Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email email@example.com
From: Dave Aitel (daveimmunityinc.com)
Date: Fri Oct 24 2008 - 11:38:53 CDT
-----BEGIN PGP SIGNED MESSAGE-----
Is that exploit reliable? It doesn't look like it's using the reliable
variant (according to our very brief RE efforts here - and by "our", I
Why would someone find such a cool exploit and then not make it
reliable? Does it even work on XP SP2/3?
>> That said, it won't take much for someone to write self-replicating code
>> exploiting this vulnerability.
> I can now confirm what has been stated on the ThreatExpert blog. I
> found shellcode at
> file offset 0x4712A (or address 0x1004712A in IDA). Simple "sub 1"
> payload decoder,
> imports urlmon/UrlDownloadToFileA and WinExec to download a copy of
> the Trojan.
> MD5 of basesvc.dll: 82ba009746da8603c463f37e381a42a4
> Dailydave mailing list
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
-----END PGP SIGNATURE-----
Dailydave mailing list