A multi-vulnerability, dynamically self-obfuscating, client-configurable and portable exploit kit written and released in 2012
Warning: These exploits are VERY old in internet years; however, they are still live if you install and configure this application on a web server.
After uploading the files to a web server, chmod install.php to 777 and run it in a browser. This will load a configuration page and set up the SQL database. The client was then instructed to delete install.php.
Once configured, navigate to admin/login.php and log in. Index.html was intentionally made to look non-existent so that the admin panel would be harder to find (clearly, this was not effective). The resulting administrator panel (admin.php) displays traffic and infection statistics, dynamically generated and obfuscated iframe code to be inserted into a client's hacked websites for traffic, and other configurable settings.
From the victim's side: when index.php is loaded, they are redirected to one of several other PHP scripts in the 'spl' directory based on the detected browser. These files attempt to load a list of browser- and OS-specific exploits, contained in the 'files/load' directory. These exploits attempt to inject a shellcode downloader, which is dynamically generated in PHP with a link to the client's specified malware, into memory and run it (ex: files/load/libt.php). Any JavaScript loaded onto the victim's PC first has its variable names randomized, then is encrypted with a randomly generated key, and finally obfuscated to avoid antivirus detection.
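For defenders, the victim-side flow above leaves an ordered request chain in web or proxy logs that does not depend on the obfuscated JavaScript. The following is an added detection sketch, not part of the kit's code: it assumes combined-format access logs and a 60-second window, and `spl/example.php` is a constructed placeholder name (only `files/load/libt.php` appears in the description above).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Request stages of the victim-side chain, in the order described above.
STAGES = [
    re.compile(r"/index\.php(?:\?|$)"),
    re.compile(r"/spl/[^/?]+\.php(?:\?|$)"),
    re.compile(r"/files/load/[^/?]+\.php(?:\?|$)"),
]
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+)')
WINDOW = timedelta(seconds=60)  # assumption: the chain completes within a minute
# Constructed sample log lines (documentation IP ranges, invented sizes/statuses).
SAMPLE = """\
203.0.113.7 - - [12/Nov/2012:10:00:01 +0000] "GET /index.php HTTP/1.1" 302 0
203.0.113.7 - - [12/Nov/2012:10:00:02 +0000] "GET /spl/example.php HTTP/1.1" 200 5120
198.51.100.9 - - [12/Nov/2012:10:00:03 +0000] "GET /index.php HTTP/1.1" 200 900
203.0.113.7 - - [12/Nov/2012:10:00:04 +0000] "GET /files/load/libt.php HTTP/1.1" 200 2048
198.51.100.9 - - [12/Nov/2012:10:05:00 +0000] "GET /files/load/libt.php HTTP/1.1" 200 2048
""".splitlines()


def find_chains(lines, window=WINDOW):
    """Return (client, first_ts, last_ts) for each client that requested
    index.php, then spl/*.php, then files/load/*.php, in order, within window."""
    state = defaultdict(lambda: (0, None))  # client -> (next stage, chain start)
    hits = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # ignore lines that are not in the expected format
        client, ts_raw, path = m.groups()
        ts = datetime.strptime(ts_raw, "%d/%b/%Y:%H:%M:%S %z")
        stage, start = state[client]
        if start is not None and ts - start > window:
            stage, start = 0, None  # partial chain went stale
        if STAGES[0].search(path):
            stage, start = 1, ts  # landing page seen: (re)start the chain
        elif stage and STAGES[stage].search(path):
            stage += 1
            if stage == len(STAGES):  # all three stages seen in order
                hits.append((client, start, ts))
                stage, start = 0, None
        state[client] = (stage, start)
    return hits
```

Requiring the full ordered chain per client keeps ordinary `index.php` traffic from alerting; only the first client in the constructed sample is flagged.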
Of course, it has been years since I've even looked at this code, and therefore I do not have the depth of understanding that I did while it was on the market. However, there are several noteworthy scripts that I still find myself impressed with in terms of complexity, even having much more experience in development:
https://malekal.com/en-serenity-exploit-pack/
http://blog.malwaremustdie.org/2012/11/what-serenity-exploit-kit-dropped.html