Sunday, September 26, 2010

Crimepack 3.1.3 Exploit kit info

Download the Crimepack 3.1.3 deny IP list: CrimepackDenyiplist.txt

Download the deny IP list as is, without WHOIS info

Please note that I am not the owner of the exploit pack and will not post any files for download. Thank you ~ Mila

Update 2, Sept 29
The cryptor.php file, which is the PDF builder, does contain enough code to build a malicious PDF for the latest Adobe zero-day, CVE-2010-2883. However, it appears to be a work in progress and not a fully implemented feature. We will post more information as it becomes available.

Update 1, Sept 27: Percy Sabourin (@Garlandors) pointed out that one piece of code was taken from the Metasploit exploit for the "CoolType" Adobe 0-day CVE-2010-2883, which became public on Sept. 9, 2010. See the last screenshot and the code below this paragraph. The code indeed looks the same; we first thought it was only for the content part of the PDF, but at this time it is not clear whether the PDF generator would actually produce a working PDF exploit for CVE-2010-2883. There are no corresponding ini or php files in the pack either. Also, nearly all php files in the pack are encrypted with the ionCube encoder.

This also means the pack, or at least cryptor.php, was produced during the period Sept 9-21, 2010.

        $PDFFile .= self::rndSeparators("<>",0);
        $PDFFile .= self::rndSeparators("endobj",0);
        $PDFFile .= self::rndSeparators("8 0 obj ",0);
        $PDFFile .= self::rndSeparators("<>",0);
        $PDFFile .= self::rndSeparators("stream",0);
        $PDFFile .= self::rndSeparators("0 g BT /F7 32 Tf 32 Tc 1 0 0 1 32 773.872 Tm (Hello World!) Tj   ET",0);
        $PDFFile .= self::rndSeparators("endstream",0);
        $PDFFile .= self::rndSeparators("endobj",0);
        $PDFFile .= self::rndSeparators("9 0 obj ",0);
        $PDFFile .= self::rndSeparators("<>",0);
        $PDFFile .= self::rndSeparators("endobj",0);

A Crimepack 3.1.3 Java exploit analysis by Donato 'ratsoul' Ferrante is available at:
Crimepack 3.1.3 – checking vital signs

Crimepack 3.1.3 Deny IP list
(intended to prevent analysis and detection by security companies and ISPs)

Crimepack 3.1.3 includes 15 exploits listed below. 

desc="IE6 COM CreateObject Code Execution"
CVE-2006-0003 - MS06-014 - IE6/Microsoft Data Access Components (MDAC) Remote Code Execution

desc="IE7 Uninitialized Memory Corruption"
CVE-2009-0075/0076 - MS09-002 - IE7 Memory Corruption

desc="Java getValue Remote Code Execution"
CVE-2010-0840 - Java Trusted Method Chaining

desc="JRE 'WebStart' RCE"
CVE-2010-1423 - Java Deployment Toolkit Remote Argument Injection Vulnerability

desc="Java Deserialize"
CVE-2008-5353 - Javad0 - JRE Calendar Java Deserialize

desc="Microsoft Help & Support Centre"
CVE-2010-1885 - Help Center URL Validation Vulnerability

desc="IEPeers Remote Code Execution"
CVE-2010-0806 - IEPeers Remote Code Execution

desc="PDF Exploits (collectEmailInfo, getIcon, util.printf)"
CVE-2008-2992 - PDF Exploit - util.printf
CVE-2009-0927 - PDF Exploit - collab.getIcon
CVE-2007-5659/2008-0655 - PDF Exploit - collab.collectEmailInfo

desc="Opera TN3270"
CVE-2009-3269 - Telnet for Opera TN3270

desc="AOL Radio AmpX Buffer Overflow"
CVE-2007-5755 - AOL Radio AmpX Buffer Overflow

desc="Internet Explorer 7 XML Exploit"
CVE-2008-4844 - Internet Explorer 7 XML Exploit

desc="Firefox 3.5/1.4/1.5 exploits"
CVE-2009-0355 - Firefox - Components/sessionstore/src/nsSessionStore.js

desc="OWC Spreadsheet Memory Corruption"
CVE-2009-1136 - MS09-043 - IE OWC Spreadsheet ActiveX control Memory Corruption

The following exploits, present in previous versions, were removed:
CVE-2008-2463 - MS08-041 - MS Access Snapshot Viewer
CVE-2009-3867 - Java Runtime Env. getSoundBank Stack BOF
CVE-2010-0188 - PDF Exploit - LibTiff Integer Overflow

PDF Generator
This version of the exploit pack does not include many PDF exploits, only the three older ones using the following vulnerabilities.
CVE-2008-2992 - PDF Exploit - util.printf
CVE-2009-0927 - PDF Exploit - collab.getIcon
CVE-2007-5659/2008-0655 - PDF Exploit - collab.collectEmailInfo

However, it includes a PDF exploit builder/generator, cryptor.php, which generates malicious PDFs on the fly so that each victim receives a file with a different MD5 hash.
Please read a bit more at
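Because every generated PDF carries a different MD5, matching on file hashes alone misses the output of a builder like this. The Python example below is added for this post (it is not code from Crimepack or from the original article) and shows how collapsing the whitespace that a random-separator builder inserts between PDF tokens yields one stable fingerprint across variants; the two PDF fragments are constructed samples, not captured files.

```python
import hashlib
import re

# Two constructed fragments of the same PDF object (not captured Crimepack output):
# the tokens are identical, only the separators between them differ, which is the
# kind of per-victim variation a random-separator builder produces.
VARIANT_A = (b"8 0 obj\n<< /Length 37 >>\nstream\n"
             b"0 g BT /F7 32 Tf (Hello World!) Tj ET\nendstream\nendobj\n")
VARIANT_B = (b"8 0 obj \r\n\r\n<<  /Length 37  >>   \nstream\n"
             b"0 g BT /F7 32 Tf (Hello World!) Tj ET\nendstream \n\n endobj\n")

# PDF whitespace characters (NUL, TAB, LF, FF, CR, SPACE) and a stream body.
_WS = re.compile(rb"[\x00\t\n\x0c\r ]+")
_STREAM = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)


def normalize_pdf(data: bytes) -> bytes:
    """Collapse whitespace runs between tokens outside stream bodies.

    Stream bodies are kept byte-for-byte, since whitespace there can be
    meaningful (and compressed streams must not be touched at all).
    Limitation: 'obj<<' and 'obj <<' are not merged; a full PDF tokenizer
    would handle that at the cost of more code.
    """
    parts = []
    pos = 0
    for m in _STREAM.finditer(data):
        parts.append(_WS.sub(b" ", data[pos:m.start()]).strip())
        parts.append(b"\nstream\n" + m.group(1) + b"\nendstream\n")
        pos = m.end()
    parts.append(_WS.sub(b" ", data[pos:]).strip())
    return b"".join(parts)


def raw_md5(data: bytes) -> str:
    """Hash of the file as delivered: differs for every variant."""
    return hashlib.md5(data).hexdigest()


def normalized_md5(data: bytes) -> str:
    """Hash after normalization: identical for layout-only variants."""
    return hashlib.md5(normalize_pdf(data)).hexdigest()


if __name__ == "__main__":
    for name, blob in (("A", VARIANT_A), ("B", VARIANT_B)):
        print(name, raw_md5(blob), normalized_md5(blob))
```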

We will post additional information if it becomes available. If you have links to any analysis publications for this version, please send them and we will add them.
