Full Disclosure mailing list archives

Re: Advisory 2006-03-12 Gay Slut Overflow CRITICAL dismallest in Immunitysec Dave Aitel


From: "Stan Bubrouski" <stan.bubrouski () gmail com>
Date: Sun, 12 Mar 2006 17:39:18 -0500

Too bad they didn't resolve the problem more than a week ago when the
first spoofed messages were sent out (only 1 made it to FD I think).

Thanks for the update ad,

-sb

On 3/12/06, ad () heapoverflow com <ad () heapoverflow com> wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Yep, I have some little info on this; the admin at c0replay showed me
an .sql

with a malicious script
********************************************************************************
-- Dumping data for table `advisorytype`
--

INSERT INTO `advisorytype` VALUES (1, 'Directory Transversal', 'Remote
exploitation of a directory traversal vulnerability in [product] could
allow attackers to overwrite or view arbitrary files with
user-supplied contents.');
INSERT INTO `advisorytype` VALUES (2, 'DoS Vulnerability', 'Sending a
specially crafted  malformed  packet to the services communication
socket can create a loss of service.');
INSERT INTO `advisorytype` VALUES (3, 'Integer Overflow', '[product]
incorrectly parses integer data, and this can be used to execute
arbitrary code.');
INSERT INTO `advisorytype` VALUES (4, 'Heap Overflow', 'It is possible
to make [product] crash or run arbitrary code by the use of malformed
input.');
INSERT INTO `advisorytype` VALUES (5, 'Buffer Overflow', 'It is
possible to make [product] crash or run arbitrary code by the use of
malformed input.');
INSERT INTO `advisorytype` VALUES (6, 'Off-by-one', 'It is possible to
make [product] crash by the use of malformed input.');
INSERT INTO `advisorytype` VALUES (7, 'Local Privilege Escalation
Vulnerability', '[product] incorrectly validates user input, making
privilege escalation possible.');

-- --------------------------------------------------------

--
-- Table structure for table `fdmail`
--

CREATE TABLE `fdmail` (
 `id` int(10) NOT NULL auto_increment,
 `Name` varchar(100) NOT NULL default '',
 `Email` varchar(100) NOT NULL default '',
 PRIMARY KEY  (`id`)
) TYPE=MyISAM AUTO_INCREMENT=2958 ;

--
-- Dumping data for table `fdmail`
--

INSERT INTO `fdmail` VALUES (2078, 'Josh perrymon',
'perrymonj () networkarmor com');
INSERT INTO `fdmail` VALUES (2077, 'Valdis.Kletnieks () vt edu',
'Valdis.Kletnieks () vt edu');
INSERT INTO `fdmail` VALUES (2075, 'Dave Korn',
'davek_throwaway () hotmail com');
INSERT INTO `fdmail` VALUES (2076, 'str0ke', 'str0ke () milw0rm com');
INSERT INTO `fdmail` VALUES (2073, 'Morning Wood',
'se_cur_ity () hotmail com');
INSERT INTO `fdmail` VALUES (2074, 'Bipin Gautam',
'gautam.bipin () gmail com');

etc etc etc
***********************************************************************************

I'm not sure, but it looks like they have been hacked through the board
with an SQL injection, possibly a private bug, I dunno, but I know the
maintainer of this website and they aren't responsible for this.


Stan Bubrouski wrote:
Not to mention all the messages come through www.c0replay.net,
assuming that part of the headers are accurate.  If you'll recall,
the same domain was used to spoof a message from Steven Rakick on
March 4th. Seems some little kiddie in the UK (assumption warning!)
is going to be paying some fines.  I wouldn't exactly call it smart
to slander dozens of people... and moderation has never seemed more
necessary.

-sb

On 3/12/06, Nicob <nicob () nicob net> wrote:
On Sunday 12 March 2006 at 01:08 -0800, dismallest dismallest
wrote:
APPENDIX B. - References
http://bantown.com/banforge/release.rar
http://bantown.com/ : "Our website was recently hacked [...]"

and

http://64.233.179.104/search?q=cache:1F21krhKFHEJ:bantown.com/banforge/


Index of /banforge

Parent Directory          23-Feb-2006 22:51      -
BPL.txt                   20-Aug-2005 15:08     4k
LJiggaboo1.0.1rc2.tgz     21-Jan-2006 13:10   142k
Ljflooder2.pl             07-Aug-2005 05:07     5k
PhpBBreg-FIXEDLOL.py      08-Aug-2005 23:11     1k
banbot.pl                 16-Aug-2005 11:36    15k
fla.sh                    16-Aug-2005 11:22     2k
flu.shot                  19-Aug-2005 11:04     3k
gaffler3.tar.gz           09-Aug-2005 02:30   123k
phpBBroke-0.1.tar.gz      09-Oct-2005 13:35   383k
phpBBroke/                27-Sep-2005 16:47      -
phpbb_captcha.c           24-Jan-2006 03:16    21k
pw-lolercaust-0.2.tar.gz  10-Oct-2005 03:38     2k
rsshithead.tgz


Nicob

_______________________________________________ Full-Disclosure -
We believe in it. Charter:
http://lists.grok.org.uk/full-disclosure-charter.html Hosted and
sponsored by Secunia - http://secunia.com/





-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.1 (MingW32)

iD8DBQFEFJxBFJS99fNfR+YRAj5EAJ9CSGssylC2ErrXD+VmVKxmLOOzMQCcDJwQ
ESS9D2SCfNJ+phvLzenoCqQ=
=eQ8x
-----END PGP SIGNATURE-----


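The "hacked through the board with an SQL injection" guess in the quoted message describes a well-known pattern: a lookup that pastes user input into a query string lets an attacker UNION in rows from an unrelated table, such as the `fdmail` subscriber list in the dump. The block below is an added example, not code from this thread, from c0replay or from the board software, and it does not claim to be the actual vector. It rebuilds the `advisorytype` and `fdmail` tables from the posted dump in an in-memory SQLite database (MySQL types mapped to SQLite; the `advisorytype` column names are assumed since the dump does not give them; the `fdmail` rows are constructed placeholders rather than the real addresses) and shows a hypothetical vulnerable lookup beside a parameterized one. The `lookup_*` function names, the `PAYLOAD` string and the shape of the board's query are all assumptions.

```python
import sqlite3

# Schema from the dump posted in the thread, with MySQL types mapped to
# SQLite. The advisorytype column names are assumed (the dump omits them).
SCHEMA = """
CREATE TABLE advisorytype (
  id INTEGER PRIMARY KEY,
  name VARCHAR(100) NOT NULL,
  template TEXT NOT NULL
);
CREATE TABLE fdmail (
  id INTEGER PRIMARY KEY AUTOINCREMENT,
  Name VARCHAR(100) NOT NULL DEFAULT '',
  Email VARCHAR(100) NOT NULL DEFAULT ''
);
"""

# Two advisorytype rows as they appear in the posted dump.
ADVISORY_ROWS = [
    (1, "Directory Transversal",
     "Remote exploitation of a directory traversal vulnerability in [product] "
     "could allow attackers to overwrite or view arbitrary files with "
     "user-supplied contents."),
    (4, "Heap Overflow",
     "It is possible to make [product] crash or run arbitrary code by the use "
     "of malformed input."),
]

# Constructed placeholder subscribers (not the real addresses from the dump).
FDMAIL_ROWS = [
    ("Alice Example", "alice@example.org"),
    ("Bob Example", "bob@example.net"),
    ("Carol Example", "carol@example.com"),
]

# Hypothetical payload: close the string literal, UNION in the subscriber
# table (same column count as the original SELECT), comment out the rest.
PAYLOAD = "' UNION SELECT Name, Email FROM fdmail -- "


def build_db():
    """Return an in-memory database populated with the rows above."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO advisorytype VALUES (?, ?, ?)", ADVISORY_ROWS)
    conn.executemany("INSERT INTO fdmail (Name, Email) VALUES (?, ?)", FDMAIL_ROWS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, type_name):
    """Assumed board lookup: string interpolation puts user input into SQL.
    With PAYLOAD this returns fdmail rows instead of an advisory template."""
    sql = "SELECT name, template FROM advisorytype WHERE name = '%s'" % type_name
    return conn.execute(sql).fetchall()


def lookup_safe(conn, type_name):
    """Hardened lookup: the value is bound as a parameter, so the quote and
    the UNION in PAYLOAD are just characters in a name that matches nothing."""
    sql = "SELECT name, template FROM advisorytype WHERE name = ?"
    return conn.execute(sql, (type_name,)).fetchall()


def leaked_emails(conn):
    """Addresses the injection exposes through the vulnerable lookup."""
    return sorted(email for _, email in lookup_vulnerable(conn, PAYLOAD))


if __name__ == "__main__":
    db = build_db()
    print("normal lookup:", lookup_safe(db, "Heap Overflow"))
    print("payload, vulnerable lookup:", lookup_vulnerable(db, PAYLOAD))
    print("payload, parameterized lookup:", lookup_safe(db, PAYLOAD))
```

The two lookups behave identically for a legitimate name; they only diverge when the input carries SQL syntax, which is why an injection of this kind can sit unnoticed on a board that otherwise works. Note that the UNION needs the attacker to know or guess the target table and a matching column count, both of which the leaked dump would have made trivial after the fact.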
