Malware Domain List
Malware Related => Tools of the trade / Internet News => Topic started by: SysAdMini on February 20, 2009, 07:06:26 am
-
http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20090219
-
hxxp://dump.vicp.cc/l/a.bin - URL from the same 0day, I suppose...
-
C&C on religion.xicp.net and religion.8866.org? Japan? WTF ???
-
http://vrt-sourcefire.blogspot.com/2009/02/have-nice-weekend-pdf-love.html
-
Homebrew patch for Adobe AcroReader 9
http://vrt-sourcefire.blogspot.com/2009/02/homebrew-patch-for-adobe-acroreader-9.html
-
Has anybody seen a working version of this? Very interesting to see.
-
Targeted PDFs Used as Exploits
https://forums.symantec.com/t5/blogs/blogarticlepage/blog-id/vulnerabilities_exploits/article-id/188
-
milw0rm POCs:
http://milw0rm.com/exploits/8090
http://milw0rm.com/exploits/8099
I think that attacks will soon follow, now that the POC is public.
-
Thanks WIEx for the links ;)
-
it's a DoS exploit
-
but it works under 9 ;)
-
it only crashes the application)
-
the new payload for me... pdf md5: 8AE719CDD29F0E6AF4D4DD321CC40355
...
// Heap spray (excerpt): grow each string by doubling, then trim to just under 0x100000 bytes
while (pointers.length<=0x100000/2)pointers+=pointers
pointers=pointers.substring(0,0x100000/2-32/2-4/2-pointers1.length-2/2)
while (nop.length<=0x100000/2)nop+=nop
nop=nop.substring(0,0x100000/2-32/2-4/2-jmp.length-2/2)
var x=new Array()
// 150 blocks of NOP sled + shellcode ...
for (i=0 ; i<150 ; i++)
{
x[i]=nop+shellcode
}
// ... followed by 51 blocks of pointer data
for ( ; i<201 ; i++)
{
x[i]=pointers+pointers1
}
return x
...
(http://img10.imageshack.us/img10/5553/pdfjs.jpg)
load from
http://202.67.215.110/caonimabi.exe
(http://www.robtex.com/dot/202.67.215.110,202.67.215.0/24,AS4645,olympic-2012.org,uyghurameircan.com,winupdate.crackcode.net!1AS2,0NET1,3A0,4A0,5A0!2.png)
This IP is well known from several malware samples, e.g. http://www.threatexpert.com/report.aspx?md5=39376f28624e3de9e23d6fd57235b42e
-
it only crashes the application)
u do not know the secret :D
-
it only crashes the application)
Yes, I said that this is a POC (proof of concept) exploit
-
Serg, thx, good work:)
-
Serg, thx, good work:)
Ur welcome)
WIEx r u from opensc.ws? :-\ and r ur icq 274734*?
-
WIEx r u from opensc.ws?
No, Only as a spectator)
and r ur icq 274734*?
no:)
-
Adobe Acrobat pdf 0-day exploit, No JavaScript needed
https://isc.sans.org/diary.html?storyid=5926
http://secunia.com/blog/44/
-
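The "no JavaScript needed" reports above change what a scanner has to look for: JavaScript with a heap spray is the common packaging, but the JBIG2 stream alone is the trigger. The following is an added example (not code from this thread or from any tool it links) of a static triage pass that reports the /JBIG2Decode filter and the heap-spray JavaScript markers separately, so a file is still flagged when the JavaScript is absent. The sample PDFs it builds are constructed skeletons with placeholder bytes and inert JavaScript, not exploit files.

```python
"""Static triage of a PDF for the indicators discussed in this thread.

This is an added example, not code from the thread or from any tool it links.
It reports two things separately: a /JBIG2Decode filter anywhere in the file,
and JavaScript carrying the heap-spray markers seen in the posted snippet.
The JBIG2 bug fires without JavaScript, so the JBIG2 check is the one that
must never be skipped; disabling Acrobat JavaScript only removes the spray.
"""
import re
import zlib

# Patterns typical of a heap spray written in PDF JavaScript: unescape()d %u
# strings and the string-doubling loop (while (x.length <= N) x += x).
SPRAY_MARKERS = [
    rb"unescape\s*\(",
    rb"%u[0-9a-fA-F]{4}",
    rb"while\s*\(\s*\w+\.length\s*<=?",
]


def _stream_bodies(data: bytes) -> list:
    """Return every stream body, inflating FlateDecode streams so JavaScript
    hidden behind compression is still visible to the marker regexes."""
    bodies = []
    for m in re.finditer(rb"(?<!end)stream\r?\n", data):
        obj_start = max(data.rfind(b" obj", 0, m.start()), 0)
        dictionary = data[obj_start:m.start()]
        # Direct /Length only; an indirect length (n 0 R) falls back to a scan.
        length = re.search(rb"/Length\s+(\d+)\s*(?=/|>>)", dictionary)
        if length:
            body = data[m.end():m.end() + int(length.group(1))]
        else:
            end = data.find(b"endstream", m.end())
            body = data[m.end():end].rstrip(b"\r\n")
        if b"/FlateDecode" in dictionary:
            try:
                body = zlib.decompress(body)
            except zlib.error:
                pass  # corrupt or unusual stream: scan the raw bytes anyway
        bodies.append(body)
    return bodies


def triage_pdf(data: bytes) -> dict:
    """Count the indicators in one PDF and map them to a short verdict code."""
    jbig2 = len(re.findall(rb"/JBIG2Decode\b", data))
    js_names = len(re.findall(rb"/JavaScript\b|/JS\b", data))
    spray = sum(len(re.findall(p, blob))
                for blob in [data] + _stream_bodies(data)
                for p in SPRAY_MARKERS)
    if jbig2 and (js_names or spray):
        verdict = "jbig2+js"      # the combination seen in this thread
    elif jbig2:
        verdict = "jbig2-only"    # still dangerous: no JavaScript needed
    elif spray:
        verdict = "js-only"       # heap spray aimed at some other bug
    else:
        verdict = "none"
    return {"jbig2decode": jbig2, "javascript": js_names,
            "spray_markers": spray, "verdict": verdict}


def build_sample_pdf(jbig2: bool, spray_js: bool) -> bytes:
    """Construct a minimal PDF skeleton for the demo. The JBIG2 stream is
    four placeholder bytes and the JavaScript is inert; neither is an exploit."""
    parts = [b"%PDF-1.4\n", b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R"]
    if spray_js:
        parts.append(b" /OpenAction << /S /JavaScript /JS 4 0 R >>")
    parts.append(b" >>\nendobj\n2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n")
    if jbig2:
        img = b"\x00\x00\x00\x00"
        parts.append(b"3 0 obj\n<< /Type /XObject /Subtype /Image /Width 1 /Height 1"
                     b" /ColorSpace /DeviceGray /BitsPerComponent 1"
                     b" /Filter /JBIG2Decode /Length %d >>\nstream\n" % len(img))
        parts.append(img + b"\nendstream\nendobj\n")
    if spray_js:
        js = zlib.compress(b'var nop = unescape("%u9090%u9090");'
                           b' while (nop.length <= 0x100000) nop += nop;')
        parts.append(b"4 0 obj\n<< /Filter /FlateDecode /Length %d >>\nstream\n" % len(js))
        parts.append(js + b"\nendstream\nendobj\n")
    parts.append(b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")
    return b"".join(parts)


if __name__ == "__main__":
    for flags in [(True, True), (True, False), (False, True), (False, False)]:
        print(flags, triage_pdf(build_sample_pdf(*flags)))
```

The regexes are deliberately crude: they run over the whole file plus every inflated stream, which is enough to catch the packaging seen in this thread but will miss JavaScript that is obfuscated or split across objects. Treat "jbig2-only" as seriously as "jbig2+js"; the disable-JavaScript workaround posted later in this thread does nothing for that case.
-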
tested on malware
(http://img301.imageshack.us/img301/1882/pdfexpl.jpg)
payload doesn't start but Reader crashed => exploit works, no JS needed... shit...
-
Adobe Reader and Acrobat Issue update
http://blogs.adobe.com/psirt/
Adobe is also planning to make updates available for Adobe Reader 7 and 8, and Acrobat 7 and 8, by March 18th. :o
1. Launch Acrobat or Adobe Reader.
2. Select Edit>Preferences
3. Select the JavaScript Category
4. Uncheck the ‘Enable Acrobat JavaScript’ option :o
5. Click OK
I hate Adobe. 1 month without a solution... >:(
-
upload this file here
-
Could we have this file for analysis also? At least the entire JavaScript code....
-
Could we have this file for analysis also? At least the entire JavaScript code....
No :-*
-
Didier Stevens describes how to get infected through this PDF vulnerability WITHOUT opening the PDF file !!!!
Quickpost: /JBIG2Decode Trigger Trio
http://blog.didierstevens.com/2009/03/04/quickpost-jbig2decode-trigger-trio/
-
Could we have this file for analysis also? At least the entire JavaScript code....
No :-*
Maybe. The JavaScript code is not important; the JavaScript only does a heap spray with an address, but from the info on the net I can't find the exploit address, so I think the head of the JBIG2Decode stream is very important.
Also, in Windows, if the mouse moves over the PDF file, AcroRD32Info.exe will open it without using Reader.
Add me on ICQ 94507815 and get more info
-
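The post above makes the point that the head of the JBIG2Decode stream is what matters, and that the file can be parsed by a shell extension without Reader ever being opened, so the stream itself is what a defender has to inspect. As an added example (not code from this thread, from Didier Stevens' quickpost, or from the iDefense advisory), here is a walker for the segment headers of a PDF-embedded JBIG2 stream, laid out per ITU-T T.88 section 7.2, that flags structural anomalies before any decoder touches the data. The sample stream is hand-constructed and its segment data bodies are dummy bytes.

```python
"""Walk the segment headers of an embedded JBIG2 stream (the bytes behind a
/JBIG2Decode filter) and flag structural anomalies before any decoder runs.

Added example, not code from the thread or from any linked analysis. Header
layout follows ITU-T T.88 section 7.2 (segment number, flags, referred-to
segments, page association, data length); PDF-embedded streams carry no file
header. The sample stream below is hand-constructed with dummy data bodies.
"""
import struct

SEGMENT_TYPES = {
    0: "symbol dictionary", 4: "text region", 6: "immediate text region",
    7: "immediate lossless text region", 16: "pattern dictionary",
    20: "halftone region", 22: "immediate halftone region",
    36: "generic region", 38: "immediate generic region",
    40: "refinement region", 48: "page info", 49: "end of page",
    50: "end of stripe", 51: "end of file", 53: "tables", 62: "extension",
}
UNKNOWN_LENGTH = 0xFFFFFFFF  # permitted only for an immediate generic region


def _need(stream: bytes, pos: int, n: int) -> None:
    """Raise if fewer than n bytes remain at pos (stream ends mid-header)."""
    if pos + n > len(stream):
        raise ValueError("truncated segment header at offset %d" % pos)


def parse_segment_headers(stream: bytes) -> list:
    """Return one dict per segment header with its fields and a list of anomalies.
    Parsing stops at the first segment whose data length cannot be trusted."""
    segments, pos = [], 0
    while pos < len(stream):
        _need(stream, pos, 6)
        number, flags, rts = struct.unpack_from(">IBB", stream, pos)
        pos += 5
        seg_type, page_size = flags & 0x3F, 4 if flags & 0x40 else 1
        count = rts >> 5
        if count == 7:  # long form: 29-bit count, then ceil((count+1)/8) retain bytes
            _need(stream, pos, 4)
            count = struct.unpack_from(">I", stream, pos)[0] & 0x1FFFFFFF
            pos += 4 + (count + 8) // 8
        else:
            pos += 1
        # Referred-to segment numbers are sized by this segment's own number.
        ref_size = 1 if number <= 256 else 2 if number <= 65536 else 4
        anomalies = []
        if count * ref_size > len(stream) - pos:
            anomalies.append("referred-to count %d exceeds stream" % count)
            segments.append({"number": number, "type": seg_type, "refs": [],
                             "page": None, "data_length": None, "anomalies": anomalies})
            break
        refs = []
        for _ in range(count):
            refs.append(int.from_bytes(stream[pos:pos + ref_size], "big"))
            pos += ref_size
        _need(stream, pos, page_size + 4)
        page = int.from_bytes(stream[pos:pos + page_size], "big")
        pos += page_size
        data_length = struct.unpack_from(">I", stream, pos)[0]
        pos += 4
        if any(r >= number for r in refs):
            anomalies.append("refers to a segment numbered at or above itself")
        if data_length == UNKNOWN_LENGTH and seg_type != 38:
            anomalies.append("unknown data length on a %s"
                             % SEGMENT_TYPES.get(seg_type, "type %d" % seg_type))
        remaining = len(stream) - pos
        if data_length != UNKNOWN_LENGTH and data_length > remaining:
            anomalies.append("declared data length %d exceeds remaining %d bytes"
                             % (data_length, remaining))
        segments.append({"number": number, "type": seg_type, "refs": refs, "page": page,
                         "data_length": data_length, "anomalies": anomalies})
        if data_length == UNKNOWN_LENGTH or data_length > remaining:
            break  # cannot use the length to skip to the next header
        pos += data_length
    return segments


def is_suspicious(stream: bytes) -> bool:
    """True if any header is anomalous or the stream ends mid-header."""
    try:
        return any(s["anomalies"] for s in parse_segment_headers(stream))
    except ValueError:
        return True


def build_sample_stream() -> bytes:
    """Constructed embedded stream: page info, a symbol dictionary, then a
    text region (referring to segment 1) with an absurd declared data length."""
    page_info_data = struct.pack(">IIIIBH", 64, 56, 0, 0, 0, 0)  # 19 bytes
    seg0 = struct.pack(">IBBBI", 0, 48, 0, 1, len(page_info_data)) + page_info_data
    seg1 = struct.pack(">IBBBI", 1, 0, 0, 1, 5) + b"\x00" * 5
    seg2 = struct.pack(">IBBBBI", 2, 4, 0x20, 1, 1, 0x7FFFFFFF)
    return seg0 + seg1 + seg2


if __name__ == "__main__":
    for seg in parse_segment_headers(build_sample_stream()):
        print(seg["number"], SEGMENT_TYPES.get(seg["type"], seg["type"]), seg["anomalies"])
```

Run it on the bytes of each /JBIG2Decode stream and also on the /JBIG2Globals stream a PDF may reference, since shared segments live there. A clean header walk only rules out the crude cases; the heap overflow reported by iDefense sits in the stream parsing proper, so a well-formed header sequence does not make the region data safe.
-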
Thanks for PoC :-) :-*
-
tell me plz, how can I insert JS source or shellcode (to execute, for example) into the exploit?
-
Ask Serg about it
-
He-he,I really hate "replying in place" of others,but well...I think Serg already gave his answer regarding this issue... ::)
-
He-he,I really hate "replying in place" of others,but well...I think Serg already gave his answer regarding this issue... ::)
Thank u sowhat-x! :) I can't reply "NO" to all scriptkiddies around the world...
-
Adobe Reader and Acrobat JBIG2 Encoded Stream Heap Overflow Vulnerability
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=776
-
btw I forgot..
my Analysis of the PDF Exploit
http://web17.webbpro.de/index.php?page=analysing-the-pdf-exploit