For years I've been actively participating in CTFs (mostly playing, but also
organizing some of them) and I'm a member of a well-known CTF team... So let
me throw some constructive words about CTFs in general and Defcon's in
particular. Inline responses/comments follow:
Vulcan DDtek wrote:
> DT ask
Folks at @vupen seem to have exploited it the hard way.
"We successfully exploited the recent Sudo local root / format string vuln
including full bypass of FORTIFY_SOURCE #GotRoot"
Src:
https://twitter.com/#!/VUPEN/status/165454997444767745
Cheers,
-Román
joernchen of Phenoelit wrote:
> Hi,
Hi,
For those interested in CTFs, wargames, etc... This is the complete
walkthrough to one of them: the Spanish SbD wargame held ~1 month ago.
Written by the winning team: int3pids.
http://www.rs-labs.com/papers/int3pids_SbD2011_write_up.pdf
Cheers,
-Román
__
ss-release).
Thanks to all who played with us :)
PS: Again, this has nothing to do with the current RootedCON congress/organization.
Cheers,
-Roman
Roman Medina-Heigl Hernandez wrote:
> Hello,
>
> Next Friday I will be running a web-based challenges contest. The winner will
> be awarded t
Hello,
Next Friday I will be running a web-based challenges contest. The winner will
be awarded the new iPod touch from Apple. Thanks to Hispasec Sistemas
(you probably know them as the makers of the VirusTotal service) for
sponsoring the prize.
Full info (registration currently open):
http://www.r
===
- Rooted CON 2010 -
C A L L F O R P A P E R S
===
.: [ ABOUT ]
Rooted CON is a Security Congress to be held in Madrid (Spain) in
March 2010. Our goal is to p
bs.com/exploitsntools/rs_pocfix.sh
[EMAIL PROTECTED]:~$ chmod a+x rs_pocfix.sh
[EMAIL PROTECTED]:~$ ./rs_pocfix.sh
#
# "rs_pocfix.sh" (PoC for Postfix local root vulnerability: CVE-2008-2936)
# by Roman Medina-Heigl Hernandez a.k.a. RoMaNSoFt <[EMAIL PROTECTED]>
#
# Tested: Ubuntu / Debia
Pen Testing wrote:
> I've launched AppScan against a web application and I'm being
> blocked/banned (since I have a dynamic IP I can reboot my router and
> get another IP, which is shortly banned again, as long as the attack
> persists). Since AppScan doesn't have any kind of IDS evasion (AFAIK
Hello ppl,
Could somebody provide a good link (FTP mirror) containing past
presentations and videos of well-known security conferences (Defcon, CCC, etc.)?
Some kind of sorted archive would help :)
I used "opensores.thebunker.net" in the past but it seems not to exist now...
--
Regards,
-Roman
PGP Fin
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Hello,
I've been playing with the DHCPd bug in *Ubuntu Linux*. According to the
analysis by Core, it could theoretically be possible to get a shell ("the
possibility of using it to execute arbitrary code on vulnerable systems was
not investigated in-depth
rofile/s of enterprise/s buying exploits? (without naming
particular enterprises, of course).
Simon Smith wrote:
> Oh,
> About your ROI question, that varies per buyer. I am not usually told
> about why a buyer needs something as that's none of my business.
>
>
Simon Smith wrote:
> Amen!
> KF is 100% on the money. I can arrange the legitimate purchase of most
> working exploits for significantly more money than iDefense, in some cases
> over $75,000.00 per purchase. The company that I am working with has a
> relationship with a legitimate buyer, al
racism. But, I
> remember this bug from a while back and I think there was a pointer
> dereferenced before the function returns (which is common with most of
> the CDE bugs). The 64 bit pointer is of course 8 bytes of the string you
> use to smash the buffer, and it requires some NULL b
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
PERFECT.MATERIAL wrote:
> Correction, TRU64 runs on Alphas in LSB mode. However, this bug is still
> not exploitable. Sorry for the NETRAGARD-like fuckup :D
I didn't have enough time to test this, but at first sight it seems
perfectly exploitable.
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Roman Medina-Heigl Hernandez wrote:
>>> Product Name: dtmail
>>> Product Version : 5.1b
>>> Vendor Name : Hewlett Packard
>>> Criticality : Local Root Compromise
&g
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
> Product Name : dtmail
> Product Version : 5.1b
> Vendor Name : Hewlett Packard
> Criticality : Local Root Compromise
> Effort: Easy
> Operating System : Tru64
> Type
Hello str0ke,
I reviewed the exploits listed. Yes, all of them use the shell, but they
exploit trivially shell-exploitable bugs (like race conditions, LD_PRELOAD,
etc.) or include other "external" programs (like cc, perl, etc.) or assume
Linux/bash as well as other more or less recent environments.
Alice Bryson wrote:
> hi there
> http://www.lwang.org provides a free online encode and decode service
> website, including base64, hashes, cipher analysis, etc.
Which is your preferred/most complete *Windows* toolkit for performing a
similar task? Ideally a simple .exe including a GUI and feat
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Maybe this is obvious for Paul Starzetz (as well as many other people) but
full-disclosure is not really "full" without exploit code.
Working exploit attached. You can also download it from:
http://www.rs-labs.com/exploitsntools/rs_prctl_kernel.c
Gre
Lucien Fransman wrote:
> I often wondered about this. An assessment is only as good as the assessor.
> What is the use of an "I can break and exploit $foo application, and have
> shown this in my tests", if it is done by a private exploit? Again, I'm
[...]
> It only shows that the application
Hello,
Last week I was thinking about the possibility for an external attacker to
influence the following PHP variable:
$_SERVER['SCRIPT_NAME']
This variable contains the remote path (URI) to a PHP script, so if,
for instance, you access the following with a browser:
http:///aa/bb/cc/script.php
The
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
===
- RS-Labs Security Advisory -
===
Title: Multiple flaws in VHCS 2.x
ID: RS-2006-1
Severity: Critical
Date: 11.Feb.2006
Author: Román M
-Román (aka the "stupid asshole" :-))
Alexander Kotov [moleSoftware] wrote:
> If you want to go public in the future first contact someone of the dev
> team
> Wait at least 1 day and then go public ... stupid asshole
>
> here are the results of your activity
> http://securitywizardry.
lded the tarball and the problem is fixed.
>
> I think it is not necessary to post such kinds of messages on public
> mailing lists
> before you contact someone of the development team and wait at least
> some hours.
>
> cheers
> Alex
>
>
> Roman Medina-Heigl Her
Hi,
I've just visited the VHCS main page and noticed the following "security patch":
http://vhcs.net/new/modules/news/article.php?storyid=23
It reads:
"This patch is for all VHCS versions.
You have to update only one GUI file - /vhcs2/gui/include/login.php
Just replace the file
"
Well, just do N
devy wrote:
> It worked for me and it will work for you, if you're not a script-kiddie.
> *
This sentence sounds familiar to me... :-) (tip: google for it)
Cheers,
-Roman
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/ful
Medina-Heigl Hernandez
Sent:
-268036956,29675210
Subject:
TWiki exploit (search.pm / CAN-2004-1037)
Attachment Details:-
Attachment Name: tweaky.pl
File: tweaky.pl
Infected? Yes
Repaired? No
Virus Name: Perl/Exploit-TWiki
<>--- End Message ---
--- Begin Message ---
Action Tak
Hi,
Am I the only one who has been receiving error messages like these for more than a year?
Attempts to contact the postmaster at Radware were useless. Perhaps some
more responsible ppl at Radware can help...
PS: My apologies to the list. I couldn't find another method for trying
to stop this.
--
Regards,
-Roma
Bojan wrote:
> The libsldap library obviously can decrypt this, so it should be easy to
> write a tool which will do this (once you know how encryption/decryption
> works). But, from the text above, it's pretty clear that this is not a
> one way function.
Since the NS1 mechanism is pretty old, I canno
Hi,
I've been told that Solaris' NS_LDAP_BINDPASSWD could be decrypted. For
instance:
$ ldapclient -l
NS_LDAP_FILE_VERSION= 1.0
NS_LDAP_BINDDN=
cn=proxyagent,ou=profile,dc=blr03-01,dc=india,dc=sun,dc=com
NS_LDAP_BINDPASSWD= {NS1}3d1a48x
...
The pass is {NS1}3d1a48xxx
Francisco Sáa Muñoz wrote:
> You can get the Securityfocus exploits collection in the latest versions
> from Whax distribution ;)
Whax is great. It also contains ExploitTree, if I remember correctly (or
was it Auditor? Or both? ...). Btw, does anybody know when the Auditor+Whax
"merge" is going to be r
http://www.milw0rm.com/
-R
Hi,
Is there any recommended tool which helps to get database tables,
entries, structure, etc., given a particular SQL injection bug in an
application? I mean, it should *automatically* try different statements
to figure out the names of the columns and, in general, other useful info
from the datab
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Sanjay Rawat wrote:
> I too observed the same thing. I am running Windows 2K, SP4. I found
> that the base address of UMPNPMGR.DLL is 0x767a. However, when I run the
> attack with this address, the target machine gets rebooted (a crash).
> this may be
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Hi,
I tested existing exploits for the PnP bug on my W2k SP4 machine (Spanish)
and they didn't work (the "services" process crashes but I got no
shell). So I did a quick review with Olly and realized that
umpnpmgr.dll is being loaded at a different base
Hi,
Fernando Gont wrote:
> At 09:04 a.m. 03/08/2005, Joxean Koret wrote:
>
>> SHUT THE FUCK UP!!! AND FIX YOUR FUCKING WEBSITE!!! WE ARE ALL SICK
>> OF YOUR BORING E-MAILS MOTHERFUCKER!
>>
>> http://thor.prohosting.com/fgont/cgi-bin/whois.pl
Well, not precisely an example of politeness but