Re: [Full-disclosure] Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)

2011-11-11 Thread Tillmann Werner
    def callback(self, hdr, data):
        # Parse the Ethernet packet
        decoder = ImpactDecoder.EthDecoder()
        ether = decoder.decode(data)
        # Parse the IP packet inside the Ethernet packet, typep
        iphdr = ether.child()
        udphdr = iphdr.child()

        # First check that the packets are not coming from the local host
        # Then check that it is a UDP packet (in case you changed the BPF) also
        # Check that the destination port for the packet is a closed
        # port on the host
        if (iphdr.get_ip_src() != self.ip):
            self.refresh_portlist()
            if (iphdr.get_ip_p() == ImpactPacket.UDP.protocol and
                udphdr.get_uh_dport() not in self.portlist):
                if self.called == 0:
                    self.callonce()
                print "Incoming UDP packet from %s" % iphdr.get_ip_src()
                self.dumper.dump(hdr, data)

    def refresh_portlist(self):
        # bash script to get all the open and listening UDP ports
        # used in the callback function as criteria for logging traffic
        output = os.popen("./getports.sh")
        pl = output.readlines()
        self.portlist = []
        for p in pl:
            self.portlist.append(int(p))

Seriously? popen()ing a bash script that calls netstat and awk twice for
every packet?

Tillmann

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
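The design problem Tillmann points at (a shell spawned for every captured packet) is usually solved by caching the listening-port set and refreshing it on a timer. The following is an added example written for this page, not the code quoted in the thread: it keeps the quoted callback's rules (ignore frames from the local host, UDP only, log datagrams aimed at ports the host is not listening on) but refreshes the port set at most once per interval; header decoding uses struct on raw Ethernet frames rather than impacket, and the `list_udp_ports` callable is an assumed hook standing in for getports.sh.

```python
"""Honeypot-style UDP listener with a cached listening-port set.

Added example, not the code quoted in the thread. The `list_udp_ports`
hook is an assumption standing in for the thread's getports.sh; the
frames built below are constructed test input.
"""
import struct
import time
from typing import Callable, Iterable, List, Optional, Set, Tuple

ETH_TYPE_IPV4 = 0x0800
IPPROTO_UDP = 17


def parse_udp_frame(frame: bytes) -> Optional[dict]:
    """Decode Ethernet -> IPv4 -> UDP headers; None if not IPv4/UDP."""
    if len(frame) < 14 + 20 + 8:
        return None
    (eth_type,) = struct.unpack("!H", frame[12:14])
    if eth_type != ETH_TYPE_IPV4:
        return None
    ip = frame[14:]
    if ip[0] >> 4 != 4:
        return None
    ihl = (ip[0] & 0x0F) * 4  # IPv4 header length in bytes, options included
    if ihl < 20 or len(ip) < ihl + 8 or ip[9] != IPPROTO_UDP:
        return None
    sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    return {
        "src": ".".join(str(b) for b in ip[12:16]),
        "dst": ".".join(str(b) for b in ip[16:20]),
        "sport": sport,
        "dport": dport,
    }


def parse_port_list(text: str) -> Set[int]:
    """Parse one-port-per-line output (the shape getports.sh emitted), skipping blanks."""
    return {int(line) for line in text.splitlines() if line.strip()}


class ClosedPortLogger:
    """Logs UDP datagrams sent to ports no local service is listening on."""

    def __init__(self, local_ip: str, list_udp_ports: Callable[[], Iterable[int]],
                 refresh_interval: float = 5.0,
                 clock: Callable[[], float] = time.monotonic):
        self.local_ip = local_ip
        self._list_udp_ports = list_udp_ports  # expensive (netstat/ss), so it is cached
        self.refresh_interval = refresh_interval
        self._clock = clock
        self._ports: Set[int] = set()
        self._last_refresh: Optional[float] = None
        self.refresh_count = 0
        self.logged: List[Tuple[str, int]] = []

    def open_ports(self) -> Set[int]:
        """Return the cached port set, re-reading it only when the cache is stale."""
        now = self._clock()
        if self._last_refresh is None or now - self._last_refresh >= self.refresh_interval:
            self._ports = set(self._list_udp_ports())
            self._last_refresh = now
            self.refresh_count += 1
        return self._ports

    def callback(self, frame: bytes) -> bool:
        """Per-packet hook (pcap style). Returns True when the packet was logged."""
        pkt = parse_udp_frame(frame)
        if pkt is None or pkt["src"] == self.local_ip:
            return False
        if pkt["dport"] in self.open_ports():
            return False  # traffic to a real service, not of interest here
        self.logged.append((pkt["src"], pkt["dport"]))
        return True


def build_udp_frame(src: str, dst: str, sport: int, dport: int,
                    payload: bytes = b"") -> bytes:
    """Build a minimal Ethernet/IPv4/UDP frame (constructed input; checksums left zero)."""
    eth = b"\x00" * 12 + struct.pack("!H", ETH_TYPE_IPV4)
    udp_len = 8 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64, IPPROTO_UDP, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0)
    return eth + ip + udp + payload


if __name__ == "__main__":
    # Constructed scenario: host 10.0.0.5 listens on UDP 53 and 123.
    logger = ClosedPortLogger("10.0.0.5", lambda: parse_port_list("53\n123\n"))
    frames = [
        build_udp_frame("192.0.2.1", "10.0.0.5", 40000, 161),  # probe of a closed port
        build_udp_frame("192.0.2.1", "10.0.0.5", 40000, 53),   # ordinary DNS query
        build_udp_frame("10.0.0.5", "192.0.2.1", 53, 40000),   # our own reply
    ]
    for f in frames:
        logger.callback(f)
    print("logged:", logger.logged, "refreshes:", logger.refresh_count)
```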


[Full-disclosure] [FOREGROUND SECURITY 2011-004] Infoblox NetMRI 6.2.1 Multiple Cross-Site Scripting (XSS) vulnerabilities

2011-11-11 Thread Jose Carlos de Arriba

FOREGROUND SECURITY, SECURITY ADVISORY 2011-004
- Original release date: November 10, 2011
- Discovered by: Jose Carlos de Arriba - Senior Security Analyst at Foreground Security
- Contact: (jcarriba (at) foregroundsecurity (dot) com, dade (at) painsec (dot) com)
- Severity: 4.3/10 (Base CVSS Score)


I. VULNERABILITY
-
Infoblox NetMRI 6.2.1 (latest version available when the vulnerability was 
discovered), 6.1.2 and 6.0.2.42 Multiple Cross Site Scripting - XSS (prior 
versions have not been checked but could be vulnerable too).

II. BACKGROUND
-
Infoblox NetMRI is a network automation solution for configuration, 
optimization and compliance enforcement. With hundreds of built-in rules and 
industry best practices, it automates network change, intelligently manages 
device configurations and reduces the risk of human error. 

III. DESCRIPTION
-
Infoblox NetMRI 6.2.1 (latest version available when the vulnerability was 
discovered), 6.1.2 and 6.0.2.42 present multiple Cross-Site Scripting 
vulnerabilities in the eulaAccepted and mode parameters of the admin login 
page, due to insufficient sanitization of user-supplied data and output 
encoding.
A malicious user could perform session hijacking or phishing attacks.

IV. PROOF OF CONCEPT
-
POST /netmri/config/userAdmin/login.tdf HTTP/1.1
Content-Length: 691
Cookie: 
Host: netmrihost:443
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)

formStack=netmri/config/userAdmin/login&eulaAccepted=<script>alert(document.cookie)</script>&mode=<script>alert(document.cookie)</script>&skipjackPassword=ForegroundSecurity&skipjackUsername=ForegroundSecurity&weakPassword=false

V. BUSINESS IMPACT
-
An attacker could perform session hijacking or phishing attacks.

VI. SYSTEMS AFFECTED
-
Infoblox NetMRI 6.2.1 (latest), 6.1.2 and 6.0.2 branches (prior versions have 
not been checked but could be vulnerable too).

VII. SOLUTION
-
Vulnerability fixed in version 6.2.2, available as of 10 Nov 2011.

Also the following security patches are available:

- v6.2.1-NETMRI-8831
- v6.1.2-NETMRI-8831
- v6.0.2-NETMRI-8831


VIII. REFERENCES
-
http://www.infoblox.com/en/products/netmri.html
http://www.foregroundsecurity.com/
http://www.painsec.com

IX. CREDITS
-
This vulnerability has been discovered by Jose Carlos de Arriba (jcarriba (at) 
foregroundsecurity (dot) com, dade (at) painsec (dot) com).

X. REVISION HISTORY
-
- November 10, 2011: Initial release.

XI. DISCLOSURE TIMELINE
-
August 28, 2011: Vulnerability discovered by Jose Carlos de Arriba.
August 28, 2011: Vendor contacted by email.
August 29: Vendor response asking for details.
September 21, 2011: Security advisory sent to vendor.
November 10, 2011: Security Fix released by vendor.
November 10, 2011: Security advisory released.


XII. LEGAL NOTICES
-
The information contained within this advisory is supplied as-is with no 
warranties or guarantees of fitness of use or otherwise.

Jose Carlos de Arriba, CISSP
Senior Security Analyst
Foreground Security
www.foregroundsecurity.com
jcarriba (at) foregroundsecurity (dot) com



Re: [Full-disclosure] Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)

2011-11-11 Thread xD 0x41
not my code dude. i just offered it, for anyone who was interested...

again, people bashing the user, who does nothing but inform :s
good one.





Re: [Full-disclosure] Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)

2011-11-11 Thread xD 0x41
btw, you do realise, it is doing exactly what it is meant to , right ?
it is called a honeypot sir... try figure out WHY it is looping...
then maybe, the code is nicer yes...
i dont really care for it...  i am, making the proper.cpp scanner.
nothing more interests me about it, and, nothing else, i need others
to tell me, thx. I have done this my own b4, please, dont try holding
any hands.
I will only, cut off your feet ;)
later




Re: [Full-disclosure] Steam defaced

2011-11-11 Thread Jacqui Caren
On 10/11/2011 23:25, Henri Salo wrote:
 As I usually have good news.. Here is some more: 
 http://forums.steampowered.com/forums/

 Steam joins the failboat.

It's worse than that Jim, he's dead!

from another mailing list...

On 11/11/11 00:29, Paul M wrote:
   Did you get journalism training at the BBC?
  
   It's their forums, not the game distribution system
Nope, it's credit cards and passwords too:

http://www.pcgamer.com/2011/11/10/steam-database-hacked-encrypted-credit-card-information-and-passwords-compromised/

-- Matthew Bloch

and ---

http://forums.steampowered.com/forums/forumdisplay.php?f=17

We learned that intruders obtained access to a Steam database in addition
to the forums.

  This database contained information including user names, hashed and
salted passwords, game purchases, email addresses, billing addresses and
encrypted credit card information. We do not have evidence that encrypted
credit card numbers or personally identifying information were taken by the
intruders, or that the protection on credit card numbers or passwords was
cracked. We are still investigating.



Re: [Full-disclosure] Steam defaced

2011-11-11 Thread xD 0x41
this is starting to remind me of that time when everyone has like
30 game valid steam licenses... he is dead, Jim!




Re: [Full-disclosure] Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)

2011-11-11 Thread Sergito
PoC ?

http://www.youtube.com/watch?v=4aBE6o0oDlo

[]'s
Sergito


2011/11/10 Thor (Hammer of God) t...@hammerofgod.com

 So, I've looked about on the web to see what software of any consequence
 you have written, but I can't find any.  Can you point me to anything that
 illustrates that you know how to develop wide scale software applications
 and execute an SDL plan, or do you just like to sit back and bitch about
 everyone else without actually doing anything?  I'm serious - I'd really
 like to know.  Over all these years, all I've ever seen from you is talk
 about how stupid everyone else is, but I've never once actually seen you do
 anything constructive.

 t

 -Original Message-
 From: full-disclosure-boun...@lists.grok.org.uk [mailto:
 full-disclosure-boun...@lists.grok.org.uk] On Behalf Of Georgi Guninski
 Sent: Thursday, November 10, 2011 8:48 AM
 To: xD 0x41
 Cc: full-disclosure@lists.grok.org.uk
 Subject: Re: [Full-disclosure] Microsoft Windows vulnerability in TCP/IP
 Could Allow Remote Code Execution (2588516)

 On Thu, Nov 10, 2011 at 08:46:44AM +1100, xD 0x41 wrote:
  You could just google for IRC packs of win2k src ;) I know i have a
  copy of it somewhere... actually tho, would not be helpful tho, as it
  does not affect win2k.. so i guess there would be some code there but
  not the code you want.
 
  @george
  and, ideally if 'years' ago existed for this exploit but, it does only
  affect v6 and up , this is tested so xp/2k/2k3 not affected...
  still, i know people are using other ways anyhow , and thats just how
  botting is... one way dies, one takes its place :s i guess we wait for
  the rls of this.. maybe!
 
 

 as in real life, real bugs die (the imaginary case is not clear to me).

 i suppose trustworthy computing doesn't mean not many bugs still alive.

 --
 j


Re: [Full-disclosure] Steam defaced

2011-11-11 Thread Sam Johnston
On Fri, Nov 11, 2011 at 12:54 AM, xD 0x41 sec...@gmail.com wrote:

 about the clouds, dude, i found the whole attacking of amazon as rude,

So did I, which is why I came to Amazon's defense in pointing out that
those in glass houses shouldn't be throwing stones. The company
(Enomaly) abusing Amazon over a complex SAML XML digsig
vulnerability[1] was/is still using a trivial vulnerable signature
mechanism in their own products that Amazon had fixed years ago[2],
among other issues which I had reported 6+ months earlier (not
validating requests, passing prices to clients in hidden form fields,
etc). Their security response is also appalling[3].

 and shit, so, as i said before, your a lamer. and, just stfu and wear
 it, thats MY opinion i did not say the whole list has to follow
 shithead.

 stfu and ride your magical carpet thru the clouds... :P~
 to the others who find cloud bs amusing, or ripping or fucking with
 amazon as amusing, go read what your kids are buying shit from.. then
 maybe you would see, some places, you do not fuck with, you treat
 with respect, because they sometimes wont affect you directly, but
 oneday, it may well do this, thanks to your silly exploits on things
 that should not be used like this, features manipulated into
 exploits...shit, you should not be disclosing shit with amazon, on Fd,
 fullstop.
 If you cannot see my view then, your just as stupid as i have thought.
 now go play with your cloud formations, and upload some f1les to s0m3
 l33t 4p4ch3 s3rv3r kid.

 eh sorry henri and others, but i had to just get that out to, about
 cloud/sploitcloud... it is fkn ridiculous...asking for trouble, people
 like that should get knocks on the door, simply to be put into a
 mental home for their own good.

Sorry for the confusion but that's not at all what I said[4]. No harm
done — others replied off list to say they found it amusing. Anyway I
have a credit card to go cancel (per the subject of this thread).

Sam

1. http://www.theregister.co.uk/2011/11/01/amazon_downplays_cloud_crypto_flaw/
2. 
http://www.daemonology.net/blog/2008-12-18-AWS-signature-version-1-is-insecure.html
3. http://samj.net/2011/11/how-not-to-respond-to-vulnerability.html
4. http://samj.net/2011/10/sploitcloud.html



Re: [Full-disclosure] Steam defaced

2011-11-11 Thread xD 0x41
Hi!
Hrm, well, i guess the best thing then is to maybe re-tell them a bit
about it... maybe I should try adding in a report of report :s , as I'm
an amazon user, and, it is so big, that so many could be affected for
nothing, and really, i am a free user so, i'd lose nothing but, i know
my family, has used it for simply books etc...which, makes me a bit
paranoid with it.. but, I am sorry, i did not take enough time to
read, i was busy, and just saw a bit of a laugh at first, without
really seeing why :s
i can say sorry, and will, and hope that Amazon is bloody listening this time!
if not, we can make them :)
i know, that it should be repaired, if it is not secure, and best way,
is always thru discussion and bringing it to places like here to
scrutinise..so in fact, we pretty much, agree on this, and then have
more power with amazon, as there is then 2 minds on it.. and, this
would then be hard to ignore, as, only more people would just
privately add their own comments i'm sure, as users that is..(if
users)..
I will try to get anything within the system, fixed, so, maybe i
should be writing less emails when i am not feeling well :s.
I apologise for my rudeness earlier... i was, and have had, a bad
day... a blown box, (my best box..) amongst other things :s... anyhow,
I do wish only best for amazon, so, any infos on this, and, on the
earlier reports etc and how they then handled it, i guess is what i'll
be looking for.
i seem to have a good rapport with the staff there, and, they have
done me many favors, so, i could always try to speak to them too :s
i guess every word counts...when it comes to matters where, one voice
just, does not ring thru enough... and, they are so big, you could
just get one lazy ass admin who doesn't want to patch...and, it would
take then, persistence...
So, if this is the case and, you're being ignored, we could easily solve that..
I will read more on this and your links when i wake... i am now in
sleepy land, and , already half asleep..so, all i say is, sorry for
the misunderstanding, i am a bit of an arsehole at times :s but feel
free to kick my butt back :P
hehe.
take care, and thanks, for being a good sport.
if you code, please feel free to join my competition...and, with that,
every donation received by my non profit website, would be shown, as
going directly back into competition prizes/hosting. This would be
shown, and, i guess it would prove to be very bad, if i weren't keepin
that word.. but, i have, and will uphold this... and, am forking out
the prize (yes a nice Kindle Pad from amazon), the newer models, are
very very nice, but, it will be even newer by the first draw... so, i
implore people with the extra bux, to read how to donate! and, this
way, i would happily, run 250-300bux code prizes, on a very regular
basis.
Thank you to those who are already participating, feel free to register
or email me about it, and, i will add you in...

now taking, skilled coders/pocs, and for more in-depth rules, regarding
how it will be judged and what will be judged as materials..well, you
may want to speak to me or my staff about this, but, it basically is ,
all for the coders.
as it was, always before it was 'popular'..
cheers!

xd-- @ #HaxNET,#HaxSHELLS@EFNET

http://crazycoders.com/2011/11/craziest-coders-ever-and-links/
COMPETITION, but for in-depth rules and judging, please ask
me, or i'll maybe add that into the online space in next day..but
basically d0s is not in, 0days are not what makes the prize and coding
skills will be judged,
Coding Styles/Methods used/Originality/Unique-exploitation vectors,
uses of methods which are uncommon or, different and of course simply
writing the better codes
No matter what the overflow, all stack based will be of course, judged
more in-depth, as with simply a GOOD PC which, covers all elements of the
PoC details, only 2010-2011 will be judged, since, we are NOT in 2009
anymore.
Hope this will bring some people fun and, all donates will be sat on,
to make sure they're NOT illegit, so dont even waste time if you're a carder
:)







Re: [Full-disclosure] Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)

2011-11-11 Thread Jon Kertz
On Thu, Nov 10, 2011 at 2:59 PM, xD 0x41 sec...@gmail.com wrote:
 About the PPS, i think thats a very bad summary of the exploit, 49days
 to send a packet, my butt.
 There is many people assuming wrong things, when it can be done with
 seconds, syscanner would scan a -b class in minutes, remember it only
 has to find the vulns, gather, then it would break scan, and trigger
 vuln... so in real world botnet, yes then, with tcpip patchers, like
 so many ppl i know myself, even use (tcpipz)patcher ) , which rocks...
 and it is ONLY one which actually works, when you maybe modify the src
 so the sys file, is dropped from within a .cpp file, well thats up to
 you but thats better way to make it work, this will open
 sockets/threads, as i could, easily prove with one exe, but, the goal
 is, to trigger the vuln then exploit it, less than 49days :P , so ,
 i guess if this exploit, in real form, gathered 2 million hosts over 3
 nights.. i guessing that the exploit, could possibly be triggered with
 ONE properly setup packet.. people forget that, a packet is one thing,
 and a crafted UDP packet, is quite another..

I'd really like to see you actually explain this bug with code. Either
with a poc or with the disassembly. You seem to act like you know
what's going on, but so far your description has been off base (from
what I can make of your writing).

No one cares about paragraphs of speculation and bragging, code or you
are just another heavy breather in the perv closet of FD.



Re: [Full-disclosure] Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)

2011-11-11 Thread Ryan Dewhurst
I think Jon just said what everyone else was thinking, he said what I
was thinking at least.



[Full-disclosure] [ MDVSA-2011:170 ] java-1.6.0-openjdk

2011-11-11 Thread security
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ___

 Mandriva Linux Security Advisory MDVSA-2011:170
 http://www.mandriva.com/security/
 ___

 Package : java-1.6.0-openjdk
 Date: November 11, 2011
 Affected: 2010.1, 2011., Enterprise Server 5.0
 ___

 Problem Description:

 Security issues were identified and fixed in openjdk (icedtea6)
 and icedtea-web:
 
 IcedTea6 prior to 1.10.4 allows remote untrusted Java Web Start
 applications and untrusted Java applets to affect confidentiality
 via unknown vectors related to Networking (CVE-2011-3547).
 
 IcedTea6 prior to 1.10.4 allows remote untrusted Java Web Start
 applications and untrusted Java applets to affect confidentiality,
 integrity, and availability, related to AWT (CVE-2011-3548).
 
 IcedTea6 prior to 1.10.4 allows remote attackers to affect
 confidentiality, integrity, and availability via unknown vectors
 related to 2D (CVE-2011-3551).
 
 IcedTea6 prior to 1.10.4 allows remote attackers to affect integrity
 via unknown vectors related to Networking (CVE-2011-3552).
 
 IcedTea6 prior to 1.10.4 allows remote authenticated users to affect
 confidentiality, related to JAXWS (CVE-2011-3553).
 
 IcedTea6 prior to 1.10.4 allows remote untrusted Java Web Start
 applications and untrusted Java applets to affect confidentiality,
 integrity, and availability via unknown vectors related to Scripting
 (CVE-2011-3544).
 
 IcedTea6 prior to 1.10.4 allows remote untrusted Java Web Start
 applications and untrusted Java applets to affect confidentiality,
 integrity, and availability via unknown vectors related to
 Deserialization (CVE-2011-3521).
 
 IcedTea6 prior to 1.10.4 allows remote untrusted Java Web Start
 applications and untrusted Java applets to affect confidentiality,
 integrity, and availability via unknown vectors (CVE-2011-3554).
 
 A flaw was found in the way the SSL 3 and TLS 1.0 protocols used
 block ciphers in cipher-block chaining (CBC) mode. An attacker able
 to perform a chosen plain text attack against a connection mixing
 trusted and untrusted data could use this flaw to recover portions
 of the trusted data sent over the connection (CVE-2011-3389).
 
 Note: This update mitigates the CVE-2011-3389 issue by splitting
 the first application data record byte to a separate SSL/TLS
 protocol record. This mitigation may cause compatibility issues
 with some SSL/TLS implementations and can be disabled using the
 jsse.enableCBCProtection boolean property. This can be done on the
 command line by appending the flag -Djsse.enableCBCProtection=false
 to the java command.
 
 IcedTea6 prior to 1.10.4 allows remote untrusted Java Web Start
 applications and untrusted Java applets to affect confidentiality
 via unknown vectors related to HotSpot (CVE-2011-3558).
 
 IcedTea6 prior to 1.10.4 allows remote attackers to affect
 confidentiality, integrity, and availability, related to RMI
 (CVE-2011-3556).
 
 IcedTea6 prior to 1.10.4 allows remote attackers to affect
 confidentiality, integrity, and availability, related to RMI
 (CVE-2011-3557).
 
 IcedTea6 prior to 1.10.4 allows remote untrusted Java Web Start
 applications and untrusted Java applets to affect confidentiality
 and integrity, related to JSSE (CVE-2011-3560).
 
 Deepak Bhole discovered a flaw in the Same Origin Policy (SOP)
 implementation in the IcedTea project Web browser plugin. A
 malicious applet could use this flaw to bypass SOP protection and
 open connections to any sub-domain of the second-level domain of
 the applet's origin, as well as any sub-domain of the domain that
 is the suffix of the origin second-level domain.  For example,
 IcedTea-Web plugin allowed applet from some.host.example.com to
 connect to other.host.example.com, www.example.com, and example.com,
 as well as www.ample.com or ample.com. (CVE-2011-3377).
 ___

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3547
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3548
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3551
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3552
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3553
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3544
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3521
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3554
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3389
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3558
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3556
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3557
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3560
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3377
 

Re: [Full-disclosure] Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)

2011-11-11 Thread Mario Vilas
I liked the heavy breather in the perv closet bit.

On Fri, Nov 11, 2011 at 5:43 PM, Ryan Dewhurst ryandewhu...@gmail.comwrote:

 I think Jon just said what everyone else was thinking, he said what I
 was thinking at least.

 On Fri, Nov 11, 2011 at 1:54 PM, Jon Kertz jon.ke...@gmail.com wrote:
  On Thu, Nov 10, 2011 at 2:59 PM, xD 0x41 sec...@gmail.com wrote:
  About the PPS, I think that's a very bad summary of the exploit; 49 days
  to send a packet, my butt.
  There are many people assuming wrong things, when it can be done within
  seconds. syscanner would scan a class B in minutes; remember it only
  has to find the vulns, gather, then it would break scan and trigger the
  vuln... so in a real-world botnet, yes, then, with tcpip patchers, like
  so many people I know myself even use (tcpipz patcher), which rocks...
  and it is the ONLY one which actually works, when you maybe modify the src
  so the sys file is dropped from within a .cpp file; well, that's up to
  you, but that's a better way to make it work. This will open
  sockets/threads, as I could easily prove with one exe, but the goal
  is to trigger the vuln then exploit it in less than 49 days :P, so
  I guess if this exploit, in real form, gathered 2 million hosts over 3
  nights.. I'm guessing that the exploit could possibly be triggered with
  ONE properly set-up packet.. people forget that a packet is one thing,
  and a crafted UDP packet is quite another..
 
  I'd really like to see you actually explain this bug with code. Either
  with a poc or with the disassembly. You seem to act like you know
  what's going on, but so far your description has been off base (from
  what I can make of your writing).
 
  No one cares about paragraphs of speculation and bragging, code or you
  are just another heavy breather in the perv closet of FD.
 
  ___
  Full-Disclosure - We believe in it.
  Charter: http://lists.grok.org.uk/full-disclosure-charter.html
  Hosted and sponsored by Secunia - http://secunia.com/
 





-- 
“There's a reason we separate military and the police: one fights the enemy
of the state, the other serves and protects the people. When the military
becomes both, then the enemies of the state tend to become the people.”

Re: [Full-disclosure] Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)

2011-11-11 Thread Gary Baribault
Talk is indeed cheap!

Gary B

On 11/11/2011 11:43 AM, Ryan Dewhurst wrote:
 I think Jon just said what everyone else was thinking, he said what I
 was thinking at least.

 On Fri, Nov 11, 2011 at 1:54 PM, Jon Kertz jon.ke...@gmail.com wrote:
 On Thu, Nov 10, 2011 at 2:59 PM, xD 0x41 sec...@gmail.com wrote:
 About the PPS, I think that's a very bad summary of the exploit; 49 days
 to send a packet, my butt.
 There are many people assuming wrong things, when it can be done within
 seconds. syscanner would scan a class B in minutes; remember it only
 has to find the vulns, gather, then it would break scan and trigger the
 vuln... so in a real-world botnet, yes, then, with tcpip patchers, like
 so many people I know myself even use (tcpipz patcher), which rocks...
 and it is the ONLY one which actually works, when you maybe modify the src
 so the sys file is dropped from within a .cpp file; well, that's up to
 you, but that's a better way to make it work. This will open
 sockets/threads, as I could easily prove with one exe, but the goal
 is to trigger the vuln then exploit it in less than 49 days :P, so
 I guess if this exploit, in real form, gathered 2 million hosts over 3
 nights.. I'm guessing that the exploit could possibly be triggered with
 ONE properly set-up packet.. people forget that a packet is one thing,
 and a crafted UDP packet is quite another..
 I'd really like to see you actually explain this bug with code. Either
 with a poc or with the disassembly. You seem to act like you know
 what's going on, but so far your description has been off base (from
 what I can make of your writing).

 No one cares about paragraphs of speculation and bragging, code or you
 are just another heavy breather in the perv closet of FD.






Re: [Full-disclosure] Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)

2011-11-11 Thread Thor (Hammer of God)
Yeah, I gotta say, I'm going to use it at some point ;)

From: full-disclosure-boun...@lists.grok.org.uk 
[mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of Mario Vilas
Sent: Friday, November 11, 2011 9:02 AM
To: Ryan Dewhurst
Cc: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Microsoft Windows vulnerability in TCP/IP Could 
Allow Remote Code Execution (2588516)

I liked the "heavy breather in the perv closet" bit.
On Fri, Nov 11, 2011 at 5:43 PM, Ryan Dewhurst ryandewhu...@gmail.com wrote:
I think Jon just said what everyone else was thinking, he said what I
was thinking at least.

On Fri, Nov 11, 2011 at 1:54 PM, Jon Kertz jon.ke...@gmail.com wrote:
 On Thu, Nov 10, 2011 at 2:59 PM, xD 0x41 sec...@gmail.com wrote:
 About the PPS, I think that's a very bad summary of the exploit; 49 days
 to send a packet, my butt.
 There are many people assuming wrong things, when it can be done within
 seconds. syscanner would scan a class B in minutes; remember it only
 has to find the vulns, gather, then it would break scan and trigger the
 vuln... so in a real-world botnet, yes, then, with tcpip patchers, like
 so many people I know myself even use (tcpipz patcher), which rocks...
 and it is the ONLY one which actually works, when you maybe modify the src
 so the sys file is dropped from within a .cpp file; well, that's up to
 you, but that's a better way to make it work. This will open
 sockets/threads, as I could easily prove with one exe, but the goal
 is to trigger the vuln then exploit it in less than 49 days :P, so
 I guess if this exploit, in real form, gathered 2 million hosts over 3
 nights.. I'm guessing that the exploit could possibly be triggered with
 ONE properly set-up packet.. people forget that a packet is one thing,
 and a crafted UDP packet is quite another..

 I'd really like to see you actually explain this bug with code. Either
 with a poc or with the disassembly. You seem to act like you know
 what's going on, but so far your description has been off base (from
 what I can make of your writing).

 No one cares about paragraphs of speculation and bragging, code or you
 are just another heavy breather in the perv closet of FD.






--
There's a reason we separate military and the police: one fights the enemy of 
the state, the other serves and protects the people. When the military becomes 
both, then the enemies of the state tend to become the people.

Re: [Full-disclosure] Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)

2011-11-11 Thread Dan Ballance
Would scapy be a suitable tool to attempt this kind of packet manipulation
with? I'm a programmer, but I'm new to this kind of
network/packet-level/security scripting.

What tools / frameworks / languages etc do you guys use to write these
kinds of exploit scripts?

cheers,

dan :)

(keep forgetting I need to reply-all on this list)

On 11 November 2011 17:01, Mario Vilas mvi...@gmail.com wrote:

 I liked the "heavy breather in the perv closet" bit.


 On Fri, Nov 11, 2011 at 5:43 PM, Ryan Dewhurst ryandewhu...@gmail.com wrote:

 I think Jon just said what everyone else was thinking, he said what I
 was thinking at least.

 On Fri, Nov 11, 2011 at 1:54 PM, Jon Kertz jon.ke...@gmail.com wrote:
  On Thu, Nov 10, 2011 at 2:59 PM, xD 0x41 sec...@gmail.com wrote:
  About the PPS, I think that's a very bad summary of the exploit; 49 days
  to send a packet, my butt.
  There are many people assuming wrong things, when it can be done within
  seconds. syscanner would scan a class B in minutes; remember it only
  has to find the vulns, gather, then it would break scan and trigger the
  vuln... so in a real-world botnet, yes, then, with tcpip patchers, like
  so many people I know myself even use (tcpipz patcher), which rocks...
  and it is the ONLY one which actually works, when you maybe modify the src
  so the sys file is dropped from within a .cpp file; well, that's up to
  you, but that's a better way to make it work. This will open
  sockets/threads, as I could easily prove with one exe, but the goal
  is to trigger the vuln then exploit it in less than 49 days :P, so
  I guess if this exploit, in real form, gathered 2 million hosts over 3
  nights.. I'm guessing that the exploit could possibly be triggered with
  ONE properly set-up packet.. people forget that a packet is one thing,
  and a crafted UDP packet is quite another..
 
  I'd really like to see you actually explain this bug with code. Either
  with a poc or with the disassembly. You seem to act like you know
  what's going on, but so far your description has been off base (from
  what I can make of your writing).
 
  No one cares about paragraphs of speculation and bragging, code or you
  are just another heavy breather in the perv closet of FD.
 
 





 --
 “There's a reason we separate military and the police: one fights
 the enemy of the state, the other serves and protects the people. When
 the military becomes both, then the enemies of the state tend to become the
 people.”




Re: [Full-disclosure] Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)

2011-11-11 Thread Ryan Dewhurst
An attempt at a possible MS11-083 DoS/PoC exploit, by @hackerfantastic:

http://pastebin.com/fjZ1k0fi

On Fri, Nov 11, 2011 at 5:08 PM, Thor (Hammer of God)
t...@hammerofgod.com wrote:
 Yeah, I gotta say, I’m going to use it at some point ;)



 From: full-disclosure-boun...@lists.grok.org.uk
 [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of Mario Vilas
 Sent: Friday, November 11, 2011 9:02 AM
 To: Ryan Dewhurst

 Cc: full-disclosure@lists.grok.org.uk
 Subject: Re: [Full-disclosure] Microsoft Windows vulnerability in TCP/IP
 Could Allow Remote Code Execution (2588516)



 I liked the "heavy breather in the perv closet" bit.

 On Fri, Nov 11, 2011 at 5:43 PM, Ryan Dewhurst ryandewhu...@gmail.com
 wrote:

 I think Jon just said what everyone else was thinking, he said what I
 was thinking at least.

 On Fri, Nov 11, 2011 at 1:54 PM, Jon Kertz jon.ke...@gmail.com wrote:
 On Thu, Nov 10, 2011 at 2:59 PM, xD 0x41 sec...@gmail.com wrote:
 About the PPS, I think that's a very bad summary of the exploit; 49 days
 to send a packet, my butt.
 There are many people assuming wrong things, when it can be done within
 seconds. syscanner would scan a class B in minutes; remember it only
 has to find the vulns, gather, then it would break scan and trigger the
 vuln... so in a real-world botnet, yes, then, with tcpip patchers, like
 so many people I know myself even use (tcpipz patcher), which rocks...
 and it is the ONLY one which actually works, when you maybe modify the src
 so the sys file is dropped from within a .cpp file; well, that's up to
 you, but that's a better way to make it work. This will open
 sockets/threads, as I could easily prove with one exe, but the goal
 is to trigger the vuln then exploit it in less than 49 days :P, so
 I guess if this exploit, in real form, gathered 2 million hosts over 3
 nights.. I'm guessing that the exploit could possibly be triggered with
 ONE properly set-up packet.. people forget that a packet is one thing,
 and a crafted UDP packet is quite another..

 I'd really like to see you actually explain this bug with code. Either
 with a poc or with the disassembly. You seem to act like you know
 what's going on, but so far your description has been off base (from
 what I can make of your writing).

 No one cares about paragraphs of speculation and bragging, code or you
 are just another heavy breather in the perv closet of FD.






 --
 “There's a reason we separate military and the police: one fights the enemy
 of the state, the other serves and protects the people. When the military
 becomes both, then the enemies of the state tend to become the people.”



[Full-disclosure] ZDI-11-328 : ProFTPD Response Pool Use-After-Free Remote Code Execution Vulnerability

2011-11-11 Thread ZDI Disclosures
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

ZDI-11-328 : ProFTPD Response Pool Use-After-Free Remote Code
Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-11-328
November 11, 2011

- -- CVE ID:


- -- CVSS:
9, AV:N/AC:L/Au:S/C:C/I:C/A:C

- -- Affected Vendors:

ProFTPD



- -- Affected Products:

ProFTPD FTP Server



- -- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of the ProFTPD server. Authentication is
required to exploit this vulnerability in order to have access to the
ftp command set.

The specific flaw exists within how the server manages the response pool
that is used to send responses from the server to the client. When
handling an exceptional condition the application will fail to restore
the original response pointer which will allow there to be more than one
reference to the response pointer. The next time it is used, a memory
corruption can be made to occur which can allow for code execution under
the context of the application.

- -- Vendor Response:

ProFTPD has issued an update to correct this vulnerability. More details
can be found at:

http://bugs.proftpd.org/show_bug.cgi?id=3711



- -- Disclosure Timeline:
2011-10-28 - Vulnerability reported to vendor
2011-11-11 - Coordinated public release of advisory

- -- Credit:
This vulnerability was discovered by:

* Anonymous



- -- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.

Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:

http://www.zerodayinitiative.com

The ZDI is unique in how the acquired vulnerability information is
used. TippingPoint does not re-sell the vulnerability details or any
exploit code. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.

Our vulnerability disclosure policy is available online at:

http://www.zerodayinitiative.com/advisories/disclosure_policy/

Follow the ZDI on Twitter:

http://twitter.com/thezdi
-BEGIN PGP SIGNATURE-
Version: GnuPG v2.0.17 (MingW32)

iQEcBAEBAgAGBQJOvXz0AAoJEFVtgMGTo1scMAUH/31rmHvtuUPlo6ZCtWPticzo
o2EWPQfH62BEa496tR3d8kBkTJciT4c54GZc6bpxCvpDao9fIwi6AbqIxQpL3Ea3
U6EHf1Ffod1OSiIppC0BQZ5RVZpAi5FgYzMjUVxIxaILBQmIDUI9+78zIuPYURXs
7Xw0wcCHqx0qPt10trQmCs+S5vrt68Txn/pWZRALin9+87KnQF0zmtfSlDzr+fZq
0T/rp/Q/9wq/qCrYMXh6hqt4WSyHo+mkzC4uzJNIq1OIgPKmhyajv5DRbGyHBg73
nLZG6Norg2B3hrFAm1A3u+krFbQZ9QDzwStbzaADWCyVrbwerK0PHYx8Cy4P/Mc=
=dF8c
-END PGP SIGNATURE-
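The advisory above describes a bug class rather than a code path: a saved pointer that is put back on the normal return path but not on the exceptional one, so a later response is built from memory that has already been released. What follows is an added Python model of that pattern written for this page; it is not ProFTPD's code, and the Pool, Session, run_command and handler names are constructed for the example (the real server is C, where the stale pointer is a silent use-after-free rather than a raised exception). The buggy handler swaps in a scratch pool for one command and returns early on error without restoring the session's pool pointer; the fixed handler performs the restore in a finally block, so every exit path is covered.

```python
class UseAfterFree(RuntimeError):
    """Raised by this model where real C would silently corrupt memory."""


class CommandError(Exception):
    pass


class Pool:
    """Minimal stand-in for a pool allocator: allocations are valid only
    while the pool is alive; destroy() releases everything in it at once."""

    def __init__(self, name):
        self.name = name
        self.destroyed = False

    def alloc(self, data):
        if self.destroyed:
            raise UseAfterFree(f"allocation from destroyed pool '{self.name}'")
        return data

    def destroy(self):
        self.destroyed = True


class Session:
    """Per-connection state; resp_pool is the pointer responses are built from."""

    def __init__(self):
        self.resp_pool = Pool("session-responses")


def run_command(cmd):
    """Hypothetical command dispatcher: anything but NOOP is an error."""
    if cmd == "NOOP":
        return "200 NOOP command successful"
    raise CommandError("command not understood")


def handle_command_buggy(sess, cmd):
    """Swap in a scratch pool for this command's responses, then destroy it.
    The error path returns without restoring sess.resp_pool, so the session
    keeps referring to the pool that was just destroyed."""
    saved = sess.resp_pool
    scratch = Pool("scratch")
    sess.resp_pool = scratch
    try:
        reply = run_command(cmd)
    except CommandError as exc:
        scratch.destroy()
        return f"500 {exc}"          # BUG: saved pointer never restored
    sess.resp_pool = saved
    scratch.destroy()
    return reply


def handle_command_fixed(sess, cmd):
    """Same flow, but the restore runs on every exit path."""
    saved = sess.resp_pool
    scratch = Pool("scratch")
    sess.resp_pool = scratch
    try:
        return run_command(cmd)
    except CommandError as exc:
        return f"500 {exc}"
    finally:
        sess.resp_pool = saved       # restore before the scratch pool dies
        scratch.destroy()


def send_response(sess, text):
    """The next response after the command is built from sess.resp_pool."""
    return sess.resp_pool.alloc(text)


def demo(handler):
    """Drive one handler through a failing command, then a normal response.
    Returns the response text, or the UseAfterFree the model caught."""
    sess = Session()
    handler(sess, "BOGUS")                # exceptional path
    try:
        return send_response(sess, "220 ready for next command")
    except UseAfterFree as exc:
        return exc


if __name__ == "__main__":
    print("buggy:", demo(handle_command_buggy))
    print("fixed:", demo(handle_command_fixed))
```

The point to carry back to C code is the shape of the fix, not the Python idiom: whatever state a function saves and swaps must be restored on the error branch as well as the success branch, and the restore must happen before the temporary resource is released.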



[Full-disclosure] [SECURITY] [DSA 2344-1] python-django-piston security update

2011-11-11 Thread Florian Weimer
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- -
Debian Security Advisory DSA-2344-1   secur...@debian.org
http://www.debian.org/security/Florian Weimer
November 11, 2011  http://www.debian.org/security/faq
- -

Package: python-django-piston
Vulnerability  : deserialization vulnerability
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2011-4103
Debian Bug : 647315

It was discovered that the Piston framework can deserialize untrusted
YAML and Pickle data, leading to remote code execution. (CVE-2011-4103)

The old stable distribution (lenny) does not contain a
python-django-piston package.

For the stable distribution (squeeze), this problem has been fixed in
version 0.2.2-1+squeeze1.

For the testing distribution (wheezy) and the unstable distribution
(sid), this problem has been fixed in version 0.2.2-2.

We recommend that you upgrade your python-django-piston packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.9 (GNU/Linux)

iQEcBAEBAgAGBQJOvYoMAAoJEL97/wQC1SS+D8AH/3DiGitk5hOvsN4rLl7KQWSO
d3MvnfplQWW/tHgKCYo1KqMhGBUXYO0SB7y6IpxP85hsPBK+RBa6SH92lLAHGyJM
yYjOik2BtDlVHno0733DgOR5KqymUmAx+cs84Uw5Cl+F/m8ao3+Re+kUvldXmsy5
aJeHCI0HxETmW6QtA719mWolVenJGSf37+chi8vMgQXibFk4H2BbCztq9OuFsFxK
1rLLwalOurdEaui8hqUrgtp2gWIiLEhmXaS5ZdRKh6fvRiyQVNKuC8zXKeHArD7b
G+iGr3wadAP4maTxw3Pf+jdo0AiTVCMTemvgjx3glJdP3Yo4sz0mTeuYmGL1vI8=
=SY+6
-END PGP SIGNATURE-
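As an added illustration of why this class of bug is remote code execution rather than a data-integrity problem, here is a stand-alone Python example that is not Piston's or Debian's code. It uses only the standard library and shows, with a harmless recorder function standing in for os.system, that pickle.loads() on attacker-supplied bytes runs whatever callable the attacker named; it then shows one way to refuse such input, an Unpickler subclass whose find_class rejects every global lookup, which still loads pickles made of plain data. The MaliciousObject, attacker_callable and demo names are constructed for the example. PyYAML has the same property: yaml.load() with the full Loader builds arbitrary Python objects from untrusted input, and the remedy there is yaml.safe_load(); that side is not shown because it needs a third-party module.

```python
import io
import pickle

# Records whether deserialisation invoked attacker-chosen code.  A real
# payload would name os.system or subprocess.Popen here; this harmless
# recorder is constructed for the example.
EXECUTED = []


def attacker_callable(marker):
    """Stand-in for the command an attacker's pickle would run."""
    EXECUTED.append(marker)
    return marker


class MaliciousObject:
    """A pickle carries instructions, not just data: __reduce__ lets the
    serialised object name any importable callable plus its arguments,
    and pickle.loads() calls it before returning."""

    def __reduce__(self):
        return (attacker_callable, ("pwned",))


def build_payload():
    """The bytes an attacker would send to a handler that unpickles input."""
    return pickle.dumps(MaliciousObject())


def unsafe_load(data):
    """Pre-fix behaviour: plain pickle.loads() on request data."""
    return pickle.loads(data)


class RestrictedUnpickler(pickle.Unpickler):
    """Refuse every global lookup.  Plain data (dict, list, tuple, str,
    bytes, int, float, bool, None) is encoded with dedicated opcodes at
    protocol 2 and above and never reaches find_class, so it still loads."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(
            f"refusing to resolve {module}.{name} from untrusted pickle")


def safe_load(data):
    """Deserialise with the restricted unpickler; any callable aborts the load."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def demo():
    """Run the unsafe and restricted loaders on the same payload and return
    what happened, so the outcome can be checked rather than printed."""
    payload = build_payload()

    EXECUTED.clear()
    unsafe_load(payload)                 # attacker_callable runs here
    unsafe_executed = EXECUTED == ["pwned"]

    EXECUTED.clear()
    try:
        safe_load(payload)
        safe_blocked = False
    except pickle.UnpicklingError:
        safe_blocked = EXECUTED == []    # refused, and nothing ran

    # A legitimate plain-data pickle still round-trips through the restricted loader.
    sample = {"id": 7, "tags": ["a", "b"], "ok": True,
              "blob": b"\x00\x01", "score": 2.5, "none": None}
    roundtrip_ok = safe_load(pickle.dumps(sample)) == sample

    return {"unsafe_executed": unsafe_executed,
            "safe_blocked": safe_blocked,
            "roundtrip_ok": roundtrip_ok}


if __name__ == "__main__":
    print(demo())
```

Restricting find_class is a containment measure for code that cannot drop pickle outright; where the wire format is under your control, a format with no object-construction semantics (JSON, or YAML through yaml.safe_load) removes the problem rather than fencing it.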



[Full-disclosure] [SECURITY] [DSA 2345-1] icedove security update

2011-11-11 Thread Florian Weimer
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- -
Debian Security Advisory DSA-2345-1   secur...@debian.org
http://www.debian.org/security/Florian Weimer
November 11, 2011  http://www.debian.org/security/faq
- -

Package: icedove
Vulnerability  : several
Problem type   : local (remote)
Debian-specific: no
CVE ID : CVE-2011-3647 CVE-2011-3648 CVE-2011-3650

Several vulnerabilities have been discovered in Icedove, a mail client
based on Thunderbird.

CVE-2011-3647
The JSSubScriptLoader does not properly handle
XPCNativeWrappers during calls to the loadSubScript method in
an add-on, which makes it easier for remote attackers to gain
privileges via a crafted web site that leverages certain
unwrapping behavior.

CVE-2011-3648
A cross-site scripting (XSS) vulnerability allows remote
attackers to inject arbitrary web script or HTML via crafted
text with Shift JIS encoding.

CVE-2011-3650 
Iceweasel does not properly handle JavaScript files that
contain many functions, which allows user-assisted remote
attackers to cause a denial of service (memory corruption and
application crash) or possibly have unspecified other impact
via a crafted file that is accessed by debugging APIs, as
demonstrated by Firebug.

For the stable distribution (squeeze), these problems have been fixed
in version 3.0.11-1+squeeze6.

For the testing distribution (wheezy) and the unstable distribution
(sid), these problems have been fixed in version 3.1.15-1.

We recommend that you upgrade your icedove packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.9 (GNU/Linux)

iQEcBAEBAgAGBQJOvZIdAAoJEL97/wQC1SS+eRsIAJE6hacrJBLdG2FezXbqKK2B
juHyC245DzaZ2sqO4RsP6VDKNdop6URQljoJfn7ewh4tw4oribXhV00CiwpFaLM7
ui+YKyJ22vCtrp5DBIzsirR08c7/Dy+jKDa2iq4jCJDjmEzpbfHzFbW6jaMKtoge
7SBGbmaHVKyJbLhIY9E9i1U72EJrBJNqQ31gChvaZpJ0N6LzYL4z/ze4lXLgcS6R
k/0XH396nbLO2zgFxi0ok9iYQZblCoIlDTiTpLqWVFyeFG7LHh15LZPgUclhwZoe
8PhOByLk9/YcRW+ooKKjYwfT1qzYOOuU8y4ozPEKLMx5dHC9H2//xKviQNMJO+4=
=uqXx
-END PGP SIGNATURE-



[Full-disclosure] Skype Vendor Website - Cross Site Scripting Vulnerability

2011-11-11 Thread resea...@vulnerability-lab.com
Title:
==
Skype Vendor Website - Cross Site Scripting Vulnerability


Date:
=
2011-11-11


References:
===
http://www.vulnerability-lab.com/get_content.php?id=309


VL-ID:
=
309


Introduction:
=
Skype is a software application that allows users to make voice and video calls 
and chats over the Internet. Calls to other users within the
Skype service are free, while calls to both traditional landline telephones and 
mobile phones can be made for a fee using a debit-based
user account system. Skype has also become popular for its additional features 
which include instant messaging, file transfer, and
videoconferencing. Skype has 663 million registered users as of 2010.  The 
network is operated by Skype Limited, which has its headquarters
in Luxembourg. Most of the development team and 44% of the overall employees of 
Skype are situated in the offices of Tallinn and Tartu, Estonia.

(Copy of the Vendor Homepage: http://en.wikipedia.org/wiki/Skype)


Abstract:
=
The Vulnerability-Lab Team discovered a cross site scripting vulnerability on 
the Skype main vendor website.


Report-Timeline:

2011-11-04: Vendor Notification
2011-11-05: Vendor Response/Feedback
2011-11-10: Vendor Fix/Patch 
2011-11-11: Public or Non-Public Disclosure


Status:

Published


Exploitation-Technique:
===
Remote


Severity:
=
Low


Details:

A non-persistent cross site scripting vulnerability is detected on the Skype 
vendor website. The vulnerability allows remote attackers to hijack Skype 
customer sessions via cross site scripting. Successful exploitation of the 
client-side vulnerability can result in session hijacking & account theft.


Vulnerable Module(s):
[+] Subscriptions to call a single country

Affected Module(s):
[+] Skype.com

Picture(s):
../ive1.png
../ive2.png
../ive3.png


Proof of Concept:
=
The vulnerability can be exploited by remote attackers on the client side; 
user interaction is required.
For demonstration or to reproduce ...

PoC:
<img src="tester1337.png" onerror="alert('CROSS-SITE-SCRIPTING')" />


Reference(s): 
www.skype.com/intl/en/prices/pay-monthly-new


Risk:
=
The security risk of the non persistent cross site scripting vulnerability is 
estimated as low(+).


Credits:

Vulnerability Research Laboratory -  Aditya Gupta


Disclaimer:
===
The information provided in this advisory is provided as it is without any 
warranty. Vulnerability-Lab disclaims all warranties, 
either expressed or implied, including the warranties of merchantability and 
capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, 
indirect, incidental, consequential loss of business 
profits or special damages, even if Vulnerability-Lab or its suppliers have 
been advised of the possibility of such damages. Some 
states do not allow the exclusion or limitation of liability for consequential 
or incidental damages so the foregoing limitation 
may not apply. Any modified copy or reproduction, including partially usages, 
of this file requires authorization from Vulnerability-
Lab. Permission to electronically redistribute this alert in its unmodified 
form is granted. All other rights, including the use of 
other media, are reserved by Vulnerability-Lab or its suppliers.

Copyright © 2011 | Vulnerability-Lab




-- 
Website: www.vulnerability-lab.com ; vuln-lab.com or vuln-db.com
Contact: ad...@vulnerability-lab.com or supp...@vulnerability-lab.com




[Full-disclosure] iGuard Biometric Access Control - Multiple Vulnerabilities

2011-11-11 Thread resea...@vulnerability-lab.com
Title:
==
iGuard Biometric Access Control - Multiple Vulnerabilities


Date:
=
2011-11-08


References:
===
2011/Q3-4

URL: http://vulnerability-lab.com/get_content.php?id=104

VL-ID:
=
104


Introduction:
=
Each iGuard Biometric / Smart Card Security Appliance has a built-in Web Server 
which enables all the computers in the corporate 
network to directly & simultaneously access the device using any Internet 
Browser, such as Microsoft Internet Explorer & Netscape 
Navigator. Different computer platforms such as Apple Macintosh, Microsoft 
Windows & Linux machines can access the device. No 
additional software is required. So whether you are in an airport lounge or a 
hotel room, you can always check if your employees 
are already in the office or not, and you can even control, modify or disable 
their access rights to your office remotely via 
internet connection provided your iGuard Biometric / Smart Card Security 
Appliance is connected to an external IP address or 
your network is available through a VPN connection that is reachable from your 
location.

(Copy of the Vendor Website: http://iguard.me/iguard-access-control.html)


Abstract:
=
Vulnerability-Lab Team discovered multiple persistent & non-persistent input 
validation vulnerabilities on the iGuard Biometric Access Control application.


Report-Timeline:

2011-09-01: Public or Non-Public Disclosure


Status:

Published


Affected Products:
==

Exploitation-Technique:
===
Remote


Severity:
=
Medium


Details:

Multiple persistent input validation vulnerabilities are detected on the 
iGuard Biometric Access Control application.
The vulnerabilities allow a local privileged user account, or a remote 
attacker with user interaction, to manipulate the vulnerable application sections.
Successful exploitation of the bug can lead to session hijacking & manipulation 
of vulnerable application modules via persistent injection.

Vulnerable Module(s): (Persistent)

[+] Select Month

[+] New Access Record - ID

[+] Department ID & Description

1.2
A client-side cross site scripting vulnerability is detected on the iGuard 
Biometric Access Control application. 
The bug allows a remote attacker to attack a customer on the client side 
(high user interaction required). Successful exploitation can result in 
phishing of passwords or manipulation of content when processing client-side 
requests.


Vulnerable Module(s): (Non-Persistent)

[+] Employee Record


Pictures:

../1.png

../2.png

../3.png

../4.png


Proof of Concept:
=
The vulnerabilities can be exploited by remote attackers or local low 
privileged user accounts.
For demonstration or reproduce ...

PoC: (Persistent)
  ../database.cgi.htm
  


Risk:
=
The security risk of the persistent web vulnerabilities is estimated as medium.
The security risk of the client-side vulnerability is estimated as low.


Credits:

Vulnerability Research Laboratory - Benjamin Kunz Mejri (Rem0ve)


Disclaimer:
===
The information provided in this advisory is provided as it is without any 
warranty. Vulnerability-Lab disclaims all warranties, 
either expressed or implied, including the warranties of merchantability and 
capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, 
indirect, incidental, consequential loss of business 
profits or special damages, even if Vulnerability-Lab or its suppliers have 
been advised of the possibility of such damages. Some 
states do not allow the exclusion or limitation of liability for consequential 
or incidental damages so the foregoing limitation 
may not apply. Any modified copy or reproduction, including partially usages, 
of this file requires authorization from Vulnerability-
Lab. Permission to electronically redistribute this alert in its unmodified 
form is granted. All other rights, including the use of 
other media, are reserved by Vulnerability-Lab or its suppliers.

Copyright © 

Re: [Full-disclosure] Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)

2011-11-11 Thread xD 0x41
I have said, when the author wants to, and when he's ready to, I am sure he will.


On 12 November 2011 00:54, Jon Kertz jon.ke...@gmail.com wrote:
 On Thu, Nov 10, 2011 at 2:59 PM, xD 0x41 sec...@gmail.com wrote:
 About the PPS, I think that's a very bad summary of the exploit; 49 days
 to send a packet, my butt.
 There are many people assuming wrong things, when it can be done within
 seconds. syscanner would scan a class B in minutes; remember it only
 has to find the vulns, gather, then it would break scan and trigger the
 vuln... so in a real-world botnet, yes, then, with tcpip patchers, like
 so many people I know myself even use (tcpipz patcher), which rocks...
 and it is the ONLY one which actually works, when you maybe modify the src
 so the sys file is dropped from within a .cpp file; well, that's up to
 you, but that's a better way to make it work. This will open
 sockets/threads, as I could easily prove with one exe, but the goal
 is to trigger the vuln then exploit it in less than 49 days :P, so
 I guess if this exploit, in real form, gathered 2 million hosts over 3
 nights.. I'm guessing that the exploit could possibly be triggered with
 ONE properly set-up packet.. people forget that a packet is one thing,
 and a crafted UDP packet is quite another..

 I'd really like to see you actually explain this bug with code. Either
 with a poc or with the disassembly. You seem to act like you know
 what's going on, but so far your description has been off base (from
 what I can make of your writing).

 No one cares about paragraphs of speculation and bragging, code or you
 are just another heavy breather in the perv closet of FD.




Re: [Full-disclosure] Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)

2011-11-11 Thread xD 0x41
Yer yer... everyone tries to shoot the messenger, when I should have
just stfu and not offered any insight, which would probably have been
better. Sorry, I'll make sure to keep this shit to myself, until the
actual author gives out shit.. ok... thx.
My mistake.

On 12 November 2011 03:43, Ryan Dewhurst ryandewhu...@gmail.com wrote:
 I think Jon just said what everyone else was thinking, he said what I
 was thinking at least.

 On Fri, Nov 11, 2011 at 1:54 PM, Jon Kertz jon.ke...@gmail.com wrote:
 On Thu, Nov 10, 2011 at 2:59 PM, xD 0x41 sec...@gmail.com wrote:
 About the PPS, I think that's a very bad summary of the exploit; 49 days
 to send a packet, my butt.
 There are many people assuming wrong things, when it can be done within
 seconds. syscanner would scan a class B in minutes; remember it only
 has to find the vulns, gather, then it would break scan and trigger the
 vuln... so in a real-world botnet, yes, then, with tcpip patchers, like
 so many people I know myself even use (tcpipz patcher), which rocks...
 and it is the ONLY one which actually works, when you maybe modify the src
 so the sys file is dropped from within a .cpp file; well, that's up to
 you, but that's a better way to make it work. This will open
 sockets/threads, as I could easily prove with one exe, but the goal
 is to trigger the vuln then exploit it in less than 49 days :P, so
 I guess if this exploit, in real form, gathered 2 million hosts over 3
 nights.. I'm guessing that the exploit could possibly be triggered with
 ONE properly set-up packet.. people forget that a packet is one thing,
 and a crafted UDP packet is quite another..

 I'd really like to see you actually explain this bug with code. Either
 with a poc or with the disassembly. You seem to act like you know
 what's going on, but so far your description has been off base (from
 what I can make of your writing).

 No one cares about paragraphs of speculation and bragging, code or you
 are just another heavy breather in the perv closet of FD.



Re: [Full-disclosure] Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)

2011-11-11 Thread xD 0x41
Are you braindead?
Your humor is really lost on me.. so, I think, look within :P


On 12 November 2011 04:01, Mario Vilas mvi...@gmail.com wrote:
 I liked the heavy breather in the perv closet bit.

 --
 “There's a reason we separate military and the police: one fights the enemy
 of the state, the other serves and protects the people. When the military
 becomes both, then the enemies of the state tend to become the people.”




[Full-disclosure] [ GLSA 201111-03 ] OpenTTD: Multiple vulnerabilities

2011-11-11 Thread Tim Sammut
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 201111-03
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
     Title: OpenTTD: Multiple vulnerabilities
      Date: November 11, 2011
      Bugs: #381799
        ID: 201111-03

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities were found in OpenTTD which could lead to
execution of arbitrary code, a Denial of Service, or privilege
escalation.

Background
==========

OpenTTD is a clone of Transport Tycoon Deluxe.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /  Vulnerable  /                  Unaffected
    -------------------------------------------------------------------
  1  games-simulation/openttd              < 1.1.3                >= 1.1.3

Description
===========

Multiple vulnerabilities have been discovered in OpenTTD. Please review
the CVE identifiers referenced below for details.

Impact
======

A remote attacker could execute arbitrary code with the privileges of
the OpenTTD process or cause a Denial of Service. Local users could
cause a Denial of Service.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All OpenTTD users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose =games-simulation/openttd-1.1.3

NOTE: This is a legacy GLSA. Updates for all affected architectures are
available since September 27, 2011. It is likely that your system is
already no longer affected by this issue.

References
==========

[ 1 ] CVE-2010-4168
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4168
[ 2 ] CVE-2011-3341
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3341
[ 3 ] CVE-2011-3342
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3342
[ 4 ] CVE-2011-3343
  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3343

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 http://security.gentoo.org/glsa/glsa-201111-03.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2011 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5




[Full-disclosure] [ GLSA 201111-04 ] phpDocumentor: Function call injection

2011-11-11 Thread Tim Sammut
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 201111-04
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: phpDocumentor: Function call injection
      Date: November 11, 2011
      Bugs: #213318
        ID: 201111-04

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

phpDocumentor bundles Smarty, which contains an input sanitization flaw
allowing attackers to call arbitrary PHP functions.

Background
==========

The phpDocumentor package provides automatic documenting of PHP APIs
directly from the source.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /  Vulnerable  /                  Unaffected
    -------------------------------------------------------------------
  1  dev-php/PEAR-PhpDocumentor          < 1.4.3-r1            >= 1.4.3-r1

Description
===========

phpDocumentor bundles Smarty with the modifier.regex_replace.php
plug-in which does not properly sanitize input related to the ASCII NUL
character in a search string.

Impact
======

A remote attacker could call arbitrary PHP functions via templates.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All phpDocumentor users should upgrade to the latest stable version:

  # emerge --sync
  # emerge --ask --oneshot -v =dev-php/PEAR-PhpDocumentor-1.4.3-r1

NOTE: This is a legacy GLSA. Updates for all affected architectures are
available since February 12, 2011. It is likely that your system is
already no longer affected by this issue.

References
==========

[ 1 ] CVE-2008-1066
  http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-1066

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 http://security.gentoo.org/glsa/glsa-201111-04.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2011 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5




Re: [Full-disclosure] Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)

2011-11-11 Thread xD 0x41
yep!
next time, I won't say shit, and, believe it.
seems you cannot even wait for the author to do it... as to which, I
have said... and I tried to show you also how to simply *catch* it...
but you're trying to get code from me, which I will never give you :)
so to those who care about it and want to wait, they can then see who
is bullshitting who..

I am shocked how many so-called 'skilled' people cannot get this bug
to work... but they're NOT the ones whining about code :)
they're probably already doing what I am, making a nice, portable cpp
version, which would not be hard if you already know what to start
with etc.. so, I guess discussion would only assist malign use of
code, which I won't have, as an MS user.
Sorry but, when the author likes, he will give it to you.
until then, go roll a joint and relax.
thx!


On 12 November 2011 03:57, Gary Baribault g...@baribault.net wrote:
 Talk is indeed cheap!

 Gary B



Re: [Full-disclosure] Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)

2011-11-11 Thread xD 0x41
Would scapy be a suitable tool to attempt this kind of packet
manipulation with? I'm a programmer, but I'm new to this kind of
network/packet-level/security scripting.


Yes, scapy + impacket would probably help you with the Python side...


On 12 November 2011 04:04, Dan Ballance tzewang.do...@gmail.com wrote:
 Would scapy be a suitable tool to attempt this kind of packet manipulation
 with? I'm a programmer, but I'm new to this kind of
 network/packet-level/security scripting.
 What tools / frameworks / languages etc do you guys use to write these kinds
 of exploit scripts?
 cheers,
 dan :)
 (keep forgetting I need to reply-all on this list)


Re: [Full-disclosure] Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)

2011-11-11 Thread xD 0x41
well look at that :P
not same author but, nice coding predelka! good one, I will add you
to crazycoders.com coderslist... I guess there are a few codes you have
now done which might be useful... cheers.
xd



On 12 November 2011 05:43, Ryan Dewhurst ryandewhu...@gmail.com wrote:
 An attempt at a possible MS11-083 DoS/PoC exploit, by @hackerfantastic:

 http://pastebin.com/fjZ1k0fi

 On Fri, Nov 11, 2011 at 5:08 PM, Thor (Hammer of God)
 t...@hammerofgod.com wrote:
 Yeah, I gotta say, I’m going to use it at some point ;)





Re: [Full-disclosure] Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)

2011-11-11 Thread Valdis . Kletnieks
On Sat, 12 Nov 2011 09:22:19 +1100, xD 0x41 said:
 yer yer... everyone tries to shoot the messenger, when I should have
 just stfu and not offered any insight, which would probably have been
 better. Sorry, I'll make sure to keep this shit to myself until the
 actual author gives out shit.. ok...thx.

I think the problem was that you didn't offer any insight that they were able
to understand and follow.



Re: [Full-disclosure] Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)

2011-11-11 Thread Antony widmal
You are definitely a lamer secn3t.
Also for your little brain, impacket has nothing to do with crafting UDP
packets..

Thanks for proving this again and again.

On Fri, Nov 11, 2011 at 2:36 PM, xD 0x41 sec...@gmail.com wrote:

 well look at that :P
 not same author but, nice coding predelka! good one, I will add you
 to crazycoders.com coderslist... I guess there are a few codes you have
 now done which might be useful... cheers.
 xd




Re: [Full-disclosure] Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)

2011-11-11 Thread Valdis . Kletnieks
On Sat, 12 Nov 2011 09:36:21 +1100, xD 0x41 said:
 well look at that :P
 not same author but, nice coding predelka! good one, I will add you
 to crazycoders.com coderslist... I guess there are a few codes you have
 now done which might be useful... cheers.

Did you actually do a code review?  There's some... issues. ;)

First, the comment block says it needs 2^32 packets sent.

Then we do:

for(lthreads=0;lthreads<250;lthreads++){//UDP flood
iret = pthread_create(thread,NULL,sendpackets,argv[1]);

(250, not 256? Gaak ;)

And then sendpackets() does this:

for(i=0;i<4294967295;i++){

So this is working 250 times as hard as it has to.  No wonder it takes 52 days. ;)

Also, the variable 'active' is at least theoretically racy - it's *possible*,
but unlikely, that the main program will kick off the 250 threads, and fall
through to the 'while(active)' loop before any of the threads have hit the
active++ in their code.
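The start-up race Valdis describes can be shown without any networking. The following is an added example, not the code from the pastebin: eight worker threads announce themselves with active++ after they start, as the PoC does, while a gate (an assumption of this example, standing in for a scheduler that has not yet run any worker) holds them back so the main thread provably reaches its while(active) loop first; the fixed variant charges active with the thread count before spawning and joins the threads.

```c
#define _POSIX_C_SOURCE 200809L
#include <pthread.h>
#include <sched.h>
#include <stdatomic.h>
#include <stdio.h>

#define NWORKERS 8

/* Shared state modelled on the PoC: `active` counts running workers and is
 * what the main thread waits on. `gate` is an assumption of this example: it
 * stands in for a scheduler that has not yet run any worker, so the ordering
 * the race permits (main spins on `active` before any active++) is forced
 * rather than left to luck. `work_done` shows what main actually waited for. */
static atomic_int  active;
static atomic_int  gate;
static atomic_long work_done;

struct job {
    long iterations;      /* units of work per thread (stands in for packets) */
    int  self_announce;   /* 1: worker does active++ itself, as in the PoC */
};

static void *worker(void *arg)
{
    struct job *j = arg;
    while (!atomic_load(&gate))       /* "not scheduled yet" */
        sched_yield();
    if (j->self_announce)
        atomic_fetch_add(&active, 1); /* the PoC's active++, executed late */
    for (long i = 0; i < j->iterations; i++)
        atomic_fetch_add(&work_done, 1);
    atomic_fetch_sub(&active, 1);     /* the PoC's active-- */
    return NULL;
}

static void reset(void)
{
    atomic_store(&active, 0);
    atomic_store(&gate, 0);
    atomic_store(&work_done, 0);
}

/* Racy pattern: spawn the workers, then spin on `active` exactly as the PoC
 * does. Returns the amount of work visible when the wait loop falls through. */
long run_racy(long iterations)
{
    pthread_t t[NWORKERS];
    struct job j = { iterations, 1 };
    reset();
    for (int i = 0; i < NWORKERS; i++)
        pthread_create(&t[i], NULL, worker, &j);
    while (atomic_load(&active) > 0)  /* active is still 0: no worker ran yet */
        sched_yield();
    long observed = atomic_load(&work_done);   /* 0: main gave up too early */
    atomic_store(&gate, 1);                    /* now let the workers run */
    for (int i = 0; i < NWORKERS; i++)
        pthread_join(t[i], NULL);
    return observed;
}

/* Fixed pattern: main knows how many workers it starts, so it charges
 * `active` before spawning and workers only ever decrement it. The wait
 * loop then cannot fall through until every worker has finished, and the
 * joins make that guarantee independent of the counter. */
long run_fixed(long iterations)
{
    pthread_t t[NWORKERS];
    struct job j = { iterations, 0 };
    reset();
    atomic_store(&active, NWORKERS);
    for (int i = 0; i < NWORKERS; i++)
        pthread_create(&t[i], NULL, worker, &j);
    atomic_store(&gate, 1);
    while (atomic_load(&active) > 0)
        sched_yield();
    long observed = atomic_load(&work_done);   /* NWORKERS * iterations */
    for (int i = 0; i < NWORKERS; i++)
        pthread_join(t[i], NULL);
    return observed;
}

int main(void)
{
    long expected = (long)NWORKERS * 1000;
    printf("racy : waited for %ld of %ld units\n", run_racy(1000), expected);
    printf("fixed: waited for %ld of %ld units\n", run_fixed(1000), expected);
    return 0;
}
```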




[Full-disclosure] [ MDVSA-2011:171 ] networkmanager

2011-11-11 Thread security

 ___

 Mandriva Linux Security Advisory MDVSA-2011:171
 http://www.mandriva.com/security/
 ___

 Package : networkmanager
 Date: November 11, 2011
 Affected: 2011.
 ___

 Problem Description:

 Security issues were identified and fixed in networkmanager:
 
 GNOME NetworkManager before 0.8.6 does not properly enforce the
 auth_admin element in PolicyKit, which allows local users to bypass
 intended wireless network sharing restrictions via unspecified vectors
 (CVE-2011-2176).
 
 Incomplete blacklist vulnerability in the svEscape function in
 settings/plugins/ifcfg-rh/shvar.c in the ifcfg-rh plug-in for GNOME
 NetworkManager 0.9.1, 0.9.0, 0.8.1, and possibly other versions, when
 PolicyKit is configured to allow users to create new connections,
 allows local users to execute arbitrary commands via a newline
 character in the name for a new network connection, which is not
 properly handled when writing to the ifcfg file (CVE-2011-3364).
 
 Instead of patching networkmanager, the latest 0.8.6.0 stable
 version is being provided due to the large number of bugs fixed
 upstream. networkmanager-applet, networkmanager-openconnect,
 networkmanager-openvpn, networkmanager-pptp and networkmanager-vpnc are
 also being provided in their latest 0.8.6.0 stable versions.
 
 The provided packages solve these security vulnerabilities.
 ___

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2176
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3364
 http://cgit.freedesktop.org/NetworkManager/NetworkManager/plain/NEWS?h=NM_0_8
 ___

 Updated Packages:


Re: [Full-disclosure] Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)

2011-11-11 Thread xD 0x41
lol... yea... no idea, don't care, this is just for those ppl who
*had* to see something :)
now let them worry why their box is executing ping floods and
crap.. or, maybe causing even worse things ;)
I know prdelka is very good with backdoors :P lol... I hope he got
every fucker who was breaking ballz.
also, of course, if it takes 49 days then... why would MS even worry..
hehe... just ignore me, until the real author comes forward, and then
the ppl who abused me can see for themselves how this works.
and not until then, or until I make my own scanner, will I even share
one bit more of actual info, because it was always a stack based
overflow, NOT off-by-one :)
anyhow... it doesn't take 49 days, at all..
and, yes, indeed, it will be one good packet, if the packet has the
right SQN + Ack number.
I guess a stream of UDPs would be just as effective
but I don't know yet, until my own code scanner is done.
so, I don't care for what ppl say... I know my windows... and know my
MS exploits ... MS is not as secure as we would love to think, and
once a hole like this is opened, there are many ways to reopen it..
there is a magic key for every box...
anyhow later..


On 12 November 2011 09:58,  valdis.kletni...@vt.edu wrote:
 On Sat, 12 Nov 2011 09:36:21 +1100, xD 0x41 said:
 well look at that :P
 not same author but, nice coding predelka! good one, i will add you
 to crazycoders.com coderslist... i guess there are a few codes you have
 now done which might be useful... cheers.

 Did you actually do a code review?  There's some... issues. ;)

 First, the comment block says it needs 2^32 packets sent.

 Then we do:

         for(lthreads=0;lthreads<250;lthreads++){//UDP flood
                 iret = pthread_create(&thread,NULL,sendpackets,argv[1]);

 (250, not 256? Gaak ;)

 And then sendpackets() does this:

         for(i=0;i<4294967295;i++){

 So this is working 250 times as hard as it has to.  No wonder it takes 52 
 days. ;)

 Also, the variable 'active' is at least theoretically racy - it's *possible*,
 but unlikely, that the main program will kick off the 250 threads, and fall
 through to the 'while(active)' loop before any of the threads have hit the
 active++ in their code.



___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
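The two review points quoted above (every one of the 250 threads running the full 2^32-iteration loop, and a plain `active` counter that main may read before any worker has incremented it) have a standard fix: partition the work once, give each worker a disjoint slice, and detect completion with join rather than a counter the workers themselves maintain. The example below is added here and is not the reviewed tool; it is in Python, the send step is a caller-supplied callable, and the stand-alone run uses a no-op sender so nothing is put on the wire. A related caveat on the quoted C: a loop bounded by 4294967295 only terminates if the counter is wider than 32 bits, since a signed 32-bit `i` overflows before it gets there.

```python
"""Work partitioning and completion signalling for a multi-threaded sender.

Added example, not code from the thread. The reviewed tool started 250
threads that each ran the full 2^32 loop and then busy-waited on a shared
'active' counter. Here the total is split across the workers once, every
worker gets a disjoint slice, and main waits with join(), so there is no
window in which main sees 'no active workers' before any worker has started.
"""
import threading
from typing import Callable, List, Tuple


def plan_work(total: int, nthreads: int) -> List[Tuple[int, int]]:
    """Split `total` iterations into `nthreads` disjoint (start, count) slices.

    The first `total % nthreads` workers get one extra iteration, so the
    slices cover exactly [0, total) with no overlap and no gap.
    """
    if nthreads <= 0 or total < 0:
        raise ValueError("nthreads must be > 0 and total >= 0")
    base, extra = divmod(total, nthreads)
    slices = []
    start = 0
    for i in range(nthreads):
        count = base + (1 if i < extra else 0)
        slices.append((start, count))
        start += count
    return slices


def run_workers(total: int, nthreads: int,
                send: Callable[[int], None]) -> int:
    """Call `send(i)` once for every i in [0, total) across `nthreads` threads.

    Returns the number of calls actually made, accumulated under a lock so
    the figure is exact. Completion is detected with join(); there is no
    shared 'active' flag that the workers have to set before main looks.
    """
    sent = 0
    lock = threading.Lock()

    def worker(start: int, count: int) -> None:
        nonlocal sent
        local = 0
        for i in range(start, start + count):
            send(i)
            local += 1
        with lock:
            sent += local

    threads = [threading.Thread(target=worker, args=slc)
               for slc in plan_work(total, nthreads)]
    for t in threads:
        t.start()
    for t in threads:   # join() replaces the racy while(active) loop
        t.join()
    return sent


if __name__ == "__main__":
    # Same 2^32 budget the reviewed tool used, split over its 250 threads.
    slices = plan_work(2 ** 32, 250)
    counts = [c for _, c in slices]
    print("per-thread counts:", min(counts), "..", max(counts))
    # Small dry run with a no-op sender: nothing is sent anywhere.
    print("calls made:", run_workers(100_000, 8, lambda i: None))
```

With the slices summing to exactly 2^32, the total packet count is the one the tool's own comment block states, rather than 250 times that.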


Re: [Full-disclosure] Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)

2011-11-11 Thread Michal Zalewski
 next time, i wont say shit, and, believe it.

Well it's just that the attack you are describing will be thwarted by
setting a sticky bit on /tmp, and you have not demonstrated otherwise.

/mz



Re: [Full-disclosure] Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)

2011-11-11 Thread xD 0x41
Indeed.
Seeing how the wolves are, i certainly would not release it.
i am only saying, I am using cpp, and windows, and the exploit
bypasses all protections, but since you guys don't have the actual
real poc for it, i guess i would not be saying anything more, and
i'll be leaving it for the proper poc author to make that choice,
which, personally, i would never hand out to a bunch of disrespectful
people, as i see, when this is nothing; i have held onto at least 2
GOOD MS 0days for years, you really think i will hand out the right way
to do this?
pfft.. yer right, lets go hand everyone the ms bug :PP ofc, why
would i ever not want a 10k botnet up in a day... hell yea!
i would never give more about this on this topic, because i have
seen how people are now on this list and it saddens me that half of you
do not have a brain. unfortunately.. and, since i don't wish to break
any deals made with ms etc, then i cannot say anything, i don't know
why this is hard to understand.. and i will NOT hand out a working
scanner, regardless...
and, believe it, it does NOT take 49 days at all to exploit... there's
a lot you don't know.. yet.

don't ask me further, please.
i should never have even said anything, again, i won't make that
mistake again, the proof will as always be in the pudding...
later.


On 12 November 2011 10:17, Michal Zalewski lcam...@coredump.cx wrote:
 next time, i wont say shit, and, believe it.

 Well it's just that the attack you are describing will be thwarted by
 setting a sticky bit on /tmp, and you have not demonstrated otherwise.

 /mz




Re: [Full-disclosure] Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)

2011-11-11 Thread Antony widmal
Let me guess your M$ 0days can be triggered by hitting ALT-F4 while
browsing with IE ?


On Fri, Nov 11, 2011 at 3:26 PM, xD 0x41 sec...@gmail.com wrote:

 Indeed.
 Seeing how the wolves are, i certainly would not release it.

[Full-disclosure] [ MDVSA-2011:172 ] libreoffice

2011-11-11 Thread security
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ___

 Mandriva Linux Security Advisory MDVSA-2011:172
 http://www.mandriva.com/security/
 ___

 Package : libreoffice
 Date: November 11, 2011
 Affected: 2011.
 ___

 Problem Description:

 Multiple vulnerabilities have been discovered and corrected in
 libreoffice:
 
 Stack-based buffer overflow in the Lotus Word Pro import filter in
 LibreOffice before 3.3.3 allows remote attackers to execute arbitrary
 code via a crafted .lwp file (CVE-2011-2685).
 
 oowriter in OpenOffice.org 3.3.0 and LibreOffice before 3.4.3 allows
 user-assisted remote attackers to cause a denial of service (crash)
 via a crafted DOC file that triggers an out-of-bounds read in the
 DOC sprm parser (CVE-2011-2713).
 
 This update brings a new LibreOffice version 3.4.3 release linked
 against the stdc++ and gcc_s standard libraries available in Mandriva
 2011 and solves installation conflicts with libstdc++ (#64224).
 
 The package clipart-openclipart was dropped from the main
 repository in Mandriva 2011. However, it is not required to
 have clipart-openclipart installed in order to install
 libreoffice-openclipart, as LibreOffice still provides some cliparts
 directly in that package (#63634).
 
 This update fixes some OpenOffice.org leftovers in some package
 descriptions, replacing them with LibreOffice (#64658).
 
 This update brings new LibreOffice l10n locale packages: Assamese as,
 Bengali bn, Dzongkha dz, Farsi fa, Irish ga, Galician gl, Gujarati
 gu, Croatian hr, Kannada kn, Lithuanian lt, Latvian lv, Maithili mai,
 Malayalam ml, Marathi mr, Ndebele nr, Northern Sotho nso, Oriya or,
 Punjabi pa_IN, Romanian ro, Secwepemctsin sh, Sinhalese si, Serbian
 sr, Swati ss, Sotho st, Telugu te, Thai th, Tswana tn, Tsonga ts,
 Ukrainian uk, Venda ve and Xhosa xh. Help packages are also provided
 for: bn, dz, gl, gu, hr, si and uk.
 
 Additionally the gaupol packages are being provided to solve a build
 dependency of some of the supporting tools already added into 2011.
 
 The updated packages have been upgraded to LibreOffice version 3.4.3
 where these issues have been resolved.
 ___

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2685
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2713
 https://qa.mandriva.com/64224
 https://qa.mandriva.com/63634
 https://qa.mandriva.com/64658
 ___

 Updated Packages:

 Mandriva Linux 2011:
 07f3e263d7b4b794415d16a173b4e813  2011/i586/gaupol-0.18-1.1-mdv2011.0.noarch.rpm
 656a524a48dd18893b11d833b035e8e9  2011/i586/libgraphite2_2-1.0.3-0.1-mdv2011.0.i586.rpm
 b8b93abba2950ed3b37e7fe1bb20c08b  2011/i586/libgraphite2-devel-1.0.3-0.1-mdv2011.0.i586.rpm
 ae50181c818959a14aebff6a74552a19  2011/i586/libreoffice-3.4.3-2.2-mdv2011.0.i586.rpm
 849e0d981434b206cf51c2f7205e577d  2011/i586/libreoffice-base-3.4.3-2.2-mdv2011.0.i586.rpm
 57d7a019bb427cd0c15adbe9882efba6  2011/i586/libreoffice-calc-3.4.3-2.2-mdv2011.0.i586.rpm
 3e69f87c66a206f36d2f3dc282894d91  2011/i586/libreoffice-common-3.4.3-2.2-mdv2011.0.i586.rpm
 2872a70960e5e0fa6640b8a5be462233  2011/i586/libreoffice-core-3.4.3-2.2-mdv2011.0.i586.rpm
 05456ee4c5666b355e61f0814c746e41  2011/i586/libreoffice-devel-3.4.3-2.2-mdv2011.0.i586.rpm
 2a36ab0e4608c0511c9bb2686397cf94  2011/i586/libreoffice-devel-doc-3.4.3-2.2-mdv2011.0.i586.rpm
 033021f40260353e7087b94ff8a98fb5  2011/i586/libreoffice-draw-3.4.3-2.2-mdv2011.0.i586.rpm
 cfbbcdfb05c43507e497930dfa42fe35  2011/i586/libreoffice-filter-binfilter-3.4.3-2.2-mdv2011.0.i586.rpm
 3cc8765ceb7101b92bffb60dfb17ceee  2011/i586/libreoffice-gnome-3.4.3-2.2-mdv2011.0.i586.rpm
 b68e11f47de9509c65779344208b88a1  2011/i586/libreoffice-help-bg-3.4.3-2.2-mdv2011.0.i586.rpm
 420c4f9fb73b1dbf04568b98298140dd  2011/i586/libreoffice-help-bn-3.4.3-2.2-mdv2011.0.i586.rpm
 19c1e87691f3f6c08c0f8b1aaf21b99d  2011/i586/libreoffice-help-bs-3.4.3-2.2-mdv2011.0.i586.rpm
 7d5abbb5efe44c628e4e65588a74e0ec  2011/i586/libreoffice-help-ca-3.4.3-2.2-mdv2011.0.i586.rpm
 e8e5578ea655fb7820de0ce4b9372c1f  2011/i586/libreoffice-help-cs-3.4.3-2.2-mdv2011.0.i586.rpm
 061326bfc4ee9c2dec813cdf6456b7dc  2011/i586/libreoffice-help-da-3.4.3-2.2-mdv2011.0.i586.rpm
 93fb98dc85eb797fa170550ddd4a2cd0  2011/i586/libreoffice-help-de-3.4.3-2.2-mdv2011.0.i586.rpm
 507669164ce0d2f2ab94cf7e4a011a89  2011/i586/libreoffice-help-dz-3.4.3-2.2-mdv2011.0.i586.rpm
 5f5710145d550b768cc29ed45baf0ab5  2011/i586/libreoffice-help-el-3.4.3-2.2-mdv2011.0.i586.rpm
 4af4fbc2d61c095fbc9598db29132253  2011/i586/libreoffice-help-en_GB-3.4.3-2.2-mdv2011.0.i586.rpm
 55e5bae5aec14783590a6b8d04b2dd48  

Re: [Full-disclosure] Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)

2011-11-11 Thread Mario Vilas
I have no doubt that a lot of things are lost on you.

On Fri, Nov 11, 2011 at 11:23 PM, xD 0x41 sec...@gmail.com wrote:

 are you braindead?
 your humor is really lost on me.. so, i think, look within :P


 On 12 November 2011 04:01, Mario Vilas mvi...@gmail.com wrote:
  I liked the heavy breather in the perv closet bit.
 
  On Fri, Nov 11, 2011 at 5:43 PM, Ryan Dewhurst ryandewhu...@gmail.com
  wrote:
 
  I think Jon just said what everyone else was thinking, he said what I
  was thinking at least.
 
  On Fri, Nov 11, 2011 at 1:54 PM, Jon Kertz jon.ke...@gmail.com wrote:
   On Thu, Nov 10, 2011 at 2:59 PM, xD 0x41 sec...@gmail.com wrote:
   About the PPS, i think that's a very bad summary of the exploit, 49 days
   to send a packet, my butt.
   There are many people assuming wrong things, when it can be done within
   seconds; syscanner would scan a -b class in minutes, remember it only
   has to find the vulns, gather, then it would break scan and trigger the
   vuln... so in a real world botnet, yes then, with tcpip patchers, like
   so many ppl i know myself even use (tcpipz patcher), which rocks...
   and it is the ONLY one which actually works, when you maybe modify the src
   so the sys file is dropped from within a .cpp file, well that's up to
   you but that's a better way to make it work, this will open
   sockets/threads, as i could easily prove with one exe, but the goal
   is to trigger the vuln then exploit it, in less than 49 days :P, so,
   i guess if this exploit, in real form, gathered 2 million hosts over 3
   nights.. i'm guessing that the exploit could possibly be triggered with
   ONE properly setup packet.. people forget that a packet is one thing,
   and a crafted UDP packet is quite another..
  
   I'd really like to see you actually explain this bug with code. Either
   with a poc or with the disassembly. You seem to act like you know
   what's going on, but so far your description has been off base (from
   what I can make of your writing).
  
   No one cares about paragraphs of speculation and bragging, code or you
   are just another heavy breather in the perv closet of FD.
  
  
 
 
 
 
  --
  “There's a reason we separate military and the police: one fights
 the enemy
  of the state, the other serves and protects the people. When the military
  becomes both, then the enemies of the state tend to become the people.”
 
 
 




-- 
“There's a reason we separate military and the police: one fights the enemy
of the state, the other serves and protects the people. When the military
becomes both, then the enemies of the state tend to become the people.”

Re: [Full-disclosure] Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)

2011-11-11 Thread Jon Kertz
On Fri, Nov 11, 2011 at 5:28 PM, xD 0x41 sec...@gmail.com wrote:
 I am shocked how many so-called 'skilled' people cannot get this bug
 to work... but they're NOT the ones whining about code :)

I didn't ask for a proof of concept, I told you to explain the bug
and/or your claims with code. There is a difference.

You've come here making some outrageous claims that you can trigger
the bug with one packet, how we're all wrong about the timing aspect
of the bug, and even a rather unusual description of the bug itself
(which was difficult to interpret, but seems flat out wrong, however
it may be due to the language barrier). We can look beyond your broken
English and read code, whether it be disassembly or a proof of
concept, then determine if your claims are sensible or not. You've
made statements that seem to indicate you have analyzed the bug and
attempted to describe it, so I'm asking you to put that in a form we
can all understand and that isn't bound by language limitations. I can
read disassembly, I can't read and comprehend your English.

I'm trying not to jump to conclusions here, but so far you've made
claims that no one else seems to back up and it appears you are just
blathering and foaming at the mouth to appear l33t like a lot of other
people talking about this bug. You can resolve that by providing code
to prove your claims, otherwise no one is going to listen to you or
care.



Re: [Full-disclosure] Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)

2011-11-11 Thread Dan Ballance
Okay, now I'm confused! From
http://oss.coresecurity.com/projects/impacket.html

Impacket is a collection of Python classes focused on providing access to
network packets. Impacket allows Python developers to craft and decode
network packets in simple and consistent manner. It includes support for
low-level protocols such as IP, UDP and TCP, as well as higher-level
protocols such as NMB and SMB. Impacket is highly effective when used in
conjunction with a packet capture utility or package such as
Pcapy (http://oss.coresecurity.com/projects/pcapy.html).
Packets can be constructed from scratch, as well as parsed from raw data.
Furthermore, the object oriented API makes it simple to work with deep
protocol hierarchies.

Thanks for your input Antony. Can you explain why impacket has nothing to
do with crafting UDP packets?

Fascinating thread this. Thanks to all!!

dan :)

On 11 November 2011 22:42, Antony widmal antony.wid...@gmail.com wrote:

 You are definitely a lamer secn3t.
 Also for your little brain, impacket has nothing to do with crafting UDP
 packets..

 Thanks for proving this again and again.

 On Fri, Nov 11, 2011 at 2:36 PM, xD 0x41 sec...@gmail.com wrote:

 well look at that :P
 not same author but, nice coding predelka! good one, i will add you
 to crazycoders.com coderslist... i guess there are a few codes you have
 now done which might be useful... cheers.
 xd



 On 12 November 2011 05:43, Ryan Dewhurst ryandewhu...@gmail.com wrote:
  An attempt at a possible MS11-083 DoS/PoC exploit, by @hackerfantastic:
 
  http://pastebin.com/fjZ1k0fi
 
  On Fri, Nov 11, 2011 at 5:08 PM, Thor (Hammer of God)
  t...@hammerofgod.com wrote:
  Yeah, I gotta say, I’m going to use it at some point ;)
 
 
 
  From: full-disclosure-boun...@lists.grok.org.uk
  [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of Mario
 Vilas
  Sent: Friday, November 11, 2011 9:02 AM
  To: Ryan Dewhurst
 
  Cc: full-disclosure@lists.grok.org.uk
  Subject: Re: [Full-disclosure] Microsoft Windows vulnerability in
 TCP/IP
  Could Allow Remote Code Execution (2588516)
 
 
 
  I liked the heavy breather in the perv closet bit.
 

[Full-disclosure] Joomla Component (com_content) - Blind SQL Injection Vulnerability

2011-11-11 Thread resea...@vulnerability-lab.com
Title:
==
Joomla Component (com_content) -  Blind SQL Injection Vulnerability


Date:
=
2011-11-11


References:
===
http://www.vulnerability-lab.com/get_content.php?id=323


VL-ID:
=
323


Introduction:
=
Joomla is a free and open source content management system (CMS) for publishing
content on the World Wide Web and intranets and a model–view–controller (MVC) Web
application framework that can also be used independently.
Joomla is written in PHP, uses object-oriented programming (OOP) techniques and
software design patterns, stores data in a MySQL database, and includes features
such as page caching, RSS feeds, printable versions of pages, news flashes, blogs,
polls, search, and support for language internationalization.
Joomla had been downloaded 23 million times. Between March 2007 and February 2011
there had been more than 21 million downloads. There are over 7,400 free and
commercial extensions available from the official Joomla! Extension Directory and
more available from other sources.

(Copy of the Vendor Website: http://en.wikipedia.org/wiki/Joomla!)


Abstract:
=
A Vulnerability-Lab researcher discovered a Blind SQL Injection
vulnerability in the com_content component of the Joomla CMS.


Status:

Published


Exploitation-Technique:
===
Remote


Severity:
=
Critical


Details:

A blind SQL injection vulnerability was detected in the com_content component
of the Joomla CMS.
The vulnerability allows a remote attacker to inject and execute their own SQL
statements against the affected application's DBMS.
Successful exploitation of the vulnerability can result in compromise of the
affected application's DBMS.

Vulnerable Module(s):
  [+] com_content


Proof of Concept:
=
The vulnerability can be exploited by remote attackers. For demonstration or
reproduction ...

1: [Site]/joomla/index.php?option=com_content&view=archive&year=1 [BSQLI]

2: [Site]/joomla/index.php?option=com_content&view=archive&year=-1 or 1=1--

3: [Site]/joomla/index.php?option=com_content&view=archive&year=-1 or 1=0--


[x] Demo :

http://www.paul.house.gov/index.php?option=com_content&view=archive&year=-1 or 1=0--


Risk:
=
The security risk of the blind sql injection vulnerability is estimated as 
critical.


Credits:

E.Shahmohamadi  (IRAN)


Disclaimer:
===
The information provided in this advisory is provided as it is without any 
warranty. Vulnerability-Lab disclaims all warranties, 
either expressed or implied, including the warranties of merchantability and 
capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, 
indirect, incidental, consequential loss of business 
profits or special damages, even if Vulnerability-Lab or its suppliers have 
been advised of the possibility of such damages. Some 
states do not allow the exclusion or limitation of liability for consequential 
or incidental damages so the foregoing limitation 
may not apply. Any modified copy or reproduction, including partially usages, 
of this file requires authorization from Vulnerability-
Lab. Permission to electronically redistribute this alert in its unmodified 
form is granted. All other rights, including the use of 
other media, are reserved by Vulnerability-Lab or its suppliers.

Copyright © 
2011|Vulnerability-Lab

-- 
Website: www.vulnerability-lab.com ; vuln-lab.com or vuln-db.com
Contact: ad...@vulnerability-lab.com or supp...@vulnerability-lab.com


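The advisory's proof of concept is the classic boolean-based blind test: the same impossible base value (`year=-1`) with a tail that is always true (`or 1=1--`) and one that is always false (`or 1=0--`), and if the two responses differ the parameter reaches the database as code. The advisory names no Joomla version and shows no source, so the example below is added here and is not Joomla's code: it models the archive view as a query that pastes `year` into the SQL string, runs the advisory's two requests against it, and sets the fixed version beside it. sqlite3 stands in for MySQL and the table and rows are constructed.

```python
"""Boolean-based blind SQL injection: the vulnerable pattern, the advisory's
TRUE/FALSE differential check, and the fix.

Added example; not Joomla code and not from the advisory. The 'archive by
year' query is modelled as string concatenation of the request parameter,
which is what the `-1 or 1=1--` / `-1 or 1=0--` pair in the PoC exploits.
The content table and its rows are constructed; sqlite3 stands in for MySQL.
"""
import sqlite3
from typing import Callable, List, Tuple

Row = Tuple[int, str]


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the CMS content table (constructed data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE content (id INTEGER, title TEXT, pubyear INTEGER)")
    db.executemany("INSERT INTO content VALUES (?, ?, ?)", [
        (1, "Welcome", 2010),
        (2, "Release notes", 2011),
        (3, "Archive", 2011),
    ])
    return db


def archive_vulnerable(db: sqlite3.Connection, year: str) -> List[Row]:
    """The flaw: the request parameter is concatenated into the SQL text.
    A '--' in the input comments out everything after it."""
    sql = ("SELECT id, title FROM content WHERE pubyear = " + year +
           " ORDER BY id")
    return db.execute(sql).fetchall()


def archive_fixed(db: sqlite3.Connection, year: str) -> List[Row]:
    """Two layers: validate that the parameter is an integer, then bind it
    as a query parameter so it can never be parsed as SQL."""
    try:
        y = int(year)
    except ValueError:
        return []          # non-numeric year: reject rather than coerce
    return db.execute("SELECT id, title FROM content WHERE pubyear = ? "
                      "ORDER BY id", (y,)).fetchall()


def looks_injectable(query: Callable[[sqlite3.Connection, str], List[Row]],
                     db: sqlite3.Connection, base: str) -> bool:
    """The advisory's test as a function: an always-true and an always-false
    tail on the same impossible base value must give DIFFERENT results for
    the endpoint to be blind-injectable. Identical results mean the input is
    not being interpreted as SQL."""
    truthy = query(db, base + " or 1=1--")
    falsy = query(db, base + " or 1=0--")
    return truthy != falsy


if __name__ == "__main__":
    db = make_db()
    for fn in (archive_vulnerable, archive_fixed):
        print(fn.__name__)
        print("  year=2011          ->", fn(db, "2011"))
        print("  year=-1 or 1=1--   ->", fn(db, "-1 or 1=1--"))
        print("  year=-1 or 1=0--   ->", fn(db, "-1 or 1=0--"))
        print("  injectable?        ->", looks_injectable(fn, db, "-1"))
```

The vulnerable function returns every row for the true tail and nothing for the false tail, which is exactly the observable difference the advisory's steps 2 and 3 rely on; the fixed function returns nothing for both, so the differential check reports it as not injectable. Christian's follow-up question about which version is affected stands: the advisory does not say.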

Re: [Full-disclosure] Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)

2011-11-11 Thread Ian Hayes
On Fri, Nov 11, 2011 at 3:13 PM, xD 0x41 sec...@gmail.com wrote
 anyhow... it doesn't take 49 days at all..
 and, yes, indeed, it will be one good packet, if the packet has the
 right SQN + Ack number.
^^

We are discussing UDP, as per the MS advisory, yes?



Re: [Full-disclosure] Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)

2011-11-11 Thread Sergito
or a blue screen...



2011/11/11 Antony widmal antony.wid...@gmail.com

 Let me guess your M$ 0days can be triggered by hitting ALT-F4 while
 browsing with IE ?



Re: [Full-disclosure] Joomla Component (com_content) - Blind SQL Injection Vulnerability

2011-11-11 Thread Christian Sciberras
Which version is this?



On Sat, Nov 12, 2011 at 12:35 AM, resea...@vulnerability-lab.com 
resea...@vulnerability-lab.com wrote:

 Title:
 ==
 Joomla Component (com_content) -  Blind SQL Injection Vulnerability


 Date:
 =
 2011-11-11


 References:
 ===
 http://www.vulnerability-lab.com/get_content.php?id=323


 VL-ID:
 =
 323


 Introduction:
 =
 Joomla is a free and open source content management system (CMS) for
 publishing content on
 the World Wide Web and intranets and a model–view–controller (MVC) Web
 application framework
 that can also be used independently.
 Joomla is written in PHP, uses object-oriented programming (OOP)
 techniques and software design
 patterns[citation needed], stores data in a MySQL database, and includes
 features such as page
 caching, RSS feeds, printable versions of pages, news flashes, blogs,
 polls, search, and support
 for language internationalization.
 Joomla had been downloaded 23 million times. Between March 2007 and
 February 2011 there had been
 more than 21 million downloads. There are over 7,400 free and commercial
 extensions available
 from the official Joomla! Extension Directory and more available from
 other sources

 (Copy of the Vendor Website: http://en.wikipedia.org/wiki/Joomla!)


 Abstract:
 =
 A vulnerability laboratory researcher discovered a Blind SQL Injection
 vulnerability on the com_content component of the joomla CMS.


 Status:
 
 Published


 Exploitation-Technique:
 ===
 Remote


 Severity:
 =
 Critical


 Details:
 
 A blind SQL Injection vulnerability was detected on the com_content
 component of the joomla CMS.
 The vulnerability allows an attacker (remote) to inject/execute own sql
 statements on the affected application dbms.
 Successful exploitation of the vulnerability can result in compromise of
 the affected application dbms.

 Vulnerable Module(s):
  [+] com_content


 Proof of Concept:
 =
 The vulnerability can be exploited be remote attackers. For demonstration
 or reproduce ...

 1: [Site]/joomla/index.php?option=com_contentview=archiveyear=1 [BSQLI]

 2: [Site]/joomla/index.php?option=com_contentview=archiveyear=-1 or 1=1--

 3: [Site]/joomla/index.php?option=com_contentview=archiveyear=-1 or 1=0--


 [x] Demo :

 http://www.paul.house.gov/index.php?option=com_contentview=archiveyear=-1or 
 1=0--


 Risk:
 =
 The security risk of the blind sql injection vulnerability is estimated as
 critical.


 Credits:
 
 E.Shahmohamadi  (IRAN)


 Disclaimer:
 ===
 The information provided in this advisory is provided as it is without any
 warranty. Vulnerability-Lab disclaims all warranties,
 either expressed or implied, including the warranties of merchantability
 and capability for a particular purpose. Vulnerability-
 Lab or its suppliers are not liable in any case of damage, including
 direct, indirect, incidental, consequential loss of business
 profits or special damages, even if Vulnerability-Lab or its suppliers
 have been advised of the possibility of such damages. Some
 states do not allow the exclusion or limitation of liability for
 consequential or incidental damages so the foregoing limitation
 may not apply. Any modified copy or reproduction, including partially
 usages, of this file requires authorization from Vulnerability-
 Lab. Permission to electronically redistribute this alert in its
 unmodified form is granted. All other rights, including the use of
 other media, are reserved by Vulnerability-Lab or its suppliers.

Copyright ©
 2011|Vulnerability-Lab

 --
 Website: www.vulnerability-lab.com ; vuln-lab.com or vuln-db.com
 Contact: ad...@vulnerability-lab.com or supp...@vulnerability-lab.com


___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
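The three PoC requests above are a boolean oracle: an impossible year (-1) returns nothing, `-1 or 1=1--` returns the whole archive and `-1 or 1=0--` returns nothing again, which can only happen if the `year` parameter reaches the query as SQL text. The block below is an added example, not the advisory's or Joomla's own code: it puts a vulnerable archive lookup next to a hardened one over a constructed SQLite table (SQLite's `strftime('%Y', ...)` standing in for MySQL's `YEAR()`, with table, column and function names chosen for this example) and runs the same differential check against both.

```python
import sqlite3

# Constructed stand-in for a Joomla content table (names and rows are this
# example's own, not Joomla's schema).
ROWS = [
    ("Welcome", "2009-03-01"),
    ("Release notes", "2010-07-15"),
    ("Roadmap", "2011-01-20"),
]


def make_db():
    """In-memory SQLite database holding the constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE content (id INTEGER PRIMARY KEY, title TEXT, created TEXT)")
    db.executemany("INSERT INTO content (title, created) VALUES (?, ?)", ROWS)
    return db


def archive_vulnerable(db, year):
    """Archive lookup with the request parameter spliced into the SQL text.

    CAST(strftime('%Y', created) AS INTEGER) plays the role of MySQL's
    YEAR(created).  'year' is used verbatim, so '-1 or 1=1--' rewrites the
    WHERE clause and the trailing '--' comments out anything after it.
    """
    sql = ("SELECT title FROM content "
           "WHERE CAST(strftime('%Y', created) AS INTEGER) = " + year)
    return [row[0] for row in db.execute(sql)]


def archive_hardened(db, year):
    """Same lookup with the parameter coerced to int and bound as a placeholder.

    Anything that is not a plain integer is rejected before it reaches the
    DBMS, and a bound value can never change the statement's structure.
    """
    try:
        year_int = int(year)
    except (TypeError, ValueError):
        return []
    sql = ("SELECT title FROM content "
           "WHERE CAST(strftime('%Y', created) AS INTEGER) = ?")
    return [row[0] for row in db.execute(sql, (year_int,))]


def boolean_blind_oracle(fetch):
    """Differential test behind the advisory's three requests.

    fetch(value) returns the page content for ?year=<value>.  A year of -1
    can never match, so the baseline and the FALSE payload should both be
    empty; if the TRUE payload comes back different, the parameter reaches
    the query unfiltered and any further yes/no question about the database
    can be answered the same way (boolean-based blind injection).
    """
    baseline = fetch("-1")
    true_page = fetch("-1 or 1=1--")
    false_page = fetch("-1 or 1=0--")
    return false_page == baseline and true_page != false_page


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", boolean_blind_oracle(lambda v: archive_vulnerable(db, v)))
    print("hardened:  ", boolean_blind_oracle(lambda v: archive_hardened(db, v)))
```

The oracle compares the FALSE payload with the baseline as well as with the TRUE payload, so a page that simply varies between requests (timestamps, rotating banners) is not mistaken for an injectable one; on a live target the two responses should be normalised the same way before comparing.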

Re: [Full-disclosure] Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)

2011-11-11 Thread xD 0x41
0day for ms, is not so hard, and, i have already explained one of
them to some people :)
but, i dont care, because, you dont have it, and, i do.
so, many people have 0days...whats wrong with this ? i found my own,
and, thats why i am happy to keep them. and, as i said, one, i have
discussed and, made a working scanner binary for.. so, i guess that
much, some people do know is true...
so, thats not rare at all.. you want to wonder about just windows,
imagine linux... and, there is , the imagination, is big there and
there is plenty and plenty of attacks still available on fully patched
NON grsec kernels :)
and yes, i have 0days of those, also.
enjoy. some get lucky, others just...suck..


On 12 November 2011 13:42, baqstabz baqst...@gmail.com wrote:
 Judging by your posts I would go out on the edge and say that you have about
 as much chance of having 0-day (yes, that is including XSS) as your mommy.
 face it lol

 Now please, stfu son, you're sounding like a total tardlump; otherwise we
 will have to unleash the dragons and let you see what a 10k botnet feels
 like.


 On 11/11/2011 23:26, xD 0x41 wrote:

 Indeed.
 Seeing how the wolves are, i certainly would not release it.
 i am only saying, I am using cpp, and windows, and, the exploit
 bypasses all protections, but, since you guys dont have the actual
 real poc for it, i guess, i would not be saying anything more, and,
 ill be leaving it, for the proper poc author, to make that choice,
 which, personally, i would never hand out to a bunch of disrespectful
 people, as i see, when this is, nothing, i have held onto, at least 2
 GOOD MS 0days for years, you really think, i will hand out the right way
 to do this ?
 pfft..   yer right, lets go hand everyone the ms bug :PP ofc, why
 would i ever not want a 10 k botnet up in a day...  hell yea!
 i would never, give more about this, on this topic, because, i have
 seen how people are now on this list and, saddens me that half of you
 do not have a brain. unfortunately..and, since i dont wish to break
 any deals made with ms etc, then, i cannot say anything, i dont know,
 why this is hard to understand..and, i will NOT hand out a working
 scanner, regardless...
 and, believe it, it does NOT take 49 days at all to exploit... theres
 a lot, you dont know..yet.

 dont ask me further, please.
 i should never have even said anything, again, i wont make that
 mistake again, the proof, will as always be in the pudding...
 later.


 On 12 November 2011 10:17, Michal Zalewski lcam...@coredump.cx wrote:

 next time, i wont say shit, and, believe it.

 Well it's just that the attack you are describing will be thwarted by
 setting a sticky bit on /tmp, and you have not demonstrated otherwise.

 /mz



Re: [Full-disclosure] Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)

2011-11-11 Thread xD 0x41
unleash the dragons and let you see what a 10k botnet feels like.

unleash away son :)
another, hider...
always have some bs to say, but, you're just jealous... as most lame
botnet owners, are.. ddos, is your no.1 skill, and only reason you're
here, is to try get the .cpp scanner, and thats that.
so you go stfu, and, believe me, 10k, is nothing.
you come out , and show yourself, and, your bum will be much worse off than b4.
now, dont play with adults, go jack some net...lame d0skid.




Re: [Full-disclosure] Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)

2011-11-11 Thread xD 0x41
oh, you really are lame... go ahead... ddos away... but, you will
never face me, as always :)
typical doskiddy... jealousy bites eh :)
go home, you're boring me.
again, this is great stuff from Fd!
DDos, and, all for trying, to mention a few things, and try to be
civil about it. meh. fuck you all.
lame.
if this is your idea, of how to beat on someone, for something that,
will soon be public, then go ahead... as i said, no ddos , and no
doskid, ever dares face me, and, if the list is causing me this much
problems, then it can go to my spam from now on.
fucking gits.

and kiddo, come on out and show yourself..whats the matter, scared that ill
fire back ?





Re: [Full-disclosure] Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)

2011-11-11 Thread xD 0x41
Received: from [127.0.0.1]
(host86-160-211-44.range86-160.btcentralplus.com. [86.160.211.44])

too bad eh...





Re: [Full-disclosure] Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)

2011-11-11 Thread Antony widmal
Typical S-K behavior; talk about stuff he has nfi.

On 11 Nov 2011 19:15, xD 0x41 sec...@gmail.com wrote:

 0day for ms, is not so hard, and, i have already explained one of
 them to some people


Re: [Full-disclosure] Even worse

2011-11-11 Thread xD 0x41
dude, cry to your isp, when they kick your ass :)
now fuckoff.


On 12 November 2011 15:13, crazy coder crazycoder1...@gmail.com wrote:
 So, you know how to view the source of a message. Do you know how to fix a
 zone transfer, eh?
 crazycoders.com.        300     IN      SOA     ns2.psychz.net. ufo.mboca.com. 201102 20 20 20 20
 crazycoders.com.        60      IN      MX      0 crazycoders.com.
 crazycoders.com.        86400   IN      NS      ns2.psychz.net.
 crazycoders.com.        86400   IN      NS      ns14.psychz.net.
 crazycoders.com.        86400   IN      NS      ns15.psychz.net.
 crazycoders.com.        60      IN      A       173.224.214.202
 member.0f.crazycoders.com. 300  IN      A       72.20.12.11
 1337.crazycoders.com.   300     IN      A       72.20.12.10
 default._domainkey.crazycoders.com. 300 IN TXT  k=rsa\; p=MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhALFWHaishP7Edaj+i4ndem/VzV7diLWwc7BuEJ1XGjnPBrpfayzuODrWPzqg2DAjl1CTRM4hDfk82TuY1T3AcRPL4S+yCGdwBbjLBk9Eb/RQB6N7UrXdPPGuKhxJjs39swIDAQAB\;
 best-at.crazycoders.com. 300    IN      AAAA    2001:470:d:10e8::c0de:1
 cpanel.crazycoders.com. 14400   IN      A       173.224.214.202
 crazycoders.crazycoders.com. 14400 IN   A       173.224.214.202
 www.crazycoders.crazycoders.com. 14400 IN A     173.224.214.202
 dmdsecurity.crazycoders.com. 300 IN     A       173.224.214.202
 default._domainkey.dmdsecurity.crazycoders.com. 300 IN TXT k=rsa\; p=MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhANXQE6RQJ9uRaHKT/CnnFe4+luS2DHN/YKgtm/8cAsifM62rKBOWbX5aXFe6Zj1vKnm0RPRDoexeAEyV1RMLuI8PFPCuw/Z6X0Z9mQ6IJzMgAsrrUcowxOiIp8DrNEjSkQIDAQAB\;
 www.dmdsecurity.crazycoders.com. 300 IN A       173.224.214.202
 ftp.crazycoders.com.    60      IN      CNAME   crazycoders.com.
 l33t-c0derz.crazycoders.com. 300 IN     AAAA    2001:470:d:10e8::c0de:3
 localhost.crazycoders.com. 60   IN      A       127.0.0.1
 luv.crazycoders.com.    300     IN      AAAA    2001:470:d:10e8::6
 mail.crazycoders.com.   60      IN      CNAME   crazycoders.com.
 webdisk.crazycoders.com. 14400  IN      A       173.224.214.202
 webmail.crazycoders.com. 14400  IN      A       173.224.214.202
 whm.crazycoders.com.    14400   IN      A       173.224.214.202
 www.crazycoders.com.    60      IN      CNAME   crazycoders.com.
 crazycoders.com.        300     IN      SOA     ns2.psychz.net. ufo.mboca.com. 201102 20 20 20 20

 xD 0x41 sec...@gmail.com wrote:

 Received: from [127.0.0.1]
 (host86-160-211-44.range86-160.btcentralplus.com. [86.160.211.44])
 too bad eh...



Re: [Full-disclosure] Even worse

2011-11-11 Thread xD 0x41
nice excuse to ddos again...too bad, i will be reporting that IP.
you know, and i know, it IS yours.
so, enjoy.
arsehole.
and, a stupid arsehole, who did not think that, being a PUBLIC LIST,
it will NOT filter anything, your mail showed, from your own home, no
proxies.
you're screwed. go eat shit, and keep ddosing.
and, thanks, i needed to get some of that ipv4 list ... was wondering
where 2 of my ips had gone!
have a nice day sir, one of the few left, if i do and, my hoster does,
report your arse to btcentral.
and believe me, at this stage, got lube ??
later arsehole..




Re: [Full-disclosure] Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)

2011-11-11 Thread Antony widmal
Nope. I'm in your mom's bedroom, walk up the stairs, you will hear us..
On 11 Nov 2011 19:57, xD 0x41 sec...@gmail.com wrote:

 another fuck who hides :)



Re: [Full-disclosure] Even worse

2011-11-11 Thread xD 0x41
eh, he had already put it on fd... so, what did it matter..and you
really think, it is hard to do a nslookup ?
you still have to, login to cpanel, and, i know, you can go right
ahead... there is no cpanel bruter, go make one, i dont think it is so
possible...and even then, how long will someone wait...

you dont get it dude.
this idiot, is dd0s'in the frigging website, over me trying to be open
about a very private matter and, all that guy was here for, was
to try find any new ms0**.***.cpp to add to his rBot... believe me
i dont mind, he revealed his IP when he used thunderbird, to
threaten, then, used a fake gmail again, to show records... so, i
dont think im the one making an idiot of myself, i learnt two things,
1. i will NEVER, mark those words, NEVER, help this list, again, in
any matter, and, not respond to any posts.
thats it for me.
and B.
you're a pack of wolves, still not seeing that, just because you're all
sitting there hiding, like the frigging trolls you are, hanging shit
on me, because i could not reveal more than a little, which, was already
too much, and, because i dont give a poc, i deserve to be trashed and
ddos'd... nice list!!
later.


On 12 November 2011 15:34, Chris L inchcom...@gmail.com wrote:
 I have no idea what the point of this post is. Hell, most of your posts are
 hard to understand. However, considering it appears to involve your own
 (or at least a crazy coders site associated with you), I'd think you would
 pay more attention to it. Now, I'm not one to think that security through
 obscurity is a good policy, but that said, revealing the login page:
 cpanel.crazycoders.com just seems stupid to me. Technically, it requires
 SSL, so the page is: https://cpanel.crazycoders.com:2083/ . Still, not a
 good idea to advertise it.

 Maybe one idiot was trying to break in, and you wanted to burn him, but you
 just told everyone, on a list called Full Disclosure no less, the address
 of your login page. Does that really strike you as a good idea?

 https://cpanel.crazycoders.com:2083/

 ___
 Full-Disclosure - We believe in it.
 Charter: http://lists.grok.org.uk/full-disclosure-charter.html
 Hosted and sponsored by Secunia - http://secunia.com/
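The listing quoted in this thread is what anyone gets when an authoritative server answers AXFR for the whole zone, and Chris L's point is that it hands over the management endpoints (cpanel, whm, webmail, webdisk) together with every other name, including a loopback record and the DKIM public keys. The block below is an added example and not code from any poster: it parses AXFR-style output in the same layout as the one quoted above (the SOA wrapped onto a second line) and pulls out what an attacker reads off it. The zone is constructed (example.com with documentation addresses), and the admin-label list and the internal-range list are this example's own choices. The check itself is `dig @<nameserver> <zone> AXFR` against every NS the zone lists; if it answers from an arbitrary client, transfers need restricting to the secondaries (BIND's `allow-transfer`, if that is the server, which the thread does not say).

```python
import ipaddress
import re

# Constructed AXFR-style listing in the layout of the one quoted in the thread
# (example.com and documentation addresses; nothing here is a real zone).
ZONE_DUMP = """\
example.com.            300     IN      SOA
        ns1.example.com. hostmaster.example.com. 2011111101 7200 900 1209600 300
example.com.            86400   IN      NS      ns1.example.com.
example.com.            60      IN      A       192.0.2.10
cpanel.example.com.     14400   IN      A       192.0.2.10
whm.example.com.        14400   IN      A       192.0.2.10
webmail.example.com.    14400   IN      A       192.0.2.10
localhost.example.com.  60      IN      A       127.0.0.1
intranet.example.com.   300     IN      A       10.0.5.20
default._domainkey.example.com. 300 IN  TXT     "v=DKIM1; k=rsa; p=MIGfMA0Gconstructed"
box.example.com.        300     IN      AAAA    2001:db8::c0de:1
www.example.com.        60      IN      CNAME   example.com.
"""

# name  ttl  IN  type  [rdata]; rdata is optional so a wrapped SOA still matches.
RR_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)(?:\s+(.*))?$")

# Labels that usually front a management or remote-access interface
# (this example's own list; extend to taste).
ADMIN_LABELS = {"cpanel", "whm", "webmail", "webdisk", "ftp", "admin", "vpn", "intranet"}

# Address space that should never be published in a public zone (explicit
# ranges rather than ipaddress.is_private, which also flags the documentation
# prefixes used in the sample).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]


def parse_zone(text):
    """Parse AXFR-style lines into (name, ttl, type, rdata) tuples.

    A line that starts with whitespace and is not a record of its own is the
    continuation of the previous record's rdata (how the SOA above is wrapped).
    """
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = RR_LINE.match(line)
        if m:
            name, ttl, rtype, rdata = m.groups()
            records.append((name.rstrip(".").lower(), int(ttl), rtype.upper(), rdata or ""))
        elif records and raw[:1].isspace():
            name, ttl, rtype, rdata = records[-1]
            records[-1] = (name, ttl, rtype, (rdata + " " + line).strip())
    return records


def is_internal(addr_text):
    """True for loopback, RFC 1918, link-local and ULA addresses."""
    addr = ipaddress.ip_address(addr_text)
    return any(addr in net for net in INTERNAL_NETS)


def classify(records):
    """Summarise what an attacker takes from a zone dump."""
    findings = {"hosts": set(), "admin_hosts": [], "internal_addrs": [],
                "dkim_selectors": [], "nameservers": []}
    for name, _ttl, rtype, rdata in records:
        if rtype in ("A", "AAAA", "CNAME"):
            findings["hosts"].add(name)
            if name.split(".")[0] in ADMIN_LABELS:
                findings["admin_hosts"].append(name)
        if rtype in ("A", "AAAA") and is_internal(rdata):
            findings["internal_addrs"].append((name, rdata))
        if rtype == "TXT" and "._domainkey." in name:
            findings["dkim_selectors"].append(name)
        if rtype == "NS":
            # These are the servers to test with: dig @<ns> <zone> AXFR
            findings["nameservers"].append(rdata.rstrip("."))
    findings["hosts"] = sorted(findings["hosts"])
    return findings


def report(text):
    return classify(parse_zone(text))


if __name__ == "__main__":
    for key, value in report(ZONE_DUMP).items():
        print(f"{key}: {value}")
```

Feed it the output of a successful `dig ... AXFR` to get the same summary for a real zone; an empty `nameservers` list means the dump is truncated and the NS set has to be taken from the parent instead.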




Re: [Full-disclosure] Even worse

2011-11-11 Thread xD 0x41
oh, and you're nice, by double posting the infos, yet telling me im the fool.
nice one!

you're a no.1 cocksucker. now go fuck yourself, with antony and the other
wanker who's going to fucking jail.


On 12 November 2011 15:34, Chris L inchcom...@gmail.com wrote:
 I have no idea what the point of this post is. Hell, most of your posts are
 hard to understand. However, considering it appears it involves your own,
 (or at least an associated to you crazy coders site), I'd think you would
 pay more attention to it. Now, I'm not one to think that security through
 obscurity is a good policy, but that said, revealing the login page:
 cpanel.crazycoders.com just seems stupid to me. Technically, it requires
 SSL, so the page is: https://cpanel.crazycoders.com:2083/ . Still, not a
 good idea to advertise it.

 Maybe one idiot was trying to break in, and you wanted to burn him, but you
 just told everyone, on a list called Full Disclosure no less, the address
 of your login page. Does that really strike you as a good idea?

 https://cpanel.crazycoders.com:2083/

 On Fri, Nov 11, 2011 at 8:18 PM, xD 0x41 sec...@gmail.com wrote:

 dude, cry to your isp, when they kick your ass :)
 now fuckoff.


 On 12 November 2011 15:13, crazy coder crazycoder1...@gmail.com wrote:
  So, you know how to view the source of a message. Do you know how to fix
  a zone transfer, eh?
  crazycoders.com.        300     IN      SOA     ns2.psychz.net. ufo.mboca.com. 201102 20 20 20 20
  crazycoders.com.        60      IN      MX      0 crazycoders.com.
  crazycoders.com.        86400   IN      NS      ns2.psychz.net.
  crazycoders.com.        86400   IN      NS      ns14.psychz.net.
  crazycoders.com.        86400   IN      NS      ns15.psychz.net.
  crazycoders.com.        60      IN      A       173.224.214.202
  member.0f.crazycoders.com. 300  IN      A       72.20.12.11
  1337.crazycoders.com.   300     IN      A       72.20.12.10
  default._domainkey.crazycoders.com. 300 IN TXT  k=rsa\; p=MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhALFWHaishP7Edaj+i4ndem/VzV7diLWwc7BuEJ1XGjnPBrpfayzuODrWPzqg2DAjl1CTRM4hDfk82TuY1T3AcRPL4S+yCGdwBbjLBk9Eb/RQB6N7UrXdPPGuKhxJjs39swIDAQAB\;
  best-at.crazycoders.com. 300    IN      AAAA    2001:470:d:10e8::c0de:1
  cpanel.crazycoders.com. 14400   IN      A       173.224.214.202
  crazycoders.crazycoders.com. 14400 IN   A       173.224.214.202
  www.crazycoders.crazycoders.com. 14400 IN A     173.224.214.202
  dmdsecurity.crazycoders.com. 300 IN     A       173.224.214.202
  default._domainkey.dmdsecurity.crazycoders.com. 300 IN TXT k=rsa\; p=MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhANXQE6RQJ9uRaHKT/CnnFe4+luS2DHN/YKgtm/8cAsifM62rKBOWbX5aXFe6Zj1vKnm0RPRDoexeAEyV1RMLuI8PFPCuw/Z6X0Z9mQ6IJzMgAsrrUcowxOiIp8DrNEjSkQIDAQAB\;
  www.dmdsecurity.crazycoders.com. 300 IN A       173.224.214.202
  ftp.crazycoders.com.    60      IN      CNAME   crazycoders.com.
  l33t-c0derz.crazycoders.com. 300 IN     AAAA    2001:470:d:10e8::c0de:3
  localhost.crazycoders.com. 60   IN      A       127.0.0.1
  luv.crazycoders.com.    300     IN      AAAA    2001:470:d:10e8::6
  mail.crazycoders.com.   60      IN      CNAME   crazycoders.com.
  webdisk.crazycoders.com. 14400  IN      A       173.224.214.202
  webmail.crazycoders.com. 14400  IN      A       173.224.214.202
  whm.crazycoders.com.    14400   IN      A       173.224.214.202
  www.crazycoders.com.    60      IN      CNAME   crazycoders.com.
  crazycoders.com.        300     IN      SOA     ns2.psychz.net. ufo.mboca.com. 201102 20 20 20 20
 
  xD 0x41 sec...@gmail.com wrote:
 
  Received: from [127.0.0.1]
  (host86-160-211-44.range86-160.btcentralplus.com. [86.160.211.44])
  too bad eh...




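The listing crazy coder pasted (and xD reposts above) is a complete zone transfer; the security point is what an unrestricted AXFR hands to anyone who asks for it. The following is an added example, not code from the thread or from any of its participants: a Python triage script for that listing format. The record layout ("name TTL IN TYPE rdata", one record per line) is the one pasted above; the admin-keyword list, the constructed SAMPLE_ZONE (a handful of the pasted records, DKIM key truncated) and the function names are this example's own assumptions.

```python
"""Triage of a DNS zone transfer listing.

Added example, not code from the thread.  It parses dig-style AXFR output
(one "name TTL IN TYPE rdata" record per line) and summarises what a zone
transfer hands to an attacker: which names sit on the same server, which
look like administrative interfaces, which point at loopback or private
addresses, and which DKIM selectors exist.  ADMIN_KEYWORDS and SAMPLE_ZONE
are constructed for this example.
"""
import ipaddress
from collections import defaultdict

# Host labels that usually name a login/management interface (assumption).
ADMIN_KEYWORDS = ("cpanel", "whm", "webmail", "webdisk", "admin", "panel")

# Constructed sample in the pasted format; the TXT key is truncated.
SAMPLE_ZONE = r"""
crazycoders.com.        300     IN      SOA     ns2.psychz.net. ufo.mboca.com. 201102 20 20 20 20
crazycoders.com.        60      IN      MX      0 crazycoders.com.
crazycoders.com.        86400   IN      NS      ns2.psychz.net.
crazycoders.com.        60      IN      A       173.224.214.202
1337.crazycoders.com.   300     IN      A       72.20.12.10
default._domainkey.crazycoders.com. 300 IN TXT  k=rsa\; p=MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhALFW
best-at.crazycoders.com. 300    IN      AAAA    2001:470:d:10e8::c0de:1
cpanel.crazycoders.com. 14400   IN      A       173.224.214.202
localhost.crazycoders.com. 60   IN      A       127.0.0.1
mail.crazycoders.com.   60      IN      CNAME   crazycoders.com.
whm.crazycoders.com.    14400   IN      A       173.224.214.202
"""


def parse_zone(text):
    """Return [(name, ttl, rtype, rdata), ...] from 'name TTL IN TYPE rdata' lines.

    Names are lower-cased with the trailing dot removed; lines that are not
    IN-class records (blank, comments, wrapped continuations) are skipped.
    """
    records = []
    for line in text.splitlines():
        parts = line.split(None, 4)
        if len(parts) < 5 or parts[2] != "IN":
            continue
        name, ttl, _cls, rtype, rdata = parts
        records.append((name.lower().rstrip("."), int(ttl), rtype.upper(), rdata.strip()))
    return records


def triage(records):
    """Summarise the attacker-relevant facts in a parsed zone."""
    hosts_by_addr = defaultdict(set)   # address -> names that resolve to it
    admin_hosts = set()                # names whose first label looks administrative
    internal = []                      # (name, address) for loopback/private targets
    dkim_selectors = []                # DKIM selector names published as TXT
    for name, _ttl, rtype, rdata in records:
        if rtype in ("A", "AAAA"):
            addr = ipaddress.ip_address(rdata)
            hosts_by_addr[str(addr)].add(name)
            if addr.is_loopback or addr.is_private:
                internal.append((name, str(addr)))
        first_label = name.split(".")[0]
        if any(k in first_label for k in ADMIN_KEYWORDS):
            admin_hosts.add(name)
        if rtype == "TXT" and "_domainkey" in name:
            dkim_selectors.append(name)
    shared = {a: sorted(n) for a, n in hosts_by_addr.items() if len(n) > 1}
    return {
        "hosts_by_addr": {a: sorted(n) for a, n in hosts_by_addr.items()},
        "shared": shared,
        "admin_hosts": sorted(admin_hosts),
        "internal": internal,
        "dkim_selectors": dkim_selectors,
    }


def report(summary):
    """Render the triage as text, one finding per line."""
    lines = []
    for addr, names in summary["shared"].items():
        lines.append("shared host %s: %s" % (addr, ", ".join(names)))
    for name in summary["admin_hosts"]:
        lines.append("admin interface exposed by name: %s" % name)
    for name, addr in summary["internal"]:
        lines.append("internal/loopback address published: %s -> %s" % (name, addr))
    for name in summary["dkim_selectors"]:
        lines.append("DKIM selector: %s" % name)
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(triage(parse_zone(SAMPLE_ZONE))))
```

On a real target, `text` is the output of `dig @<authoritative-ns> <zone> AXFR`; the listing above exists only because the authoritative server answers AXFR to anyone. The fix crazy coder is asking about is to restrict transfers to the secondaries (in BIND, `allow-transfer { ...; };` on the zone or in `options`), which removes the whole listing, not just the names a reader happens to notice.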


Re: [Full-disclosure] Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)

2011-11-11 Thread Antony widmal
Walk up the stairs, I said.
I'm fixing your father's genetic issue.
On 11 Nov 2011 20:47, xD 0x41 sec...@gmail.com wrote:

 yes, dude, if I were to ever see you, in aus, I'd beat your arse so
 good, mother jokes would become a fucking dream to you.. believe it
 stupid.
 keep it up too... thinking I'm someone who I am not, still.. now, go
 fuck yourself.
 if I find out who you are, you will cry mercy forever.


 On 12 November 2011 15:44, Antony widmal antony.wid...@gmail.com wrote:
  Nope. I'm in your mom's bedroom, walk up the stairs, you will hear us..
  On 11 Nov 2011 19:57, xD 0x41 sec...@gmail.com wrote:
 
  another fuck who hides :)
 
 
  On 12 November 2011 14:51, Antony widmal antony.wid...@gmail.com
 wrote:
   Typical S-K behavior; talk about stuff he has nfi.
  
    On 11 Nov 2011 19:15, xD 0x41 sec...@gmail.com wrote:
  
    0day for ms, is not so hard, and, I have already explained one of
    them to some people :)
    but, I don't care, because, you don't have it, and, I do.
    so, many people have 0days... what's wrong with this? I found my own,
    and, that's why I am happy to keep them. and, as I said, one, I have
    discussed and, made a working scanner binary for.. so, I guess that
    much, some people do know is true...
    so, that's not rare at all.. you want to wonder about just windows,
    imagine linux... and, there is, the imagination, is big there and
    there is plenty and plenty of attacks still available on fully patched
    NON grsec kernels :)
    and yes, I have 0days of those, also.
    enjoy. some get lucky, others just... suck..
  
  
   On 12 November 2011 13:42, baqstabz baqst...@gmail.com wrote:
 Judging by your posts I would go out on the edge and say that you have
 about as much chance of having 0-day (yes, that is including XSS) as your
 mommy.
 face it lol
    
 Now please, stfu son, you're sounding like a total tardlump; otherwise
 we will have to unleash the dragons and let you see what a 10k botnet
 feels like.
   
   
On 11/11/2011 23:26, xD 0x41 wrote:
   
 Indeed.
 Seeing how the wolves are, I certainly would not release it.
 I am only saying, I am using cpp, and windows, and, the exploit
 bypasses all protections, but, since you guys don't have the actual
 real poc for it, I guess, I would not be saying anything more, and,
 I'll be leaving it, for the proper poc author, to make that choice,
 which, personally, I would never hand out to a bunch of disrespectful
 people, as I see, when this is, nothing, I have held onto, at least 2
 GOOD MS 0days for years, you really think, I will hand out the right
 way to do this?
 pfft.. yer right, let's go hand everyone the ms bug :PP ofc, why
 would I ever not want a 10k botnet up in a day... hell yea!
 I would never give more about this, on this topic, because, I have
 seen how people are now on this list and, it saddens me that half of
 you do not have a brain. unfortunately.. and, since I don't wish to
 break any deals made with ms etc, then, I cannot say anything, I don't
 know why this is hard to understand.. and, I will NOT hand out a working
 scanner, regardless...
 and, believe it, it does NOT take 49 days at all to exploit... there's
 a lot, you don't know.. yet.
    
 don't ask me further, please.
 I should never have even said anything, again, I won't make that
 mistake again, the proof, will as always be in the pudding...
 later.
   
   
 On 12 November 2011 10:17, Michal Zalewski lcam...@coredump.cx wrote:
    
 next time, I won't say shit, and, believe it.
    
 Well it's just that the attack you are describing will be thwarted by
 setting a sticky bit on /tmp, and you have not demonstrated otherwise.
    
 /mz
   
   
   
  
  
 


Re: [Full-disclosure] Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)

2011-11-11 Thread xD 0x41
As I've stated, when the pudding is ready, it would be released,
simple... it is not my fault, if a friend hands me papers, and I am
not obliged to re-release them... simple. I don't care to provide
amusement for you, and any other idiot like you.
So, go fk yourself too :)
thx, and have a nice day.


On 12 November 2011 16:02, Jon Kertz jon.ke...@gmail.com wrote:
 On Fri, Nov 11, 2011 at 6:26 PM, xD 0x41 sec...@gmail.com wrote:
 i should never have even said anything, again, i wont make that
 mistake again, the proof, will as always be n the pudding...
 later.

 Yes, it is. The only problem is you've failed to provide the pudding,
 so there is no proof.

 Back to your regularly scheduled huffing, panting, and closet drooling.




Re: [Full-disclosure] Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)

2011-11-11 Thread Antony widmal
Dear Dan,

Impacket was at first a Pysmb copy/update from Core Security in order to
play with RPC. (look at the source)
They've done some work on the pysmb library in order to implement DCE/RPC
functionality in this dinosaur lib.
Saying that we should use Impacket in order to craft *raw* UDP packets
is definitely the dumbest thing I've heard today. Seriously. Anyone can
confirm that? Mario? Carlos?

Anyways, this guy doesn't understand shit, talks a lot about shit he
doesn't know about, why would you even spend time reading his shit?

This vulnerability is about sending a *huge fucking* stream of UDP packets
to a closed port in order to trigger an int overflow via a ref count.
Most of the people here didn't even understand what we are talking
about/dealing with.

Anyways, it's probably time for you to unsubscribe since you don't follow
and S-K's like sec...@gmail.com are trying to act like they know.

Yeah right, a UDP int overflow triggered via a refcount UDP overflow that
you can trigger with 1 single TCP (with the right ACK) packet is the way to
go.

This mailing list is getting gay, seriously.

Cheers,
Antony.





On Fri, Nov 11, 2011 at 3:10 PM, Dan Ballance tzewang.do...@gmail.com wrote:

 Okay, now I'm confused! From
 http://oss.coresecurity.com/projects/impacket.html

 Impacket is a collection of Python classes focused on providing access to
 network packets. Impacket allows Python developers to craft and decode
 network packets in simple and consistent manner. It includes support for
 low-level protocols such as IP, UDP and TCP, as well as higher-level
 protocols such as NMB and SMB. Impacket is highly effective when used in
 conjunction with a packet capture utility or package such as Pcapy
 (http://oss.coresecurity.com/projects/pcapy.html).
 Packets can be constructed from scratch, as well as parsed from raw data.
 Furthermore, the object oriented API makes it simple to work with deep
 protocol hierarchies.

 Thanks for your input Antony. Can you explain why impacket has nothing to
 do with crafting UDP packets?

 Fascinating thread this. Thanks to all!!

 dan :)

  On 11 November 2011 22:42, Antony widmal antony.wid...@gmail.com wrote:

  You are definitely a lamer secn3t.
  Also, for your little brain, impacket has nothing to do with crafting UDP
  packets..

 Thanks for proving this again and again.

 On Fri, Nov 11, 2011 at 2:36 PM, xD 0x41 sec...@gmail.com wrote:

  well look at that :P
  not the same author but, nice coding predelka! good one, I will add you
  to the crazycoders.com coders list... I guess there are a few codes you have
  now done which might be useful... cheers.
  xd



 On 12 November 2011 05:43, Ryan Dewhurst ryandewhu...@gmail.com wrote:
  An attempt at a possible MS11-083 DoS/PoC exploit, by @hackerfantastic:
 
  http://pastebin.com/fjZ1k0fi
 
   On Fri, Nov 11, 2011 at 5:08 PM, Thor (Hammer of God) t...@hammerofgod.com wrote:
  Yeah, I gotta say, I’m going to use it at some point ;)
 
 
 
  From: full-disclosure-boun...@lists.grok.org.uk
  [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of
 Mario Vilas
  Sent: Friday, November 11, 2011 9:02 AM
  To: Ryan Dewhurst
 
  Cc: full-disclosure@lists.grok.org.uk
  Subject: Re: [Full-disclosure] Microsoft Windows vulnerability in
 TCP/IP
  Could Allow Remote Code Execution (2588516)
 
 
 
  I liked the heavy breather in the perv closet bit.
 
  On Fri, Nov 11, 2011 at 5:43 PM, Ryan Dewhurst 
 ryandewhu...@gmail.com
  wrote:
 
  I think Jon just said what everyone else was thinking, he said what I
  was thinking at least.
 
  On Fri, Nov 11, 2011 at 1:54 PM, Jon Kertz jon.ke...@gmail.com
 wrote:
  On Thu, Nov 10, 2011 at 2:59 PM, xD 0x41 sec...@gmail.com wrote:
   About the PPS, I think that's a very bad summary of the exploit, 49 days
   to send a packet, my butt.
   There are many people assuming wrong things, when it can be done within
   seconds, syscanner would scan a -b class in minutes, remember it only
   has to find the vulns, gather, then it would break scan, and trigger
   vuln... so in real world botnet, yes then, with tcpip patchers, like
   so many ppl I know myself, even use (tcpipz patcher), which rocks...
   and it is the ONLY one which actually works, when you maybe modify the src
   so the sys file, is dropped from within a .cpp file, well that's up to
   you but that's a better way to make it work, this will open
   sockets/threads, as I could, easily prove with one exe, but, the goal
   is, to trigger the vuln then exploit it, less than 49 days :P , so,
   I guess if this exploit, in real form, gathered 2 million hosts over 3
   nights.. I'm guessing that the exploit, could possibly be triggered with
   ONE properly setup packet.. people forget that, a packet is one thing,
   and a crafted UDP packet, is quite another..
 
  I'd really like to see you actually explain this bug with code.
 Either
  with a poc or with the disassembly. You seem to act like you know
  what's going on, but so far your description has been off base (from

Re: [Full-disclosure] Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)

2011-11-11 Thread Jeffrey Walton
On Sat, Nov 12, 2011 at 12:53 AM, Antony widmal antony.wid...@gmail.com wrote:
 Dear Dan,
 Impacket was at first a Pysmb copy/update from Core Security in order to
 play with RPC. (look at the source)
 They've done some work on pysmb library in order to implement DCE/RPC
 functionality in this dinosaurus lib.
You can also try Dave Aitel's SPIKE.

 This vulnerability is about sending a *huge fucking* stream of UDP packets
 on a closed port in order to trigger a int overflow via a ref count.
 Most of the people here didn't even understand what we are talking
 about/dealing with.
Is this related to the undisclosed MS09-048, which we were told did
not require remediation because the Windows firewall (et al) mitigated
the vulnerability?
http://www.microsoft.com/technet/security/Bulletin/MS09-048.mspx.

Jeff

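Antony's one-line description of the bug class quoted above (a reference count incremented per UDP packet to a closed port until it wraps) is the part of the thread worth making concrete, since that is also what the "49 days" argument is about. The following is an added example, not code from the thread, from Microsoft or from tcpip.sys: it models a fixed-width reference counter that wraps, shows the premature free that results, and puts a saturating counter next to it as the hardened form. The 16-bit width, the RefCounted object, the "every packet leaks one reference" trigger and the packet rate of 1,000 per second are this example's assumptions; the real counter width, object and trigger are not taken from the page.

```python
"""Model of the bug class described in the thread: a fixed-width reference
count that is incremented once per packet, wraps, and lets a later release
free an object that still has live references.

Added example, not code from the thread, from Microsoft or from tcpip.sys.
The 16-bit width, the RefCounted object and the "every packet leaks one
reference" trigger are assumptions chosen so the wrap is visible in a test.
"""


class RefCounted:
    """Object freed when its fixed-width reference count reaches zero."""

    def __init__(self, bits=16):
        self.mask = (1 << bits) - 1
        self.count = 1        # the owner's reference
        self.freed = False

    def addref(self):
        # Vulnerable: modular arithmetic, so 2**bits increments bring the
        # count back to where it started while the extra references still exist.
        self.count = (self.count + 1) & self.mask

    def release(self):
        self.count = (self.count - 1) & self.mask
        if self.count == 0:
            self.freed = True  # returned to the allocator; remaining users now dangle


class SafeRefCounted(RefCounted):
    """Hardened variant: saturate instead of wrapping.

    Refusing the extra reference (leaking the object at worst) is the usual
    fix, because a leak is a DoS while a wrap is a use-after-free.
    """

    def addref(self):
        if self.count == self.mask:
            raise OverflowError("reference count saturated")
        self.count = (self.count + 1) & self.mask


def flood(obj, packets):
    """Simulate `packets` packets that each take a reference and never drop it.

    Returns how many references were actually taken; the hardened object
    stops accepting them once saturated.
    """
    leaked = 0
    for _ in range(packets):
        try:
            obj.addref()
        except OverflowError:
            break
        leaked += 1
    return leaked


def premature_free(cls, bits=16):
    """True if, after the flood, the owner's single release frees the object
    while leaked references are still outstanding (the use-after-free setup)."""
    obj = cls(bits)
    leaked = flood(obj, 1 << bits)  # 2**bits leaks wrap the count back to 1
    obj.release()                   # the owner's normal, legitimate release
    return obj.freed and leaked > 0


def seconds_to_wrap(bits, packets_per_second):
    """Time for a bits-wide counter to wrap if every packet increments it once."""
    return (1 << bits) / packets_per_second


def days_to_wrap(bits, packets_per_second):
    return seconds_to_wrap(bits, packets_per_second) / 86400.0


if __name__ == "__main__":
    print("vulnerable freed early:", premature_free(RefCounted))
    print("hardened freed early:  ", premature_free(SafeRefCounted))
    # Assumed rate of 1,000 packets/s: a 32-bit counter needs 2**32 packets,
    # which is about 49.7 days.
    print("32-bit wrap at 1000 pps: %.1f days" % days_to_wrap(32, 1000))
```

The arithmetic is the only part that bears on the "49 days" dispute: 2**32 packets at an assumed 1,000 packets per second is 4,294,967 seconds, about 49.7 days, and the figure scales inversely with the rate an attacker can actually sustain against the target. Whether the counter in the real driver is 32 bits wide, and what exactly increments it, is not established anywhere in this thread.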


Re: [Full-disclosure] Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)

2011-11-11 Thread Antony widmal
On Fri, Nov 11, 2011 at 10:08 PM, Jeffrey Walton noloa...@gmail.com wrote:

 On Sat, Nov 12, 2011 at 12:53 AM, Antony widmal antony.wid...@gmail.com
 wrote:
  Dear Dan,
  Impacket was at first a Pysmb copy/update from Core Security in order to
  play with RPC. (look at the source)
  They've done some work on pysmb library in order to implement DCE/RPC
  functionality in this dinosaurus lib.
 You can also try Dave Aitel's SPIKE.

 Yeah sure;
If you're passionate about medieval history and you are a fan of
the Flintstones, you'll be happy with Dave Aitel's fuzzer.

Regards,
Antony

 This vulnerability is about sending a *huge fucking* stream of UDP packets
  on a closed port in order to trigger a int overflow via a ref count.
  Most of the people here didn't even understand what we are talking
  about/dealing with.
 Is this related to the undisclosed MS09-048, which we were told did
 not require remediation because the Windows firewall (et al) mitigated
 the vulnerability?
 http://www.microsoft.com/technet/security/Bulletin/MS09-048.mspx.

 Jeff
