Re: [Full-disclosure] Who's behind limestonenetworks.com AKA DDoS on polipo(8123)

2013-08-17 Thread Valdis . Kletnieks
On Sat, 17 Aug 2013 13:39:16 +0200, Jann Horn said:

> And yes, you're right, a DoS attack can be unsuccessful. My point was that
> this small amount of traffic shouldn't be called a DDoS because there's no
> way that the intention behind this amount of traffic was to take down that
> service with pure bandwidth.

How quickly they forget

Not all DDoS are pure bandwidth based.  Consider SYN flooding, where the
packets sent are relatively small and often not even all that frequent, but can
tie up large amounts of resources on the target machine. This sort of attack
works particularly well against sites that have a big blind spot because they
think that all DDoS attacks are massive bandwidth hosedowns.

How many connections/sec does it take to forkbomb your Apache server into
uselessness?  And if you rate limit your Apache so your system doesn't
forkbomb, how many does it take to prevent legitimate traffic from being
serviced?



___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

[Full-disclosure] Defense in depth -- the Microsoft way (part 7): executable files in data directories

2013-08-17 Thread Stefan Kanthak
Hi,

with Windows XP (about 12 years ago) Microsoft started to develop a
REALLY NASTY habit: they began to install executable files outside
of "%SystemRoot%\" and "%ProgramFiles%\", in "%ALLUSERSPROFILE%\"
(since Windows Vista: "%ProgramData%\") and even "%USERPROFILE%\".


Examples:

* "%ALLUSERSPROFILE%\DRM\INDIVBOX.KEY"

  a DLL, installed there when a user runs the DRM individualisation
  process of Windows Media Player

* "%COMMONAPPDATA%\Microsoft\PlayReady\Cache\...\MSPRindiv01.key"

  a DLL, used for Silverlight's PlayReady DRM

* "%APPDATA%\Microsoft\Virtual PC\VPCKeyboard.dll"

* "%LOCALAPPDATA%\Microsoft\SkyDrive\..."

...

While this is a violation of Microsoft's own, about 18 years old
"Designed for Windows" guidelines, it tears down the security boundary
created with NTFS permissions/access rights and "privilege separation":
unprivileged users can't write to "%SystemRoot%\" and "%ProgramFiles%\"
and below, so all executables installed there are protected against
tampering by unprivileged users (and programs/malware running under
unprivileged user accounts).

Executables installed in %USERPROFILE% are, however, NOT protected against
tampering and can undermine at least the user's safety.


Marcus J. Ranum was SOO right, back in 2007, when he wrote in
"Execution Control: Death to Antivirus":

| It makes sense; security never has been important in Windows.


JFTR: unfortunately not only Microsoft shows this bad habit:
  crapware like the versions of Google Chrome or Google Drive
  that are offered to "end users" installs into
  "%LOCALAPPDATA%\Google\Chrome\Application\...",
  "%LOCALAPPDATA%\Google\Update\..." and even subdirectories
  of "%TEMP%", Dropbox installs into "%APPDATA%\Dropbox\...",
  SoftMaker Office creates a DLL with the user registration data
  in "%APPDATA%\SoftMaker" (and fails MISERABLY if execution is
  denied there), Mozilla Firefox and Thunderbird download their
  updaters to "%APPDATA%\Mozilla\..." (and fail MISERABLY if
  execution is denied there), extensions like Mozilla Lightning
  install DLLs below "%APPDATA%\Mozilla\..." (and fail MISERABLY
  if execution is denied there), ...


I recommend that the developers responsible for these crimes against
computer safety and security learn the meaning of the word "DATA"
before they are allowed to pester unsuspecting users with more of
their (by the very design) unsafe and insecure programs.


stay tuned
Stefan Kanthak


PS: it's getting worse^Wmore complicated (and as everybody with a
sane mind knows: complexity reduces/ruins safety and security)!

With Windows Vista Microsoft introduced "user account control"
(really: they surrendered to all those incapable and incompetent
developers who were and are unable and unwilling to write Windows
software that runs without administrative rights, as requested in
their own, then about 11 year old "Designed for Windows" guidelines)
and "UAC virtualization", which redirects write access failures
(and after that, read accesses too) of "legacy applications", i.e.
32-bit processes run by unprivileged interactive users,
below "%SystemRoot%\", "%ProgramFiles%\" and "%ProgramData%\" to
"%LOCALAPPDATA%\VirtualStore\".

| However, any file with an executable extension, including .exe,
| .bat, .scr, .vbs, and others, is excluded from virtualization.

The list of predefined "executable" extensions (as found within
%SystemRoot%\System32\Drivers\LUAFV.SYS) is:
.acm, .asa, .asp, .aspx, .ax, .bat, .cer, .chm, .clb, .cmd, .cnt,
.cnv, .com, .cpl, .cpx, .crt, .dll, .drv, .exe, .fon, .grp, .hlp,
.hta, .ime, .inf, .ins, .isp, .its, .js, .jse, .lnk, .msc, .msi,
.msp, .mst, .mui, .nls, .ocx, .pal, .pcd, .pif, .reg, .scf, .scr,
.sct, .shb, .shs, .sys, .tlb, .tsp, .url, .vb, .vbe, .vbs, .vsmacros,
.ws, .wsc, .wsf and .wsh

BUT: .key (see above) is missing!

To modify this list, edit

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Luafv\Parameters]
"ExcludedExtensionsAdd"=multi:
"ExcludedExtensionsRemove"=multi:

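An audit script for the problem Stefan describes, added here for this archive page (it is not his code). It walks the profile directories he names and reports every file that is a PE image by its MZ/PE headers, whatever its extension, then marks whether that extension is on the luafv.sys exclusion list quoted in the post (copied from it; verify against the Luafv\Parameters key on your own build). A *.key DLL therefore shows up as a PE image that UAC virtualization would not exclude. The roots come from %ALLUSERSPROFILE%, %ProgramData%, %APPDATA% and %LOCALAPPDATA% when they exist in the environment; demo() builds a throwaway tree with constructed MZ/PE headers mirroring INDIVBOX.KEY and VPCKeyboard.dll so the script also runs on a non-Windows box.

```python
import os
import tempfile

# Extensions luafv.sys refuses to virtualize, copied from the post above.
LUAFV_EXCLUDED = {
    ".acm", ".asa", ".asp", ".aspx", ".ax", ".bat", ".cer", ".chm", ".clb",
    ".cmd", ".cnt", ".cnv", ".com", ".cpl", ".cpx", ".crt", ".dll", ".drv",
    ".exe", ".fon", ".grp", ".hlp", ".hta", ".ime", ".inf", ".ins", ".isp",
    ".its", ".js", ".jse", ".lnk", ".msc", ".msi", ".msp", ".mst", ".mui",
    ".nls", ".ocx", ".pal", ".pcd", ".pif", ".reg", ".scf", ".scr", ".sct",
    ".shb", ".shs", ".sys", ".tlb", ".tsp", ".url", ".vb", ".vbe", ".vbs",
    ".vsmacros", ".ws", ".wsc", ".wsf", ".wsh",
}

def is_pe_image(path):
    """True if the file carries an MZ stub whose e_lfanew points at a
    'PE\\0\\0' signature. The extension is ignored on purpose: INDIVBOX.KEY
    is a DLL no matter what its name says."""
    try:
        with open(path, "rb") as f:
            head = f.read(0x40)
            if len(head) < 0x40 or head[:2] != b"MZ":
                return False
            e_lfanew = int.from_bytes(head[0x3C:0x40], "little")
            if e_lfanew < 0x40 or e_lfanew > 0x1000:
                return False
            f.seek(e_lfanew)
            return f.read(4) == b"PE\0\0"
    except OSError:
        return False

def scan_data_dirs(roots):
    """(path, ext, excluded) for every PE image below the roots.
    excluded=False flags a file like *.key that the luafv list does not
    cover, so a legacy 32-bit process's writes to it would be redirected
    into %LOCALAPPDATA%\\VirtualStore and read back from there."""
    hits = []
    for root in roots:
        for dirpath, _, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                if is_pe_image(path):
                    ext = os.path.splitext(name)[1].lower()
                    hits.append((path, ext, ext in LUAFV_EXCLUDED))
    return hits

def profile_roots():
    """The directories named in the post, taken from the environment when
    set, so the same script runs (and finds nothing) on a non-Windows box."""
    names = ("ALLUSERSPROFILE", "ProgramData", "APPDATA", "LOCALAPPDATA")
    return [os.environ[n] for n in names if n in os.environ]

def make_fake_pe(path):
    """Write a constructed MZ header + PE signature (not a real executable)."""
    e_lfanew = 0x80
    head = bytearray(b"MZ") + b"\0" * (0x3C - 2) + e_lfanew.to_bytes(4, "little")
    head += b"\0" * (e_lfanew - len(head)) + b"PE\0\0"
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(head)

def demo():
    """Throwaway tree mirroring two of the post's examples plus a decoy
    text file that merely starts with 'MZ'."""
    base = tempfile.mkdtemp()
    make_fake_pe(os.path.join(base, "DRM", "INDIVBOX.KEY"))
    make_fake_pe(os.path.join(base, "Microsoft", "Virtual PC", "VPCKeyboard.dll"))
    with open(os.path.join(base, "DRM", "readme.txt"), "wb") as f:
        f.write(b"MZ" + b"\0" * 0x3E + b"not a PE image at all")
    return scan_data_dirs([base])

if __name__ == "__main__":
    for path, ext, excluded in scan_data_dirs(profile_roots()) or demo():
        print(f"{path}  ext={ext}  luafv_excluded={excluded}")
```

The check is deliberately content-based: an extension filter would miss exactly the files this post is about. Scripts (.js, .vbs, .bat) are not PE images and are not found by it; for those, the extension list is the only handle.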


[Full-disclosure] about ld-2.5.so security

2013-08-17 Thread x90c
Hi Folks!

It's my review article on rtld security.
You may use it for future research.

http://www.x90c.org/articles/glibc/rtld_security.txt


...
- glibc 2.5 rtld security mechanisms
- attack techniques
- payload injection vectors
...



x90c

[Full-disclosure] CS, XSS and FPD vulnerabilities in MCImageManager for TinyMCE

2013-08-17 Thread MustLive

Hello list!

I want to warn you about vulnerabilities in Moxiecode Image Manager 
(MCImageManager). This is a commercial plugin for TinyMCE. It concerns 
MCImageManager itself as well as all web applications which have 
MCImageManager in their bundle.


These are Content Spoofing, Cross-Site Scripting and Full Path Disclosure 
vulnerabilities. I already informed the developer about the Content Spoofing 
and Cross-Site Scripting vulnerabilities in flvPlayer in October 2011 
(it was part of the Media plugin for TinyMCE) and disclosed them in November. 
After my notification he fixed these holes in the Media plugin in November 2011. 
But he forgot to fix them in the MCImageManager plugin.


-
Affected products:
-

Vulnerable are Moxiecode Image Manager 3.1.5 and previous versions.

-
Affected vendors:
-

Moxiecode
http://www.moxiecode.com

--
Details:
--

Content Spoofing (WASC-12):

Flash file flvPlayer.swf accepts arbitrary addresses in the parameters flvToPlay 
and startImage, which allows spoofing the content of the Flash, i.e. by setting 
addresses of video and/or image files from another site.


http://site/tiny_mce/plugins/imagemanager/pages/im/flvplayer/flvPlayer.swf?flvToPlay=1.flv

http://site/tiny_mce/plugins/imagemanager/pages/im/flvplayer/flvPlayer.swf?autoStart=false&startImage=1.jpg

http://site/tiny_mce/plugins/imagemanager/pages/im/flvplayer/flvPlayer.swf?flvToPlay=1.flv&autoStart=false&startImage=1.jpg

Flash file flvPlayer.swf accepts arbitrary addresses in the parameter flvToPlay, 
which allows spoofing the content of the Flash, i.e. by setting the address of 
a playlist file from another site (the parameters thumbnail and url in the 
XML file accept arbitrary addresses).


http://site/tiny_mce/plugins/imagemanager/pages/im/flvplayer/flvPlayer.swf?flvToPlay=1.xml

File 1.xml:







XSS (WASC-08):

If, on a page of the site that embeds flvPlayer.swf (with the parameter 
jsCallback=true, or if it is possible to set this parameter for 
flv_player.swf), it is possible to include JS code defining the functions 
flvStart() and/or flvEnd() (via HTML injection), then an XSS attack can be 
conducted. I.e. the JS callbacks can be used for an XSS attack.


Example of exploit:




function flvStart() {
alert('XSS');
}
function flvEnd() {
alert('XSS');
}




height="50%" quality=high 
pluginspage="http://www.macromedia.com/shockwave/download/index.cgi?P1_Prod_Version=ShockwaveFlash"; 
type="application/x-shockwave-flash">





Full Path Disclosure (WASC-13):

Full path in cookies MCManager_im_lastPath and MCManagerHistoryCookie_im.


Timeline:
 


2011.10.20 - informed developer of flvPlayer.
2011.10.20 - informed developer of TinyMCE (which bundled with flvPlayer in 
Media plugin).

2013.06.11 - announced at my site.
2013.06.13 - informed developer of MCImageManager.
2013.08.16 - disclosed at my site (http://websecurity.com.ua/6562/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua 



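The content-spoofing part of this advisory comes down to the player fetching whatever address it is handed. The check below is an added example written for this page, not code from MCImageManager or flvPlayer (those are ActionScript; the rule is shown in Python so it can be run here): a flvToPlay, startImage, playlist url or thumbnail value passes only if it is a relative path without scheme, host, absolute prefix, traversal, query or fragment, and has an extension the player expects. The function names, the extension sets and the dict-shaped playlist entries are assumptions of this example.

```python
import posixpath
from urllib.parse import urlsplit

VIDEO_EXTS = {".flv"}
IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif"}
PLAYLIST_EXTS = {".xml"}

def is_safe_media_ref(value, allowed_exts):
    """Accept only a relative path inside the media directory: no scheme,
    no host (so neither http://other.site/ nor //other.site/), no absolute
    path, no traversal, no query or fragment, and a whitelisted extension.
    Everything else is the content-spoofing case from the advisory."""
    if not isinstance(value, str) or not value or len(value) > 255:
        return False
    if "\\" in value or "\x00" in value:
        return False
    parts = urlsplit(value)
    if parts.scheme or parts.netloc or parts.query or parts.fragment:
        return False
    if value.startswith("/"):
        return False
    norm = posixpath.normpath(parts.path)
    if norm == ".." or norm.startswith("../") or norm.startswith("/"):
        return False
    return posixpath.splitext(norm)[1].lower() in allowed_exts

def safe_player_params(params):
    """Filter the flvToPlay/startImage values a page would hand to the
    player; unsafe values are dropped rather than passed through."""
    out = {}
    if is_safe_media_ref(params.get("flvToPlay", ""), VIDEO_EXTS | PLAYLIST_EXTS):
        out["flvToPlay"] = params["flvToPlay"]
    if is_safe_media_ref(params.get("startImage", ""), IMAGE_EXTS):
        out["startImage"] = params["startImage"]
    return out

def filter_playlist(entries):
    """Same rule for the url/thumbnail pairs in a playlist XML; an entry
    with any unsafe reference is dropped whole."""
    return [e for e in entries
            if is_safe_media_ref(e.get("url", ""), VIDEO_EXTS)
            and is_safe_media_ref(e.get("thumbnail", ""), IMAGE_EXTS)]

if __name__ == "__main__":
    for v in ("1.flv", "clips/1.flv", "http://other.site/1.flv",
              "//other.site/1.flv", "../../1.flv", "javascript:alert(1)"):
        print(f"{v!r:32} -> {is_safe_media_ref(v, VIDEO_EXTS)}")
```

Rejecting protocol-relative ("//other.site/...") and absolute ("/...") values is the part a naive "starts with http" filter gets wrong; both still let the player load from an origin or path the page author did not intend.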


Re: [Full-disclosure] Who's behind limestonenetworks.com AKA DDoS on polipo(8123)

2013-08-17 Thread Jann Horn
On Fri, Aug 16, 2013 at 02:58:41PM -0300, Luther Blissett wrote:
> On Fri, 2013-08-16 at 19:31 +0200, Jann Horn wrote:
> 
> > Let me google that for you. Hmm. Assigned to "Polipo Web proxy". So maybe
> > someone tried to connect to them through your exit node and they do 
> > proxyscans
> > on people who connect to them?
> > 
> > 
> 
> Sorry but I did not understand this. I had already said it was attempt
> on polipo. What exactly was so dumb in my phrasing that required you to
> rephrase it?

Nothing, I didn't see that you had already looked up what port that is. Sorry
about that.


> > > Before the packet storm,
> > 
> > Oooh, a storm!
> > 
> > 
> Ok, maybe it was just a light wind and my system is the most laughable
> one.

Or maybe it was a light but dangerous wind. :P


Anyway, sorry for the tone in my mail – as others pointed out, it was
inappropriate. :/

Well, I hope you can figure out what caused every pair of bytes to be swapped
in that logfile line (the one where you posted the hexdump).



Re: [Full-disclosure] Who's behind limestonenetworks.com AKA DDoS on polipo(8123)

2013-08-17 Thread Luther Blissett
On Fri, 2013-08-16 at 19:31 +0200, Jann Horn wrote:

> Let me google that for you. Hmm. Assigned to "Polipo Web proxy". So maybe
> someone tried to connect to them through your exit node and they do proxyscans
> on people who connect to them?
> 
> 

Sorry but I did not understand this. I had already said it was attempt
on polipo. What exactly was so dumb in my phrasing that required you to
rephrase it?

> > Before the packet storm,
> 
> Oooh, a storm!
> 
> 
Ok, maybe it was just a light wind and my system is the most laughable
one.


> Maybe your disk is just broken?
> 
> 
This may very well be the case. I'll recheck for badblocks. The disk is
a few years old.

> >
> Your systems were impacted by a DoS attack with 30 packets per second? You 
> might
> want to upgrade to hardware that is a few decades newer.
> 
I answered this on the other reply. It is certainly weird.

> > 74.63.255.118: 248 
> > 216.245.193.201: 235 
> > 208.115.232.205: 231 
> > 74.63.255.119: 225 
> > 216.245.193.200: 219
> [...]
> > O=TCP SPT=2216 : 1 
> 
> You were attacked by "O=TCP SPT=2216"? Cool story.

I'm glad you flagged this. I made up some quick and dirty code to parse log
messages and, though it seems to have worked fine on most lines, this one
went wrong in the regex. Thank you.




Re: [Full-disclosure] Who's behind limestonenetworks.com AKA DDoS on polipo(8123)

2013-08-17 Thread Luther Blissett
On Fri, 2013-08-16 at 09:54 +, Bart van Tuil wrote: 
> Luther,
> 
> Is it just me, or is this ddos of 19045 packets in three hours a really, 
> really sorry attempt at anything at all?? Even the peak of 30 pkts/sec
> wouldn't really disrupt -any- service on a modern system, or disrupt any
> self-respecting internet connection. I agree you shouldn't ignore the 
> action by itself, but what was the actual damage?
> 
> Also, I am not clear about where you found this binary. Was it on your 
> local fs? Was this just the content of the packages? If lfs, could the 
> packet storm be nothing more than a distraction?
> 
> And at least 216.245.220.56 (one of the major participants); and by 
> extension the rest in same subnet is not from limestone networks, and 
> from far outside of USA.
> 
> 
> I am very curious about the binary though :) if circumstance will 
> allow me I'll take some time to look closer this weekend.
> 
> 
> Happy hunting,
> 
> Bart
> 
> 

Hello Bart, how's life today?!

Apart from this code I found and some offline hours, I could not
identify any real damage on my system. I agree with you this packet
storm shouldn't have succeeded in driving my machine offline and I still
don't know why it could do it.

To clarify the issue: (i) my ISP is not the most trusted one. The link
speed often changes and sometimes gets real lame. (ii) The attacker
might have tried to reach my tor server, but he could not do it. The
firewall that caught these transmissions is on a different guard
machine. (iii) there are more services and machines protected by this
guard machine and various of them were online at the time the attack
started. (iv) though I said the attack endured at least three hours, it
did not take me three hours to notice it and I unplugged the machine
much earlier, so the total packet count and max packet rate are not the
real picture, but just the representation of what the machine flagged
when it was connected. 

The binary is a corrupted part of "/var/log/messages". From what I know,
it could be the attack triggered some hidden bug and that's all. But it
could also be that the attacker had previously gathered useful info on
my system and knew this would happen. So I won't leave much space to
chance.

That said, I'm no expert on assembly, hex and lowlevel computing. So it
may take quite some time before I understand the issue. If you find
something useful on happy hacking times, please do tell me.

Finally, I'm glad you found this address from outside limestone. Since
there were many IPs, I randomly tested 20 or so and all of them were
inside limestone so I jumped to the conclusion that all addresses were
inside.

Happy debian b-day!



Re: [Full-disclosure] Who's behind limestonenetworks.com AKA DDoS on polipo(8123)

2013-08-17 Thread peter_toyota
I remember as a youngling in the olden days of these internets you young 
fellows are so fond of, that a dial up analog modem connection actual 
throughput would max out at 53.3kb. Something about how encapsulation overhead 
would take a portion out of the total possible V.92 modulation and compression 
scheme.

Ah... the days of old, and the excitement every day to see if the connection 
would " train" past 50kb...
Such fond memories of yore...

 Original message 
From: Jann Horn  
Date: 08/16/2013  3:31 PM  (GMT-06:00) 
To: Jeffrey Walton  
Cc: Full Disclosure List  
Subject: Re: [Full-disclosure] Who's behind limestonenetworks.com AKA DDoS on 
polipo(8123) 
 
On Fri, Aug 16, 2013 at 01:37:54PM -0400, Jeffrey Walton wrote:
> On Fri, Aug 16, 2013 at 1:31 PM, Jann Horn  wrote:
> > On Thu, Aug 15, 2013 at 05:29:52PM -0300, Luther Blissett wrote:
> >> Hello dear companions,
> >>
> >> Two days ago one of my tor exit nodes experienced something I'm now
> >> calling "limestonenetworks DDoS on polipo" ( $WAN_IP:8123 ), since all
> >
> > DDoS? So you mean your systems were impacted by that?
> He may be running an exit node for the benefit of others on a low
> bandwidth connection.
> 
> Forgive me if you were joking with an old friend, or I missed something.

Let's check how massive that "attack" is.

He said above 30 packets per second, right? I'll just assume it's around 30.
And the sample packet from that "packet storm" contained this part: "LEN=52".
So that's around 1500 bytes per second, or 12 kilobits per second. And those
packets are downstream for him.

Now take a look at .
A good modem connection can give you up to 56kbit/s per direction as far as I
understand. So unless I made some weird calculation errors, someone on a good
modem connection should be able to take that "attack" without any problems.

An "attack" from one (!) bot on a normal DSL line should already be much bigger.

Calling this a DoS attack would be ridiculous, calling it a DDoS even more so.

(Of course, it might still be that he really was hacked and his systems were
attacked in a smarter way, but it's very clear that nobody tried to take him
out with pure bandwidth.)

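Two things in this thread are easier to see in code: Jann's back-of-the-envelope rate (30 packets per second of LEN=52) and Luther's admission, earlier in the thread, that a quick regex produced the "O=TCP SPT=2216" entry in his per-source list. The script below is an added example, not any poster's code. It refuses to count a netfilter LOG line unless the syslog header and the SRC/DST/LEN/PROTO fields are all present, tallies packets per source and SYN-only packets (the half-open attempts Valdis's SYN-flood point is about), and turns a packet rate into a link rate. The sample lines are constructed from the redacted "[hammer]" line in the original post; host name, MAC and DST stay redacted, and the second/third source addresses and ID/SPT values are made up for the sample.

```python
import re
from collections import Counter

MAC = ":".join(["xx"] * 18)          # redacted in the post; kept that way

def nf_line(ts, src, spt, ident):
    """Constructed netfilter LOG line in the exact shape of the post's
    '[hammer]' sample (DST stays redacted)."""
    return (f"Aug 13 {ts} host user.warn kernel: [hammer] : IN=vlan2 OUT= "
            f"MAC={MAC} SRC={src} DST=xxx.xxx.xxx.xxx LEN=52 TOS=0x00 PREC=0x00 "
            f"TTL=48 ID={ident} DF PROTO=TCP SPT={spt} DPT=8123 WINDOW=65535 "
            f"RES=0x00 SYN URGP=0")

SAMPLE_LINES = [
    nf_line("20:39:14", "74.63.216.60", 1757, 20269),
    nf_line("20:39:14", "74.63.216.60", 1758, 20270),
    nf_line("20:39:15", "74.63.255.118", 2216, 31),
    # A line the logger cut short: no SRC= at all. A tally built with a
    # loose "split on = and take the next token" rule turns this into an
    # "O=TCP SPT=2216" source instead of rejecting it.
    "Aug 13 20:39:15 host user.warn kernel: [hammer] : IN=vlan2 OUT= O=TCP SPT=2216 DPT=8123",
]

HEADER = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ \S+ kernel: \[([^\]]*)\] ?:")
FIELD = re.compile(r"\b([A-Z]+)=(\S*)")           # whole KEY=value tokens only
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
TCP_FLAGS = ("SYN", "ACK", "FIN", "RST", "PSH", "URG")

def parse_nf_line(line):
    """Return a dict for a well-formed line, None for anything else."""
    m = HEADER.match(line)
    if not m:
        return None
    rec = {"ts": m.group(1), "prefix": m.group(2)}
    rec.update(FIELD.findall(line[m.end():]))
    if any(k not in rec for k in ("SRC", "DST", "LEN", "PROTO")):
        return None
    if not IPV4.fullmatch(rec["SRC"]):
        return None
    rec["LEN"] = int(rec["LEN"])
    # TCP flags are printed as bare words after RES=; "URGP=0" is not URG.
    tail = line.split("RES=", 1)[1] if "RES=" in line else ""
    rec["flags"] = [f for f in TCP_FLAGS if re.search(rf"\b{f}\b", tail)]
    return rec

def summarize(lines):
    """Per-source packet counts, the rejected lines, total IP bytes and the
    number of SYN-only packets (connection attempts that never got past
    the first step of the handshake, which is what a SYN flood consists of)."""
    per_src, rejected, total_len, syn_only = Counter(), [], 0, 0
    for line in lines:
        rec = parse_nf_line(line)
        if rec is None:
            rejected.append(line)
            continue
        per_src[rec["SRC"]] += 1
        total_len += rec["LEN"]
        if rec["flags"] == ["SYN"]:
            syn_only += 1
    return per_src, rejected, total_len, syn_only

def link_rate_bps(pps, ip_len, l2_overhead=18):
    """Jann's arithmetic, generalised. LEN is the IP total length, so add
    the link-layer framing (Ethernet header 14 + FCS 4 by default; pass 0
    for the bare IP figure) before comparing with a link's capacity:
    30 pps of 52-byte SYNs is 12480 bit/s of IP, 16800 bit/s on Ethernet."""
    return pps * (ip_len + l2_overhead) * 8

if __name__ == "__main__":
    per_src, rejected, total_len, syn_only = summarize(SAMPLE_LINES)
    for src, n in per_src.most_common():
        print(f"{src}: {n}")
    print(f"rejected {len(rejected)} line(s); {syn_only} SYN-only; "
          f"{total_len} IP bytes; 30 pps -> {link_rate_bps(30, 52)} bit/s on the wire")
```

The rate helper only restates the bandwidth side of the argument. Valdis's point stands independently of it: what a SYN-only stream costs the target is a half-open connection slot (or an Apache child) per packet, and that is counted by syn_only, not by bits per second.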

Re: [Full-disclosure] Who's behind limestonenetworks.com AKA DDoS on polipo(8123)

2013-08-17 Thread Jann Horn
On Fri, Aug 16, 2013 at 04:49:24PM -0500, adam wrote:
> Jann, you know what's even worse than someone being a dick for no
> reason? Someone being a _stupid_ dick for no reason.

Maybe I'm being a dick, and maybe I'm being a dick for no reason, but I
don't think I'm being a _stupid_ dick.


> In case you're
> unaware, the word "massive" was completely absent from this thread
> until YOU attempted to put it in someone elses' mouth. Beyond that,
> since you want to rip apart an innocent guy's post, let's see what
> happens when someone does it to yours.
> 
> "DDoS? So you mean your systems were impacted by that?"
> 
> Impacted is not the word you were looking for, since the answer to
> that would technically be a yes - not the no you were expecting. That
> aside, a denial of service attack is still a denial of service attack
> regardless of whether it succeeds or not. In fact, if you look up the
> definition - you'll see that it's _an attempt_ to make X unavailable.
> Not necessarily a successful one.

He was talking about a DDoS. Right, a DoS is just an attempt to make some kind
of service unavailable, but a DDoS is an attempt to make a system unavailable
by flooding it with an overwhelming amount of traffic from multiple sources.
IMO mentioning a DDoS implies "massive".

And yes, you're right, a DoS attack can be unsuccessful. My point was that
this small amount of traffic shouldn't be called a DDoS because there's no
way that the intention behind this amount of traffic was to take down that
service with pure bandwidth.


> "Let me google that for you. Hmm. Assigned to "Polipo Web proxy"."
> 
> Psst.. you may want to read the entire thread title.

Heh, you have a point.


> "Oooh, a storm!"
> 
> storm
> Verb
> Move angrily or forcefully in a specified direction: "she stormed off".
> 
> Whether you like it or not, it meets the definition.

Uh, he didn't use it as a verb. He used the noun "storm", and two times, he
said "packet storm". I read "packet storm" as "a storm of packets", so my
interpretation is that he was talking about a storm on the packet level.

If you have a look at the Jargon File, you'll see that in the context of
IT, a "storm" usually means something that is characterized by massive
amounts of network activity. A packet storm then would be something that looks
like a really big amount of activity on the network level, right?


> "Your systems were impacted by a DoS attack with 30 packets per
> second? You might
> want to upgrade to hardware that is a few decades newer."
> 
> How much of the original post did you actually read? Nowhere in it did
> the OP say that this attack succeeded. Again, just like above - YOU
> are the one who first used the word impact[ed]. It's funny how you put
> words in peoples' mouths, and then reply to them as though they
> actually said it.

Why would you call 30 packets per second an attack unless that actually impacts
your system? It was an ironic statement intended to hint at the possibility
that the OP was mistaken about what exactly impacted his system.


> More than that, the only thing the OP mentioned was
> that one of his log files were corrupted in the process of the attack.
> I didn't read that the attack succeeded, shut down the service, his
> machine, his network or anything else - and neither did you.

Right.


> "You were attacked by "O=TCP SPT=2216"? Cool story."
> 
> Oh my God, there was a line in there that didn't have an IP address?
> What a RETARD the OP must be. How can anyone be so stupid? I bet the
> earth stopped spinning when that happened. Think so?

Tough question. No, seriously, to me this means that he piped his firewall logs
or so into some command-line commands without making really sure that the
commands extract exactly the data he wants. Therefore, this line means for me
that there's a high possibility of totally unrelated IPs being in that list
that just happened to communicate with his system at the wrong time. For me,
this line makes the validity of that whole list very questionable.


> "He said above 30 packets per second, right? I'll just assume it's around 30.
> And the sample packet from that "packet storm" contained this part: "LEN=52".
> So that's around 1500 bytes per second, or 12 kilobits per second. And those
> packets are downstream for him."
> 
> You're randomly assuming that all of the packets were the exact same
> length, which makes anything derived from that assumption
> automatically flawed.

That's right. I assumed that the traffic was highly uniform because:
 - as far as I know, traffic usually is relatively uniform in attacks
 - he picked this one line and apparently thought that it was sufficient
   to give us an idea of what the attack traffic looked like (otherwise,
   he would have shown us a bunch of lines and not just one because his
   intent here obviously was to illustrate the nature of the attack,
   right?)
Well, maybe I jumped to conclusions here, but I don't think so.


> "A good modem connecti

Re: [Full-disclosure] Who's behind limestonenetworks.com AKA DDoS on polipo(8123)

2013-08-17 Thread Pascal Ernster
Binary? The only "binary" thing I see in that hexdump are a bunch of
null bytes and the \n at the end.

regards
Pascal


On Thu, 15 Aug 2013 17:29:52 -0300
Luther Blissett  wrote:

> Hello dear companions,
> 
> Two days ago one of my tor exit nodes experienced something I'm now
> calling "limestonenetworks DDoS on polipo" ( $WAN_IP:8123 ), since all
> packets in the storm were flowing from a range of 514 different IP
> addresses, all of them inside limestonenetworks IP range and targeting
> port 8123 on my tor exit node WAN IP.
> 
> Before the packet storm, I could observe a huge increase on attempts
> to access my WAN domain through tor. I couldn't relate IP addresses
> from this first rise to those responsible for the actual packet
> storm nor could I identify some useful pattern there, but they were
> all coming from port 9001 and increased just some hours before the
> storm, so I'm guessing they are related somehow.
> 
> Also, throughout the storm, one of my log files got corrupted with
> some unreadable bin garbage. I do not know if it was intended/targeted
> exploit, but I'm reworking secrets and trying to figure out what is
> this binary.
> 
> Here is a sample line of a WAN attempt:
> 
> Aug 13 16:50:22 $USER user.warn kernel: [DROP INVALID WAN] : IN=vlan2
> OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx
> SRC=77.56.151.190 DST=xxx.xxx.xxx.xxx LEN=52 TOS=0x00 PREC=0x00 TTL=43
> ID=38787 DF PROTO=TCP SPT=40888 DPT=9001 SEQ=289854459 ACK=41163
> 
> Here is a sample line of packet storm:
> 
> Aug 13 20:39:14 $USER user.warn kernel: [hammer] : IN=vlan2 OUT=
> MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx
> SRC=74.63.216.60 DST=xxx.xxx.xxx.xxx LEN=52 TOS=0x00 PREC=0x00 TTL=48
> ID=20269 DF PROTO=TCP SPT=1757 DPT=8123 WINDOW=65535 RES=0x00 SYN
> URGP=0 OP
> 
> The attack persisted for at least three hours and left this binary
> (hex represented):
> 
> 000        
> *
> b90       2067 3331
> ba0 3220 3a30 3135 303a 2034 6174 6567 7573
> bb0 7568 7520 6573 2e72 6177 6e72 6b20 7265
> bc0 656e 3a6c 5b20 6168 6d6d 7265 205d 203a
> bd0 4e49 763d 616c 326e 4f20 5455 203d 414d
> be0 3d43 3030 323a 3a31 3732 663a 3a61 6464
> bf0 343a 3a34 3030 313a 3a35 3966 323a 3a61
> c00 6639 643a 3a39 3830 303a 3a30 3534 303a
> c10 3a30 3030 333a 2034 5253 3d43 3132 2e36
> c20 3432 2e35 3232 2e31 3031 2037 5344 3d54
> c30 3831 2e39 3833 322e 3533 322e 3035 4c20
> c40 4e45 353d 2032 4f54 3d53 7830 3030 5020
> c50 4552 3d43 7830 3030 5420 4c54 343d 2038
> c60 4449 313d 3335 3431 4420 2046 5250 544f
> c70 3d4f 4354 2050 5053 3d54 3932 3635 4420
> c80 5450 383d 3231 2033 4957 444e 574f 363d
> c90 3535 3533 5220 5345 303d 3078 2030 5953
> ca0 204e 5255 5047 303d 000a   
> ca9
> 
> Attached is the list of participating IP addresses, line by line, with
> the count of packets received. The attacker started sending something
> like 4 packets per second and increased to over 9000!!! - just
> kidding, over 30 per second.
> 
> JSYK, I welcome any comments.

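Pascal's reading of the "binary" and Jann's remark about swapped byte pairs both come down to how od prints the dump: "-x" emits 16-bit words in host byte order, so on a little-endian machine each pair of bytes appears reversed, and a row of "*" stands for repeated rows (here, the run of NUL bytes). The decoder below is an added example, not code from the thread. Its SAMPLE bytes are constructed (64 NULs followed by the redacted log line from the post), and the od-style listing is produced by a small encoder that imitates od's layout, so nothing the OP redacted in his text is reproduced here. It assumes the post's offsets are hexadecimal (od -A x -x; plain od -x prints octal offsets, and "b90" cannot be octal).

```python
def decode_od_x(dump):
    """Rebuild the bytes behind an `od -A x -x` listing.

    Each 4-digit token is one 16-bit word printed in host (little-endian)
    order, which is why reading the dump left to right shows every pair of
    bytes swapped: the post's row 'b90 2067 3331' is the bytes 67 20 31 33,
    i.e. 'g 13'. A row holding only '*' means the previous row repeats up
    to the offset of the next row; a final row holding only an offset is
    the file length and trims od's padding of a trailing odd byte."""
    data, prev_row, repeat = bytearray(), b"", False
    for row in dump.splitlines():
        parts = row.split()
        if not parts:
            continue
        if parts[0] == "*":
            repeat = True
            continue
        offset = int(parts[0], 16)          # assumed hex offsets (-A x)
        if repeat:
            while prev_row and len(data) < offset:
                data += prev_row
            repeat = False
        if len(parts) == 1:                 # trailing offset = total length
            del data[offset:]
            break
        row_bytes = bytearray()
        for tok in parts[1:]:
            word = int(tok, 16)
            row_bytes += bytes((word & 0xFF, word >> 8))
        data += row_bytes
        prev_row = bytes(row_bytes)
    return bytes(data)

def encode_od_x(data, width=16):
    """Emit the same layout (hex offsets, little-endian words, repeated
    rows collapsed to '*'). Used only to build the constructed sample;
    it imitates od's output format, it is not od."""
    rows, prev, starred = [], None, False
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        if chunk == prev:
            if not starred:
                rows.append("*")
                starred = True
            continue
        starred, prev = False, chunk
        padded = chunk + (b"\x00" if len(chunk) % 2 else b"")
        words = " ".join(f"{int.from_bytes(padded[i:i + 2], 'little'):04x}"
                         for i in range(0, len(padded), 2))
        rows.append(f"{off:x} {words}")
    rows.append(f"{len(data):x}")
    return "\n".join(rows)

def split_zero_fill(raw):
    """Separate the leading run of NUL bytes (the usual shape of a log file
    after the machine lost power between the filesystem extending the file
    and writing its data) from the text that follows."""
    text = raw.lstrip(b"\x00")
    return len(raw) - len(text), text.decode("ascii", errors="replace")

# Constructed sample: 64 NULs, then the post's redacted log line.
SAMPLE = (b"\x00" * 64 +
          b"Aug 13 20:39:14 host user.warn kernel: [hammer] : IN=vlan2 OUT= "
          b"SRC=74.63.216.60 DST=xxx.xxx.xxx.xxx LEN=52 PROTO=TCP DPT=8123 SYN\n")
SAMPLE_DUMP = encode_od_x(SAMPLE)

if __name__ == "__main__":
    print(SAMPLE_DUMP)
    nuls, text = split_zero_fill(decode_od_x(SAMPLE_DUMP))
    print(f"{nuls} NUL bytes, then: {text!r}")
```

Running the decoder over the post's own first row, "b90 2067 3331", gives "g 13"; the rest of the dump decodes the same way into one more "[hammer]" log line terminated by "\n", which is all Pascal was pointing out. The practical check before assuming an exploit is therefore `od -c` (or `xxd`) on the suspect region, which prints bytes in file order and leaves nothing to un-swap.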


[Full-disclosure] local color map firefox 1day exploit

2013-08-17 Thread x90c
Hi Folks!

! PRIVATE! PRIVATE ! PRIVATE ! PRIVATE !

I share another of my private exploits.
It exploits the Firefox local color map parsing bug
(a security bug) to corrupt the heap: heap overflow!

* vulnerability:
CVE-2009-3373 Firefox local color map parsing heap overflow

* vulnerable:
- Firefox 3.5.4 <=
- Firefox 3.0.15 <=
- SeaMonkey 2.0 <=

! PRIVATE! PRIVATE ! PRIVATE ! PRIVATE !


x90c


local_color_map_exploit.tgz
Description: GNU Zip compressed data

[Full-disclosure] x90c WOFF Firefox 1day exploit

2013-08-17 Thread x90c
Hi Folks!

I share my WOFF 1day exploit.

(dep bypass)

* vulnerability:
CVE-2010-1028 WOFF Heap Corruption due to Integer Overflow

* affected Products:
- Mozilla Firefox 3.6 ( Gecko 1.9.2 )
- Mozilla Firefox 3.6 Beta1, 3, 4, 5 ( Beta2 ko not released )
- Mozilla Firefox 3.6 RC1, RC2


x90c


x90c_WOFF_exploit.tgz
Description: GNU Zip compressed data

[Full-disclosure] MS Excel 2002/2003 CRN record 0day PoC

2013-08-17 Thread x90c
Hi Folks!

It's an MS Excel PoC I discovered.
I analyzed it to check its exploitability.
It's not exploitable!

If you can, do exploit it!
And please share the 0day exploit.


Vulnerable:
- Office XP ( Excel 2002 ) sp0 to sp3
- Office 2003 ( Excel 2003 ) sp0 to sp3



x90c


excel_crn_crash.xls
Description: MS-Excel spreadsheet