Dailydave mailing list archives

Cribs (and BABYBOTTLE)


From: Dave Aitel <dave () immunityinc com>
Date: Thu, 27 Jul 2006 16:30:36 -0400

So here's what someone pointed out in the blacksecurity.org posting on
Full-Disclosure for one of the MS bugs:
http://archives.neohapsis.com/archives/fulldisclosure/2006-07/0471.html

    a1="Ado"
    a2="db."
    a3="Str"
    a4="eam"
    str1=a1&a2&a3&a4
    str5=str1
    set S = df.createobject(str5,"")
    S.type = 1


Here's a corresponding snippet from
CANVAS/exploits/BABYBOTTLE/BABYBOTTLE.py:
       a1="Ado"
        a2="db."
        a3="Str"
        a4="eam"
        document.write("DEBUG: INSIDE 3h <br>")
        str1=a1&a2&a3&a4
        str5=str1
        document.write("DEBUG: INSIDE 3i <br>")
        set S = df.createobject(str5,"")
        document.write("DEBUG: INSIDE 3j <br>")
        S.type = 1

Why, may you ask, is Adodb.Stream split up exactly like that? It's
because a certain virus scanner triggers on it otherwise. This isn't
something you'd do by chance, even assuming your mental variable-name
generating PRNG was set to the exact same thing as mine.

Draw your own conclusions.

- -dave
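As an added example (not from the post, and not CANVAS or Immunity code), the constant-folding check a scanner can apply to this trick: resolve VBScript string assignments joined with `&`, then flag CreateObject calls whose argument is an assembled variable resolving to a watched ProgID. The sample script and the WATCHLIST set are constructed for this example.

```python
import re

# Constructed sample modelled on the snippet quoted in the post.
SAMPLE = '''
a1="Ado"
a2="db."
a3="Str"
a4="eam"
str1=a1&a2&a3&a4
str5=str1
set S = df.createobject(str5,"")
S.type = 1
'''

# ProgIDs worth flagging when instantiated by script (assumed list for this example).
WATCHLIST = {"adodb.stream", "wscript.shell", "scripting.filesystemobject"}

ASSIGN_RE = re.compile(r'^\s*(?:set\s+)?(\w+)\s*=\s*(.+?)\s*$', re.IGNORECASE)
CREATE_RE = re.compile(r'createobject\s*\(\s*([^,)]+)', re.IGNORECASE)


def fold_strings(script):
    """Map variable -> string for assignments built only from literals, other
    already-resolved variables and `&`. Literals containing `&` are not handled."""
    env = {}
    for line in script.splitlines():
        m = ASSIGN_RE.match(line)
        if not m:
            continue
        name, rhs = m.group(1).lower(), m.group(2)
        value = ""
        for part in (p.strip() for p in rhs.split("&")):
            if len(part) >= 2 and part[0] == '"' and part[-1] == '"':
                value += part[1:-1]
            elif part.lower() in env:
                value += env[part.lower()]
            else:  # not a pure string expression (e.g. the CreateObject call itself)
                value = None
                break
        if value is not None:
            env[name] = value
    return env


def find_watched_createobject(script):
    """Return (resolved ProgID, argument text, was_assembled) for each CreateObject
    whose argument resolves to a watchlisted ProgID; ProgIDs compare case-insensitively."""
    env = fold_strings(script)
    hits = []
    for m in CREATE_RE.finditer(script):
        arg = m.group(1).strip()
        literal = arg.startswith('"') and arg.endswith('"')
        resolved = arg.strip('"') if literal else env.get(arg.lower())
        if resolved and resolved.lower() in WATCHLIST:
            hits.append((resolved, arg, not literal))
    return hits
```

A hit with `was_assembled` set is the signal the split-string trick above is meant to avoid: the ProgID never appears as one literal, but the folded value does.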
