Nuclear Exploit Pack Signatures

Gates

HTTP METHOD = GET
Content Type = text/html
HTTP URI = */t/*
Regex URI for “\/t\/[a-f0-9]{32}$”

See Examples on UrlQuery.net

OR

HTTP METHOD = GET
Content Type = text/html
Regex HTTP URI for :[0-9]+\/[a-f0-9]{32}\.html

See Examples on UrlQuery.net

JAR / PDF Payloads

HTTP METHOD = GET
Content Type = text/html
HTTP URI = *.jar OR *.pdf
Regex URI for “[a-f0-9]{32}\/[0-9]+?\/[a-f0-9]{32}\.(jar|pdf)$”

Examples:

hxxp://ravishigha.in/images/13d5ae8ab5e9f8592c67331c9e3c96bb/670158000/7f60f2b6166f381b44ef142744cd6271.jar
hxxp://travislowq.in/images/8e80dbc58fedbb3b16c41238ad27e67c/670145520/0f76f34ead3bbe76f0bc54af1f01b960.jar
hxxp://travismedz.in/images/de432476f233d162af3bbfff70e5cc6e/670205130/4d21668e2b5d171b4358bd3914444b74.jar
hxxp://travislowq.in/images/8e80dbc58fedbb3b16c41238ad27e67c/670145520/0f76f34ead3bbe76f0bc54af1f01b960.pdf
hxxp://ravishigha.in/images/13d5ae8ab5e9f8592c67331c9e3c96bb/670158000/7f60f2b6166f381b44ef142744cd6271.pdf

Executables

HTTP METHOD = GET
Content Type = application/octet-stream
Regex URI for “\/[0-9]+?\/[a-f0-9]{32}\/[a-f0-9]{32}\/[0-9](\/[0-9])?$”

Examples:

hxxp://ravishigha.in/f/670159140/39d2b0c5605315cff8a6b187b9850e8e/13d5ae8ab5e9f8592c67331c9e3c96bb/3/2
hxxp://ravishigha.in/f/670159140/39d2b0c5605315cff8a6b187b9850e8e/13d5ae8ab5e9f8592c67331c9e3c96bb/3
hxxp://ravishigha.in/f/670158000/7f60f2b6166f381b44ef142744cd6271/13d5ae8ab5e9f8592c67331c9e3c96bb/3/2
hxxp://ravishigha.in/f/670158000/7f60f2b6166f381b44ef142744cd6271/13d5ae8ab5e9f8592c67331c9e3c96bb/3
hxxp://travislowq.in/f/670145520/0f76f34ead3bbe76f0bc54af1f01b960/8e80dbc58fedbb3b16c41238ad27e67c/6
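
The signatures above applied to proxy log records, as an added example that is not part of the original post. The host name, hex strings and log records are constructed samples, and the function names are this example's own.

```python
import re

# Signatures transcribed from this page: (label, HTTP method, content type, URI regex).
# Assumption: the leading ":" in the second gate pattern is part of the regex (host:port).
SIGNATURES = [
    ("gate", "GET", "text/html", re.compile(r"\/t\/[a-f0-9]{32}$")),
    ("gate", "GET", "text/html", re.compile(r":[0-9]+\/[a-f0-9]{32}\.html")),
    ("jar_pdf_payload", "GET", "text/html",
     re.compile(r"[a-f0-9]{32}\/[0-9]+?\/[a-f0-9]{32}\.(jar|pdf)$")),
    ("executable", "GET", "application/octet-stream",
     re.compile(r"\/[0-9]+?\/[a-f0-9]{32}\/[a-f0-9]{32}\/[0-9](\/[0-9])?$")),
]

H1 = "0123456789abcdef0123456789abcdef"  # constructed 32-char hex strings
H2 = "fedcba9876543210fedcba9876543210"
# Constructed proxy records: (method, response content type, requested URL).
SAMPLE_LOG = [
    ("GET", "text/html; charset=utf-8", f"http://host.example/t/{H1}"),
    ("GET", "text/html", f"http://host.example:8080/{H1}.html"),
    ("GET", "text/html", f"http://host.example/images/{H1}/670100000/{H2}.jar"),
    ("GET", "application/octet-stream", f"http://host.example/f/670100000/{H2}/{H1}/3/2"),
    ("GET", "text/html", f"http://host.example/t/{H1.upper()}"),  # uppercase hex
    ("POST", "text/html", f"http://host.example/t/{H1}"),  # wrong method
    ("GET", "image/png", f"http://host.example/images/{H1}/1/{H2}.jar"),  # wrong type
]


def classify(method, content_type, url):
    """Return the label of the first signature matching one record, else None."""
    # Proxies often log "text/html; charset=utf-8": compare the media type only.
    media_type = content_type.split(";", 1)[0].strip().lower()
    for label, sig_method, sig_type, uri_re in SIGNATURES:
        if method.upper() != sig_method or media_type != sig_type:
            continue
        if uri_re.search(url):
            return label
    return None


def scan(records):
    """Classify every record; returns a list of (label or None, url)."""
    return [(classify(*record), record[2]) for record in records]


if __name__ == "__main__":
    for label, url in scan(SAMPLE_LOG):
        print(f"{label or '-':16} {url}")
```

Three of the patterns end in $, so a URL logged with a query string will not match unless the query is stripped before matching.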
