Redkit Exploit Kit

RedKit likes to download its payload as an executable named like an HTML file, so match on the request/response pair, not the extension alone:

HTTP Request Method = GET
HTTP URI = *.html or *.htm
Content Type = application/octet-stream

RedKit Gate

Regex URI for \/h(m|f)[a-z]{2}\.html?$ (older gate naming). This is now out of date; they seem to have turned to random four-letter names.

Examples:

/aced.htm
/acgu.htm
/efxq.htm
/hcwf.htm

You can regex for ^http:\/\/[a-z0-9-.]+?\/[a-z]{4}\.html?$, but it is very prone to false positives (any site with a four-letter .htm/.html page name will hit), so treat it as a hunting query rather than an alert on its own.

JARs, PDFs and .class files are still the easiest to spot:

/887.jar
/332.jar
/987.pdf
/Runs.class
/Runs/class.class
/Gobon/class.class
/Gobon.class

EXEs are still easy too: an .htm/.html URI whose response comes back as application/octet-stream.

/33.html (application/octet-stream)
/62.html (application/octet-stream)

Examples:

See examples of RedKit Gates in UrlQuery.net

See examples of RedKit PDF and JAR files in UrlQuery.net

See examples of RedKit EXE files in UrlQuery.net

REM RedKit Redirector – Not sure if still active

HTTP Request Method = GET
HTTP URI = */rem*.htm OR */rem*.html

Regex

:81\/rem[0-9]\.html?$

See examples of REM redirectors on UrlQuery.net
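Added example (not code from the original post): the signatures above turned into a small Python classifier and run over a constructed log of request/response pairs. It applies the notes' regexes as written, keys the EXE rule off the URI extension plus the response Content-Type as described above, and adds a plain extension check for the JAR/PDF/.class payloads, which the notes only illustrate by example. The hostnames and log entries are made up for the demonstration.

```python
import re
from typing import List, Optional, Tuple

# Regexes transcribed from the notes above (Python needs no escaped slashes).
GATE_LEGACY = re.compile(r"/h(m|f)[a-z]{2}\.html?$")                 # older RedKit gate naming
GATE_RANDOM = re.compile(r"^http://[a-z0-9-.]+?/[a-z]{4}\.html?$")   # four random letters, FP-prone
REM_REDIRECT = re.compile(r":81/rem[0-9]\.html?$")                   # REM redirector on port 81
HTML_EXT = re.compile(r"\.html?$")

# Assumed (not from the notes): extension check covering the JAR/PDF/.class examples.
PAYLOAD_EXT = re.compile(r"/[A-Za-z0-9]+\.(jar|pdf|class)$")


def classify(method: str, url: str, content_type: str = "") -> Optional[str]:
    """Tag one GET request plus its response Content-Type, or return None.

    Ordering matters: the high-confidence rules (EXE served as .html,
    REM redirector, legacy gate, payload extensions) run before the
    FP-prone random-name gate rule.
    """
    if method.upper() != "GET":
        return None
    # EXE payload: .htm/.html URI answered with application/octet-stream.
    if HTML_EXT.search(url) and content_type.lower().startswith("application/octet-stream"):
        return "redkit_exe_payload"
    if REM_REDIRECT.search(url):
        return "rem_redirector"
    if GATE_LEGACY.search(url):
        return "redkit_gate_legacy"
    if PAYLOAD_EXT.search(url):
        return "redkit_jar_pdf_class"
    if GATE_RANDOM.search(url):
        return "redkit_gate_random_lowconf"   # hunting lead only, expect false positives
    return None


# Constructed sample traffic (method, URL, response Content-Type); not real captures.
SAMPLE_LOG: List[Tuple[str, str, str]] = [
    ("GET", "http://example-gate.test/hmab.html", "text/html"),
    ("GET", "http://example-gate.test/hcwf.htm", "text/html"),
    ("GET", "http://example-gate.test/887.jar", "application/java-archive"),
    ("GET", "http://example-gate.test/987.pdf", "application/pdf"),
    ("GET", "http://example-gate.test/Gobon/class.class", "application/octet-stream"),
    ("GET", "http://example-gate.test/33.html", "application/octet-stream"),
    ("GET", "http://example-redir.test:81/rem3.html", "text/html"),
    ("GET", "http://www.example.test/news.html", "text/html"),   # benign page, hits the random rule
    ("POST", "http://example-gate.test/33.html", "application/octet-stream"),  # wrong method, ignored
]


def scan(log: List[Tuple[str, str, str]]) -> List[Tuple[str, str]]:
    """Return (url, tag) for every log entry that matches a rule."""
    hits = []
    for method, url, ctype in log:
        tag = classify(method, url, ctype)
        if tag is not None:
            hits.append((url, tag))
    return hits


if __name__ == "__main__":
    for url, tag in scan(SAMPLE_LOG):
        print(f"{tag:28s} {url}")
```

Note that /hcwf.htm from the gate examples is missed by the legacy h(m|f) rule and only surfaces through the random-name rule, alongside the benign news.html entry, which is exactly the false-positive problem the notes warn about.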
