2008-08-23

le fiesta - another exploit pack



This is yet another web based exploit pack which utilizes PHP and SQL. Overall, it's similar to the other PHP based packs except here the file structure is much more compact, not that it really matters, and it's less smart about serving out exploits (not loaders) to already visited victims.

Uses two layers of encryption/obfuscation via Javascript with random function and variable names upon each visit. Here's a rough list of included exploits:

COM objects
(see metasploit)

"?spl=com"
EC444CB6-3E7E-4865-B1C3-0DE72EF39B3F CreateControlRange

"?spl=vml2"
DirectAnimation.PathControl

"?spl=wfi"
WebViewFolderIcon.WebViewFolderIcon.1 setSlice()

"?spl=zango1"
8C875948-9C60-4381-9248-0DF180542D53 DownloadAndExec()

"?spl=zango2"
BFC08CFF-C737-4433-BD5A-0EE7EFCFEE54 DownloadAndExec()

"?spl=myspace"
48DD0448-9209-4F81-9F6D-D83562940134

"?spl=ymj"
5F810AFC-BB5F-4416-BE63-E01DD117BD6C AddImage()

"?spl=buddy"
Sb.SuperBuddy.1 LinkSBIcons()



The ?spl= parameter will be passed to "load.php" which will update statistics of each exploit.

No comments: