Liberty Exploit System
MS06-014 Internet Explorer (MDAC) Remote Code Execution Exploit
PDF util.printf(), PDF collab.collectEmailInfo(), PDF collab.getIcon()
Yesterday i was looking for this packet of exploits called Liberty pack.
So it was really interesting and more interesting when i have found that the default username and password is user and pass …
so i have search in malwareurl for a cpanel admin.php of liberty pack…
the first panel found i had try user and pass for login but don’t work so i think that also the utilizator of liberty pack know now that leave the default password is insecure.
So i have try the most common passwords = 1234,god,password and… it work!!!
Now i have the access to the liberty pack cpanel
it looks nice but not so nice for a 500$ exploit pack, is the essential for make it work…
Ok is not really big, i have see some other of 15k uniques visits but is not bad
It inject for the most in ie7 and old ie version
The principal infected country is Turkey
The most infected OS is windows xp but there is also a strange Unknow system that i suspect to be some "crew" windows version like tinyxp or blackxp
This is one of the most interesting part the referreals
looks like a turkish forum infected http://www.msxlabs.org/
naturally about windows stuff 😀
and also the other referreals are all forums
(i suppose that the attacker inject in the post a invisible frame about the exploited page for infect other user of the forum)
Ok this is the exploit used for infect the users
how i have find it… simple looking in the page source i have see a id=6 about exploits commented
i have try to insert it in the admin page and i have see the redirection to the exploit page 😀
what that exploit number means ? ms06-014 is a vulnerability in the microsoft data access components!!!
id=4 reset the counter
i have try to inject some code in the upload form but don’t work for now…
this are the files used by liberty pack
site.com/index.php site.com/download.pdf site.com/Hidden.swf site.com/update.php site.com/update.exe site.com/admin.php
thanks everyone for listening