Sava Exploits Pack

This is a new exploit pack that is being offered for free. It also goes by the name, “Pay0C Pack”. The author seemed to have combined exploits and content from various other exploit packs.

Here’s a list of the exploits said to be included:

  • Sun Java Calendar Deserialization Exploit
  • Sun Java JRE
  • Java RMIConnectionImpl Deserialization Privilege Escalation Exploit
  • Sun Java JRE AWT SetDiff ICM Buffer Overflow
  • Signed Applet Social Engineering Code Exec
  • Java Statement.Invoke Trusted Method Chain Exploit
  • Adobe Collab.getIcon
  • Adobe Doc.Media.newPlayer
  • Adobe Util.Printf
  • PDF Exploit LibTIFF
  • Bleeding Pack PDF
  • AOL Instant Messenger
  • Firefox Escape retval + any FF
  • Internet Explorer COM CreateObject
  • Windows ANI LoadAniIcon
  • Snapshot Viewer for Microsoft Access
  • Internet Explorer Tabular Data Control ActiveX
  • Internet Explorer Winhlp32.exe MsgBox Code Execution
  • Microsoft Help Center XSS and Command Execution
  • Internet Explorer CSS SetUserClip
  • America Online ICQ ActiveX
  • IE_0Day
  • IEPeers
  • SpreadSheet
  • ShockWave
  • CVE_2010_0806
  • Aurora
  • IE CreateObject

Here’s a look at the web panel:

If the panel looks familar to you, it should, it’s Eleonore:

The Javascript exploit code is pretty hefty, here’s what it looks like:

After beautifying the Javascript code, we have a better understanding of what it’s doing:

As you can see, it uses a bit of math and bit-shifting to convert the random-looking text at the bottom. And it processes this data in 1K chunks. The deobfuscated script is very long. Here’s a portion of it:

The author indicates that there is an improved version which has more features built into the panel. I have no further information as far as the additional features and cost are concerned. Have a look at this pack which is similarly named “Savage Exploit Pack”:

By the way, this panel has been reused from another exploit pack called “Tornado”.

Posted on: 06/14/2011