[Dailydave] Cribs (and BABYBOTTLE)
From: Dave Aitel (dave at immunityinc.com)
Date: Thu Jul 27 2006 - 15:30:36 CDT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
So here's what someone pointed out in the blacksecurity.org posting on
Full-Disclosure for one of the MS bugs:
http://archives.neohapsis.com/archives/fulldisclosure/2006-07/0471.html
a1="Ado"
a2="db."
a3="Str"
a4="eam"
str1=a1&a2&a3&a4
str5=str1
set S = df.createobject(str5,"")
S.type = 1
Here's a corresponding snippet from
CANVAS/exploits/BABYBOTTLE/BABYBOTTLE.py:
a1="Ado"
a2="db."
a3="Str"
a4="eam"
document.write("DEBUG: INSIDE 3h <br>")
str1=a1&a2&a3&a4
str5=str1
document.write("DEBUG: INSIDE 3i <br>")
set S = df.createobject(str5,"")
document.write("DEBUG: INSIDE 3j <br>")
S.type = 1
Why, may you ask, is Adodb.Stream split up exactly like that? It's
because a certain virus scanner triggers on it otherwise. This isn't
something you'd do by chance, even assuming your mental variable-name
generating PRNG was set to the exact same thing as mine.
Draw your own conclusions.
-dave
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
iD8DBQFEySJsB8JNm+PA+iURApKOAJ9zfAr8cJI5JHiTzRqh8IwKf0FvVgCcDtzA
9mRW+d602FAkDQsp/GQZgC4=
=Xq80
-----END PGP SIGNATURE-----
_______________________________________________
Dailydave mailing list
Dailydave at lists.immunitysec.com
http://lists.immunitysec.com/mailman/listinfo/dailydave
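As an added illustration, not part of Dave's post and not code from CANVAS or the Full-Disclosure posting, the following Python check shows why splitting "Adodb.Stream" into four literals defeats a plain substring signature, and how a scanner that folds constant VBScript string concatenation before matching sees the original ProgID again. The two scripts are constructed samples (one copied from the fragment quoted above, one un-split variant for comparison); the signature string and every function name here are this example's own assumptions, not anything the post or any real scanner uses.

```python
import re

# Constructed sample 1: the split fragment quoted in the post.
SPLIT_SAMPLE = '''
a1="Ado"
a2="db."
a3="Str"
a4="eam"
str1=a1&a2&a3&a4
str5=str1
set S = df.createobject(str5,"")
S.type = 1
'''

# Constructed sample 2: the same call written without the split.
PLAIN_SAMPLE = '''
set S = df.createobject("Adodb.Stream","")
S.type = 1
'''

# Assumed signature: the ProgID a naive scanner would look for.
SIGNATURE = "adodb.stream"

# name = <rhs>   (VBScript identifiers are case-insensitive)
ASSIGN_RE = re.compile(r'^\s*(?:dim\s+)?([a-z_]\w*)\s*=\s*(.+?)\s*$', re.I)
# a single double-quoted VBScript literal ("" is an escaped quote)
STRING_RE = re.compile(r'^"((?:[^"]|"")*)"$')


def naive_match(script):
    """Substring signature applied to the raw script text."""
    return SIGNATURE in script.lower()


def split_amp(expr):
    """Split a VBScript expression on '&' operators outside quotes."""
    parts, cur, in_quotes = [], [], False
    for ch in expr:
        if ch == '"':
            in_quotes = not in_quotes
        if ch == '&' and not in_quotes:
            parts.append(''.join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append(''.join(cur))
    return parts


def resolve_strings(script):
    """Map variable name -> constant string value, in script order.

    Only assignments whose right-hand side is built entirely from
    string literals and previously resolved variables joined by '&'
    are folded; anything else is left unresolved.
    """
    env = {}
    for line in script.splitlines():
        m = ASSIGN_RE.match(line)
        if not m:
            continue
        name, rhs = m.group(1).lower(), m.group(2)
        value = []
        for part in split_amp(rhs):
            part = part.strip()
            lit = STRING_RE.match(part)
            if lit:
                value.append(lit.group(1).replace('""', '"'))
            elif part.lower() in env:
                value.append(env[part.lower()])
            else:
                break  # not a constant expression; skip this assignment
        else:
            env[name] = ''.join(value)
    return env


def find_signature(script):
    """Return the variables whose folded value carries the signature."""
    env = resolve_strings(script)
    return [name for name, val in env.items() if SIGNATURE in val.lower()]


def normalized_match(script):
    """Signature check over raw text plus folded string constants."""
    return naive_match(script) or bool(find_signature(script))


if __name__ == "__main__":
    for label, sample in (("plain", PLAIN_SAMPLE), ("split", SPLIT_SAMPLE)):
        print(label, "naive:", naive_match(sample),
              "folded:", normalized_match(sample),
              "carriers:", find_signature(sample))
```

The folding is deliberately conservative: it only follows assignments that are built from literals and already-resolved variables, so a scanner using it would not be fooled by the ordering of `a1..a4` but would still need other tricks (Chr() calls, Mid() slices, reversed strings) handled separately.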