit"
CVE-2008-4844 - Internet Explorer 7 XML Exploit
012
name="firefoxdiffer"
desc="Firefox 3.5/1.4/1.5 exploits"
CVE-2009-0355 - Firefox - Components/sessionstore/src/nsSessionStore.js
013
name="spreadsheet"
desc="OWC Spreadsheet Memory Corruption"
CVE-2009-1136 - MS09-043 - IE OWC Spreadsheet ActiveX control Memory Corruption
The following exploits that were present in the previous versions were removed:
CVE-2008-2463 - MS08-041 - MS Access Snapshot Viewer
CVE-2009-3867 - Java Runtime Env. getSoundBank Stack BOF
CVE-2010-0188 PDF Exploit - LibTiff Integer Overflow
PDF Generator
This version of the exploit pack does not include many pdf exploits, only three older ones using the following vulnerabilities.
CVE-2008-2992 - PDF Exploit - util.printf
CVE-2009-0927 - PDF Exploit - Collab.getIcon
CVE-2007-5659/2008-0655 - PDF Exploit - Collab.collectEmailInfo
However, it includes a pdf exploit builder/generator, cryptor.php, which generates malicious pdfs on the fly with a different MD5 hash value for each victim.
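Per-victim hash variation of this kind defeats hash blocklists but not structural inspection. The Python below is an added example written for this post, not code from the kit or from the author: it constructs two sample PDFs that differ only in the separator bytes placed between objects (the role the rndSeparators calls play in the cryptor.php fragment above), shows that their raw MD5 differs while a whitespace-normalized digest is identical, and flags a document by what it contains rather than by hash: a JavaScript action (after decoding PDF name hex escapes such as /J#53) and the API identifiers the three listed exploits rely on, including inside FlateDecode-compressed streams. The API list, the sample documents and the inert util.printf call in them are constructed here, not taken from the pack.

```python
import hashlib
import re
import zlib
from typing import Optional

# JavaScript API identifiers tied to the three PDF vulnerabilities the pack
# still carries (CVE-2008-2992 util.printf, CVE-2009-0927 Collab.getIcon,
# CVE-2007-5659/2008-0655 Collab.collectEmailInfo). Detection keys on these
# identifiers and on document structure, not on file hashes.
SUSPICIOUS_APIS = (b"util.printf", b"Collab.getIcon", b"Collab.collectEmailInfo")
JS_NAMES = (b"/JavaScript", b"/JS")

NAME_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
STREAM_RE = re.compile(rb"\bstream\r?\n(.*?)endstream", re.DOTALL)
WHITESPACE = re.compile(rb"[ \t\r\n\f\x00]+")


def decode_name_escapes(data: bytes) -> bytes:
    """Resolve PDF name hex escapes (/J#53 -> /JS) so an escaped name cannot
    slip past a substring search. Applied to the whole buffer as a
    simplification; the result is only used for searching."""
    return NAME_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def inflate_streams(data: bytes) -> bytes:
    """Concatenate every stream body, inflating those that are zlib-compressed
    (/FlateDecode). decompressobj tolerates the newline that precedes the
    endstream keyword; bodies that are not zlib data are kept as-is."""
    out = []
    for m in STREAM_RE.finditer(data):
        body = m.group(1)
        try:
            out.append(zlib.decompressobj().decompress(body))
        except zlib.error:
            out.append(body)
    return b"\n".join(out)


def normalized_digest(data: bytes) -> str:
    """SHA-256 over the file with each whitespace run collapsed to one space:
    variants that differ only in separator padding share this digest."""
    return hashlib.sha256(WHITESPACE.sub(b" ", data)).hexdigest()


def scan_pdf(data: bytes) -> dict:
    """Structural scan: decode escaped names, inflate streams, then look for a
    JavaScript action and for the exploit-associated API identifiers."""
    names_decoded = decode_name_escapes(data)
    searchable = decode_name_escapes(data + b"\n" + inflate_streams(data))
    has_js = any(name in names_decoded for name in JS_NAMES)
    apis = sorted(api.decode() for api in SUSPICIOUS_APIS if api in searchable)
    return {
        "raw_md5": hashlib.md5(data).hexdigest(),
        "normalized_sha256": normalized_digest(data),
        "has_javascript": has_js,
        "suspicious_apis": apis,
        "verdict": "suspicious" if has_js and apis else "clean",
    }


def build_sample(js: Optional[bytes] = None, separator: bytes = b"\n") -> bytes:
    """Construct a minimal test PDF (sample data for this example, not kit
    output). `separator` goes between objects and plays the role of the
    kit's rndSeparators padding. When `js` is given it is stored as a
    FlateDecode stream reached through /OpenAction, with the action's names
    hex-escaped to exercise decode_name_escapes."""
    content = b"0 g BT /F7 32 Tf 32 Tc 1 0 0 1 32 773.872 Tm (Hello World!) Tj ET"
    catalog = b"1 0 obj << /Type /Catalog /Pages 2 0 R"
    if js is not None:
        catalog += b" /OpenAction 5 0 R"
    objs = [
        catalog + b" >> endobj",
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj",
        b"3 0 obj << /Type /Page /Parent 2 0 R /Contents 4 0 R >> endobj",
        b"4 0 obj << /Length %d >>\nstream\n%s\nendstream\nendobj" % (len(content), content),
    ]
    if js is not None:
        packed = zlib.compress(js)
        objs.append(b"5 0 obj << /S /Java#53cript /J#53 6 0 R >> endobj")
        objs.append(b"6 0 obj << /Length %d /Filter /FlateDecode >>\nstream\n%s\nendstream\nendobj"
                    % (len(packed), packed))
    return b"%PDF-1.4\n" + separator.join(objs) + b"\ntrailer << /Root 1 0 R >>\n%%EOF\n"


if __name__ == "__main__":
    # Same document, two separator choices: raw hashes differ, verdict does not.
    variant_a = build_sample(b'util.printf("sample");')
    variant_b = build_sample(b'util.printf("sample");', separator=b" \r\n\t ")
    for label, doc in (("benign", build_sample()), ("variant_a", variant_a), ("variant_b", variant_b)):
        print(label, scan_pdf(doc))
```

The normalized digest is only a convenience for clustering padded variants; the detection decision rests on the decoded names and inflated streams, which is the part a per-victim separator shuffle cannot change.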
Please read a bit more at InReverse.net
We will post additional information if it becomes available. If you have links to any analysis publications for this version, please send them and we will add them.