Dailydave mailing list archives
Cribs (and BABYBOTTLE)
From: Dave Aitel <dave () immunityinc com>
Date: Thu, 27 Jul 2006 16:30:36 -0400
So here's what someone pointed out in the blacksecurity.org posting on Full-Disclosure for one of the MS bugs:
http://archives.neohapsis.com/archives/fulldisclosure/2006-07/0471.html

    a1="Ado"
    a2="db."
    a3="Str"
    a4="eam"
    str1=a1&a2&a3&a4
    str5=str1
    set S = df.createobject(str5,"")
    S.type = 1

Here's a corresponding snippet from CANVAS/exploits/BABYBOTTLE/BABYBOTTLE.py:

    a1="Ado"
    a2="db."
    a3="Str"
    a4="eam"
    document.write("DEBUG: INSIDE 3h <br>")
    str1=a1&a2&a3&a4
    str5=str1
    document.write("DEBUG: INSIDE 3i <br>")
    set S = df.createobject(str5,"")
    document.write("DEBUG: INSIDE 3j <br>")
    S.type = 1

Why, may you ask, is Adodb.Stream split up exactly like that? It's because a certain virus scanner triggers on it otherwise. This isn't something you'd do by chance, even assuming your mental variable-name generating PRNG was set to the exact same thing as mine.

Draw your own conclusions.

-dave
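A defender-side illustration of the trick the post describes, added here and not part of Dave's message or of CANVAS: a scanner that only matches the literal string misses the split ProgID, but one that folds VBScript constant concatenation before matching recovers "Adodb.Stream". The sample script is reconstructed from the fragment quoted above with the DEBUG writes removed; it also handles the direct `"Ado" & "db.Stream"` form, which the post does not show.

```python
import re

# Constructed sample: the VBScript fragment quoted in the post, DEBUG writes removed.
SAMPLE = '''a1="Ado"
a2="db."
a3="Str"
a4="eam"
str1=a1&a2&a3&a4
str5=str1
set S = df.createobject(str5,"")
S.type = 1
'''

# `name = rhs` (optionally `set name = rhs`); member assignments like S.type don't match.
ASSIGN_RE = re.compile(r'^\s*(?:set\s+)?([A-Za-z_]\w*)\s*=\s*(.+?)\s*$', re.IGNORECASE)
LITERAL_RE = re.compile(r'^"([^"]*)"$')   # plain literal; doubled-quote escapes not handled
IDENT_RE = re.compile(r'^[A-Za-z_]\w*$')

def resolve_constants(script):
    """Map each variable to its value when the right-hand side is built only from
    string literals and '&' concatenations of already-resolved variables."""
    env = {}
    for line in script.splitlines():
        m = ASSIGN_RE.match(line)
        if not m:
            continue
        name, rhs = m.group(1), m.group(2)
        pieces = []
        for part in (p.strip() for p in rhs.split('&')):
            lit = LITERAL_RE.match(part)
            if lit:
                pieces.append(lit.group(1))
            elif IDENT_RE.match(part) and part in env:
                pieces.append(env[part])
            else:
                break           # call, number or unknown name: not a constant expression
        else:
            env[name] = ''.join(pieces)
    return env

def find_split_progids(script, watch=("adodb.stream",)):
    """(variable, folded value) pairs whose value is a watched ProgID that never
    appears as one literal in the script, i.e. the signature-evading split."""
    env = resolve_constants(script)
    hits = []
    for name, value in env.items():
        if value.lower() in watch and f'"{value.lower()}"' not in script.lower():
            hits.append((name, value))
    return hits
```

Running `find_split_progids(SAMPLE)` flags both `str1` and `str5` as resolving to `Adodb.Stream`, while a script that names the ProgID as a single literal produces no hit.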