[Full-disclosure] [ADVISORY] - +Thu Mar 16 14:11:43 EST 2006+ - Directory Transversal in Microsoft PowerPoint

2006-03-16 Thread Josh perrymon



[ADVISORY] - +Thu Mar 16 14:11:43 EST 2006+ - Directory Transversal in 
Microsoft PowerPoint




8==D~~
[+] BACKGROUND
8==D~~
There was no background information about the vulnerability identified.
8==D~~
[+] WORKAROUND
8==D~~
There have been no identified workarounds regarding the issue in question.
8==D~~
[+] VENDOR RESPONSE
8==D~~
Microsoft PowerPoint had presented no identified commentary.
8==D~~
APPENDIX A VENDOR INFORMATION
8==D~~
http://www.microsoft.com

8==D~~
APPENDIX B REFERENCES
8==D~~
RFC 3662

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] -Advisory- | =Thu Mar 16 14:08:47 EST 2006= | Off-by-one in Tripwire

2006-03-16 Thread Josh perrymon



-Advisory- | =Thu Mar 16 14:08:47 EST 2006= | Off-by-one in Tripwire




+++
[+] HISTORY
+++
2/22/2006 [+] Vendor Notification.
3/16/2006 [+] Public Disclosure.
+++
[+] WORKAROUND
+++
This issue has no identified workarounds on the problem.
+++
[+] CVE INFORMATION
+++
The Common Vulnerabilities and Exposures (CVE) project has assigned the name 
CVE-2006-246518 to this issue

+++
APPENDIX A VENDOR INFORMATION
+++
http://www.tripwire.com/

+++
APPENDIX B REFERENCES
+++
RFC 2615



[Full-disclosure] Advisory 2006-03-11 Directory Transversal in Apple MacOSX

2006-03-11 Thread Josh perrymon
Advisory 2006-03-11 Directory Transversal in Apple MacOSX

I. BACKGROUND

Advisory marked for immediate release.

II. DESCRIPTION

Remote exploitation of a directory traversal vulnerability in Apple MacOSX 
could allow attackers to overwrite or view arbitrary files with user-supplied 
contents.

III. HISTORY

This advisory has no history.

IV. WORKAROUND

There are no known workarounds.

V. VENDOR RESPONSE

Apple MacOSX has not commented on this issue.

VI. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2006-442315 to this issue.

APPENDIX A. - Vendor Information
http://www.apple.com/macosx/
APPENDIX B. - References
NONE

CONTACT:
*Josh perrymon [EMAIL PROTECTED]
*1-888-LOL-WHAT
*CISSP GSAE CCE CEH CSFA GREM SSP-CNSA SSP-MPA GIPS GHTQ GWAS




RE: [Full-disclosure] Re: 0-day for sale on ebay - New auction!

2005-12-13 Thread Josh Perrymon
This guy is now selling an autographed poster...  You gotta be kidding
me ... WTF?

JP 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Monday, December 12, 2005 5:46 PM
To: full-disclosure@lists.grok.org.uk
Subject: [Full-disclosure] Re: 0-day for sale on ebay - New auction!

It looks like the same person opened another auction: 

http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&item=6588680836 

--
Please do not reply to this address 






[Full-disclosure] Requirements for Security Companies to Perform Federal Penetration Testing

2005-12-06 Thread Josh Perrymon
Hey Guys,

I'm doing some research about performing federal level work.

Anyone have any resources listing requirements for a company to contract/ 
perform federal network security work? Pen-testing for example?

If I remember you have to pass certain clearance levels and pass an internal 
audit...  then it's off to the bidding process?

How would someone like the Fed gov. qualify the staff or skill sets?

Thanks!

Joshua Perrymon
Sr. Security Consultant
perrymonj( at )networkarmor.com




RE: [Full-disclosure] Hacking Boot camps!

2005-12-01 Thread Josh Perrymon
Very True..

The BBS and door games back in the day kept me interested to learn and
luckily I get to do security full time now...  it's just fun.. (
mostly )

I remember back when we were all playing doom on 9600 modems and
hacking around with the USR robotic connection strings..  I really
enjoyed that.
It sparked a pure interest in learning about those damn computers :)

I learned my first hack setting up the same software and door games as
the BBS had at home and learning what files did what and where the
configs were :)

Not trying to get into some old skool kick or anything( I'm not even 30
yet )
I just got lucky enough to do something I really enjoy.

JP

ANSI IS STILL COOL

-Original Message-
From: bkfsec [mailto:[EMAIL PROTECTED] 
Sent: Thursday, December 01, 2005 3:42 PM
To: Josh Perrymon
Cc: xyberpix; wilder_jeff Wilder; full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Hacking Boot camps!

Josh Perrymon wrote:

>WildCAT BBS Anyone  :)
>
>I remember playing tradewars and calling who knows where to get new
text
>files :)
>
>Used Tone-loC a lot more back then :)
>
>  
>
And Renegade, WWIV, MajorBBS + clones... Those were the days.  I 
remember Tradewars, but I was more of a BRE fan myself.  L.O.R.D. was 
good for a laugh.

Heh.   Satan and l0pht releases as well as quota-based download queues 
which required equal uploads to be able to get anything.

I have to say, the best way to get an education in hacking is to 
actually set up a private network and start banging on things.  I think 
that actual experience is worth so much more than degrees or reading 
text files.  The bottom feeder script kiddies couldn't hold a candle to 
what we were doing those days.

 -bkfsec







RE: [Full-disclosure] Hacking Boot camps!

2005-11-30 Thread Josh Perrymon
Hey hey

Now you're getting fancy...

I had a lot of fun in those days...  I was just a wee lad :)

-Original Message-
From: Christopher Carpenter [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, November 30, 2005 3:06 PM
To: Josh Perrymon; xyberpix; wilder_jeff Wilder
Cc: full-disclosure@lists.grok.org.uk
Subject: RE: [Full-disclosure] Hacking Boot camps!

Don't forget WWIV and Vision-X. :)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Josh
Perrymon
Sent: Wednesday, November 30, 2005 11:59 AM
To: xyberpix; wilder_jeff Wilder
Cc: full-disclosure@lists.grok.org.uk
Subject: RE: [Full-disclosure] Hacking Boot camps!

WildCAT BBS Anyone  :)

I remember playing tradewars and calling who knows where to get new text
files :)

Used Tone-loC a lot more back then :)

JP

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of xyberpix
Sent: Tuesday, November 29, 2005 5:52 PM
To: wilder_jeff Wilder
Cc: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Hacking Boot camps!

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Wow!!

Now I feel really dated!
That was good fun to play with though ;-)

xyberpix

On 23 Nov 2005, at 05:57, wilder_jeff Wilder wrote:

>
> Speaking of script kiddie stuff... bbs's and the like...
>
> anyone remember VCL?.. virus creation labratory?
>
>
> -Jeff Wilder
> CISSP,CCE,C/EH
>
>
>
> -BEGIN GEEK CODE BLOCK-
>  Version: 3.1
>   GIT/CM/CS/O d- s:+ a C+++ UH++ P L++ E- w-- N+++ o-- K- w O- M--
>   V-- PS+ PE- Y++ PGP++ t+ 5- X-- R* tv b++ DI++ D++
>   G e* h--- r- y+++*
> --END GEEK CODE BLOCK--
>
>
>
>
>
>> From: ReK2GNULinux <[EMAIL PROTECTED]>
>> To: "Ivan ." <[EMAIL PROTECTED]>
>> CC: full-disclosure@lists.grok.org.uk
>> Subject: Re: [Full-disclosure] Hacking Boot camps!
>> Date: Tue, 22 Nov 2005 20:14:05 -0500
>>
>> I agree that is how we did it 10 + years a go there were no  
>> courses, no
>> books, just BBS's with docs and ezines.
>>
>> and still the bes

RE: [Full-disclosure] Hacking Boot camps!

2005-11-30 Thread Josh Perrymon
WildCAT BBS Anyone  :)

I remember playing tradewars and calling who knows where to get new text
files :)

Used Tone-loC a lot more back then :)

JP

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of xyberpix
Sent: Tuesday, November 29, 2005 5:52 PM
To: wilder_jeff Wilder
Cc: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Hacking Boot camps!

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Wow!!

Now I feel really dated!
That was good fun to play with though ;-)

xyberpix

On 23 Nov 2005, at 05:57, wilder_jeff Wilder wrote:

>
> Speaking of script kiddie stuff... bbs's and the like...
>
> anyone remember VCL?.. virus creation labratory?
>
>
> -Jeff Wilder
> CISSP,CCE,C/EH
>
>
>
> -BEGIN GEEK CODE BLOCK-
>  Version: 3.1
>   GIT/CM/CS/O d- s:+ a C+++ UH++ P L++ E- w-- N+++ o-- K- w O- M--
>   V-- PS+ PE- Y++ PGP++ t+ 5- X-- R* tv b++ DI++ D++
>   G e* h--- r- y+++*
> --END GEEK CODE BLOCK--
>
>
>
>
>
>> From: ReK2GNULinux <[EMAIL PROTECTED]>
>> To: "Ivan ." <[EMAIL PROTECTED]>
>> CC: full-disclosure@lists.grok.org.uk
>> Subject: Re: [Full-disclosure] Hacking Boot camps!
>> Date: Tue, 22 Nov 2005 20:14:05 -0500
>>
>> I agree that is how we did it 10 + years a go there were no  
>> courses, no
>> books, just BBS's with docs and ezines.
>>
>> and still the best way of doing it.
>>
>>
>>
>> Chris Fernandez
>>
>>
>>
>>
>>
>>
>>
>> Ivan . wrote:
>>
>>
>> nicely said.
>>
>> Set up your own lab at home, using vmware or alike and hack, crack  
>> all you like.
>>
>> On 11/22/05, InfoSecBOFH <[EMAIL PROTECTED]> wrote:
>>
>>
>>
>> In my opinion all of the so called "hacking training" out there is
>> horrible and nothing more than a money grab.  Look at the SANS
>> courseware, it is out of date and shit. The best training is to read,
>> google, and play on your own.
>> ___
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>>
>>
>>
>>
>> ___
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>>
>>
>>
>>
>>
>>
>>
>> --
>>  ---
>> | I WON'T TRADE HUMANISM FOR PATRIOTISM |
>>  ---
>> dias que se acuesta uno sin aprender algo es un dia malgastado
>> Microsoft is not the answer, Microsoft is the question, the answer  
>> is

[Full-disclosure] ICMP injection

2005-10-31 Thread Josh Perrymon
Anyone familiar with injecting ICMP or DNS packets with NC?

I heard HPING or Juggernaut may be the way to go?

JP 


RE: [Full-disclosure] Publicly Disclosing A Vulnerability

2005-10-05 Thread Josh Perrymon
Ok,

I have already worked with the Client and Vendor and the vendor is providing a 
free upgrade to the customer for no charge to correct the vulnerable issue. 
My focus is to protect the customer first...   The customer agreed that the 
vulnerability could be disclosed after they upgrade...

So I guess the only part of this I didn't care for was the vendor saying that 
they did not want me to release this information to the public. I think it's 
because the client would get the upgrade for free instead of paying for it.

JP


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Josh Perrymon
Sent: Wednesday, October 05, 2005 10:52 AM
To: full-disclosure@lists.grok.org.uk
Subject: [Full-disclosure] Publicly Disclosing A Vulnerability

Ok,

I believe in working with the Vendor to inform them of vulnerable software upon 
finding it in the wild and so on...
But I have a question...

While performing a pen-test for a large company I found a directory traversal 
vulnerability in a search program-
I used Achilles and inserted the DT attack in a hidden field and posted it to 
the web server. This returned the win.ini..
Cool..

Well... I called the company up and got the lead engineer on the phone.. He 
seemed a little pissed.
He told me that they found the hole internally a couple months ago but they 
don't want it public and they said I should not tell anyone about it because 
they don't want their customers at risk.

So I ask the list- what is more beneficial to the customer? Not publicly 
disclosing the risk and hoping that they follow the suggestions of the vendor 
to upgrade?  Or waiting 30 days and sending it out?



Joshua Perrymon
Sr. Security Consultant
Network Armor
A Division of Integrated Computer Solutions
perrymonj( at )networkarmor.com
Cell. 850.345.9186
Office: 850.205.7501 x1104




[Full-disclosure] Publicly Disclosing A Vulnerability

2005-10-05 Thread Josh Perrymon
Ok,

I believe in working with the Vendor to inform them of vulnerable software upon finding it in the wild and so on…

But I have a question…

While performing a pen-test for a large company I found a directory traversal vulnerability in a search program—

I used Achilles and inserted the DT attack in a hidden field and posted it to the web server. This returned the win.ini..

Cool..

Well… I called the company up and got the lead engineer on the phone.. He seemed a little pissed.

He told me that they found the hole internally a couple months ago but they don’t want it public and they said I should not tell anyone about it because they don’t want their customers at risk.

So I ask the list- what is more beneficial to the customer? Not publicly disclosing the risk and hoping that they follow the suggestions of the vendor to upgrade?  Or waiting 30 days and sending it out?

Joshua Perrymon
Sr. Security Consultant
Network Armor
A Division of Integrated Computer Solutions
perrymonj( at )networkarmor.com
Cell. 850.345.9186
Office: 850.205.7501 x1104
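The two posts above describe the same finding: a search form whose hidden field was fed a directory-traversal string, and the server answered with win.ini. As an added illustration, not code from the posts or from the vendor's search product, here is the file-resolution pattern that produces that outcome beside a hardened resolver that decodes, normalises and then proves the result still lies under the content root. The root `/srv/search/content`, the function names and the sample inputs are assumptions made for this demo.

```python
import os
import posixpath
from urllib.parse import unquote

# Assumed for this demo: the directory the search feature is allowed to serve from.
CONTENT_ROOT = "/srv/search/content"


def resolve_unsafely(root: str, requested: str) -> str:
    """The failing pattern: join the client-supplied name directly onto the root.

    Every '..' segment walks one level up, so a value such as
    '../../../windows/win.ini' resolves to a file far outside the root.
    """
    return os.path.normpath(os.path.join(root, requested))


def _decode_fully(value: str, rounds: int = 3) -> str:
    """Undo percent-encoding until it stops changing, so that '%2e%2e%2f' and the
    double-encoded '%252e%252e%252f' are both seen as the '../' they become."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def resolve_safely(root: str, requested: str) -> str:
    """Hardened resolver: decode, normalise, then prove the result stays under root."""
    root = os.path.normpath(root)
    decoded = _decode_fully(requested)
    # Windows file APIs accept '\' as a separator, so treat it as one before checking.
    decoded = decoded.replace("\\", "/")
    # Absolute paths and NUL bytes have no legitimate use in a file-name parameter.
    if decoded.startswith("/") or "\x00" in decoded:
        raise ValueError("rejected: absolute path or NUL byte in file name")
    # Collapse '.' and '..' with POSIX semantics, then anchor the result under root.
    candidate = os.path.normpath(os.path.join(root, posixpath.normpath(decoded)))
    # The check that matters: the final, normalised path must still lie inside root.
    # commonpath also catches the sibling-prefix trick ('/srv/search/content-old/...').
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError("rejected: path escapes the content root")
    return candidate


def is_rejected(requested: str, root: str = CONTENT_ROOT) -> bool:
    """Convenience wrapper for logging or tests: True when the hardened resolver refuses."""
    try:
        resolve_safely(root, requested)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed inputs: one normal request and a few traversal variants.
    for name in ["help/index.html", "../../../windows/win.ini",
                 "..%2F..%2Fwindows%2Fwin.ini", "..%252F..%252Fwindows%252Fwin.ini",
                 "..\\..\\windows\\win.ini"]:
        print(f"{name!r:45} unsafe -> {resolve_unsafely(CONTENT_ROOT, name)}"
              f"   hardened -> {'REJECTED' if is_rejected(name) else 'ok'}")
```

The point of the hardened version is that the decision is made on the final, fully normalised path rather than by searching the raw input for `..`; blocklisting the raw string is what the encoded and backslash variants defeat.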

RE: [Full-disclosure] CORE-Impact license bypass

2005-09-26 Thread Josh Perrymon
I just think that too many consultants are relying on automated tools to
do their job.  Don't get me wrong...  I use them on every project-

Nmap
Nessus
AMAP
MetaSploit
HPING2
VomiT
Acunetix
Etc.

For me I use the tools to help spot a vulnerable system then exploit the
system using Metasploit or with a known safe exploit I have collected.

I just don't know if I could pay 15k to have access to exploits.

-Original Message-
From: Marc Maiffret [mailto:[EMAIL PROTECTED] 
Sent: Monday, September 26, 2005 4:50 PM
To: Exibar; c0ntex; Josh Perrymon; full-disclosure@lists.grok.org.uk
Subject: RE: [Full-disclosure] CORE-Impact license bypass
Importance: Low


>   As far as automated tools go, bah, manually exploiting the 
> holes is certainly the way to go.  But, the automated tools 
> usually produce nice pretty reports that you can show the 
> client.  They just LOVEE pretty reports with many 
> bright colors and such for the good stuff and dark "hacker 
> like" colors for the bad stuff :-)
> 
>   Exibar

Why is manually exploiting holes the way to go? More so what do you mean
by manually? Writing the exploit yourself? (Few consultants can do that,
and even fewer can do that good). So maybe manually means downloading
hax0rw4ng495's exploit off bugtraq and using that? Or?

So I am curious what was the last SMB/RPC exploit that you saw that took
advantage of SMB/RPC fragmentation for stealth purposes of evading
IDS/IPS systems? I cant think of any that have done that but I can think
of an automated exploit system (Canvas) that does just that.

Or when was the last time you saw a good RPC remote exploit that was
able to take advantage of all known attack vectors?
139,445,dynamicport,rpc over http, bla bla bla. But again both of the
automated attack systems (canvas/core) do just that.

I'm playing devils advocate so its not that I completely disagree but I
think for the average consultant (99% of consultants) using an automated
solution like Core/Canvas is going to do far more for them.

Signed,
Marc Maiffret
Chief Hacking Officer
eEye Digital Security
T.949.349.9062
F.949.349.9538
http://eEye.com/Blink - End-Point Vulnerability Prevention
http://eEye.com/Retina - Network Security Scanner
http://eEye.com/Iris - Network Traffic Analyzer
http://eEye.com/SecureIIS - Stop known and unknown IIS vulnerabilities 

Important Notice: This email is confidential, may be legally privileged,
and is for the intended recipient only. Access, disclosure, copying,
distribution, or reliance on any of it by anyone else is prohibited and
may be a criminal offense.  Please delete if obtained in error and email
confirmation to the sender.  





RE: [Full-disclosure] CORE-Impact license bypass

2005-09-26 Thread Josh Perrymon
While on the topic of Impact...

What do you see as the real value of the program?
Is it just because it has all the exploits in there and it's GUI based?

What can you do with it you cant do by hand?

Also- how does it compare to CANVAS?

JP

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of c0ntex
Sent: Monday, September 26, 2005 3:27 PM
To: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] CORE-Impact license bypass

On 26/09/05, c0ntex <[EMAIL PROTECTED]> wrote:
> Sure, but you would hope that once your yearly license key had
> expired, you would not be able to use the program again, at least to
> exploit remote boxen.
>
> It's not a big deal and I don't want people thinking I am saying this
> is some 0day or anything, it's dumb but I thought it might be
> interesting.. to CORE in particular, since I guess they might be
> inadvertently loosing money that is rightfully theirs, CORE is a great
> product and deserves the $$$. hence the reason I have uninstalled it.
>
> Anyway, any more comments on this issue, send them to CORE.  :-)





RE: [Full-disclosure] CORE-Impact license bypass

2005-09-26 Thread Josh Perrymon
But the only way to get a copy of the pgm is if you buy it right?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of c0ntex
Sent: Monday, September 26, 2005 2:22 PM
To: Morning Wood
Cc: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] CORE-Impact license bypass

A 4. version  :-)

On 26/09/05, Morning Wood <[EMAIL PROTECTED]> wrote:
> been known since at least v3.2
> are you using a 3.x or a 4.x series?
> i belive the 4.x requires an auth from core before use
>
> - Original Message -
> From: "c0ntex" <[EMAIL PROTECTED]>
> To: 
> Sent: Monday, September 26, 2005 3:30 AM
> Subject: [Full-disclosure] CORE-Impact license bypass
>
>
> I seem to have stumbled over a bug in Core Impact
> licensing mechanisms that will allow anyone to continually use the
> Core Impact product even after the license has expired.
>
> This is not a security issue but it is, I feel, either an oversight or
> a "feature" which can be abused to utilise the Core Impact product for
> longer than designed / desired.
>
> In my "business funded" Core Impact install on this machine, the
> license expired at the end of last month and the usualy "Your license
> has expired" pop-up appears, however it is easy to re-enable Core to a
> working install by merely changing the system date on the PC to say a
> month before the product was due to expire. Oops  ;) I guess Core is
> using a very simplistic license mechanism.
>
> Emailed CORE two times, 1 week ago, no reply.
> --
>
> regards
> c0ntex
> ___
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>


--

regards
c0ntex



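c0ntex's report above turns on a license check that trusts the system clock alone, so setting the date back re-opens an expired install. As an added example, my own code and not Core Impact's licensing code (the thread does not describe its internals), here is an expiry check that also keeps a persisted high-water mark of the latest time it has ever observed: a reading that lies well before that mark is reported as a clock rollback instead of being accepted. The state store, the five-minute tolerance and the dates in the scenario are assumptions.

```python
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Assumed for the demo: the state the application persists between runs. In a
# real product this would live in a protected file or registry value with an
# integrity check, so that deleting it is itself treated as tampering.
State = Dict[str, Optional[str]]


def new_state() -> State:
    return {"last_seen": None}


def check_license(now_iso: str, expires_iso: str, state: State,
                  tolerance: timedelta = timedelta(minutes=5)) -> str:
    """Return 'ok', 'expired' or 'clock-rollback'.

    now_iso / expires_iso are ISO-8601 timestamps such as '2005-09-26T14:50:00'.
    state['last_seen'] is a high-water mark that only ever moves forward; a 'now'
    that falls more than `tolerance` before it means the clock was turned back.
    """
    now = datetime.fromisoformat(now_iso)
    expires = datetime.fromisoformat(expires_iso)
    last_seen = state["last_seen"]
    if last_seen is not None and now < datetime.fromisoformat(last_seen) - tolerance:
        # The reading is untrusted, so the mark is deliberately not touched here.
        return "clock-rollback"
    # Advance the mark before deciding, so an expiry that has been seen once is
    # remembered even if the user reacts by changing the date.
    if last_seen is None or now > datetime.fromisoformat(last_seen):
        state["last_seen"] = now.isoformat()
    if now > expires:
        return "expired"
    return "ok"


def run_scenario() -> List[str]:
    """Constructed timeline matching the thread: a license that ran out at the end of
    August 2005, a launch in September, then the clock set back a month, then restored."""
    state = new_state()
    expires = "2005-08-31T23:59:59"
    return [
        check_license("2005-08-15T09:00:00", expires, state),  # within term
        check_license("2005-09-26T14:50:00", expires, state),  # after term
        check_license("2005-07-31T14:50:00", expires, state),  # date rolled back
        check_license("2005-09-26T14:51:00", expires, state),  # date restored
    ]


if __name__ == "__main__":
    for step, verdict in zip(("in term", "after expiry", "clock set back", "clock restored"),
                             run_scenario()):
        print(f"{step:15} -> {verdict}")
```

A high-water mark defeats the simple rollback but not someone who also deletes or edits the stored state, which is why the comment above ties the store to an integrity check; a server-side activation, as Morning Wood mentions for the 4.x series, removes the dependence on the local clock altogether.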


RE: [Full-disclosure] Exploiting an online store

2005-09-14 Thread Josh Perrymon
I know that bad programming habits exist on some of the sites out there and 
still use Hidden fields to pass prices over.. Although not very common, I 
found one this morning after sending the email...
 
My question is more on the theory I suppose...  What laws are out there to 
protect against this after-the-fact? Is it true that if the seller closes the 
deal by sending you the merchandise then they have no case and can't go back 
and charge you?
 
Seems there should be something out there providing protection if the system is 
automated... Even though there should be checks in place people do have small 
budgets and rush a lot of the smaller E-com stores out.
 
JP

-Original Message- 
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
Sent: Wed 9/14/2005 7:35 PM 
To: Gadi Evron 
    Cc: Josh Perrymon; full-disclosure@lists.grok.org.uk 
Subject: Re: [Full-disclosure] Exploiting an online store 




[Full-disclosure] Exploiting an online store

2005-09-14 Thread Josh perrymon
I was reading an article about an attacker that could have changed a price in an online shopping cart-

Snip

Next, Reshef performed a little number he calls ``electronic shoplifting'': He edited the site's online order form to reduce the price of a book from $22.95 to $2.95. Had he gone a few steps farther, Reshef actually could have purchased the book for the reduced price, adding a whole new spin to Priceline.com's ``name-your-own-price'' marketing campaign.

Reshef's exploits didn't require any sophisticated software or particularly detailed knowledge of computer code. ``The only thing you need is an HTML editor that comes bundled with your Netscape or Internet Explorer browser,'' he said. ``There is no magic to this.''

What are laws on this??  What if the guy did make the transaction using his credit card? Since it is just a web transaction sending html from the client to the server what proof would they have?

Joshua Perrymon

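The article quoted above, and Josh's follow-up about sites that still pass prices in hidden fields, describe price tampering: the order form carries the price in a field the browser controls, so editing it changes what the server charges. As an added example, my code rather than the article's or any store's, here is the checkout pattern that trusts the posted field beside a hardened one that recomputes the total from the server-side catalog and flags any mismatch for review. The SKU, the catalog, and the dict standing in for a parsed POST body are constructed; only the $22.95 and $2.95 figures come from the article.

```python
from decimal import Decimal
from typing import Dict, List

# Constructed catalog: the server's own record of prices. The SKU is made up.
CATALOG: Dict[str, Decimal] = {"book-1138": Decimal("22.95")}


def total_trusting_client(form: Dict[str, str]) -> Decimal:
    """The pattern from the article: the hidden 'price' field is taken at face value,
    so an order form edited to say 2.95 is charged 2.95."""
    return Decimal(form["price"]) * int(form["qty"])


def total_from_catalog(form: Dict[str, str],
                       catalog: Dict[str, Decimal] = CATALOG) -> Decimal:
    """Hardened checkout: the client chooses what and how many, never what it costs."""
    sku = form["sku"]
    if sku not in catalog:
        raise ValueError(f"unknown sku {sku!r}")
    qty = int(form["qty"])
    # Bound the quantity too: negative or absurd counts are the same class of bug.
    if not 1 <= qty <= 100:
        raise ValueError(f"quantity {qty} out of range")
    return catalog[sku] * qty


def tamper_findings(form: Dict[str, str],
                    catalog: Dict[str, Decimal] = CATALOG) -> List[str]:
    """Detection hook: an order whose posted price disagrees with the catalog was
    edited client-side and deserves a log line and a review, not a shipment."""
    findings: List[str] = []
    sku = form.get("sku")
    posted = form.get("price")
    if sku in catalog and posted is not None and Decimal(posted) != catalog[sku]:
        findings.append(f"sku={sku} posted_price={posted} catalog_price={catalog[sku]}")
    return findings


if __name__ == "__main__":
    # Constructed POST body: the shopper changed the hidden price from 22.95 to 2.95.
    edited_form = {"sku": "book-1138", "qty": "1", "price": "2.95"}
    print("trusting client:", total_trusting_client(edited_form))
    print("from catalog:   ", total_from_catalog(edited_form))
    for line in tamper_findings(edited_form):
        print("ALERT price tampering:", line)
```

The hardened total does not read the posted price at all; the separate `tamper_findings` pass exists so that a store can keep the legacy field in its forms during migration and still see, in its logs, which orders were edited.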

RE: [Full-disclosure] Massive Enumeration Toolset

2005-08-30 Thread Josh perrymon
I think you would specify python google web --key=obuffuscated from the
command line and not within the interpreter.. Like most *nix
interpreters you are passing google web --key=obuffuscated as a
variable..

Probably have to add the python dir into your path statement.

JP

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of y0himba
Sent: Tuesday, August 30, 2005 2:31 PM
To: full-disclosure@lists.grok.org.uk
Subject: RE: [Full-disclosure] Massive Enumeration Toolset

 Python 2.4.1 (#65, Mar 30 2005, 09:13:57) [MSC v.1310 32 bit (Intel)]
on
win32
Type "help", "copyright", "credits" or "license" for more information.
>>> python google web --key=obuffuscated
  File "", line 1
python google web --key=obuffuscated
^
SyntaxError: invalid syntax
>>>

Weird?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Morning
Wood
Sent: Tuesday, August 30, 2005 2:28 PM
To: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Massive Enumeration Toolset

works for me

C:\Python23\Scripts>python google web --key=obuffuscated
URL: http://www.ets.org/toefl/
URL: http://community.sparknotes.com/
URL: http://www.test.com/
URL: http://www.act.org/
URL: https://grc.com/x/ne.dll?bh0bkyd2
URL: http://www.sentex.net/~mmcadams/spelling.html
URL: http://www.bandwidthplace.com/speedtest/
URL: http://www.iqtest.com/
URL: http://www.collegeboard.com/
URL: http://www.politicalcompass.org/

C:\Python23\Scripts>







RE: [Full-disclosure] Massive Enumeration Toolset

2005-08-30 Thread Josh perrymon
I had the same issue. There is a windows installer but the directions I
think were based on *nix referencing /usr/bin. 

To me it sounds like script based utilities due to all the arguments
passed but I had no luck locating it yet.. but I haven't had time to
look.

JP

-Original Message-
From: CrittendenIV [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, August 30, 2005 1:07 PM
To: 'Petko Petkov'; Josh perrymon; pen-test@securityfocus.com;
full-disclosure@lists.grok.org.uk
Subject: RE: [Full-disclosure] Massive Enumeration Toolset

Very cool. However, I am having issues getting it to run on Windows. I have
python installed. Is there a quickstart?

Thanks
CrittendenIV

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Petko
Petkov
Sent: Tuesday, August 30, 2005 8:24 AM
To: Josh perrymon; pen-test@securityfocus.com;
full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Massive Enumeration Toolset

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
 
Massive Enumeration Toolset is a collection of python based scripts.
However, you can use it as a library if you want to code your own tools.
I hope it is easy to use.

The main Google tool is called google. After installation this tool
should be in /usr/bin/ ...
You can use the tool in many different ways:

* Download all VPN configuration files from the net and hack into them
google web --tool=mobile -r100 -d5 -l:10 'main filetype:pcf'
- --exec='wget -x %(URL)'

* Test via GHDB
google ghdb --database=ghdb.xml --tool=mobile
- --filter='querystring.find("asp")>=0' 'site:microsoft.com'

* Download cache via Google API
google cache http://www.microsoft.com --key=your_key
google cache http://www.microsoft.com --output=index.html --key=your_key

* Download cache via Google Mobile (you don't need license key)
google cache http://www.micorosft.com --tool=mobile

* Get Google Sets
google sets microsoft linux

* Get Google Spell
google spell 'icorosft indows'

* Google Images (similar to WEB) - get all images from microsoft.com
sleeping every one second, getting 100 results per query, running on 6
levels (0 - 5)
google images --tool=mobile 'site:microsoft.com' -d1 -r100 -l:5

* Google Web
google web --key=your_key 'pentesting'

* Google Web - get snips
google web --tool=mobile 'pentesting' -S -T -U -s

* Google Web - download pages
google web --tool=mobile 'site:microsoft.com' --exec='wget -x %(URL)'

There are many more options that I cannot discuss here. I should write
a tutorial. :)

Josh perrymon wrote:

> I think this is of great use to pen-testers. How do you use the
> software? If is a separate pgm or script based?
>
> JP
>
> -Original Message- From:
> [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of
> Petko Petkov Sent: Tuesday, August 30, 2005 9:34 AM To:
> pen-test@securityfocus.com; full-disclosure@lists.grok.org.uk
> Subject: [Full-disclosure] Massive Enumeration Toolset
>

> Hello everybody,
>
> I've been playing around with Google and Googles' API in the last
> two months. I found out that Google is extremely powerful when it
> comes to passive enumeration. This is the reason why I put myself
> into coding a small tool, or library if you like, that can perform
> various information-gathering techniques. So far, I have
> implemented Google. I have other interesting ideas that I will put
> into code later.
>
>
> The tool can be downloaded from:
> http://www.gnucitizen.org/met/download/
>
>
> You need python in order to execute it. I want to make it clear
> that this is POC. Do not use it for hacking, and please read
> Google's Terms of Service first from the following address:
> http://www.google.co.uk/intl/en/terms_of_service.html
>
> On the other hand I am very interested to know how you find the
> tool. I am open to any suggestions and contributions as long as
> they match my initial idea.
>
> Thanks and have fun.
>
>
>
>
>







-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.1 (MingW32)
 
iD8DBQFDFHn7Ff/6vxAyUpgRApc8AJ9tvyKEOE3+CQvKo9Gg00CxS6vZuACgpGbA
OtYGMRBi/TelxpOp7tFm1w8=
=GqxR
-END PGP SIGNATURE-




