Full Disclosure mailing list archives

Re(2): An April Fools' Day Android Payload


From: アドリアンヘンドリック <unixfreaxjp22 () gmail com>
Date: Tue, 3 Apr 2012 03:42:31 +0900

Just out of curiosity about the "April fool",
I actually did a double check of the $payload as x86 ASM code.

00000000  add al,0xa0
00000002  sub byte[edi],ah
00000004  add bh,bl
00000006  or al,0xa0
00000008  add ah,byte[ecx+0xdf002753]
0000000e  add dword[edi],esp
00000010  add bh,bl
00000012  rol byte[esi+0x2f],0x64
00000016  popad
00000017  je 0x7a
00000019  das
0000001a  fs: popad
0000001c  je 0x7f
0000001e  das
0000001f  arpl word[edi+0x6d],bp
00000022  cs: popad
00000024  outs dx,byte[esi]
00000025  fs: jb 0x97
00000028  imul esp,dword[esi+ebp*1+0x62],0x73776f72
00000030  gs: jb 0x62
00000033  ins byte[es:edi],dx
00000034  imul esp,dword[edx+0x0],0x61642f00
0000003b  je 0x9e
0000003d  das
0000003e  popad
0000003f  jo 0xb1
00000041  add al,al
00000043  inc esi

----
 ZeroDay Japan http://0day.jp
 Hendrik ADRIAN /アドリアン・ヘンドリック
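The listing above is what happens when a disassembler is pointed at bytes that are not machine code: several of its mnemonics are single-byte opcodes whose values are printable ASCII (das is 0x2f, popad is 0x61, je is 0x74, the fs:/gs:/cs: prefixes are 0x64, 0x65 and 0x2e), so text "decodes" into plausible-looking instructions. The script below is an added example, not code from this thread or from Dan Rosenberg's PoC; it decodes only a hand-picked subset of those opcodes (everything else is emitted as `db`), reproduces ndisasm's rel8 target arithmetic, and adds the printable-ratio triage check an analyst would run before trusting a disassembly. Both input blobs are constructed for the example, not the thread's payload.

```python
"""Added example: why ASCII text 'disassembles' into x86 mnemonics, plus a
printable-ratio triage check. Opcode values are real x86; the table is a
deliberately tiny, hand-picked subset chosen for this demonstration."""

# One-byte x86 opcodes that are also printable ASCII characters.
ONE_BYTE = {
    0x2F: "das",                  # '/'
    0x61: "popad",                # 'a'
    0x6C: "ins byte[es:edi],dx",  # 'l'
    0x6E: "outs dx,byte[esi]",    # 'n'
    0x46: "inc esi",              # 'F'
    0x2E: "cs:",                  # '.'  segment override prefix
    0x64: "fs:",                  # 'd'  segment override prefix
    0x65: "gs:",                  # 'e'  segment override prefix
    0x74: "je",                   # 't'  followed by a rel8 displacement
    0x72: "jb",                   # 'r'  followed by a rel8 displacement
}
PREFIXES = {0x2E, 0x64, 0x65}
REL8 = {0x74, 0x72}


def disasm_subset(data: bytes):
    """Decode the subset above; unknown bytes become 'db 0xNN'.
    Returns a list of (offset, text). Branch targets follow the usual
    convention: target = address of next instruction + signed rel8."""
    out = []
    i = 0
    while i < len(data):
        start = i
        prefix = ""
        while i < len(data) and data[i] in PREFIXES:
            prefix += ONE_BYTE[data[i]] + " "
            i += 1
        if i >= len(data):
            out.append((start, prefix.strip() + " (dangling prefix)"))
            break
        b = data[i]
        if b in REL8 and i + 1 < len(data):
            rel = data[i + 1]
            if rel > 127:           # rel8 is signed
                rel -= 256
            target = i + 2 + rel
            out.append((start, f"{prefix}{ONE_BYTE[b]} 0x{target:x}"))
            i += 2
        elif b in ONE_BYTE and b not in REL8:
            out.append((start, f"{prefix}{ONE_BYTE[b]}"))
            i += 1
        else:
            out.append((start, f"{prefix}db 0x{b:02x}"))
            i += 1
    return out


def looks_like_text(data: bytes, threshold: float = 0.9) -> bool:
    """Triage heuristic: a blob that is almost entirely printable ASCII is
    far more likely to be a string (a path, a command) than machine code."""
    if not data:
        return False
    printable = sum(1 for b in data if 0x20 <= b < 0x7F or b in (9, 10, 13))
    return printable / len(data) >= threshold


# Constructed sample inputs (not the thread's payload).
TEXT_BLOB = b"/data/local/tmp"                     # an ordinary path string
CODE_BLOB = bytes.fromhex("5589e583ec1031c0c9c3")  # push ebp; mov ebp,esp;
                                                   # sub esp,0x10; xor eax,eax;
                                                   # leave; ret

if __name__ == "__main__":
    for blob in (TEXT_BLOB, CODE_BLOB):
        print(f"{blob!r}: looks_like_text={looks_like_text(blob)}")
        for off, text in disasm_subset(blob):
            print(f"  {off:08x}  {text}")
```

Running it shows the path string turning into `das`, `fs: popad`, `je 0x66`, ... while the printable-ratio check flags it as text (15/15 printable) and rejects the real prologue (2/10 printable). A real disassembler decodes every byte, which is why the thread's listing also contains multi-byte forms like `imul` and `arpl`; the point of the check is the same either way.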


On Mon, Apr 2, 2012 at 7:59 PM, Dan Rosenberg <dan.j.rosenberg () gmail com> wrote:
Hendrik,

Well, they know about it now. ;-)

I figured it was appropriate for April Fools' Day in keeping with the
spirit of mischief. I wouldn't worry too much about seeing exploitation
of what amounts to a local DoS vulnerability that requires a compromised
browser session to exploit. It would be sort of silly to go through the
effort to own someone's phone with the end goal of being a minor
inconvenience to them.

And sorry about the bad formatting on the original post, seems my text
editor, email client, and this mailing list just didn't get along this
time. Clean version at:
http://vulnfactory.org/exploits/aprilfools.S

Regards,
Dan

On 04/02/2012 04:42 AM, ZeroDay.JP wrote:
Mr. Rosenberg,

I understand the PoC you coded and its effect on APT.
But for the April Fools' connection, I just don't get it :-)

Does Google know it yet?

regards,

---
ZeroDay Japan http://0day.jp
Hendrik ADRIAN /アドリアン・ヘンドリック
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

