2007-12-07

Neosploit exploit toolkit

The Neosploit toolkit is an advanced exploit framework to compromise web site visitors. It was written by "grabarz". It is unknown if this is a group or an individual. There's some information which suggests it is an individual.

It's not as popular as the Mpack toolkit but is gaining popularity steadily. It was written in the C language and is used as a CGI script. It can support multiple users from the same script. The exploit code will be the same from all users but the delivered executables can be different.

Like other toolkits, this one provides various statistics too. Instead of using a database to store them, Neosploit uses several files with specific internal structures. The following information about the visitor is logged: Operating System, Web browser and its version, IP address, and the Referer.

Delivered exploit code is obfuscated using a custom JavaScript decoding function. The function name and all local variables are random in order to avoid detection by Network IDS. Often, several layers of obfuscation with anti-decoding tricks are used to deter the faint-hearted.
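Random names defeat signatures that match literal identifiers, so one defensive answer is to fingerprint the decoder's structure instead. The following is an added example, not code from the toolkit or from this post: `skeleton`, `fingerprint` and both sample decoders are constructed for illustration, and the sketch assumes the script contains no comments or regex literals.

```javascript
// Added example: fingerprint a JavaScript decoder by structure, not by names.
const KEEP = new Set([
  // language keywords
  "function", "var", "for", "while", "if", "else", "return", "new",
  // built-in names, identical across samples unless the script aliases them
  "String", "fromCharCode", "charCodeAt", "length", "eval", "unescape",
]);

// strings | hex or decimal numbers | identifiers | whitespace | any other char
const TOKEN = /"(?:[^"\\]|\\.)*"|'(?:[^'\\]|\\.)*'|0[xX][0-9a-fA-F]+|\d+|[A-Za-z_$][\w$]*|\s+|\S/g;

function skeleton(src) {
  const renamed = new Map(); // original identifier -> positional placeholder
  const out = [];
  for (const tok of src.match(TOKEN) || []) {
    if (/^\s/.test(tok)) continue;                 // layout is irrelevant
    if (/^["']/.test(tok)) out.push("S");          // payload strings vary
    else if (/^\d/.test(tok)) out.push("N");       // keys and offsets vary
    else if (/^[A-Za-z_$]/.test(tok) && !KEEP.has(tok)) {
      if (!renamed.has(tok)) renamed.set(tok, "v" + renamed.size);
      out.push(renamed.get(tok));                  // v0, v1, ... in order of first use
    } else out.push(tok);                          // keywords, built-ins, punctuation
  }
  return out.join(" ");
}

// 32-bit FNV-1a, used here only to get a short, dependency-free identifier.
function fnv1a(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, "0");
}

function fingerprint(src) {
  return fnv1a(skeleton(src));
}

// Constructed samples: the same harmless XOR string decoder with different
// random names and keys, plus an unrelated function for contrast.
const sampleA = 'function qZxv(kPw){var rT="";for(var i3=0;i3<kPw.length;i3++){rT+=String.fromCharCode(kPw.charCodeAt(i3)^7);}return rT;}';
const sampleB = 'function mLbe(a9){var Yh="";for(var c=0;c<a9.length;c++){Yh+=String.fromCharCode(a9.charCodeAt(c)^23);}return Yh;}';
const sampleC = 'function add(a,b){return a+b;}';
```

`fingerprint(sampleA)` and `fingerprint(sampleB)` are equal even though no identifier or key is shared, while `sampleC` yields a different skeleton. Each additional obfuscation layer has to be unwrapped before the inner decoder can be fingerprinted this way.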

The toolkit's URL scheme is designed in a way that prevents the curious from obtaining the executables, even if the same one is used from previous exploits.

Perhaps the reason for its slow adoption is its high price. It ranges, depending on version, from $1500 to $3000. The common version seen in the wild today is 1.5.x, with 2.0.x in beta. The first detected version was 1.0.x, early this year.

More in-depth analysis will follow.

6 comments:

iD said...

Hello,

I'm interested in buying the newest version of NeoSploit. Any tips how/where to contact the author?

-=[ dxp ]=- said...

Sure,

Use your favorite search engine with specific keywords.

iD said...

That's what I did -=[ dxp ]=-
Please get me into contact with him.

My msn is iD@uNkn0wn.eu

-=[ dxp ]=- said...

Then your search wasn't thorough enough.

I will not discuss this subject here anymore. Also, your intent is not clear.

Like I said before, seek and you shall find.

iD said...

Well, I'm not from Russia and also not that much into webtoolkits like NeoSploit. I just wanna buy it to do some new ideas I got..

Well dude, what do you want to get me in contact with him?

My icq is: 243970646

Hex´nHash said...

OMG a scriptkid! ^^