Shaman's Dream

[BADMAN]

New exploit kit

Code: [Select]

inter-solutions.cn/ImNYbH63/auth.php Control panel

Code: [Select]

inter-solutions.cn/ImNYbH63/exe.php?exp=pdf PDF exploit

Code: [Select]

inter-solutions.cn/ImNYbH63/index.php?exp=2[3,4]other exploits
Who know something more about it ?!
I try to replace new Date() to  the lastmodified property from http header but script doesn't compile....
So how to decode this exploits ?

[SysAdMini]

This one is a bit tricky to decode in Malzilla ,but you don't need "lastmodified" property.

I recommend a Javascript debugger like Google Chromes' integrated debugger. It's much easier than decoding in Malzilla
in this case.

This sample is tricky because you may not modify the code. Lines of decoding code are part of the algorithm.
You get a rubbish result if you modify the function "bMVFunc". But you have to modify this function ,because
Malzilla doesn't accept the original code ("qOGet is not a function").

Solution for Malzilla:
-Make a copy of the main function "bMVFunc",paste it and rename it to "bMVFunc2"
-modify function "bMVFunc2",replace "var qOGet = nInM["uEn6eJsEcEadpJeJ".replace(/[J68Ed]/g, new String)];" by "var qOGet = unescape;"
-modify "bMVFunc(arrayWGetD);" to "bMVFunc2(arrayWGetD);"
-run the script and you'll get the exploit code for a single exploit
-download the next exploit from url at the end of the page (e.g.index.php?exp=2) and repeat all the steps above until you have decoded all exploits

modified version of your sample attached

[BADMAN]

THNX!

[SysAdMini]

Unmasking the Dreaming Shaman - the Shamans Dream exploit kit
http://perpetualhorizon.blogspot.com/2010/01/unmasking-dreaming-shaman-shamans-dream.html