I may be rusty with knowledge about mIRC (say almost 10 years out of
date)... but, in what situation would the pipe ('|') ever be processed from a
variable, even if it was read from an MP3 ID3?
> Although the vulnerabilities are hard to exploit, it's not impossible.
> There are some restrictions to bypass:
>
> - The path name is formatted in Unicode, so we have to find an opcode at an
> address with a Unicode format
> - The shellcode has to be in the path name so we have to use an Alp
I actually looked into this when you posted this on milw0rm. I was able to get
it to run arbitrary code, however it was so unreliable it wasn't worth me
posting... however, it was informative.
you have control of several registers, however it's eax and edx (not ecx) that
are most interesting...
rflow exploit. ]*
* *
* by: vade79/v9 [EMAIL PROTECTED] (fakehalo/realhalo)*
* *
* co
just for fun...
original exploit references:
http://fakehalo.us/x3proxy-win32.c
http://fakehalo.us/x3proxy.c
example(win32 service):
-
[EMAIL PROTECTED] v9]$ gcc x3proxy-win32.c -o x3proxy-win32
[EMAIL PROTECTED] v9
Here are some DNS servers I gathered/scanned during the time I researched
this months ago (that appear to still be up):
Just remember when you test/capture packets that the domain being
resolved must NOT exist (i.e. "x").
On Thu, 2 Mar 2006, Gadi
Original reference:
http://fakehalo.us/xosx-passwd.pl
-
#!/usr/bin/perl
#
# /usr/bin/passwd[OSX]: local root exploit.
#
# by: vade79/v9 [EMAIL PROTECTED] (fakehalo/realhalo)
#
# (Apple) OSX's /usr/bin/passwd progra
While you're on the subject of the potentials of DOSing using DNS servers, I
noticed several months ago some possible abuses myself, although I soon lost
interest for some reason or another.
I noticed that a portion of the world's DNS servers for some reason or another
send back large amounts of
ah, that would be what i did when testing ("client"), sorry for the
false/confusion with that... anyways, great software, i use it for my vpn
needs... nicely documented and easy to use -- thanks for its existence.
> Vade79,
>
> Thanks for your efforts in finding this! I've just released OpenVPN 2.0.4
[EMAIL PROTECTED]: OpenVPN[v2.0.x]: foreign_option() format string
vulnerability.
1. BACKGROUND
OpenVPN is a robust and highly configurable VPN (Virtual Private Network) daemon which
can be used to securely link two or more private networks using an encrypted tunnel over
the Internet. OpenVPN'
xman doesn't drop privileges anywhere in the
program. but, does support suid installation. so,
exploiting via a system call is much easier than the
buffer overflow in MANPATH, mentioned in another
bugtraq posting. here is an example of such an
exploitation possibility:
-- xxman.sh -
> No news here.
>
> The author's site indicates that he found the bug under IRIX 6.2.
> That release of IRIX is around 5 years old. SGI released a Security
> Advisory on the netprint issue in December of 1996 which included
> information on a patch which fixes it. See SGI's security site at:
>
i haven't audited anything in some time. well, i
just noticed this because i am doing a project
with a name similar to "netprint" and i was
wondering if it was at all related to what i was
doing. it wasn't. but, i noticed it was setuid
root and had a little bug.
this bug takes advantage of the