Re: [Full-Disclosure] Crash IE with 11 bytes ;)

2004-07-24 Thread The Central Scroutinizer
IE 5.x, 6.x SP1. CSS memory corruption vulnerability. All you need to do is

[Full-Disclosure] Damb Beagles

2004-07-27 Thread The Central Scroutinizer



Where are these damb Beagles coming from?
 
The Central Scroutinizer


Re: [Full-Disclosure] Damb Beagles

2004-07-27 Thread The Central Scroutinizer



Todd,
 
Err, I do not follow your English, the meaning of or the reasoning behind your repeated posting?
 
TCS

- Original Message -
From: Todd Towles
To: 'The Central Scroutinizer'; [EMAIL PROTECTED]
Sent: Tuesday, July 27, 2004 9:24 PM
Subject: RE: [Full-Disclosure] Damb Beagles

I don't know but I know the Netsky team has some work to do. I had the Netsky team and I am going to lose a RED BULL - if Beagle keeps going like it does. lol

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of The Central Scroutinizer
Sent: Tuesday, July 27, 2004 2:25 PM
To: [EMAIL PROTECTED]
Subject: [Full-Disclosure] Damb Beagles

Where are these damb Beagles coming from?

The Central Scroutinizer


Re: [Full-Disclosure] Damb Beagles

2004-07-27 Thread The Central Scroutinizer



Presumably they are a variant of Beagle itself on someone's system who has Full Disclosure in their address book? Or someone is playing lame, hoping to infect a Full Disclosure reader?
 



Re: [Full-Disclosure] Crash IE with 11 bytes ;)

2004-07-28 Thread The Central Scroutinizer
Here's a detailed description of what's going wrong with <STYLE>@;/*
The problem is the unterminated comment "/*"; IE computes the length of
the comment for a memcpy operation by subtracting the end pointer from
the start pointer. The comment starts behind "/*" and should end at "*/",
but since there is no terminator, the start of the string is used. IE
therefore calculates the string to be -2 unicode characters long. The
subsequent memcpy will try to copy 0xFFFE bytes until it gets a read
or write exception. (You will see the offending instruction is a REP
MOVSD.)

Unfortunately for us hackers, I believe you cannot control the length
value for the memcpy other than setting it to -2. So you will always cause
a read or write exception. You will only overwrite a small part of the
heap before the exception is caused, so overwriting the SEH to control
execution is also ruled out.

Conclusion: lame DoS

I did find another way to use this to cause an exception at a different
location:
<SCRIPT>
 d = window.open().document;
 d.write("x");
 d.body.innerHTML = "
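The length bug described above, modelled in C as an added example (this is not IE's code and not part of the original post). The CSS text is represented as an array of 16-bit units to mirror the "unicode characters" in the analysis, the sample inputs are constructed here, and the model assumes that a failed search for the terminator leaves the end pointer at the "/*" token, two units before the comment body, which is what reproduces the -2 the post reports. The vulnerable function returns the wrapped length; the hardened version beside it treats an unterminated comment as an error and bounds the copy by the caller's buffer.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example: toy model of the comment-length computation, NOT IE code.
 * Text is an array of 16-bit units (uint16_t) standing in for UTF-16. */

#define UNITS(a) (sizeof(a) / sizeof((a)[0]))

/* Constructed inputs (not taken from any real page). */
static const uint16_t kUnterminated[] = { '@', ';', '/', '*' };            /* "@;" then slash-star, no terminator */
static const uint16_t kTerminated[]   = { '/', '*', 'a', 'b', '*', '/' };  /* slash-star "ab" star-slash */
static const uint16_t kNoComment[]    = { 'a', ';' };                      /* no comment at all */

/* Index of the first slash-star in s[0..n), or -1 if there is none. */
static long find_comment_open(const uint16_t *s, size_t n) {
    for (size_t i = 0; i + 1 < n; i++) {
        if (s[i] == '/' && s[i + 1] == '*') {
            return (long)i;
        }
    }
    return -1;
}

/* Vulnerable model. The body starts two units after the opener. The scan
 * for star-slash leaves 'end' where the search began (at the opener) when
 * no terminator exists (model assumption), so end - start is -2, which as a
 * 16-bit unsigned count is 0xFFFE: the value a memcpy would then be given. */
static uint16_t comment_len_vuln(const uint16_t *s, size_t n) {
    long open = find_comment_open(s, n);
    if (open < 0) {
        return 0;
    }
    const uint16_t *start = s + open + 2;
    const uint16_t *end = s + open;
    for (const uint16_t *p = start; p + 1 < s + n; p++) {
        if (p[0] == '*' && p[1] == '/') {
            end = p;
            break;
        }
    }
    return (uint16_t)(end - start);   /* negative difference wraps to 0xFFFE */
}

/* Hardened version: an unterminated comment is an error, the length can
 * never go negative, and the copy is bounded by the caller's buffer.
 * Returns the number of units copied, or -1. */
static int copy_comment_safe(const uint16_t *s, size_t n,
                             uint16_t *out, size_t out_units) {
    long open = find_comment_open(s, n);
    if (open < 0) {
        return -1;
    }
    size_t start = (size_t)open + 2;
    size_t end = start;
    int terminated = 0;
    for (; end + 1 < n; end++) {
        if (s[end] == '*' && s[end + 1] == '/') {
            terminated = 1;
            break;
        }
    }
    if (!terminated) {
        return -1;                 /* refuse instead of computing a bogus length */
    }
    size_t len = end - start;      /* end >= start here, so no wrap-around */
    if (len > out_units) {
        return -1;
    }
    memcpy(out, s + start, len * sizeof(uint16_t));
    return (int)len;
}

/* Runs the hardened copy over an input with a fixed 8-unit output buffer. */
static int safe_copy_result(const uint16_t *s, size_t n) {
    uint16_t out[8];
    return copy_comment_safe(s, n, out, UNITS(out));
}

int main(void) {
    printf("vulnerable length for \"@;/*\": 0x%04X units\n",
           comment_len_vuln(kUnterminated, UNITS(kUnterminated)));
    printf("hardened copy of \"@;/*\": %d (rejected)\n",
           safe_copy_result(kUnterminated, UNITS(kUnterminated)));
    printf("hardened copy of \"/*ab*/\": %d units\n",
           safe_copy_result(kTerminated, UNITS(kTerminated)));
    return 0;
}
```

The point of the pair is that the fix is not in the copy but in the length derivation: a scanner that reports "not found" by leaving a pointer behind the body start will always produce a negative difference, and a signed-to-unsigned conversion turns that into a near-maximal count.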

[Full-Disclosure] Exploit-InvCSS

2004-07-29 Thread The Central Scroutinizer



> <SCRIPT>
>  d = window.open().document;
>  d.write("x");
>  d.body.innerHTML = "

Re: [Full-Disclosure] Damb Beagles

2004-07-29 Thread The Central Scroutinizer
> Which shouldn't be so hard because there are also idiots here and a lot of
> Windows users...

> Does that imply that Windows users are worse than idiots? :)

No, we are just a bit lame :)
This is mainly due to WYSIWYG and other niceties...

TCS

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] Getting the lead out of broken virus / worm email meta-reporting

2004-08-03 Thread The Central Scroutinizer
> How fast is fast? The time it takes an av, spyware or firewall
> company to react to a real-time threat. I think there is going
> to have to be a pooling of anti-virus, mail sweeping and firewall
> protection knowledge. There should be a central policy that
> can be reported and distributed to the various vendors and
> clients that autoupdates the protecting software. Simply a
> crisis-mail-alert with appropriate information for translation into a
> protecting shield that updates all av, mail and firewall
> utilities.
>
> Has anyone written or read a spec. on standardizing worm, virus
> or other alerts with not just "there's a 'sploit", but a method of
> reporting the 'sploit or adware, malware in a way that the
> vendors and clients could instantly counter with a new filter or
> fix?

See:
http://www.eeye.com/html/Research/Advisories/
http://www.cve.mitre.org/

I agree there should be an open standard and common public libraries of
exploits and fixes.

Aaron


Re: [Full-Disclosure] The 'good worm' from HP

2004-08-22 Thread The Central Scroutinizer
Would it not be better to have a standard secure backdoor provided by a
security package that could be downloaded or installed from disk and works hand
in hand with port scanning software, if this is really necessary? I am
surprised Microsoft have not released such a piece of software; maybe a
third party has.

Aaron
- Original Message - 
From: "Todd Towles" <[EMAIL PROTECTED]>
To: "joe" <[EMAIL PROTECTED]>
Cc: "Mailing List - Full-Disclosure" <[EMAIL PROTECTED]>
Sent: Sunday, August 22, 2004 7:15 PM
Subject: RE: [Full-Disclosure] The 'good worm' from HP


I hope it is a bad choice of words. He is a VP, should I say more?
Even if it is a controlled worm that moves around in the internal
network patching computers, it sounds like a very stupid idea.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Sunday, August 22, 2004 8:20 AM
To: Todd Towles; [EMAIL PROTECTED];
[EMAIL PROTECTED]
Subject: RE: [Full-Disclosure] The 'good worm' from HP
Allan is right. I didn't notice people calling it a worm.

From the article at InfoWorld...

We've been working with (customers) for the last month now," said Tony
Redmond, vice president and chief technology officer with HP Services in
an interview.

"This is a good worm," said Redmond. "It's turning the techniques (of
the
attackers) back on them."

Possibly he used a bad choice of words.

I definitely agree though that you probably shouldn't be "infecting"
machines to patch them. In order to patch through a hole like that you
are running code through that hole and that is the same as infecting in
my book, you just aren't propagating. You could still make the machine
unstable or cause other issues. I think my preference would be something
along the lines of what the NetSquid project is doing, mentioned
previously, but be more aggressive. Sure, have the feed from SNORT to
actively go out and pop the machines currently sending bad traffic, but
also scan for machines that *could* get infected and shut them down as
well. That would be a good use of this tech HP is working on: simply
identify the machines. However, others have done similar in terms of
detection so that wouldn't be nearly as new and daring. They could do a
good thing by making it fully supported by a big name, stable, quick, and
part of an overall framework for protecting the network environment.

 joe

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Todd Towles
Sent: Saturday, August 21, 2004 8:58 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: [Full-Disclosure] The 'good worm' from HP



RE: [Full-Disclosure] The 'good worm' from HP

2004-08-23 Thread The Central Scroutinizer



> It's called WindowsUpdate?

That cannot be used locally/internally by an organization.

Aaron
 


[Full-Disclosure] Wanted: Sasser executable and derivatives

2004-06-26 Thread The Central Scroutinizer



Hi,
 
I intend to study Sasser and its derivatives and am after executables in
order to disassemble and reconstruct them back to source.

As I say, this is for study purposes only :)

I am looking for:
    avserve.exe - Sasser.A
    avserve2.exe - Sasser.B, plus any xxx_up.exe files
    Sasser.C executable
    skynetave.exe - Sasser.D
    lsasss.exe - Sasser.E
    napatch.exe - Sasser.F
    Sasser.G executable

Either the compacted executables or decompacted, or both.
 
Many thanks in advance,
 
The Central Scroutinizer
 


[Full-Disclosure] Wanted: Sasser executable and derivatives

2004-06-26 Thread The Central Scroutinizer



Hi again,
 
Would you please send any executables directly to me, zipped and encoded
with a password, in order to get through my e-mail anti-virus software.
 
Many thanks
 
CS