Meta(sploit) Pack

Some time ago, the Open Source Exploit Pack was released on some hacker forums. As the name implies, the author has intended for this to be open source and improved by others. Well, someone recently modified this pack and got it to work with the Metasploit Framework as the back-end. It’s called MetaPack.

Before I get to that, let’s take a quick look at the Open Source Exploit Pack first.

This pack comes with the following exploits:
* CVE-2006-0003
* CVE-2007-5659
* CVE-2008-2463
* CVE-2009-0927
* CVE-2009-1136
* CVE-2010-0188
* CVE-2010-0249
* CVE-2010-0806
* CVE-2010-0886
* CVE-2010-3653
* CVE-2010-3962
* OSVDB-61964

Here’s what the obfuscated exploit code looks like. I found this in the wild a couple of weeks ago:

This is the beautified version of the script that deobfuscates and executes the exploit. It uses a character shifting method to obfuscate the code.

At the bottom of the source code, there’s a meta refresh tag:
<META HTTP-EQUIV=”REFRESH” CONTENT=”1;URL=index.php?Number=2″>

This takes the user to the second page of exploits if none of the exploits on the first page worked. This process repeats itself until the fourth page and then it stops. If an exploit does work then the payload is delivered and the redirection stops.

Each page contains the same obfuscated Javascript code but the variables and gibberish text are different. One way to deobfuscate the code is to change the third to the last line (see the screenshot above) from “zXx3W7y4I.write(rYYVMWR3L);” to “alert(rYYVMWR3L);”.

Here are the deobfuscated exploit code for each of the four pages:

Since I didn’t have access to the panel, there’s no way to tell just how effective this kit is. By the way, here’s what the statistics panel looks like without any traffic:

Now let’s get back to MetaPack which is also known as GuerillaPack or ChePack.

It is an interesting concept to combine an exploit pack with Metasploit. The exploit pack’s admin panel provides the load statistics and the ability to easily swap out the payload file while Metasploit has a lot of exploits to choose from. I suppose this pack was made for those who don’t know how to convert or export exploits from Metasploit.

To set up this pack, you need to start Metasploit and load it up with the exploits you want to use. Or you could write a script to dynamically call up the appropriate exploit automatically.

When you configure each exploit in Metasploit, the “download and exec” payload you choose is the URL for the exploit pack. The exploit pack’s config file contains the exploits you want to use so it can keep track of them.

Cool, it works.

This pack is definitely an interesting concept but I don’t think we’ll be seeing a lot of this in the wild. For one, the Metasploit Framework is one hefty install. I suppose you could minimize the MSF install to run with the bare essentials or install the main parts on a Heroku-type server. The other thing is that the Metasploit exploits are detected by AV so you would need to wrap the exploits with some kind of obfuscation.

This entry was posted in Exploit Packs, Malscript and tagged , , , , , , , . Bookmark the permalink.