Full Disclosure mailing list archives
Re: PenTestIT.com RSS feed suspicius
From: Andrew Farmer <andfarm () gmail com>
Date: Tue, 5 Jul 2011 22:41:49 -0700
On 2011-07-05, at 20:55, Nick FitzGerald wrote:
> Andrew Farmer to ector dulac:
>
>>> Looks suspicious to me
>>
>> Very. That unescapes to:
>>
>> [something that trips a bunch of AVs]
>>
>> Which loads some amusingly obfuscated JS ...
>
> Really? That amused you? Maybe my irony detector is on the blink, but that was very ordinary several years ago.

Eh, I hadn't seen the with() { } trick before.

>> ... which looks like it's *supposed* to be a plugin exploit of some sort, but which has no real payload. At least, not when I looked.
>
> Ummmm -- not what I got at all.

Perhaps it's UA sniffing -- the copy I got looked almost identical to the copy seen at:

http://jsunpack.jeek.org/dec/go?report=c162b83bf99e26230f680b36ce63a215c1165334

including the empty redirect() function triggered by a chain of spl1/spl2/.../spl6 functions.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/