Re: [Full-disclosure] Exploit Pack - Happy new year!

2012-01-19 Thread Mario Vilas
Just out of curiosity, exactly how do you measure that?

On Wed, Jan 18, 2012 at 8:25 PM,  nore...@exploitpack.com wrote:
 +20k active users



-- 
“There's a reason we separate military and the police: one fights the
enemy of the state, the other serves and protects the people. When the
military becomes both, then the enemies of the state tend to become
the people.”

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] Exploit Pack - Happy new year!

2012-01-19 Thread xD 0x41
logon counter i wonder.. you bring something interesting though to
something which that guy said... yea, i wonder how he is counting and,
i know that shit, dont have 20k, more like 20 if lucky... it has what,
10 ftp bsitty 10ftp in the world b0f, all from the same kid too... hes
happy to do it but.. they know it goes in the pack, so, i guess if
there was 20k ever of them, id not pity a single one :)
have a nice day.


On 19 January 2012 21:42, Mario Vilas mvi...@gmail.com wrote:
 Just out of curiosity, exactly how do you measure that?

 On Wed, Jan 18, 2012 at 8:25 PM,  nore...@exploitpack.com wrote:
 +20k active users






Re: [Full-disclosure] Exploit Pack - New release

2012-01-19 Thread GloW - XD
So anyhow... came across this... for anyone interested in it.. this is
seemingly a bit old but, i will actually check it out, and then make my
judgement, although, i see msf2 and, recall there was problemos,
specially with the whole smb session setup and nt session stuffs, and
couple other areas, dcerpc in any form seemed a bit tricky them days of
msf2 when it was crossing, from i think .py or .rb to customised rb
with a really GREAT Dcerpc FPhost application, so, i see that is there
but, is msf2/ , so, if he ripped them off, well, i guess this is not a
payback at all but, finally, im going to fucking end this topic ok, so,
this guy is decent, or not decent, can be for once maybe put to bloody
rest, i mean, the guy is trying, albeit, he sucks, atm...but, maybe
this will show more, who knows, i have seen miracles happen.

http://hotfile.com/dl/142661738/73422d5/INSECTProFull.zip.html --
122 meg, unchecked, untested.. probably others of it around but, this
seems workable...

enjoy but, please, rate it at least afterwards...as i will delete it
after people have given the 'complete' exploitpack.com works, which,
this is also part of, so i would assume that exploitpack files should
work on insectpro, or not... this is what we can now ask and, well, he
can try sell it and scream Copyright all he likes, then, i will just
move it to my website, and make sure it is updated... so, i guess it
is, leave it till i say, or, it'll be online, free, forever, with
updates :)
ok.
have a lovely fucking FD wank day arseholes.




On 19 January 2012 06:26,  nore...@exploitpack.com wrote:
 Exploit Pack is a Security Tool that will assist you while you test
 the security of your workstations or networks. With a friendly and easy
 to use interface, it has an update manager to keep you up to date and an
 IDE to develop or modify its modules. Also we provide you with
 technical support if you need it. Try it out and purchase a subscription
 now. Make your computer safe using Exploit Pack.

 Make your workstation safe by testing its security before hackers,
 viruses or malware do. Mitigate, monitor and manage the latest security
 threats and vulnerabilities and implement active security policies by
 performing penetration tests across your infrastructure and
 applications.

 Visit us: http://exploitpack.com

 Exploit Pack Team
 Juan Sacco
 Dev Lead




Re: [Full-disclosure] [CVE-2012-0207] Linux IGMP Remote Denial Of Service

2012-01-19 Thread HI-TECH .
Hello xD,
sorry, I don't understand a word you are talking about.
To put everything together about what you were ranting would take too
much time for me.
Did I offend you in any way?
It's just a PoC for people to test their systems, nothing else...
I cannot check on each and every system whether it works; I just checked
two boxes and that's enough for me.

Regards,

Kc

Am 19. Januar 2012 04:56 schrieb xD 0x41 sec...@gmail.com:
 Now, here's the one which works, without in_chksum bug ;)

 http://pastebin.com/x1ShKAUT

 now, sorry but, had to try it remotely, sheesh, and, you dont
 cripple, code of old bugs and, half of this code is from an old bug
 anyhow, so why the heck not leave it... i guess now you're starting to
 look like Jon Oberheldie the king of fucked up cripples... lol...
 enjoy folks. this version, may even work! omg isn't this amazing!!
 XD says to FD a BIG FUCKS YOU, well cept kcope and few other decent
 guys like me :P, and nme, and tropic and well, #Haxnet :)
 now go fucking shoot yourselves away with your newbie working
 undeadattack.. dont know why someone did not inform me they would
 cripple it, and maybe forward a copy to me but, now this file, goes
 where the rest go, to the shame files...





 On 18 January 2012 08:11, HI-TECH .
 isowarez.isowarez.isowa...@googlemail.com wrote:
 Demonstration of the Exploit:
 http://www.youtube.com/watch?v=78nAxh70yZE (thanks ClsHack)

 see attached content

 /Kingcope




Re: [Full-disclosure] Reflection Scan: an Off-Path Attack on TCP

2012-01-19 Thread Marsh Ray
On 01/17/2012 04:45 PM, Jan Wrobel wrote:

 Abstract:
 The paper demonstrates how traffic load of a shared packet queue can
 be exploited as a side channel through which protected information
 leaks to an off-path attacker.

Cf. The Thing
http://en.wikipedia.org/wiki/Thing_%28listening_device%29

- Marsh



[Full-disclosure] Advisory 01/2012: Suhosin PHP Extension Transparent Cookie Encryption Stack Buffer Overflow

2012-01-19 Thread Stefan Esser
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1


                        SektionEins GmbH
                       www.sektioneins.de

                    -= Security Advisory =-

     Advisory: Suhosin PHP Extension Transparent Cookie Encryption
               Stack Buffer Overflow
 Release Date: 2012/01/19
Last Modified: 2012/01/19
       Author: Stefan Esser [stefan.esser[at]sektioneins.de]

  Application: Suhosin Extension <= 0.9.32.1
     Severity: A possible stack buffer overflow in Suhosin extension's
               transparent cookie encryption that can only be triggered
               in an uncommon and weakened Suhosin configuration can
               lead to arbitrary remote code execution, if the
               FORTIFY_SOURCE compile option was not used when Suhosin
               was compiled.
         Risk: Medium
Vendor Status: Suhosin Extension 0.9.33 was released which fixes this
               vulnerability
    Reference: http://www.suhosin.org/
               https://github.com/stefanesser/suhosin

Overview:

  Quote from http://www.suhosin.org
  "Suhosin is an advanced protection system for PHP installations.
   It was designed to protect servers and users from known and
   unknown flaws in PHP applications and the PHP core. Suhosin comes
   in two independent parts, that can be used separately or in
   combination. The first part is a small patch against the PHP
   core, that implements a few low-level protections against
   buffer overflows or format string vulnerabilities and the second
   part is a powerful PHP extension that implements all the other
   protections."

  During an internal audit of the Suhosin PHP extension, which is
  often confused with the Suhosin PHP Patch, although they are not
  the same, a possible stack based buffer overflow inside the
  transparent cookie encryption feature was discovered.

  If successfully exploited this vulnerability can lead to arbitrary
  remote code execution. However further investigation into the
  vulnerability revealed that it can only be triggered if the admin
  has not only activated transparent cookie encryption, but also
  explicitly disabled several other security features of Suhosin.
  In addition to that remote exploitation requires a PHP application
  that puts unfiltered user input into a call to the header()
  function that sends a Set-Cookie header.

  Furthermore most modern unix systems compile the Suhosin extension
  with the FORTIFY_SOURCE flag, which will detect the possible buffer
  overflow and abort execution before something bad can happen.

Details:

  The transparent cookie encryption of Suhosin is disabled by default
  because it stops applications using JavaScript to access cookies,
  which would break these applications. In order to activate it an
  admin has to enable this feature in the configuration file:

suhosin.cookie.encrypt = On

  Once activated all incoming cookies will be decrypted and all
  outgoing Set-Cookie HTTP headers will be rewritten to only contain
  encrypted data. When this happens the following code of Suhosin
  extension will be triggered.

char *suhosin_encrypt_single_cookie(char *name, int name_len, char *value, int value_len, char *key TSRMLS_DC)
{
    char buffer[4096];
    char buffer2[4096];
    char *buf = buffer, *buf2 = buffer2, *d, *d_url;
    int l;

    /* name: bounds check and copy both use the explicit length name_len */
    if (name_len > sizeof(buffer)-2) {
        buf = estrndup(name, name_len);
    } else {
        memcpy(buf, name, name_len);
        buf[name_len] = 0;
    }

    /* ... */

    /* value: bounds check uses strlen(), but the copy uses value_len */
    if (strlen(value) <= sizeof(buffer2)-2) {
        memcpy(buf2, value, value_len);
        buf2[value_len] = 0;
    } else {
        buf2 = estrndup(value, value_len);
    }

  The problem with this code is that the second call to memcpy()
  uses strlen() to check if there is enough buffer space but
  uses the variable value_len to determine the amount of bytes
  to copy. The problem is that there could be a NUL byte inside
  the value of the cookie, which will result in a stack based
  buffer overflow. While the same code can also be found inside
  the suhosin_decrypt_single_cookie() function the problem cannot
  be exploited, because in that case there cannot be a NUL byte.

  To understand the limited impact of this vulnerability it is
  important to know that NUL bytes are not allowed inside HTTP
  headers in a default Suhosin installation. In order to be
  vulnerable it is therefore required that the admin explicitly
  weakened security by disabling the HTTP response splitting
  protection of Suhosin by using the following configuration:

suhosin.multiheader=On

  The next thing to know is that PHP applications normally use
  the functions setcookie() and setrawcookie() to set cookies.
  Both functions are however not affected by the problem
  because both functions will eliminate a possible NUL byte
  when constructing the Set-Cookie header. Therefore the only
  way to 
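The strlen()/value_len mismatch the advisory describes, isolated as a small C program. This is an added example and not Suhosin's code: the function names, the constructed cookie value (a short printable prefix, an embedded NUL byte, then filler bytes) and the use of the advisory's 4096-byte buffer size are assumptions of the example, and copy_cookie_value() is one hardened form that bounds the copy by the explicit length, not the fix shipped in Suhosin 0.9.33.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Same fixed stack buffer size as the advisory's buffer2[4096]. */
#define COOKIE_BUF_SIZE 4096

/* Constructed test input (not a real cookie): a short prefix, an embedded
 * NUL byte, then `filler` bytes of 'A'. Returns a heap buffer; the real byte
 * count (what value_len would carry) is stored in *out_len. */
static char *build_nul_cookie(size_t filler, size_t *out_len)
{
    const char prefix[] = "id=1";                     /* 4 visible bytes   */
    size_t len = (sizeof(prefix) - 1) + 1 + filler;   /* prefix+NUL+filler */
    char *v = malloc(len + 1);
    if (!v) return NULL;
    memcpy(v, prefix, sizeof(prefix) - 1);
    v[sizeof(prefix) - 1] = '\0';                     /* the embedded NUL  */
    memset(v + sizeof(prefix), 'A', filler);
    v[len] = '\0';
    *out_len = len;
    return v;
}

/* Bounds check as written in the affected code: strlen() stops at the first
 * NUL, while the copy that follows uses value_len. Returns 1 when this check
 * would admit the value to the fixed-size stack buffer. */
static int strlen_check_allows_stack_copy(const char *value, size_t value_len)
{
    (void)value_len;                         /* the original check ignores it */
    return strlen(value) <= COOKIE_BUF_SIZE - 2;
}

/* Corrected check: bound the same quantity the copy will actually use. */
static int len_check_allows_stack_copy(const char *value, size_t value_len)
{
    (void)value;
    return value_len <= COOKIE_BUF_SIZE - 2;
}

/* Bytes that memcpy(buf2, value, value_len); buf2[value_len] = 0 would write
 * past the end of a COOKIE_BUF_SIZE buffer (0 if everything fits). */
static size_t bytes_past_end(size_t value_len)
{
    size_t written = value_len + 1;          /* payload plus terminator */
    return written > COOKIE_BUF_SIZE ? written - COOKIE_BUF_SIZE : 0;
}

/* Hardened copy: the explicit length drives both the check and the copy, and
 * oversized values go to the heap. *on_heap tells the caller whether to free(). */
static char *copy_cookie_value(const char *value, size_t value_len,
                               char *stack_buf, size_t stack_size, int *on_heap)
{
    if (value_len + 1 > stack_size) {
        char *h = malloc(value_len + 1);
        if (!h) return NULL;
        memcpy(h, value, value_len);
        h[value_len] = '\0';
        *on_heap = 1;
        return h;
    }
    memcpy(stack_buf, value, value_len);
    stack_buf[value_len] = '\0';
    *on_heap = 0;
    return stack_buf;
}

int main(void)
{
    size_t len;
    char *v = build_nul_cookie(5000, &len);
    char buf[COOKIE_BUF_SIZE];
    int on_heap;
    char *copy;

    if (!v) return 1;
    printf("value_len=%zu strlen=%zu\n", len, strlen(v));
    printf("strlen-based check admits stack copy: %d\n", strlen_check_allows_stack_copy(v, len));
    printf("length-based check admits stack copy: %d\n", len_check_allows_stack_copy(v, len));
    printf("bytes the original copy would write past buffer2: %zu\n", bytes_past_end(len));

    copy = copy_cookie_value(v, len, buf, sizeof buf, &on_heap);
    printf("hardened copy went to the %s\n", on_heap ? "heap" : "stack");
    if (on_heap) free(copy);
    free(v);
    return 0;
}
```

With the constructed value, strlen() sees only the 4 bytes before the NUL and admits it to the 4096-byte buffer, while value_len says the copy needs 5006 bytes, 910 of them past the end. The hardened copy uses one length for both decisions, so no path writes past the stack buffer. The advisory's FORTIFY_SOURCE remark corresponds to this situation: the destination is a stack array whose size the compiler knows, so a fortified memcpy() can compare value_len against it at run time and abort.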

Re: [Full-disclosure] Reflection Scan: an Off-Path Attack on TCP

2012-01-19 Thread Jason Hellenthal

Frickin k1dz1es

On Thu, Jan 19, 2012 at 01:22:35PM +1100, xD 0x41 wrote:
 On 18 January 2012 09:45, Jan Wrobel w...@mixedbit.org wrote:
  Hi,
 
  This TCP session hijacking technique might be of interest to some of you.
 
  Abstract:
  The paper demonstrates how traffic load of a shared packet queue can
  be exploited as a side channel through which protected information
  leaks to an off-path attacker. The attacker sends to a victim a
  sequence of identical spoofed segments. The victim responds to each
  segment in the sequence (the sequence is reflected by the victim) if
  the segments satisfy a certain condition tested by the attacker. The
  responses do not reach the attacker directly, but induce extra load on
  a routing queue shared between the victim and the attacker. Increased
  processing time of packets traversing the queue reveal that the tested
  condition was true. The paper concentrates on the TCP, but the
  approach is generic and can be effective against other protocols that
  allow constructing requests which are conditionally answered by the
  victim. A proof of concept was created to assess applicability of the
  method in real-life scenarios.
 
  The paper in ps and pdf is available at http://mixedbit.org and
  http://arxiv.org/abs/1201.2074
 
  Proof of concept: https://github.com/wrr/reflection_scan
 
  Thanks,
  Jan
 
 
 
 Very cool :)
 Thanks for showing this as a 'type' of sequencing, id love to test this
 with winBITS and see what makes a difference in there...but yea, nice
 stuff from the snippets i have read and could comprehend without
 making a packetting app :P hehe..great work, and great paper for ANY
 hat to wear.
 Might have to try it one day and see if it is as effective as it seems!
 great stuff tho, anything to do with bugs within TCP-IP stacks, should
 be always encouraged... thanks for the encouragement :-)
 Cheers, and Ill maybe add more on this and another persons pi3.com.pl )
 tcp ip session hijacking, which people have even said, is impossible...
 i guess they should find and watch that video, or just ask the author
 of the blog, to explain it more...maybe would have them something to
 actually see as a 'p0c' anyhow, many thanks in your input and,
 again any further addons and appendices to the papers just, let the
 list know, and ill make sure the topic maybe gets a better coverage,
 as, this is also a topic many ppl called me a wanker on...or maybe one
 of them :s megh, i dont count now, i just read the msgs from 3 ppl
 and delete the rest :)
 best way to use fd, is to take what you're given, and stfu... i dont
 know why so many ppl seem to call me this, when, i am only interested,
 in bugs i can actually exploit...yet, so much bullsh1t on this forum,
 they have forgotten what a bug is, and, what a poc is. and now,
 these are 'design flaws' lol anyhow, please keep up the research,
 we like it! Oh thats, the ppl like, 3 of you (maybe) who actually,
 seem cool ;)
 You also do, and you're on a great topic, dont let idiots pick out any
 flaws in anything on this subject, coz believe me, behind every
 trolling ive been thru, that was the worst when i spoke about, methods
 of hijacking tcp ip stack and did not give out the poc...well, now,
 the poc is available to see on video for those who are not idiots and
 abuse, but actually, want to see it working :)
 Ok, thats my 2bob, dont expect any answers, unless you're a VERY well
 known person, i will auto delete it, so, i hope to see you in my
 channel, anytime online... and there, we could discuss ANYTHING :)
 Why some of you are there, and see what i do, i guess are not the
 haters on this list but, also, they get what 'they're given', which is
 ALO in the cases where people are cool so, i guess the moral of
 the story is, dont smash the stack too hard
 enjoy buddy, im probably one of few who would even understand it but
 anyhow :P Thanks!
 Drew.
 
 PS:
 NOT a top poster anymore, omg, whats this, not using Glow XD, what is
 this, madness!! omg!
 Seriously folks, you should all read more of people like this's work,
 and then maybe, contribute some of your own frigging srcs, instead of
 relying on ppl like kcope to fist fuck you, which is fine by me : i
 hope he fucks this list over, nonstop till your arses bleed, but hey,
 thats JUST me! love you all long fucking time arseholes, go to hell,
 and dont even try talking to me, ever, if you're not already in the addy
 book, you will fkn know about it and oh, i CAN ddos you, and i WILL,
 so, anytime you like to shit me, in private, and wish to test your
 fwall, go hard, i dun care, i should say, we...but, it really doesnt
 matter, coz, i dont even have to press the buttons for the wankers who
 have already flamed me in past anymore, you will only 

Re: [Full-disclosure] Avast Antivirus

2012-01-19 Thread Juergen Schmidt
On Tue, 17 Jan 2012, Floste wrote:

 Hello,

 Avast Antivirus also comes with sandbox and a SafeZone. But both can
 be circumvented using simple dll-injection and they seem to do nothing
 about it: http://forum.avast.com/index.php?topic=82291.0

 Maybe this post here will encourage them to fix it.

In my understanding a sandbox is not supposed to prevent you from getting
in from the outside but from escaping from the inside. So if a sandboxed
process injects a DLL in, say, a running IE process outside -- then we are
talking about vulns.


bye, ju



--
Juergen Schmidt   Chefredakteur  heise Security www.heisec.de
Heise Zeitschriften Verlag, Karl-Wiechert-Allee 10 ,   D-30625 Hannover
Tel. +49 511 5352 300  FAX +49 511 5352 417   EMail j...@heisec.de
GPG-Key: 0x38EA4970,  5D7B 476D 84D5 94FF E7C5  67BE F895 0A18 38EA 4970



Re: [Full-disclosure] [CVE-2012-0207] Linux IGMP Remote Denial Of Service

2012-01-19 Thread Morgus Magnificent
Thanks again for reinforcing my paranoia with another one of your exploits.
The apache killer one was particularly disturbing and at the same time,
another great eye-opener, much respect to you.

I tested this on a custom compiled kernel for PXE booting, version
2.6.37.6-x86_64, running Debian Squeeze, and I can't seem to get it to work.
Root is mounted read-only over NFS.

I don't recall any special config options I did for networking or IGMP
requests, other than building my NIC drivers and NFS into the kernel.
Did I just get lucky?

Thanks,

Morgus

[Full-disclosure] usb_modeswitch/pppd -detach

2012-01-19 Thread srm

morning,


Impact
==

Low


Summary
===

When using usb_modeswitch and invoking pppd from wvdial in -detach mode, a
/tmp/debug file is created. A local attacker could overwrite arbitrary files.


Example
===

$ file /tmp/debug
debug: broken symbolic link to `/etc/nologin'

Insert stick and connect:

$ su
Password:
# sh connect > /dev/null

# file debug
debug: symbolic link to `/etc/nologin'

# cd /etc && cat nologin
symlink-name: /devices/pci:00/:00:1a.7/usb1/1-3/1-3:1.0/ttyUSB0/tty

# ls -l nologin
-rw-r--r-- 1 root root 84 Jan 19 01:11 nologin


Software
========

archlinux: community/usb_modeswitch 1.2.1-1c
archlinux: core/ppp 2.4.5-3 (base)


Please verify. YMMV.


Greetings
srm

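The symlink-following pattern in the report above, reproduced in a scratch directory next to a hardened alternative. This is an added example and not usb_modeswitch's, wvdial's or pppd's code: the scratch directory (under TMPDIR, or /tmp), the file names and the function names are constructed for the example, and create_private_file() shows the O_CREAT|O_EXCL|O_NOFOLLOW open that a fixed-name debug file written by a privileged process should use.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hardened creation of a fixed-name scratch file: O_EXCL makes the open fail
 * if anything (including a dangling symlink) already sits at `path`, and
 * O_NOFOLLOW refuses a symlink as the final component. Mode 0600 keeps other
 * local users out. Returns an fd, or -1 with errno set. */
static int create_private_file(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* The pattern the report describes: a privileged process opens a fixed name
 * under /tmp for writing. fopen("w") follows a planted symlink and creates or
 * truncates whatever it points to. Returns 1 if the write went through. */
static int write_debug_naively(const char *path)
{
    FILE *f = fopen(path, "w");
    if (!f) return 0;
    fputs("debug output\n", f);
    fclose(f);
    return 1;
}

/* Plants a dangling symlink debug -> target in a fresh scratch directory and
 * records how the two strategies behave:
 *   *naive_wrote_target : 1 if the fopen path created/wrote the link target
 *   *hardened_errno     : errno from create_private_file() on the symlink
 *                         (0 would mean it wrongly succeeded)
 *   *hardened_fresh_ok  : 1 if create_private_file() works on a fresh name
 * Returns 1 on success, 0 if the scratch setup failed. Cleans up after itself. */
static int run_symlink_demo(int *naive_wrote_target, int *hardened_errno,
                            int *hardened_fresh_ok)
{
    const char *tmp = getenv("TMPDIR");
    char dir[512], link_path[600], target_path[600], fresh_path[600];
    struct stat st;
    int fd;

    snprintf(dir, sizeof dir, "%s/symlink-demo-XXXXXX", tmp ? tmp : "/tmp");
    if (!mkdtemp(dir)) return 0;
    snprintf(link_path, sizeof link_path, "%s/debug", dir);
    snprintf(target_path, sizeof target_path, "%s/target", dir);
    snprintf(fresh_path, sizeof fresh_path, "%s/fresh", dir);

    /* What any local user can do ahead of time in a shared /tmp. */
    if (symlink(target_path, link_path) != 0) { rmdir(dir); return 0; }

    /* Naive open follows the link: the target now exists with our content. */
    write_debug_naively(link_path);
    *naive_wrote_target = (stat(target_path, &st) == 0 && st.st_size > 0);

    /* Hardened open refuses the pre-planted entry (EEXIST, or ELOOP on
     * systems that evaluate O_NOFOLLOW first) ... */
    fd = create_private_file(link_path);
    *hardened_errno = (fd >= 0) ? 0 : errno;
    if (fd >= 0) close(fd);

    /* ... but works normally when nothing has been planted. */
    fd = create_private_file(fresh_path);
    *hardened_fresh_ok = (fd >= 0);
    if (fd >= 0) close(fd);

    unlink(fresh_path);
    unlink(target_path);
    unlink(link_path);
    rmdir(dir);
    return 1;
}

int main(void)
{
    int wrote = 0, err = 0, fresh = 0;
    if (!run_symlink_demo(&wrote, &err, &fresh)) { perror("setup"); return 1; }
    printf("fopen(\"w\") on planted symlink wrote its target: %s\n", wrote ? "yes" : "no");
    printf("O_CREAT|O_EXCL|O_NOFOLLOW on planted symlink: %s\n",
           err ? strerror(err) : "succeeded (unexpected)");
    printf("O_CREAT|O_EXCL|O_NOFOLLOW on a fresh name: %s\n", fresh ? "ok" : "failed");
    return 0;
}
```

The naive path is exactly what the `file debug` output in the report shows: a link planted at a predictable name is followed and the root-owned write lands on /etc/nologin. With O_EXCL the open cannot reuse a pre-existing entry at all, so the only remaining question for the writer is how to react to the failure (log and give up, never fall back to following), and a per-process directory from mkdtemp() removes the predictable name in the first place.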


Re: [Full-disclosure] [CVE-2012-0207] Linux IGMP Remote Denial Of Service

2012-01-19 Thread HI-TECH .
Hi XD,

Am 19. Januar 2012 15:27 schrieb xD 0x41 sec...@gmail.com:
 Oh and btw, that coding style, just aint you dude... you know,
 everyone has their own fingerprint, i find it really hard to think
 that, you just made this mistakes in cksum area, which was area which
 actually does the exploiting :P , so why release crap ? why not make

I release it because it worked for me INSIDE TWO VMs, I had no clue about
the checksum error. I didn't cripple it. It worked in my tests because I
bet the vmware did adjust the checksums to be correct.
Why release that crap? Because I wanted to be the first to release an
exploit for it for fame and glory and it was coded in a hurry, I was
thinking it actually works (I am doing more tests now on real hardware so
I can be sure).

 it half decent, and as i said, it was not even your coding style so im
 finding this really hard to believe it was yours, maybe was modified
 , from many many similars, but, i guess thats normal... you tend to

It is modified code from other coders as stated in the header.

 use perl, and bash a lot, within your bash, is the .c, and that is your
 style... like zx2c has, like dan rosenberg and JO, all kept the same
 style, because it is habit for any coder.. you dont just change styles
 this fast, or did you get some really good ebooks coz, show me where
 you found so i can catch up to it :P)

I didn't change my coding style, it was just done in a hurry so Dan or
Jon wouldn't beat me on that BWHAHAHA.

 Love you long time pal, but, find this one a bit shitty, and, i do like
 everything in past, your codes going back to you know when, but this
 is bs, and if you were gonna rls it, you shoulda fucked with the
 numbers maybe, but, let it fkn run, it was made as poc for lan test
 right, so why cripple it, thats just silly... thats why i attack it,
 and, i dont really care a shit who coded it, but, i doubt it was
 anyone in that code.

You can attack it, it's your opinion and that's totally fine. I didn't
cripple the code actually.

 have a good day and, no offence over this but, it just shits me when
 people, who know better, go out of their way and release publicly,
 shit which is fucked up and, in this case, would waste a persons time,
 and, you even put tested on, and, now, how would it be tested with
 that cksum, please explain that then, you're saying you dont have time
 but stop bullshit man, you crippled it, just fkn admit it, it could
 NOT work setup, without the damn cksum, as it was part of sendto! how
 could this, be any use, even with the settings back to old, without my
 edit you show me one fucking real test, i mean, compile the code,
 infront of people, then go make your fYT vids, seriously, I have told
 Jon Oberheldie this, and others, str8 up, if you release crippled
 shit, you're as shit as what you cripple mate.

You forget about all the codes I rlsed before. As I said this was done
in a hurry. You had a look at roaring beast? How can you tell me I send
crippled codes out? Buddy I'm human too and do mistakes.

 thats just my point of view and really, this is d0s, which, i dont care
 for..im saying, you dont see AB release some fucked up exploit every

AB? who's that?

 2months, and make SURE it dont work, you dont see anyone release shit
 like this anymore with such blatant errors, its just shitty, luckily i
 nano'd it, yea, i like nano ok, or i would have wasted time

wtf? come on.. nano.. this is getting silly

 kcope...its just that simple, and no offences at all, i was able to
 spot this, but, do not sit there, telling me and everyone else, that
 it was working, tested... coz, we both know that was NOT the same code
 released, you cannot deny the code simple.
 you screwed this one up. go back to exploiting :P it's better and you're
 better at it! :P

As I said I tested it with two VMs in a testbed and both Ubuntu and
OpenSUSE crashed instantly.

 I like your shit, but, i really prefer, when kcope, is thinking
 of b0f and new methods etc, like i know the one from 2009 did, and
 found the biggest remote hole ever, and you even released this, and
 people can hate you and whatever but there is no denying it, you're damn
 skilled, so im just saying, i dont like crippled work, nowadays, and
 when it is released with a mark of approval, from someone i trust.

It's 2011 and I found a bug in FreeBSD ftpd. Which is better than ProFTPD coz
it rocks, have you ever seen a bug in FreeBSD ftpd since ~10 years?

 this is private, and, stays here but, this is why i attacked you dude,
 and, nothing bad about it, it stays here, and, thats it... i wont say
 shit, i have said what i wanted, you're a nice guy, i like you, so,
 thats all, i just dont want to see you ending up like them other fags,
 they have 0 respect UG... you do at least have that... fuck fd lists
 respect... but still, you just had to leave out that line 'tested' ;)

I like the public scene more than the dark one.

 ok, sorry for any confusion etc but, thats all i think and, i want you
 to 

Re: [Full-disclosure] Avast Antivirus

2012-01-19 Thread xD 0x41
Here is your post taken from the forum, it was not really taken to
well but, no matter, im just stating the facts as i see them, and
hope you understand this, but, i am also giving you the chance to please
try a real sandboxie, then load some bot.exe into it, and watch what
it does... would maybe explain a bit better what a sandbox is about.

[..]
Then I just wondered: What is that SafeZone and how does it work?
I opened Process Explorer and noticed, that the processes run under
the same user account o.O
I tried some simple dll-injection into the browser and the first
attempt worked. This really made me laugh.  --- this is standard for
a sandbox, try SandBoxie, it is a bit neater for a sandbox, and maybe
what you're after
When I tried to save some screenshots I noticed that the file is
created but empty afterwards, when I place it on the system drive. But
saving to another drive was no problem at all.
Could you please tell me what this feature is supposed to prevent?

Re: Safezone vs DllInjection
From what I read and already used, SAFEZONE BROWSER is a Google
browser without toolbars that can access your info. Nothing else.
Nothing goes from out into but you can go from in to out, so that's why
they call it safezone. What's a dll injection and how do you do it?


Yes, dude they wont bother to do anything because thats actually what
you 'can' do in the safezone, is inject a dll, and then yes, it should
show up virtually tho, not actually running on your main box right...
coz, it is injection INTO the sandbox when you use say, SandBoxie
for example, you would load the app up and, simply right-click on any
file and open within sandboxie, then, you can watch it drop and dump a
million exes, thats exactly what it is supposed to be doing, is not
letting this out.
now, if you're saying you injected, into the AV dll itself, which, i see
nothing here of, then there would be a vuln, which would need attending,
but, you're injecting into this safezone, which is, what nearly every AV
nowadays comes with, simply a processkiller/sandbox, so in some cases,
it can be of use to you in making sure you're safe,...
anyhow, seems like, normal functioning sandbox to me, you should have
these powers to inject anything into it, and, then trace that dll you
injected.
Cheers dude..hope you have a good time playing with sandbox, dirtying
them is definitely fun :)
drew



On 19 January 2012 22:04, Juergen Schmidt j...@ct.de wrote:



Re: [Full-disclosure] [CVE-2012-0207] Linux IGMP Remote Denial Of Service

2012-01-19 Thread GloW - XD
Try fixing the in_cksum() function, it has been intentionally
crippled, also, look at both of the 'ips', both should really be argvs, as
they're set in saddr/daddr ;)
this should be easy to fix, or read the pasted one i think is in one
of my posts in reply to it, it will show where i had to adjust it, as
the sendto, will never work with the in_cksum not functional, lan, or
no lan...
anyhow, you could ignore me, but in the end, read the code... later dude.
drew



On 19 January 2012 09:43, Morgus Magnificent
morgusdamagnific...@gmail.com wrote:



Re: [Full-disclosure] [CVE-2012-0207] Linux IGMP Remote Denial Of Service

2012-01-19 Thread xD 0x41
I release it because it worked for me INSIDE TWO VM's, I had no clue about the
checksum error. I didnt cripple it. It worked in my tests because I
bet the vmware


please... dude, it does not work without it, so, there is one person
thats already come forward, how many more, before you just admit that,
you released it, knowing that bug was there, or, you simply got setup
maybe ? by not being the actual coder ? who knows, i did not read what
you just sent me, as, really that was private, you put it up
there...but, you're not in the right this time dude, i mean, i still
love ya work and all but, you cannot tell me this crap, worked, as is,
i think maybe, you were given perhaps a binary to use and used it,
and then maybe, did not bother to fix the code or, you knew, and
ignored it. you cannot bullshit, a bullshitter :P
drew



Re: [Full-disclosure] [CVE-2012-0207] Linux IGMP Remote Denial Of Service

2012-01-19 Thread root
Hi,

You already have a good reputation as a bug-finder.
IMHO, releasing additional research in a hurry like this can only
tarnish that reputation and feed the trolls.
Providing a kernel stack trace ( http://imgur.com/klC4k ) or a more
reliable PoC can't take more than an hour, and it will greatly enhance
the quality of the report.

If you are worried that several people have found a particular bug and
publication is imminent, then maybe it was not such a great find to begin
with :)






On 01/19/2012 02:32 PM, HI-TECH . wrote:
 Hi XD,
 
 On 19 January 2012 15:27, xD 0x41 sec...@gmail.com wrote:
 Oh and btw, that coding style, just ain't you dude... you know,
 everyone has their own fingerprint, i find it really hard to think
 that, you just made these mistakes in the cksum area, which was the area which
 actually does the exploiting :P , so why release crap ? why not make
 
 I release it because it worked for me INSIDE TWO VM's, I had no clue about the
 checksum error. I didn't cripple it. It worked in my tests because I
 bet the vmware
 did adjust the checksums to be correct.
 Why release that crap? Because I wanted to be the first to release an
 exploit for it
 for fame and glory and it was coded in a hurry, I was thinking it
 actually works (I am doing
 more tests now on real hardware so I can be sure)
 
 it half decent, and as i said, it was not even your coding style so i'm
 finding this really hard to believe it was yours, maybe it was modified
 , from many many similars, but, i guess that's normal... you tend to
 
 It is modified code from other coders as stated in the header.
 
 use perl, and bash a lot, within your bash, is the .c, and that is your
 style... like zx2c has, like dan rosenberg and JO, all keep the same
 style, because it is habit for any coder.. you don't just change styles
 this fast, or did you get some really good ebooks coz, show me where
 you found them so i can catch up to it :P)
 
 I didn't change my coding style, it was just done in a hurry so Dan or
 Jon wouldn't beat me on that BWHAHAHA.
 
 Love you long time pal, but, find this one a bit shitty, and, i do like
 everything in past, your codes going back to you know when, but this
 is bs, and if you were gonna rls it, you shoulda fucked with the
 numbers maybe, but, let it fkn run, it was made as poc for lan test
 right, so why cripple it, that's just silly... that's why i attack it,
 and, i don't really care a shit who coded it, but, i doubt it was
 anyone in that code.
 
 You can attack it, it's your opinion and that's totally fine. I didn't
 cripple the code
 actually.
 
 have a good day and, no offence over this but, it just shits me when
 people, who know better, go out of their way and release publicly,
 shit which is fucked up and, in this case, would waste a person's time,
 and, you even put tested on, and, now, how would it be tested with
 that cksum, please explain that then, you're saying you don't have time
 but stop bullshit man, you crippled it, just fkn admit it, it could
 NOT work setup, without the damn cksum, as it was part of sendto! how
 could this, be any use, even with the settings back to old, without my
 edit you show me one fucking real test, i mean, compile the code,
 in front of people, then go make your fYT vids, seriously, I have told
 Jon Oberheide this, and others, str8 up, if you release crippled
 shit, you're as shit as what you cripple mate.
 
 You forget about all the codes I released before. As I said this was done
 in a hurry. You had a look at roaring beast ? How can you tell me I send
 crippled codes out? Buddy I'm human too and do mistakes.
 
 that's just my point of view and really, this is d0s, which, i don't care
 for..i'm saying, you don't see AB release some fucked up exploit every
 
 AB? who's that ?
 
 2 months, and make SURE it don't work , you don't see anyone release shit
 like this anymore with such blatant errors, it's just shitty, luckily i
 nano'd it, yea, i like nano ok, or i would have wasted time
 
 wtf ? come on.. nano.. this is getting silly
 
 kcope...it's just that simple, and no offence at all, i was able to
 spot this, but, do not sit there, telling me and everyone else, that
 it was working, tested... coz, we both know that was NOT the same code
 released, you cannot deny the code simple.
 you screwed this one up. go back to exploiting :P it's better and you're
 better at it! :P
 
 As I said I tested it with two VMs in a testbed and both Ubuntu and
 OpenSUSE crashed
 instantly.
 
 I like your shit, but, i really prefer, when kcope, is thinking
 of b0f and new methods etc, like i know the one from 2009 did, and
 found the biggest remote hole ever, and you even released this , and
 people can hate you and whatever but there is no denying it, you're damn
 skilled, so i'm just saying, i don't like crippled work, nowadays, and
 when it is released with a mark of approval, from someone i trust.
 
 It's 2011 and I found a bug in FreeBSD ftpd. Which is better than ProFTPD coz
 it rocks, have you ever seen a bug in 

Re: [Full-disclosure] [CVE-2012-0207] Linux IGMP Remote Denial Of Service

2012-01-19 Thread root
BTW your bug is a division by zero and it's here:

Linux/net/ipv4/igmp.c

178 static void igmp_start_timer(struct ip_mc_list *im, int max_delay)
179 {
180 int tv = net_random() % max_delay;  <---  max_delay==0
181
182 im->tm_running = 1;
183 if (!mod_timer(&im->timer, jiffies+tv+2))
184 atomic_inc(&im->refcnt);
185 }
186




On 01/19/2012 08:49 PM, root wrote:
 Hi,
 
 You already have a good reputation as a bug-finder.
 IMHO, releasing additional research in a hurry like this can only
 tarnish that reputation and feed the trolls.
 Providing a kernel stack trace ( http://imgur.com/klC4k ) or a more
 reliable PoC can't take more than an hour, and it will greatly enhance
 the quality of the report.
 
 If you are worried several people have found a particular bug and
 publication is imminent, then maybe it was not such a great find to begin
 with :)
 
 
 
 
 
 
 On 01/19/2012 02:32 PM, HI-TECH . wrote:
 Hi XD,

 On 19 January 2012 15:27, xD 0x41 sec...@gmail.com wrote:
 Oh and btw, that coding style, just ain't you dude... you know,
 everyone has their own fingerprint, i find it really hard to think
 that, you just made these mistakes in the cksum area, which was the area which
 actually does the exploiting :P , so why release crap ? why not make

 I release it because it worked for me INSIDE TWO VM's, I had no clue about 
 the
 checksum error. I didn't cripple it. It worked in my tests because I
 bet the vmware
 did adjust the checksums to be correct.
 Why release that crap? Because I wanted to be the first to release an
 exploit for it
 for fame and glory and it was coded in a hurry, I was thinking it
 actually works (I am doing
 more tests now on real hardware so I can be sure)

 it half decent, and as i said, it was not even your coding style so i'm
 finding this really hard to believe it was yours, maybe it was modified
 , from many many similars, but, i guess that's normal... you tend to

 It is modified code from other coders as stated in the header.

 use perl, and bash a lot, within your bash, is the .c, and that is your
 style... like zx2c has, like dan rosenberg and JO, all keep the same
 style, because it is habit for any coder.. you don't just change styles
 this fast, or did you get some really good ebooks coz, show me where
 you found them so i can catch up to it :P)

 I didn't change my coding style, it was just done in a hurry so Dan or
 Jon wouldn't beat me on that BWHAHAHA.

 Love you long time pal, but, find this one a bit shitty, and, i do like
 everything in past, your codes going back to you know when, but this
 is bs, and if you were gonna rls it, you shoulda fucked with the
 numbers maybe, but, let it fkn run, it was made as poc for lan test
 right, so why cripple it, that's just silly... that's why i attack it,
 and, i don't really care a shit who coded it, but, i doubt it was
 anyone in that code.

 You can attack it, it's your opinion and that's totally fine. I didn't
 cripple the code
 actually.

 have a good day and, no offence over this but, it just shits me when
 people, who know better, go out of their way and release publicly,
 shit which is fucked up and, in this case, would waste a person's time,
 and, you even put tested on, and, now, how would it be tested with
 that cksum, please explain that then, you're saying you don't have time
 but stop bullshit man, you crippled it, just fkn admit it, it could
 NOT work setup, without the damn cksum, as it was part of sendto! how
 could this, be any use, even with the settings back to old, without my
 edit you show me one fucking real test, i mean, compile the code,
 in front of people, then go make your fYT vids, seriously, I have told
 Jon Oberheide this, and others, str8 up, if you release crippled
 shit, you're as shit as what you cripple mate.

 You forget about all the codes I released before. As I said this was done
 in a hurry. You had a look at roaring beast ? How can you tell me I send
 crippled codes out? Buddy I'm human too and do mistakes.

 that's just my point of view and really, this is d0s, which, i don't care
 for..i'm saying, you don't see AB release some fucked up exploit every

 AB? who's that ?

 2 months, and make SURE it don't work , you don't see anyone release shit
 like this anymore with such blatant errors, it's just shitty, luckily i
 nano'd it, yea, i like nano ok, or i would have wasted time

 wtf ? come on.. nano.. this is getting silly

 kcope...it's just that simple, and no offence at all, i was able to
 spot this, but, do not sit there, telling me and everyone else, that
 it was working, tested... coz, we both know that was NOT the same code
 released, you cannot deny the code simple.
 you screwed this one up. go back to exploiting :P it's better and you're
 better at it! :P

 As I said I tested it with two VMs in a testbed and both Ubuntu and
 OpenSUSE crashed
 instantly.

 I like your shit, but, i really prefer, when kcope, is thinking
 of b0f and new methods etc, like i know the one from 2009 did, and
 

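For readers who want to see the arithmetic behind root's one-line diagnosis, here is an added example, written for this page and not code from the thread or from the kernel tree. It models in userspace how a membership query's Max Resp field becomes max_delay (literal tenths of a second for an 8-byte IGMPv2 query, the RFC 3376 float encoding for an IGMPv3 query, the 10 s default the kernel substitutes for an IGMPv1 query whose code is 0), then runs the same `random % max_delay` expression as igmp_start_timer() twice: once unguarded, catching the SIGFPE that stands in for the kernel oops, and once with a floor of one jiffy. The packet bytes are constructed (the checksum bytes are filler), HZ=1000 is an assumption, and every function name here is this example's own.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <signal.h>
#include <setjmp.h>

/* Assumed constants: a 1000 Hz kernel, the 1/10 s unit of the Max Resp
 * field, and the 10 s IGMPv1 default response interval. */
#define HZ                           1000
#define IGMP_TIMER_SCALE             10
#define IGMP_QUERY_RESPONSE_INTERVAL (10 * HZ)
#define IGMP_HOST_MEMBERSHIP_QUERY   0x11

/* IGMPv3 Max Resp Code (RFC 3376 4.1.1): values < 128 are literal, otherwise
 * 1eee mmmm -> (mmmm | 0x10) << (eee + 3).  Result is in 1/10 s. */
unsigned igmpv3_mrc(uint8_t code)
{
    if (code < 128)
        return code;
    return ((code & 0x0f) | 0x10) << (((code >> 4) & 0x07) + 3);
}

/* Bare derivation of max_delay (jiffies) from a raw query, no clamping:
 * 8 bytes is v1/v2 (code 0 = an IGMPv1 router, which gets the default
 * interval; otherwise literal tenths), longer is v3 and uses igmpv3_mrc().
 * A v3 query with code 0 therefore yields 0.  Returns -1 if not a query. */
int query_max_delay(const uint8_t *pkt, size_t len)
{
    if (len < 8 || pkt[0] != IGMP_HOST_MEMBERSHIP_QUERY)
        return -1;
    if (len == 8)
        return pkt[1] ? (int)(pkt[1] * (HZ / IGMP_TIMER_SCALE))
                      : IGMP_QUERY_RESPONSE_INTERVAL;
    return (int)(igmpv3_mrc(pkt[1]) * (HZ / IGMP_TIMER_SCALE));
}

/* Constructed sample queries (not captures; checksum bytes are filler). */
int v2_query_max_delay(void)       /* 8-byte IGMPv2 query, Max Resp Time 0x64 = 10.0 s */
{
    static const uint8_t pkt[8] = { 0x11, 0x64, 0x00, 0x00, 0, 0, 0, 0 };
    return query_max_delay(pkt, sizeof pkt);
}
int v3_zero_query_max_delay(void)  /* 12-byte IGMPv3-style query, Max Resp Code 0 */
{
    static const uint8_t pkt[12] = { 0x11, 0x00, 0x00, 0x00, 0, 0, 0, 0, 0x00, 0x0a, 0, 0 };
    return query_max_delay(pkt, sizeof pkt);
}

static sigjmp_buf fpe_env;
static void on_sigfpe(int sig) { (void)sig; siglongjmp(fpe_env, 1); }

/* igmp.c line 180 as written: random % max_delay with no guard.  Returns 1
 * if the divide trapped (SIGFPE here, the oops in the kernel), else 0. */
int unguarded_trapped(uint32_t random, unsigned max_delay)
{
    struct sigaction sa, old;
    volatile int trapped = 1;
    volatile unsigned tv = 0;

    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_sigfpe;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGFPE, &sa, &old);
    if (sigsetjmp(fpe_env, 1) == 0) {
        volatile unsigned md = max_delay;   /* keep a real divide instruction */
        tv = random % md;
        trapped = 0;
    }
    sigaction(SIGFPE, &old, NULL);
    (void)tv;
    return trapped;
}

/* Hardened: a zero never reaches the modulo.  One jiffy is the floor, the
 * same clamp the upstream fix applied where max_delay is derived. */
unsigned guarded_delay(uint32_t random, unsigned max_delay)
{
    if (max_delay == 0)
        max_delay = 1;
    return random % max_delay;
}

int main(void)
{
    int md = v2_query_max_delay();
    printf("v2 query (0x64): max_delay=%d jiffies, tv=%u\n", md, guarded_delay(12345, (unsigned)md));
    md = v3_zero_query_max_delay();
    printf("v3 query (code 0): max_delay=%d jiffies\n", md);
    printf("unguarded: %s\n", unguarded_trapped(12345, (unsigned)md) ? "SIGFPE (the kernel oops)" : "no trap");
    printf("guarded:   tv=%u\n", guarded_delay(12345, (unsigned)md));
    return 0;
}
```

Build with `cc -O2 -o igmp_delay igmp_delay.c` and run it. Whether the unguarded call actually traps depends on the CPU raising a divide fault on integer division by zero (x86 does; some architectures return 0 silently), which is itself the reminder that the guard, not the trap, is the fix: any query-parsing branch that can hand a zero max_delay to this timer must clamp it first.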
[Full-disclosure] Facebook seems to think my Arch Linux box has malware on it

2012-01-19 Thread Wesley Kerfoot
So there I was, innocently posting anti-SOPA links on my wall. I close my
facebook tab temporarily, open a new one a few minutes later, and I’m
logged out of my account.

“Well that’s odd” I think. So I log back in.

“Your computer has malware!” Facebook says to me. They tell me that my
computer has malware, okay, well I am very skeptical of that since I run
Arch Linux, my kernel and all of my software is up-to-date, and I don’t
remember running any strange shell scripts as root.

They then proceed to force me to certify that I've run anti-virus software,
and link to several Windows and OS X programs.

“Well that’s offensive to me, both as a Linux user and a Programmer” I
think. Why would they not even bother to check my user-agent to see what OS
I am running? Why does Facebook even have an algorithm to try and detect if
someone has malware on their computer? How do you even say “You have
malware on your computer” with any confidence when the only interface
between you and the user is HTTP? Facebook doesn’t have access to my
computer’s hard disk. They have no right to tell me if I do or do not have
any malware.

So now I am completely locked out of making any changes to my account or
posting on my wall, or anyone else’s. All because Facebook was too lazy to
check for false positives. This will supposedly last for around two days.

I ended up sending a bug report that will most likely be ignored, and not
even looked at. I will most likely end up waiting the two days for my
account to be re-instated because I don’t know anyone who personally works
for facebook that can fix the issue.

The message here for Facebook is that they shouldn’t implement systems that
they can’t support when they fail.

Apparently (this is according to people who I’ve talked to) there is a
virus program going around in the Windows world called the “Carberp”
Trojan. The lesson here is also that even if you refuse to use Windows, you
can still be affected by the mediocrity of Windows. You are not 100% safe
even on Linux, BSD, or Haiku.

Good job Facebook! You just impeded someone who was trying to help you stay
around!

Re: [Full-disclosure] Facebook seems to think my Arch Linux box has malware on it

2012-01-19 Thread Byron Sonne
Hello,

 “Your computer has malware!” Facebook says to me.

I am really curious to know, assuming that everything you've said is
accurate, how they determine you've got malware. This is rather curious.

The more I think about it, the more I wonder if something's come between
you and facebook pretending to be official, hoping to trick you into
downloading something.

Cheers

-- 
 freebyron.org



Re: [Full-disclosure] Facebook seems to think my Arch Linux box has malware on it

2012-01-19 Thread xD 0x41
+1

this was the first and biggest hack ever done on myspace, which simply,
pretended you needed the 'java flash' plugin, to view the 'wall' of
your friend..now, they killed it but by then, it was suicide...and,
they had no idea for many months... this, is known, and also that FB
has added new features, but, not being a user of it, i guess, i'd
rather not learn and, all i'm thinking is, the virus i will end up
having to remove from my sister's PC in the next day or so :)
cheers... but, yea, i agree, i think it is a simple page trickery, FB,
their own security, would be used against them, it is that new :P,.
so, everything new...well...let's say, has teething probs eh...well,
many of the major sites did...and, this worm for myspace, was simple, it
pretended to be the actual, legit page, but, it was just simply
hiding a vuln in myspace which let you still, execute a 'plugin' which,
was your url to malware, but, you had to use the actual 'plugin' to
succeed, so, not the official one ofc, but, it seemed VERY
official...and, took so long to detect, i think that's what killed
MySpace..for sure...and will be same, for Fb, if they don't keep up with
the times...as, people , even as big as cisco, now see... that, it is
very very important, to update code :)
have a great day.


On 20 January 2012 14:57, Byron Sonne byron.so...@gmail.com wrote:
 Hello,

 “Your computer has malware!” Facebook says to me.

 I am really curious to know, assuming that everything you've said is
 accurate, how they determine you've got malware. This is rather curious.

 The more I think about it, the more I wonder if something's come between
 you and facebook pretending to be official, hoping to trick you into
 downloading something.

 Cheers

 --
  freebyron.org

