Cheers,
SkyLined
Berend-Jan Wever [EMAIL PROTECTED]
HTTP: http://www.edup.tudelft.nl/~bjwever
MSN: [EMAIL PROTECTED]
IRC: SkyLined in #SkyLined on EFNET
PGP: key ID 0x48479882
- Original Message -
From: class 101 [EMAIL PROTECTED]
To: full-disclosure@lists.netsys.com
Sent: Friday
of the default string2int routines
throw exception 0x0eedfade.
Feel free to prove me wrong.
Cheers,
Berend-Jan Wever
- Original Message -
From
cross-site loading as far as I could tell; all three
demos do not work on it for that matter.
Cheers,
Berend-Jan Wever
Hi all,
I know I released a working exploit earlier but it had two small
imperfections; version 0.2 should be more robust and fully OS/SP/language
independent. I personally believe it should work on all platforms, but I
don't have enough machines nor time to prove my claim, I'll leave that to
They totally forgot HTA files and HTM help files. Who knows what else.
I do ;)
About switching to FireFox: if you drive a car you might end up in a
car-crash, changing cars doesn't prevent that. If 90% of people would be
driving the exact same car, it's obvious most car-crashes will involve
Since the exploit published by flashsky is a rip off of my IE exploit
script published in the IFRAME exploit, it will probably be caught by some
IDS/AV signatures as being the IFRAME exploit.
Cheers,
SkyLined
This vul can be exploited, at
http://www.xfocus.net/flashsky/icoExp/index.html
:
http://www.edup.tudelft.nl/~bjwever/whitepaper_xss.html
http://www.edup.tudelft.nl/~bjwever/whitepaper_xss2.html
Cheers,
Berend-Jan Wever
- Original
0012E78C 637AA644 mshtml.637A9B52 mshtml.637AA63F
0012E788
0012E7FC 63795160 mshtml.637AA363 mshtml.6379515B
0012E7F8
0012E800 63789AE1 Includes mshtml.63795160 mshtml.63789ADE
Cheers,
Berend-Jan
I thought it looked familiar:
http://lists.netsys.com/pipermail/full-disclosure/2004-May/021272.html
It'll probably never get fixed.
Berend-Jan Wever
- Original Message -
From
be downloaded from my website.
Berend-Jan Wever
___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Hi all,
Another flaw in IE:
<HTML>
<SCRIPT> a = new Array(); while (1) { (a = new Array(a)).sort(); } </SCRIPT>
</HTML>
Normally I would see if it's exploitable but I figure I'm not MS's pet bug
finder/analyser... So, I've
Skip to the -- Advisory -- part if you are not interested in reading about
disclosure but you are interested in non-technical details about the array sort
vulnerability I released.
- Original Message -
From: Dragos Ruiu [EMAIL PROTECTED]
He didn't have to release it... he could have
Version 2.91 is not vulnerable, does not include crappy CPU-consuming useless
features and plays mp3s like any other version.
Cheers,
SkyLined
- Original Message -
From: Brett Moore [EMAIL PROTECTED]
To: [EMAIL PROTECTED] Netsys. Com [EMAIL PROTECTED]
Sent: Wednesday, November 24,
Hi all,
I have been getting a lot of questions about the encoded shellcode I used in
InternetExploiter. That's why I've decided to release the source to my encoder,
so you can all use it in your personal version of my exploit. (Remember that
the original code was released under GPL! I'm still
Hi all,
Same flaw works for Firefox as well as MSIE:
<HTML>
<SCRIPT> a = new Array(); while (1) { (a = new Array(a)).sort(); } </SCRIPT>
</HTML>
Added to the list:
Since we're sharing information:
Some time ago I examined the products of many software companies to see if
it's possible to exploit vulnerabilities remotely. I have found a number of
vulnerabilities in a number of software products. Vendors have been (or will be)
informed of my successful
: [EMAIL PROTECTED]; [EMAIL PROTECTED]; Berend-Jan Wever
[EMAIL PROTECTED]
Sent: Thursday, November 18, 2004 09:04
Subject: [Full-Disclosure] Re: New whitepaper: Writing IA32 Restricted
Instruction Set Shellcode Decoder Loops
Hi,
Nice paper.
Some code examples would be great (I think
to do with all the free time you now have!
Turns out it's not new AT ALL! Every decent mail client has been supporting it
for years!! Is that cool or what!?
You can even set a filter for specific people (for instance where the from line
contains Berend-Jan Wever), so you won't have to read
Hi all,
This one got rejected by phrack and I couldn't be arsed to rewrite it so it
would make the next edition:
Writing IA32 Restricted Instruction Set Shellcode Decoder Loops by SkyLined
( http://www.edup.tudelft.nl/~bjwever/whitepaper_shellcode.html )
The article addresses the requirements
It is the same bug as far as I know.
Cheers,
SkyLined
- Original Message -
From: Fabian Becker [EMAIL PROTECTED]
To: Berend-Jan Wever [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Tuesday, November 16, 2004 20:50
Subject: Re: Skype callto:// BoF technical details
Hi all,
There's a new MyDoom variant exploiting the IFRAME issue I posted an
exploit for. It's said to use my code in a modified form. It seems to have
trouble infecting my computer even though I really tried to get it :P. If
anybody could help me get my hands on a copy (of the binary or the
As far as I can tell, this is not exploitable to run a shellcode because
of the fact that NULLs are inserted between characters. But besides
This is not a problem, read phrack: unicode shellcodes are real.
In fact you can create your own unicode alphanumeric uppercase shellcode using
ALPHA2:
This will recursively call a function again and again until you've used up all
stack space: it's a stack-overflow DoS (NOT a buffer overflow), it cannot be
exploited to elevate privileges.
Cheers,
SkyLined
- Original Message -
From: Joseph Stone [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Hi all,
In response to statements found at
http://news.com.com/Exploit+code+makes+IE+flaw+more+dangerous/2100-1002_3-5439370.html
Microsoft is concerned that this new report of a vulnerability in
Internet Explorer was not disclosed responsibly, potentially putting
computer users at risk, the
, seeing what the other
option would imply.
Cheers,
SkyLined
- Original Message -
From: Menashe Eliezer [EMAIL PROTECTED]
To: Berend-Jan Wever [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Sunday, November 07, 2004 23:21
Subject: RE: [Full-Disclosure] MSIE IFRAME and FRAME tag NAME property
If you can't stand the heat, get out of the kitchen!
Cheers,
SkyLined
If you can't stand the heat, get out of the kitchen!
And btw: if you're not cooking, get the fuck out too!
Cheers,
SkyLined
ROFL:
- Original Message -
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, November 01, 2004 19:27
Subject: failure notice
Hi. This is the qmail-send program at lists2.securityfocus.com.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is
Since nobody else posted an exploit I figured I might as well slap the BoF together
with my default exploit JavaScript for the script kiddies to rejoice and the sysadmins
to worry about.
TECHNICAL
The JavaScript creates a large amount of heap blocks filled with 0x0D-byte nop slides
followed by
Hi all,
Want to view www.georgewbush.com from outside the US? You can't: Access denied. This
security measure (!?) can easily be avoided using a proxy in the US or any anonymous
surfing website though.
So, what is it he doesn't want anyone from outside the US to read ?
Cheers,
SkyLined
Hi all, here's my analysis of these bugs:
2445.html does nothing on my win2ksp4en/ie6.0sp1. (IE does crash when you load it
because the META refresh tag leads to 2446.html.)
2446.html contains an exploitable BoF in the IFRAME tag using the SRC and NAME
property. To trigger the BoF you only need
Here are some IE bugs out of my own collection that still aren't patched (IE6.0 W2K):
Stack overflows (_not_ buffer overflows):
<HTML>
<SCRIPT> a = new Array(); while (1) { (a = new Array(a)).sort(); } </SCRIPT>
</HTML>
<HTML><BODY>
Hi all,
Wanna do a quick test to see if the programmers that wrote your Windows operating
system have any clue as to what they're doing? Run these commands from cmd.exe in the
system32 directory:
for %i in (*.exe) do start %i %n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n
for %i in (*.exe) do start
is
used to return, the second one is popped off by the shellcode to get the base address.
Cheers,
SkyLined
- Original Message -
From: Berend-Jan Wever [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, October 04, 2004 17:39
Subject: [Full-Disclosure] Test your windows OS
Hi all
As promised before, the C sources for ALPHA 2: Zero tolerance, a shellcode encoder
that produces alphanumeric code, optionally uppercase-only and unicode-proof.
Happy hacking,
SkyLined
[Attachment: alpha2.tar.gz]
I suggest kicking people off the list for even mentioning gmail again. I'll take my
chances on any of these guys finding a 0day and then not being able to release it
through full-disclosure.
Cheers,
SkyLined
- Original Message -
From: Sandeep Sengupta [EMAIL PROTECTED]
To: [EMAIL
Hi all,
I'm proud to announce the upcoming release of a new version of ALPHA: ALPHA 2:
Zero-tolerance
Like ALPHA, it is a shellcode encoder that outputs 100% alphanumeric code. In the new
version a lot of the code has been improved and it can now output UNICODE-proof code
too. As a pre-release
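The messages above describe what ALPHA2 does (alphanumeric, optionally uppercase-only, unicode-proof output) but not how the encoding works. The C below is an added illustration written for this page, not ALPHA2's source: it uses a toy nibble-pair scheme in which every payload byte becomes two uppercase alphanumeric bytes A and B such that b == ((A & 0x0F) << 4) ^ B, so a decoder needs only an AND, a shift and an XOR per pair. ALPHA2's real decoder is x86 machine code and its exact byte layout is not reproduced or claimed here. The sample payload bytes are constructed and include 0x00 and 0xFF to show every byte value encodes; the "unicode-proof" part shows that the encoded bytes still decode after the 0x00 insertion that an ASCII-to-UTF-16 conversion performs (the case the "NULLs are inserted between characters" message worries about).

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample payload: 0x00 and 0xFF edge values plus a few
 * shellcode-looking bytes. Not real shellcode. */
static const unsigned char kPayload[] = { 0x00, 0x90, 0xCC, 0xFF, 0x31, 0xC0 };
#define PAYLOAD_LEN (sizeof kPayload)

/* Uppercase alphanumeric byte whose low nibble is `nib`:
 * 0-9 -> '0'..'9' (0x30-0x39), 0xA-0xF -> 'J'..'O' (0x4A-0x4F).
 * Both ranges are 7-bit ASCII, so widening to UTF-16 keeps them intact. */
static unsigned char alnum_with_low_nibble(unsigned nib) {
    nib &= 0x0F;
    return (unsigned char)(nib <= 9 ? 0x30 + nib : 0x40 + nib);
}

/* Encode n bytes into 2n alphanumeric bytes with b == ((A & 0x0F) << 4) ^ B.
 * B carries b's low nibble; A's low nibble cancels B's high nibble and
 * supplies b's high nibble. */
static size_t encode_alnum(const unsigned char *in, size_t n, unsigned char *out) {
    for (size_t i = 0; i < n; i++) {
        unsigned char b = in[i];
        unsigned char B = alnum_with_low_nibble(b);
        unsigned char A = alnum_with_low_nibble((b >> 4) ^ (B >> 4));
        out[2 * i] = A;
        out[2 * i + 1] = B;
    }
    return 2 * n;
}

/* Decoder side: one AND, one shift, one XOR per pair. `stride` is the gap
 * between consecutive encoded bytes: 1 for plain ASCII, 2 after UTF-16
 * widening (the inserted 0x00 bytes are simply stepped over). */
static size_t decode_alnum(const unsigned char *in, size_t n_pairs, size_t stride,
                           unsigned char *out) {
    for (size_t i = 0; i < n_pairs; i++) {
        unsigned char A = in[(2 * i) * stride];
        unsigned char B = in[(2 * i + 1) * stride];
        out[i] = (unsigned char)(((A & 0x0F) << 4) ^ B);
    }
    return n_pairs;
}

/* What a naive ASCII-to-UTF-16LE conversion does: 0x00 after every byte. */
static size_t utf16_widen(const unsigned char *in, size_t n, unsigned char *out) {
    for (size_t i = 0; i < n; i++) { out[2 * i] = in[i]; out[2 * i + 1] = 0x00; }
    return 2 * n;
}

static int all_upper_alnum(const unsigned char *p, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (!((p[i] >= '0' && p[i] <= '9') || (p[i] >= 'A' && p[i] <= 'Z'))) return 0;
    return 1;
}

/* 1 if encode -> decode round-trips and the output is uppercase alphanumeric. */
static int roundtrip_ok(void) {
    unsigned char enc[2 * PAYLOAD_LEN], dec[PAYLOAD_LEN];
    size_t n = encode_alnum(kPayload, PAYLOAD_LEN, enc);
    decode_alnum(enc, PAYLOAD_LEN, 1, dec);
    return n == 2 * PAYLOAD_LEN && all_upper_alnum(enc, n) &&
           memcmp(dec, kPayload, PAYLOAD_LEN) == 0;
}

/* 1 if the encoded bytes still decode after UTF-16 widening (stride 2). */
static int unicode_proof_ok(void) {
    unsigned char enc[2 * PAYLOAD_LEN], wide[4 * PAYLOAD_LEN], dec[PAYLOAD_LEN];
    size_t n = encode_alnum(kPayload, PAYLOAD_LEN, enc);
    utf16_widen(enc, n, wide);
    decode_alnum(wide, PAYLOAD_LEN, 2, dec);
    return memcmp(dec, kPayload, PAYLOAD_LEN) == 0;
}

int main(void) {
    unsigned char enc[2 * PAYLOAD_LEN + 1];
    size_t n = encode_alnum(kPayload, PAYLOAD_LEN, enc);
    enc[n] = '\0';
    printf("encoded: %s\n", (char *)enc);
    printf("round trip: %d, unicode-proof: %d\n", roundtrip_ok(), unicode_proof_ok());
    return 0;
}
```

The point to take from it is the constraint the encoder works under: the decoder stub itself must consist of the same restricted byte set, and every byte of the payload must map to a pair the stub can undo with a handful of instructions. The constructed payload encodes to 30J08LKO01O0.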
I tested this with 6.0.1: No overflows as far as I can see, but then again I didn't
test it on the mentioned webservers: I wrote a small webserver myself that returned
a valid HTTP reply with a pdf file for ANY request (reply copy-pasted from an apache
server).
No matter what I tried, I didn't
Here's a detailed description of what's going wrong with [STYLE]@;/*
The problem is the unterminated comment /*; IE computes the length of the comment
for a memcpy operation by subtracting the end pointer from the start pointer. The
comment starts behind /* and should end at */, but since
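The message above is cut off, but the failure mode it describes is a general one: a length formed as "end minus start" when the scan for the terminator did not find one. The C below is an added example written for this page, not IE's code and not SkyLined's: it shows a hypothetical vulnerable scanner where a missing "*/" leaves the end pointer NULL, so the unsigned difference wraps to an enormous size that is then handed to memcpy, next to a hardened form that fails closed on an unterminated comment and bounds the copy by the destination size. The two stylesheet fragments are constructed inputs; the first is the [STYLE]@;/* case from the message.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample inputs: the unterminated comment from the message above
 * and a properly closed one. */
static const char kUnterminated[] = "@;/*";
static const char kTerminated[]   = "color:red;/* note */";

/* Hypothetical vulnerable pattern (illustration only, not IE's code): the
 * search for the closing delimiter yields NULL when it is missing, and the
 * length is formed as end - start with no check. In unsigned arithmetic the
 * difference wraps to an enormous value, which then drives memcpy. */
static size_t vuln_comment_len(const char *css) {
    const char *start = strstr(css, "/*");
    if (start == NULL) return 0;
    start += 2;
    const char *end = strstr(start, "*/");            /* NULL if unterminated */
    return (size_t)((uintptr_t)end - (uintptr_t)start);
}

/* Hardened form: refuse an unterminated comment outright and bound the copy
 * by the destination size. Returns bytes copied, or -1 on any failure. */
static long safe_copy_comment(const char *css, char *dst, size_t dstlen) {
    const char *start = strstr(css, "/*");
    if (start == NULL) return -1;
    start += 2;
    const char *end = strstr(start, "*/");
    if (end == NULL) return -1;                        /* fail closed */
    size_t len = (size_t)(end - start);                /* end >= start here */
    if (dstlen == 0 || len >= dstlen) return -1;       /* would not fit */
    memcpy(dst, start, len);
    dst[len] = '\0';
    return (long)len;
}

/* Exercise both paths on the constructed inputs. */
static int vuln_len_is_huge(void) {
    return vuln_comment_len(kUnterminated) > (size_t)0x7fffffff;
}

static long safe_len_terminated(void) {
    char buf[32];
    long n = safe_copy_comment(kTerminated, buf, sizeof buf);
    return (n == 6 && strcmp(buf, " note ") == 0) ? n : -2;
}

static long safe_len_unterminated(void) {
    char buf[32];
    return safe_copy_comment(kUnterminated, buf, sizeof buf);
}

int main(void) {
    printf("vulnerable length for \"%s\": %zu\n", kUnterminated,
           vuln_comment_len(kUnterminated));
    printf("hardened copy of terminated comment: %ld bytes\n", safe_len_terminated());
    printf("hardened copy of unterminated comment: %ld\n", safe_len_unterminated());
    return 0;
}
```

On a 32-bit build the wrapped length is 0xFFFFFFFF minus the start address; either way memcpy reads far past the stylesheet buffer, which is the crash the message is describing. The hardened version treats "no terminator" as a parse error instead of deriving a length from an invalid pointer.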
Here's a detailed description of what's going wrong with the a href=::%7b right
click bug.
(yeah, my reply is a bit late but I was busy and went on a holiday)
Right click on a link with href=file://:: and IE will try to download
it, fail and try to report an error. While creating this
I just wrote a small poem in JScript:
<SCRIPT language=javascript>
MSIE = window.open; // for hackers to come in
for (every_bug_found in MSIE) { /* there are zillions more hidden */ }
</SCRIPT>
Ok, so it doesn't rhyme... but it is another null-pointer exception DoS in MSIE 6.0sp1
(fully
-Disclosure] Mozilla Security Advisory 2004-07-08
Berend-Jan Wever wrote:
The advisory mentions that combining this with a BoF can result in remote code
execution, but they totally forget to mention that format string exploits,
integer overflows, XSS, SQL injection, etc... might cause the same problems too. I bet
they just read FD and didn't think for themselves. As
Doesn't look like a null pointer to me, especially since it crashes while
reading 800c0005...
I think it's a format string vulnerability, causing ntdll.RtlFormatMessage
to call ntdll._snwprintf with your href. Might be exploitable, I'll have a
look...
Cheers,
SkyLined
- Original Message -
When I was into finding XSS, I found holes in just about every web-based
email provider with relative ease... The only one that I found was pretty
hardened was hotmail (Probably because everyone is trying to find holes all
the time).
I bet this is still just the tip of the iceberg for yahoo, keep
Every time I post to a list I get these out of office auto-responses.
Can these responders be configured to not respond to stuff from a list?
-Michael
Yes, they can... and no, they won't. Too much shit-for-brains dumb-ass
good-for-nothing mofo's on the list for that. Why the hell do you think
NULL pointer assignment in mshtml, not exploitable.
636D54AF   8B48 2C    MOV ECX, [EAX+2C]
EAX = 0, Bad read of address 0x002C.
Cheers,
SkyLined
- Original Message -
From: Mike Mauler [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, May 14, 2004 15:55
Subject:
Tested with IE 6.0.2800.1106, SP1 all patches on Win2k 5.00.2195 SP4, all
patches (up to 11-05-2004)
I explored this bug: it looks like a simple DoS, impact low. Further testing
might provide a way to get more out of this, like remote command execution,
but I doubt it.
Detailed technical comments
- Original Message -
From: Drew Copley [EMAIL PROTECTED]
Yeah. It is a zero day worm, and it is very notable as such.
I can not recall a previous zero day worm. (AV is not my job, but I do
try and follow zero day.)
Hence, IE has birthed us the first zero day worm.
We should be
I'd like to suggest everybody starts sending an annoying mail back to the
poster of useless crap like this AND NOT TO THE LIST. You might even send
his email address to some penis-enlargement companies just for the fun of
it. The mailbombs we can generate together might annoy them more than the
- Original Message -
From: Schmehl, Paul L [EMAIL PROTECTED]
Bagle.AA,AB,AC, etc.
And on and on it goes, and where it ends, nobody knows...
It'll end when Bagle.AAA... hits a BoF in a virusscanner
overwriting EIP with 0x41414141 ;)
Make like a tree and leave.
Cheers,
SkyLined
- Original Message -
From: wagner oliveira [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Sunday, March 14, 2004 1:23
Subject: [Full-Disclosure] unsubscription?
How I make for unsubscription?
They might just be checking for bounces, the picture on the internet might
be a way to match your ip to your email address.
I received a few about a month ago but none since.
Cheers,
SkyLined
- Original Message -
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, February
Yeah, and no subject, again...
PS. Sorry for the noize ppl.
- Original Message -
From: madsaxon [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, February 11, 2004 23:54
Subject: Re: [Full-Disclosure] (no subject)
At 04:18 PM 2/11/2004 -0600, roberta bragg wrote:
300-1,000
Somebody wouldn't happen to have a copy of the vulnerable versions lying
around that he'd want to share with me, so I can build an exploit ?
Checkpoint doesn't do trial downloads and google didn't return anything
useful :(
Cheers,
SkyLined
Hi,
Attached is my Serv-U SITE CHMOD exploit. Should be pretty script kiddie
friendly.
Cheers,
SkyLined
Why not call it SkyNet, after T3 ?
SkyLined
- Original Message -
From: Joel R. Helgeson [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, August 07, 2003 17:53
Subject: [Full-Disclosure] Red Bull Worm
Lets see, the last big worm to exploit windows was named Code Red after
the
January 15, 2002 by Berend-Jan Wever
I'm only human... here's the attachment. :P
It's a stripped version with the really cool features yanked
out, but I'm sure you can code those yourself... You've got
to ask yourself a question though: Could there be a remote compromise in the
exploit itself? Script kiddies beware...
Last
Since my mail got rejected for unknown reasons to vuln-dev I'd like to use
this list as a backup to explain to everybody interested what's happening
with bash:
- Original Message -
From: Berend-Jan Wever [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, February 13, 2003 18:33
slowed down
somewhat because significant portions of the network did not have enough
bandwidth to allow it to operate unhindered.
/quote
Berend-Jan Wever
You know what's even funnier than flames and other useless mails on
full-disclosure? People trying to get them to stop by joining in the
useless discussions ;)
Reading these is the whipped cream on the dessert of my day, keep up the good
work!
SkyLined
BTW. SPAM!
- Original Message -
From:
P.S. I hereby request that my likeness be superimposed upon the little
guy at http://www.eurocompton.net/jackahz ... I mean for fscks sake...
be creative if you are gonna call me Webster.
Something like this Kev' ? :P :p tell the PHC to update their 0dd
subscribers list to include webster
H...
... isn't hiding your root password security through obscurity ?
... isn't hiding your private PGP key security through obscurity ?
... isn't 90% of security based on these kinds of obscurity ?
FYI: Obscurity, according to the dictionary:
1. Deficiency or absence of light; darkness.