[Full-disclosure] Vulnerable test application: Simple Web Server (SWS)

2007-09-10 Thread Gadi Evron
Every once in a while (last time a few months ago) someone emails one of 
the mailing lists about searching for an example binary, mostly for:

- Reverse engineering for vulnerabilities, as a study tool.
- Testing fuzzers

Some of these exist, but I asked my employer, Beyond Security, to release 
our test application, written specifically for testing fuzzers (built for the 
beSTORM fuzzer). They agreed to release the HTTP version, following their 
agreement to release our ANI XML specification.

The GUI allows you to choose what port you want to run it on, as well as 
which vulnerabilities should be active.

It is called Simple Web Server or SWS, and has the following 
vulnerabilities:

 1. Off-By-One in Content-Length (Integer overflow/malloc issue)
 2. Overflow in User-Agent
 3. Overflow in Method
 4. Overflow in URI
 5. Overflow in Host
 6. Overflow in Version
 7. Overflow in complete packet
 8. Off By One in Receive function (linefeed/carriage return issue)
 9. Overflow in Authorization Type
10. Overflow in Base64 decoded
11. Overflow in Username of authorization
12. Overflow in Password of authorization
13. Overflow in Body
14. Cross site scripting

It can be found on Beyond Security's website, here:
http://www.beyondsecurity.com/sws_overview.html

Thanks,

Gadi Evron.

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
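The fourteen classes in Gadi's list map onto a small set of crafted requests, which is what a fuzzer-tester would point at SWS first. What follows is an added example, not code from the post, from Beyond Security or from beSTORM: a Python generator that builds one malformed HTTP/1.0 request per listed class, plus a sender that reports whether the server still answers afterwards. The field length LONG, the default port 8080 and the exact CR/LF arrangement used for item 8 are assumptions.

```python
"""Added example: crafted HTTP requests, one per SWS vulnerability class.

Not code from the post, from Beyond Security or from beSTORM.  Assumed
values: the field length LONG, the default port 8080 and the CR/LF
arrangement used for the receive off-by-one case.
"""
import base64
import socket
import sys

CRLF = b"\r\n"
LONG = 4096  # assumed: comfortably beyond any plausible fixed-size buffer


def request(method=b"GET", uri=b"/", version=b"HTTP/1.0", headers=(), body=b""):
    """Assemble a raw HTTP request; headers is an iterable of (name, value) byte pairs."""
    lines = [method + b" " + uri + b" " + version]
    lines.extend(name + b": " + value for name, value in headers)
    return CRLF.join(lines) + CRLF + CRLF + body


def basic_auth(user, password):
    """Value for an Authorization header using the Basic scheme."""
    return b"Basic " + base64.b64encode(user + b":" + password)


def build_cases(host=b"127.0.0.1"):
    """One malformed request per item in the SWS list, keyed by that item's wording."""
    body = b"x" * 64
    std = [(b"Host", host), (b"User-Agent", b"fuzz/0.1")]
    big = b"A" * LONG
    return {
        # 1: declared length is one more than the bytes actually sent
        "content-length off-by-one": request(
            b"POST", headers=std + [(b"Content-Length", str(len(body) + 1).encode())],
            body=body),
        # 2-6: one oversized token per request-line field or header
        "user-agent overflow": request(headers=[(b"Host", host), (b"User-Agent", big)]),
        "method overflow": request(method=b"G" * LONG, headers=std),
        "uri overflow": request(uri=b"/" + big, headers=std),
        "host overflow": request(headers=[(b"Host", big)]),
        "version overflow": request(version=b"HTTP/" + b"1" * LONG, headers=std),
        # 7: no structure at all, just more bytes than one receive buffer
        "whole packet overflow": b"A" * (16 * LONG),
        # 8: bare LF terminators and a dangling CR (assumed trigger for the CR/LF handling)
        "receive off-by-one": b"GET / HTTP/1.0\n\n\r",
        # 9-12: the Authorization header, raw and after Base64 decoding
        "authorization type overflow": request(
            headers=std + [(b"Authorization", big + b" QUJD")]),
        "base64 decoded overflow": request(
            headers=std + [(b"Authorization", b"Basic " + base64.b64encode(big))]),
        "username overflow": request(headers=std + [(b"Authorization", basic_auth(big, b"pw"))]),
        "password overflow": request(headers=std + [(b"Authorization", basic_auth(b"user", big))]),
        # 13: a correctly declared but oversized body
        "body overflow": request(
            b"POST", headers=std + [(b"Content-Length", str(LONG).encode())], body=big),
        # 14: a reflected-XSS probe in the query string
        "xss probe": request(uri=b"/?q=%3Cscript%3Ealert(1)%3C/script%3E", headers=std),
    }


def send_case(host, port, payload, timeout=3.0):
    """Deliver one case and classify the outcome: 'answered', 'closed' (reset/EOF) or 'timeout'."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(payload)
            return "answered" if s.recv(4096) else "closed"
    except (ConnectionResetError, BrokenPipeError, ConnectionRefusedError):
        return "closed"
    except socket.timeout:
        return "timeout"


def alive(host, port):
    """Benign probe after each case, so a dead server is attributed to the last case sent."""
    probe = request(headers=[(b"Host", host.encode())])
    return send_case(host, port, probe, timeout=2.0) == "answered"


if __name__ == "__main__":
    host, port = (sys.argv[1], int(sys.argv[2])) if len(sys.argv) == 3 else ("127.0.0.1", 8080)
    for name, payload in build_cases(host.encode()).items():
        outcome = send_case(host, port, payload)
        print(f"{name:30s} {outcome:9s} alive afterwards: {alive(host, port)}")
```

Run it as `python sws_cases.py 127.0.0.1 <port>` with SWS listening and only one vulnerability enabled at a time; a "closed" or "timeout" followed by "alive afterwards: False" pins the crash on that case. The liveness probe matters because a server that dies on case N would otherwise show up as a connection refusal on case N+1.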


Re: [Full-disclosure] Came across this site

2007-09-10 Thread Mario D
meh...roll your own...you'll learn more that way
--- T Biehn [EMAIL PROTECTED] wrote:

 screw forums, i get all my 0days from metasploit.
 
 On 9/8/07, scott [EMAIL PROTECTED]
 wrote:
 
  -BEGIN PGP SIGNED MESSAGE-
  Hash: SHA1
 
  This site seems to have a lot of registered users. But I only see posts
  by this one guy. Really stealing news from other sites and posting them
  there.
 
  Let's call this guy out. He claims to be an MCSE privately, but I
  seriously doubt it. The site is http://hacking-passion.com
 
  Now I know I will catch a lot of flames for this, so I'm putting on my
  Nomex suit right now.
 
  Scott
  -BEGIN PGP SIGNATURE-
  Version: GnuPG v1.4.6 (GNU/Linux)
  Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
 
  iD8DBQFG4ziUsrt057ENXO4RArocAKDKdvFVziAvOPCIe7emMSEfdodAvwCgk/xg
  MkmaLBUUySKxm533pmqCQi4=
  =dsv4
  -END PGP SIGNATURE-
 


Re: [Full-disclosure] n3td3v denounces the actions of www.derangedsecurity.com

2007-09-10 Thread yiri
i can't believe that you posted that to full-disclosure.

dipshit.

On 9/10/07, worried security [EMAIL PROTECTED] wrote:

 This person has been sharing login information to the world wide web,
 opening up world governments to terrorist cyber intrusions. This guy has
 not been sent to Guantanamo Bay yet; why not? This reckless act of evil
 against western values is not good for the world. We should stop these
 individuals from posting government-related information which could harm
 the population of a country by allowing sensitive data to be accessed by
 terrorist cyber intrusion. All terrorists are linked up to the world wide
 web, making it likely the information was accessible to them and not just
 to responsible security professionals and law enforcement agencies.
 
 He said he was posting the information to let all affected governments
 learn of the vulnerability to their government infrastructure as a
 collective of people, as it would cost him too much time and money to
 contact each government network individually. However, when there are
 more than government network employees learning of the information, then
 it becomes a risk to national security. The protection of the population
 and its interests must become the governments' first priority. Leaving
 this individual to make funny remarks about the governments in question by
 parading their network access information in the public glare does more
 than alerting the proper authority to the cause of getting security
 tightened.
 
 derangedsecurity.com should be held accountable for their actions in front
 of judge and jury. I as a member of the public am fine with arguments and
 full disclosure of e-commerce vulnerability information being posted to
 the world wide web in the good nature of freedom of speech, but the
 argument that exposing the network access information of world
 governments, leaving the network open to terrorist cyber intrusion, is
 unacceptable by any code of ethics that I can agree with. I as a member of
 the public say not in my name can you release network access information
 to the public for self-satisfaction and delight that you have managed to
 breach the national security infrastructure of a government.
 
 I say you should be ashamed, and if you had just claimed you were just
 being an accessory and conspiracy to cause terrorist cyber intrusions then
 I wouldn't be writing to complain, but it's the fact you use full
 disclosure of a responsible security professional as an excuse for your
 actions which makes me believe you should be stripped of your job title
 and held accountable to the governments you have left vulnerable to
 terrorist cyber intrusion. You are not a security professional, you are
 lower than that, you are working against the ethics of the basis of your
 career of security professional. Responsible security professionals don't
 risk the national security interests of multiple world governments,
 leaving the population vulnerable in the process by making the government
 network weaker by offering access to the mass public, where ultimately
 cyber terrorists are lurking in wait to ambush the network access data to
 espionage on their operations.
 
 This information you post is what you're risking to the world: a greater
 feeling of instability throughout the affected countries and a general
 feeling of alarm and distress to the mass public. Your information was
 reported to the mass public media on the internet as well as Chinese
 television stations and other mediums of public broadcasting; this is
 unacceptable in the level your full disclosure ethic has caused to the
 wider world. I believe your actions to be morally incorrect and that your
 actions should be illegal while our brave men are fighting the war on
 terror to protect your children's future; this kind of anti-government
 disclosure shouldn't come under the ordinary full disclosure ethics.
 
 You post on your website that you are angry your hosting company
 disapproved of your disclosure to the mass public; you said why bother
 terminating my website when the information has already been in the
 public domain? Damage limitation is the reason, and the fact the
 information shouldn't have been there in the first place. I thought maybe
 this would be an indication that your code of conduct was actually immoral
 and maybe you would reconsider the legality of what you put on your
 website, but you didn't, you kept the tempo high by relocating your
 website to a new server which was under the control of your irresponsible
 self, away from account terminations and away from coming under the
 scrutiny of a hosting company's terms of service agreement. You then try
 and point blame at others, you blame the United States government for
 contacting your hosting provider to get you shut down and you blame the
 governments for leaving their own population open to a national security
 breach. You in no way find yourself accountable 

Re: [Full-disclosure] Came across this site

2007-09-10 Thread dcdave
In my admittedly quick (less than 5 min) review of this site, I did not see 
anything particularly new (i.e. not available on the usual websites), 
particularly useful (usable exploits/information collected in one reference 
spot), or particularly complete (i.e. a search of SecurityFocus group logs for 
exploit information).

dcdave
Dave Druitt 
--
CSO 
InfoSec Group 
703-626-6516 



-- Original message from Mario D [EMAIL PROTECTED]: 
-- 




Re: [Full-disclosure] Vulnerable test application: Simple Web Server (SWS)

2007-09-10 Thread Strykar
Very interesting, been a while on here now.
Downloading as I speak.. will post a follow-up.


- S

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:full-
 [EMAIL PROTECTED] On Behalf Of Gadi Evron
 Sent: Monday, September 10, 2007 11:36 AM
 To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
 Cc: full-disclosure@lists.grok.org.uk; code-
 [EMAIL PROTECTED]
 Subject: [Full-disclosure] Vulnerable test application: Simple Web
 Server (SWS)
 


Re: [Full-disclosure] n3td3v denounces the actions of www.derangedsecurity.com

2007-09-10 Thread b . hines
Actually this fellow is shit dipped.

-- Original message -- 
From: yiri [EMAIL PROTECTED] 

[Full-disclosure] Google Hacking for MPacks, Zunkers and WebAttackers

2007-09-10 Thread Dancho Danchev
The following are IPs and domain names currently or historically used
to host MPack, WebAttacker and Zunker control panels as well as live
exploit URLs within the packs. Some are down, others are still
accessible, the rest are publicly cached. If index.php doesn't exist,
admin.php or zu.php act as the default admin panel.

http://ddanchev.blogspot.com/2007/09/google-hacking-for-mpacks-zunkers-and.html

Regards,
Dancho



Re: [Full-disclosure] Came across this site

2007-09-10 Thread Brian Toovey
At the risk of getting flamed...

I am starting my own security website at http://vulntrac.com.  Let me
state in this man's defense that it is not easy getting something going on
your own.

When starting out, how much original content can you have?  As long as
you're citing sources and giving credit where it is due, what's the big
deal?

At my site I am starting a defacement mirror and a blog on a honeynet
I am starting.  Both of those things have been done before too.
Should I not do them because someone already has?

Sorry if I offended anyone - just trying to add some perspective.

Brian

Brian Toovey
[EMAIL PROTECTED]
http://vulntrac.com

On 9/10/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:


Re: [Full-disclosure] Came across this site

2007-09-10 Thread J. Oquendo
Brian Toovey wrote:

 At the risk of getting flamed...

At the risk of cry babies whining I shall chime in.

Oct 2007 Infiltrated dot net will take off where I left AntiOffline off
in 2001. After reading so many shitty websites with distorted views of
security in general, I decided to bring back the In Your Face news and
Interviews of yestermillenium.

It won't be geared towards luzer assed look at me grep -i passwd
*.php|echo l33t [EMAIL PROTECTED] but more towards
interviews with people I find make the security scene worthwhile. My own
personal, obnoxious, clueless ramblings, and outtakes on security in general.

For those on the scene pre-2001 keep on the lookout for a top ten
questionnaire coming to your mailboxes. For those under the age of
tenteen, still in high school, freshmen/sophomores in college and romper
room kiddiots keep away.

Stay tuned.



J. Oquendo
Excusatio non petita, accusatio manifesta

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xF684C42E
sil . infiltrated @ net http://www.infiltrated.net




[Full-disclosure] How to make money with XSS

2007-09-10 Thread pdp (architect)
http://www.gnucitizen.org/blog/how-to-make-money-with-xss

Finding XSS is a dead easy task. Everybody is vulnerable to this type of
issue, and even if there are protection mechanisms in place such as
application firewalls and sanitization filters, very often attackers
can get a stable exploit working in a matter of a couple of minutes.
In fact, I don't think that there are unstable XSS exploits. It is not
like the attacker has to manipulate the stack or a corrupted heap in
order to get some sort of execution control. No! It is a simple
injection issue.

So the question is not whether the bad guys can find an XSS issue on
your site/application - they can and they will. The question is what
sort of things they can do with it.

-- 
pdp (architect) | petko d. petkov
http://www.gnucitizen.org
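pdp's two claims above, that XSS is a plain injection problem and that "sanitization filters" rarely save you, can be shown side by side in a few lines. The following is an added example and not code from the post or from gnucitizen.org: a page that reflects one parameter into three HTML contexts, first through a blacklist filter of the kind the post has in mind, then through context-specific output encoding. The template, the parameter name q and the three payloads are constructed for the illustration.

```python
"""Added example, not code from the post or from gnucitizen.org.

Shows why a blacklist 'sanitization filter' does not stop a reflected
XSS, and what context-specific output encoding looks like instead.
The template, the parameter name q and the payloads are constructed
for the illustration.
"""
import html
import json
import re


def naive_filter(value: str) -> str:
    """A typical home-grown filter: strip <script>...</script> and hope."""
    return re.sub(r"<script.*?</script>", "", value, flags=re.IGNORECASE | re.DOTALL)


def render_naive(q: str) -> str:
    """Reflects the search term into three contexts after 'filtering' it."""
    q = naive_filter(q)
    return (
        f"<p>Results for {q}</p>\n"
        f'<input name="q" value="{q}">\n'
        f'<script>var last = "{q}";</script>'
    )


def js_string(value: str) -> str:
    """JSON-encode for an inline <script>, then hide the characters that could
    close the tag or start an entity; json.dumps alone leaves '</script>' intact."""
    return (json.dumps(value)
            .replace("<", "\\u003c").replace(">", "\\u003e").replace("&", "\\u0026"))


def render_encoded(q: str) -> str:
    """Same template, with each insertion encoded for the context it lands in."""
    return (
        f"<p>Results for {html.escape(q)}</p>\n"
        f'<input name="q" value="{html.escape(q, quote=True)}">\n'
        f"<script>var last = {js_string(q)};</script>"
    )


# Constructed payloads, one per context.  None of them contains the
# '<script>...</script>' shape the filter looks for, so it passes all three.
PAYLOADS = {
    "body": "<img src=x onerror=alert(1)>",
    "attribute": '" autofocus onfocus="alert(1)',
    "script": "</script><img src=x onerror=alert(1)>",
}


def compare(q: str) -> dict:
    """Both renderings of one input, for side-by-side inspection."""
    return {"naive": render_naive(q), "encoded": render_encoded(q)}


if __name__ == "__main__":
    for context, payload in PAYLOADS.items():
        for variant, page in compare(payload).items():
            print(f"--- {context} / {variant}\n{page}\n")
```

The "script" payload is the one worth staring at: `json.dumps` produces a perfectly valid JavaScript string literal, but the HTML parser closes the `<script>` element at the literal `</script>` before JavaScript ever sees it, which is why `js_string` additionally turns `<` and `>` into `\u003c` and `\u003e`. The same input, reflected into the body, the attribute and the script block, needs three different encoders; one filter on the way in cannot know which of the three it is protecting.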



Re: [Full-disclosure] IisShield 2.2 released

2007-09-10 Thread Tiago Halm
All,

I've decided to open source IisShield.
Feel free to browse and examine the code.

Available at:
http://www.codeplex.com/iisshield

Cheers,
Tiago Halm
KodeIT Development Team

-Original Message-
From: Tiago Halm (Lists) [] 
Sent: Monday, January 08, 2007 6:46 PM
To: full-disclosure@lists.grok.org.uk
Subject: IisShield 2.2 released

All,

KodeIT is proud to announce the new release of IisShield 2.2 with support
for IIS 4.0, IIS 5.x and IIS 6.0.

Some new features include the ability to define zones with specific rules.
With this feature, rules can be split into zones, allowing the filtering
process to be applied in a per-zone scope versus a per-server scope. Zones
are used to specify which requests are included in or excluded from the
filtering engine.

Available
   http://www.kodeit.org/products/iisshield
Detailed info
   http://www.kodeit.org/products/iisshield/iisshield.pdf

Comments and suggestions are certainly welcome at kodeit (at) gmail dot com.

Cheers,
Tiago Halm
KodeIT Development Team



[Full-disclosure] XSIO - Cross Site Image Overlaying

2007-09-10 Thread Sven Vetsch / Disenchant
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Hi everyone,
I wrote a paper about an attack type I call XSIO - Cross Site Image
Overlaying. It's about something which I think many of you have already
done, but I wasn't able to find anything written about it, and I also
don't think that most of the people out there are aware of how big the
impact of something like this could be. But just read the paper if
you're interested in hearing some more about it :)

http://www.disenchant.ch/blog/xsio-cross-site-image-overlaying/81

Regards,
Sven

- --

sent by Sven Vetsch / Disenchant

www.disenchant.ch

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.3 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFG5Zos8luv3I4ijh0RAmS9AKCKHmQRvTovb61tbGJTlVT4jEWvlgCfdXuJ
nGy+yqf4vip3VARU12o+BZM=
=VJ1l
-END PGP SIGNATURE-
