Back in 2008, Dancho Danchev blogged about a Christmas-themed attack toolkit. This exploit pack was offered with three different types of licenses: Basic, Standard, and Professional with the latter enabling access to all of the exploits. A couple of years later, the author(s) appeared to have refreshed its available exploits.
Thanks to reader, CL-2011, who shared a copy of this hard-to-get pack with me which I quickly unpackaged and played with like it was an early Christmas present. This exploit pack is apparently called “Merry Christmas Pack”.
To the keen eye, you’ll quickly notice the title of the page, “Phoenix Exploit’s Kit”. Looking at the code, it appears to be a modification of PEK v2.3 with the obvious graphical content replacement as well as some code modifications.
Simply replacing “eval” with “document.write” will get you the deobfuscated script.
From what I could gather, here are the exploits it’s using which you’ll note is nearly identical to Phoenix version 2.3:
CVE-2006-0003 – IE MDAC
CVE-2007-5659 – PDF CollectEmailInfo
CVE-2008-2463 – IE Snapshot
CVE-2008-2992 – PDF Util.Print
CVE-2009-0836 – PDF Open
CVE-2009-0927 – PDF Collab
CVE-2009-1869 – Flash10
CVE-2009-3867 – Java GSB
CVE-2009-4324 – PDF NewPlayer
CVE-2010-0188 – PDF LibTiff
CVE-2010-0806 – IE Peers
CVE-2010-0886 – Java SMB
CVE-2010-1297 – Flash NewFunction
CVE-2010-1885 – HCP
CVE-2010-2884 – Flash Code Exec
CVE-2010-3654 – FlashPlayer Button