From: Dave Aitel (dave immunityinc.com)
Date: Fri Oct 24 2008 - 11:38:53 CDT
Is that exploit reliable? It doesn't look like it's using the reliable
variant (according to our very brief RE efforts here - and by "our", I
mean "Kostya's").
Why would someone find such a cool exploit and then not make it
reliable? Does it even work on XP SP2/3?
-dave
dennis backtrace.de wrote:
>> That said, it won't take much for someone to write self-replicating code
>> exploiting this vulnerability.
>
> I can now confirm what has been stated on the ThreatExpert blog. I found shellcode at
> file offset 0x4712A (or address 0x1004712A in IDA). Simple "sub 1" payload decoder,
> imports urlmon/UrlDownloadToFileA and WinExec to download a copy of the Trojan.
>
> MD5 of basesvc.dll: 82ba009746da8603c463f37e381a42a4
>
> Cheers
>
> _______________________________________________
> Dailydave mailing list
> Dailydave lists.immunitysec.com
> http://lists.immunitysec.com/mailman/listinfo/dailydave
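An added illustration, not part of the original thread or of either poster's tooling: a static triage sketch for the "sub 1" payload decoder described in the quoted message, which decodes a region of a file and reports the import names the message mentions plus any URL. It assumes each encoded byte is the plain byte plus one; the function names, sample bytes and URL are constructed for the example.

```python
import re

# Names the quoted analysis says the shellcode imports (matched case-insensitively).
INDICATORS = (b"urlmon", b"URLDownloadToFileA", b"WinExec")

def sub1_decode(blob: bytes) -> bytes:
    """Apply the decoder's 'sub 1' to every byte, wrapping modulo 256."""
    return bytes((b - 1) & 0xFF for b in blob)

def printable_strings(data: bytes, min_len: int = 5) -> list:
    """Return runs of printable ASCII at least min_len bytes long."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)

def triage(image: bytes, offset: int, length: int) -> dict:
    """Decode image[offset:offset+length] and report import names and URLs."""
    decoded = sub1_decode(image[offset:offset + length])
    strings = printable_strings(decoded)
    hits = sorted({i.decode() for i in INDICATORS
                   for s in strings if i.lower() in s.lower()})
    urls = [u.decode() for u in re.findall(rb"https?://[\x21-\x7e]+", decoded)]
    return {"indicators": hits, "urls": urls,
            "strings": [s.decode() for s in strings]}

# --- Constructed sample, not bytes from basesvc.dll ---
OFFSET = 0x4712A  # file offset reported in the quoted message
PLAIN = (b"\x90\x90urlmon\x00URLDownloadToFileA\x00WinExec\x00"
         b"http://example.invalid/a.exe\x00")
ENCODED = bytes((b + 1) & 0xFF for b in PLAIN)  # assumed encoding: plain + 1
SAMPLE_IMAGE = bytes(OFFSET) + ENCODED + bytes(64)

if __name__ == "__main__":
    report = triage(SAMPLE_IMAGE, OFFSET, len(ENCODED))
    print("indicators:", report["indicators"])
    print("urls:", report["urls"])
```

On a real sample the decoder stub itself sits in front of the encoded body, so the region passed to `triage` should start after the stub; decoding the stub only yields non-printable noise.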