[Full-disclosure] (no subject)

2011-05-17 Thread Jhfjjf Hfdsjj
http://www.lestes.net/wp-content/themes/default/life.html

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] Windows is 100% self-modifying assembly code? (Interesting security theory)

2010-12-10 Thread Jhfjjf Hfdsjj



On 12/9/2010 8:39 PM, John Jester Wilham Patrick III wrote: 

> From Andrew Auernheimer's Diary / irc memories:
>
> Windows is written in pure, self-modifying assembly code. Notice how you can
> install 15 gigs of data from a single Windows install DVD, which can only hold
> 5 gigs? This is because the code is dynamically generated to minimize attack
> vectors. Any attempt to observe the static files on the disk will change how it
> looks in runtime. This is also why Windows needs to be updated so often, so the
> running code never looks like it did before.
>
> Does this sound true to you guys? Windows does seem to have updates that take
> forever and speed-wise it always felt there was something going on. Whenever I
> leave my laptop alone, even when it's offline, indexing off, the computer is
> always working on stuff and you never know what it is.
>
> Maybe all applications with Windows compile on runtime for dynamic binaries,
> yet through .net's open, user-friendly API are still compatible?
>
> Balmer said he wanted to make Vista and 7 an OS that would not slow down after
> usage, but instead speed up. Windows is constantly reprogramming itself to suit
> the behavior of its users and performing security and performance auditing.
>
> This is likely true - Think about it:
>
> All viruses are just malicious scripts. It's like saying *nix is insecure
> because script kiddies compile binaries and bash scripts that rm /.
>
> No one has ever had an attack vector against Windows 7 or Vista. Please
> confirm.

Rofl!!! Do you seriously think that something that cool would be so crappy? I've
heard of several attack vectors against Windows 7 and Vista, they are just 'new'
and the whitehat scene hasn't caught up quite yet. As for the inconsistent
storage size with installation, there is this nifty little thing called
compression, and most operating systems I know of have to dynamically create
certain files needed for post-installation, but that doesn't mean that it's 100%
dynamic code. Just some of it is necessary dynamic data. After all, any C program
can get 'fat' during runtime by calling malloc one too many times :P Not to
mention the documentation on PE would totally screw with the whole constant
self-modification; you risk the chance of fucking with the binary portability
Windows loves to bed with so much. And it has to be updated so often because of
two reasons: 1.) It sucks and needs fixin' or 2.) Operating systems simply go
through lots of change. Didn't Linux use to be called the 'kernel-of-the-month
operating system'?

End point: you fail, commit seppuku.

Sincerely,
Some Kid



  



Re: [Full-disclosure] Evilgrade 2.0 - the update explotation framework is back

2010-11-01 Thread Jhfjjf Hfdsjj


>> I do not believe anyone is 'ptoposing' anything. All he said was that package
>> signing should not be taken as a silver bullet, for experience has shown that
>> the keys themselves are capable of being compromised if a vendor is
>> successfully attacked.
>>
>> Exactly what I would expect from *.edu

>I read differently,

Then by all means, elaborate.



  



Re: [Full-disclosure] Evilgrade 2.0 - the update explotation framework is back

2010-11-01 Thread Jhfjjf Hfdsjj


> On Sun, Oct 31, 2010 at 10:36 AM,   wrote:
>> On Sun, 31 Oct 2010 13:09:27 BST, Mario Vilas said:
>>
>>> Just signing the update packages prevents this attack, so it's not that hard
>>> to fix.
>>
>> Except if a signing key gets compromised, as happened to one Linux vendor
>> recently, causing a lot of kerfuffle...
>
> ??? Are you ptoposing to throw the baby out with the bath water ??? I
> would not have expected that from *.edu.

I do not believe anyone is 'ptoposing' anything. All he said was that package
signing should not be taken as a silver bullet, for experience has shown that
the keys themselves are capable of being compromised if a vendor is
successfully attacked.

Exactly what I would expect from *.edu


  



Re: [Full-disclosure] New tool for pentesting

2010-09-17 Thread Jhfjjf Hfdsjj




- Forwarded Message 
From: Jhfjjf Hfdsjj 
To: runlvl 
Sent: Fri, September 17, 2010 3:26:44 AM
Subject: Re: [Full-disclosure] New tool for pentesting


Are you expecting us to believe that a Windows-only supported penetration tool
with absolutely zero information regarding true effectiveness or methods is
supposed to compete with Metasploit? For all I know I could be paying $500 for a
shiny box that spits blinkenlights at me with a message saying "you just h4x0red
y0urself! Trust meh1"

umm yeah... I think I'll go back to reviewing that PoC args



From: runlvl 
To: full-disclosure@lists.grok.org.uk
Sent: Thu, September 16, 2010 7:02:06 PM
Subject: [Full-disclosure] New tool for pentesting

A new product was born, similar to Core Impact, Metasploit and Immunity Canvas.
INSECT is affordable, easy to use and it has a friendly user
interface. It promises to be an excellent tool and it allows
organizations of all sizes to conduct comprehensive penetration
testing across their infrastructure and applications.

INSECT's interface is designed to be usable by individuals both with
and without specialized training in penetration testing and
vulnerability assessment, and includes functions for generating
reports from the gathered information.

See more at: http://www.faltaenvido.org/
Watch videos at: http://www.youtube.com/user/FaltaEnvidoVideo

Regards


Re: [Full-disclosure] Tuscl.net SQL injection with 30k Plain Text Passwords & 80k Email list

2010-09-04 Thread Jhfjjf Hfdsjj


Well, one thing I will point out is that the link you submitted for the actual
SQL injection doesn't seem to work. Either they fixed it or you messed up the
link.



From: Ben 
To: full-disclosure@lists.grok.org.uk
Sent: Fri, September 3, 2010 11:09:04 AM
Subject: [Full-disclosure] Tuscl.net SQL injection with 30k Plain Text Passwords
& 80k Email list

I found many SQL injections on Tuscl.net (The ultimate strip club list).

I tried notifying the site, no response. The server is run on a VMware, so
anything that is done to it is restored upon reboot.

This is a dump of usernames, passwords and emails for the site. They are in plain
text. I have removed records that had the system-generated password that the
user never changed.



http://www.tuscl.net/c.php?CID=-1%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17


Common Passwords and the number of accounts that shared them


Here is the complete list of email addresses registered. The site had no
validation, so I am sure some are fake.

The path to the working directory is: /home/httpd/vhosts/tuscl.net/httpdocs/

The SQL information is
"localhost" - "tuscl" - "szg4wpl9"

Also if you want to look at all the nudey photos uploaded here is where they are
http://www.tuscl.net/pictures/

There are other sites that could have been compromised as well:
vanjonesthinksimanasshole.com
tuscl.com
onerun.com
ecampguide.com (contains another 1200 plain text passwords)
troopedge.com

Well have fun!
Owner or media, if you want to get ahold of me:
auto595...@hushmail.com




Re: [Full-disclosure] Day of bugs in WordPress 2

2010-07-30 Thread Jhfjjf Hfdsjj


Ed is the standard text editor.


On Fri, Jul 30, 2010 at 6:13 AM, Elazar Broad  wrote:

>ed or nano? :)
>
>
>On Thu, 29 Jul 2010 20:47:19 -0400 valdis.kletni...@vt.edu wrote:
>>On Thu, 29 Jul 2010 17:18:28 PDT, Zach C said:
>>> So if Drupal and WordPress, etc. are so terrible, what would you
>>all recommend?
>>
>>vi or emacs. Take your pick, I'm not starting an editor war. ;)




Re: [Full-disclosure] ATTENTION FBI - Want the real names folks involved in the iPad hack???

2010-07-09 Thread Jhfjjf Hfdsjj
Wow, way to be a fricken racist snitch.



- Forwarded Message 
From: IRC FRAUD ALERT 
To: full-disclosure 
Sent: Thu, July 8, 2010 8:46:40 PM
Subject: [Full-disclosure] ATTENTION FBI - Want the real names folks involved in
the iPad hack???

Sam Hocevar aka sam, Debian developer who provides *.goatse.fr
Kenneth Fister aka "Fister". Virginia resident.
Martin Liland aka DiKKy. Norwegian citizen.
Nick Price aka Rucas. Texas resident.
Marc R. Uchniat aka feem, works for Colo4Dallas and 420chan moderator
Mischa Spieglemock aka h8crime or jenk, was with weev at Toorcon.
California resident.
Zachary Deardoff aka l0de. New York resident.
Timothy E. Copperfield aka timecop. Resident of Japan.
Daniel Spitler aka JacksonBrown, provided iPad. San Francisco resident.
Christopher Lolich Abad aka aemperi. California resident.
Montel Deonte Edwards, aka montel - weev attempted to adopt this young
negro like his younger brother


Re: [Full-disclosure] Microsoft Windows Help Centre Handles Malformed Escape Sequences Incorrectly

2010-06-11 Thread Jhfjjf Hfdsjj
Hey, just wanted to say that my default installation of Windows 7 doesn't seem
vulnerable: no hcp protocol handler. Just thought some people would like to take
note :)



- Original Message 
From: Tavis Ormandy 
To: full-disclosure@lists.grok.org.uk
Cc: bugt...@securityfocus.com
Sent: Wed, June 9, 2010 4:46:21 PM
Subject: Microsoft Windows Help Centre Handles Malformed Escape Sequences Incorrectly

Microsoft Windows Help Centre Handles Malformed Escape Sequences Incorrectly


Help and Support Centre is the default application provided to access online
documentation for Microsoft Windows. Microsoft supports accessing help documents
directly via URLs by installing a protocol handler for the scheme "hcp";
a typical example is provided in the Windows XP Command Line Reference,
available at http://technet.microsoft.com/en-us/library/bb490918.aspx.

Using hcp:// URLs is intended to be safe, as when invoked via the registered
protocol handler the command line parameter /fromhcp is passed to the help
centre application. This flag switches the help centre into a restricted mode,
which will only permit a whitelisted set of help documents and parameters.

This design, introduced in SP2, is reasonably sound. A whitelist of trusted
documents is a safe way of allowing interaction with the documentation from
less-trusted sources. Unfortunately, an implementation error in the whitelist
allows it to be evaded.

URLs are normalised and unescaped prior to validation using
MPC::HTML::UrlUnescapeW(), which in turn uses MPC::HexToNum() to translate URL
escape sequences into their original characters; the relevant code from
helpctr.exe 5.1.2600.5512 (latest at time of writing) is below.

.text:0106684C Unescape:
.text:0106684C     cmp     di, '%'                 ; di contains the current wchar in the input URL.
.text:01066850     jnz     short LiteralChar       ; if this is not a '%', it must be a literal character.
.text:01066852     push    esi                     ; esi contains a pointer to the current position in URL to unescape.
.text:01066853     call    ds:wcslen               ; find the remaining length.
.text:01066859     cmp     word ptr [esi], 'u'     ; if the next wchar is 'u', this is a unicode escape and I need 4 xdigits.
.text:0106685D     pop     ecx                     ; this sequence calculates the number of wchars needed (4 or 2).
.text:0106685E     setz    cl                      ; i.e. %u (four needed), or %XX (two needed).
.text:01066861     mov     dl, cl
.text:01066863     neg     dl
.text:01066865     sbb     edx, edx
.text:01066867     and     edx, 3
.text:0106686A     inc     edx
.text:0106686B     inc     edx
.text:0106686C     cmp     eax, edx                ; test if I have enough characters in input to decode.
.text:0106686E     jl      short LiteralChar       ; if not enough, this '%' is considered literal.
.text:01066870     test    cl, cl
.text:01066872     movzx   eax, word ptr [esi+2]
.text:01066876     push    eax
.text:01066877     jz      short NotUnicode
.text:01066879     call    HexToNum                ; call MPC::HexToNum() to convert this nibble (4 bits) to an integer.
.text:0106687E     mov     edi, eax                ; edi contains the running total of the value of this escape sequence.
.text:01066880     movzx   eax, word ptr [esi+4]
.text:01066884     push    eax
.text:01066885     shl     edi, 4                  ; shift edi left 4 positions to make room for the next digit, i.e. total <<= 4;
.text:01066888     call    HexToNum
.text:0106688D     or      edi, eax                ; or the next value into the 4-bit gap, i.e. total |= val.
.text:0106688F     movzx   eax, word ptr [esi+6]   ; this process continues for the remaining wchars.
.text:01066893     push    eax
.text:01066894     shl     edi, 4
.text:01066897     call    HexToNum
.text:0106689C     or      edi, eax
.text:0106689E     movzx   eax, word ptr [esi+8]
.text:010668A2     push    eax
.text:010668A3     shl     edi, 4
.text:010668A6     call    HexToNum
.text:010668AB     or      edi, eax
.text:010668AD     add     esi, 0Ah                ; account for number of bytes (not chars) consumed by the escape.
.text:010668B0     jmp     short FinishedEscape
.text:010668B2
.text:010668B2 NotUnicode:
.text:010668B2     call    HexToNum                ; this is the same code, but for non-unicode sequences (e.g. %41, instead of %u0041)
.text:010668B7     mov     edi, eax
.text:010668B9     movzx   eax, word ptr [esi]
.text:010668BC     push    eax
.text:010668BD     call    HexToNum
.text:010668C2     shl     eax, 4
.text:010668C5     or      edi, eax
.text:010668C7     add     esi, 4                  ; account for number of bytes (not chars) consumed by the escape.
.text:010668CA
.text:010668CA Finis
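Added here as an example (not code from the advisory or from helpctr.exe): a Python re-implementation of the Unescape loop in the listing above, so its control flow, including the literal-'%' fallback when too few characters remain, can be run on sample input. What MPC::HexToNum() returns for a non-hex character is not shown on this page, so hex_to_num() is a strict stand-in that raises instead; that is an assumption, as is the final chr() write that the truncated FinishedEscape label would perform.

```python
# Added example, not part of Tavis Ormandy's advisory: Python mirror of the
# helpctr.exe Unescape loop shown in the listing, for study and experimentation.
# Assumption: the real MPC::HexToNum() behaviour on non-hex input is off-page,
# so hex_to_num() below is strict and raises ValueError.

HEX_DIGITS = "0123456789abcdefABCDEF"


def hex_to_num(ch: str) -> int:
    """Strict stand-in for MPC::HexToNum(): value of one hex digit (a 4-bit nibble)."""
    if ch not in HEX_DIGITS:
        raise ValueError(f"not a hex digit: {ch!r}")
    return int(ch, 16)


def unescape(url: str) -> str:
    """%XX decodes to one character, %uXXXX to one UTF-16 code unit; a '%' that is
    not followed by enough characters is kept literally, as the listing does."""
    out = []
    i = 0
    while i < len(url):
        if url[i] != "%":                  # cmp di, '%' / jnz LiteralChar
            out.append(url[i])
            i += 1
            continue
        rest = url[i + 1:]                 # esi points just past the '%'; eax = wcslen(esi)
        is_unicode = rest.startswith("u")  # cmp word ptr [esi], 'u' / setz cl
        # neg dl / sbb edx,edx / and edx,3 / inc / inc turn cl into
        # 5 ('u' plus four hex digits) or 2 (two hex digits)
        needed = 5 if is_unicode else 2
        if len(rest) < needed:             # cmp eax, edx / jl LiteralChar
            out.append("%")
            i += 1
            continue
        if is_unicode:
            # Running total: edi = (edi << 4) | HexToNum(digit) over [esi+2] .. [esi+8]
            total = 0
            for d in rest[1:5]:
                total = (total << 4) | hex_to_num(d)
        else:
            # NotUnicode: low nibble from [esi+2] first, then high nibble from [esi] << 4
            total = hex_to_num(rest[1]) | (hex_to_num(rest[0]) << 4)
        out.append(chr(total))             # assumed write performed at FinishedEscape
        i += 1 + needed                    # add esi, 0Ah or 4 bytes, i.e. 5 or 2 wchars
    return "".join(out)
```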