Message-ID: <Law11-OE23PJqfFkFKz0004248a@hotmail.com>
From: se_cur_ity at hotmail.com (morning_wood)
Subject: Wood's Infinity Project 3.69a Remote Command Execution
1. that script is only a modification of a previous script, or do you
not read the read me?
2. Bionet logger is not mine either, again. I don't get what your point
is testing software that isn't mine?
3. My contact with a company that I contacted is part of why I chose
to start my open project.
You are trying to discredit me, I see you only making yourself look
bad, shame, I thought you of all people here would think twice before
making erroneous statements.
wood
----- Original Message -----
From: "badpack3t" <badpack3t@...urity-protocols.com>
To: <full-disclosure@...ts.netsys.com>
Sent: Thursday, June 12, 2003 3:49 PM
Subject: [Full-Disclosure] Wood's Infinity Project 3.69a Remote Command Execution
> This advisory is for "Wood's Infinity Project 3.69a" available at:
> http://exploit.wox.org/thecore/W-infscan-369a.zip
>
> [17:10] * Now talking in #morning_wood
> [17:10] * Topic is ''
> [17:10] * Set by ChanServ on Wed Jun 11 04:19:51
> [17:10] <b0iler> morning_wood knows security well?
> [17:10] <b0iler> I need help.
> [17:11] <b0iler> is this morning_wood?
> [17:15] <{DWL}Vinyl> ya
> [17:15] <{DWL}Vinyl> wassup
> [17:15] <b0iler> you are any good at perl security?
> [17:16] <{DWL}Vinyl> some ya
> [17:16] <b0iler> I need help verifying if this vuln is exploitable.
> [17:16] <{DWL}Vinyl> hey
> [17:16] <{DWL}Vinyl> can you
> [17:16] <{DWL}Vinyl> go to
> [17:17] <{DWL}Vinyl> exploitlabs.com:6667
> [17:17] <{DWL}Vinyl> .#0sec
> [17:17] <{DWL}Vinyl> it my server
>
> [17:17] * Now talking in #0sec
> [17:17] * Topic is 'http://nothackers.org - 0day - Freedom of Voice - Freedom of Choice'
> [17:17] * Set by MrWood on Tue Jun 10 22:13:11
> [17:17] <#0sec> Welcome to 0sec
> [17:18] <b0iler> @values = split(/\&/,$ENV{'QUERY_STRING'});
> [17:18] <b0iler> foreach $i (@values) {
> [17:18] <b0iler> ($varname, $mydata) = split(/=/,$i);
> [17:18] <b0iler> $FORM{$varname} = $mydata;
> [17:18] <b0iler> }
> [17:18] <b0iler> $host = "$FORM{'host'}";
> [17:18] <b0iler> $host =~ tr/+/ /;
> [17:18] <b0iler> $host =~ tr/\%/a/;
> [17:18] <b0iler> $host =~ tr/\;/b/;
> [17:18] <b0iler> $host =~ tr/</c/;
> [17:19] <b0iler> $host =~ tr/>/d/;
> [17:19] <b0iler> $host =~ tr/\|/e/;
> [17:19] <b0iler> $host =~ tr/\&/f/;
> [17:19] <b0iler> $host =~ tr/\^/g/;
> [17:19] <b0iler> $host =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
> [17:19] <b0iler> $hostname = `$nslookuplocation $host`;
> [17:19] <MrWood> shell code?
> [17:19] <b0iler> ?
> [17:19] <b0iler> .cgi?host=$(echo 'h0n0!')
> [17:19] <MrWood> hehe
> [17:19] <b0iler> that would execute commands on this server.. right?
> [17:20] <MrWood> you want to run this on a remote server?
> [17:20] <b0iler> this is in a .cgi
> [17:20] <MrWood> havin the .pl on it first
> [17:20] <MrWood> ?
> [17:20] <b0iler> I want to find vulnerabilities in this .cgi
> [17:20] <b0iler> I believe this is one.
> [17:20] <MrWood> ahhh
> [17:20] <b0iler> you see.. the programmer of this .cgi is not very
> knowledgeable.
> [17:20] <MrWood> do you have a httpd with perl?
> [17:21] <b0iler> I think they have problems in their code.
> [17:21] <MrWood> if you uploaded the cgi to me
> [17:21] <MrWood> i could let you access it on my box, but i run NT
> [17:22] <MrWood> wtf is $host =~
> s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
> [17:22] <b0iler> that is converting url encoding into ascii
> [17:22] <b0iler> %hexhex into ascii
> [17:22] <MrWood> isn't that hex for a serial port?
> [17:23] <b0iler> MrWood: you already have the .cgi.
> [17:23] <MrWood> i do?
> [17:23] <b0iler> it is nph-exploitscanget.cgi
> [17:23] <b0iler> you programmed it.
> [17:23] <MrWood> where?
> [17:23] <MrWood> url?
> [17:23] <b0iler> http://exploit.wox.org/thecore/W-infscan-369a.zip
> [17:24] <MrWood> the worst is
> [17:24] <MrWood> on that
> [17:24] <MrWood> there is a call
> [17:24] <MrWood> to local nslookup
> [17:24] <MrWood> if you replace
> [17:24] <MrWood> 'nslookup'
> [17:24] <MrWood> with ummm
> [17:24] <MrWood> lets say
> [17:25] <MrWood> tftp - yourhost.com get file.ext file.ext
> [17:25] <MrWood> it should execute local
> [17:25] <MrWood> :)
> [17:25] <b0iler> what you say makes no sense at all.
> [17:26] <MrWood> if you replace that call
> [17:26] <MrWood> then upload it to remote server
> [17:27] <b0iler> and get... *gasp* cgi privileges on a local server. lol.
> [17:27] <MrWood> it will execute the call you replaced when the script hits that function
> [17:27] <MrWood> yes
> [17:27] <b0iler> I will be posting this log to FD list.
> [17:30] <b0iler> your security list is a joke. your website is a joke. your code is a joke.
> [17:30] <MrWood> i have 3 advisories on hold
> [17:30] * Disconnected (Quit: joke.)
>
> There is a massive xss problem in the 404 script mrwood uses. here is PoC
> for this 0day advisory: http://exploit.wox.org/<b>a</b>
> There is a serious plain text password and default password problem in the
> script available at: http://take.candyfrom.us/bionet-logger1-2.zip
>
> There is also an advisory on 0day (http://nothackers.org) list's use of
> its own "wood-discloser" (some kind of strange full-discloser
> mutation with no vendor notification, no exploit code, flakey
> vulnerabilities, and "0days" which do not compile - they only form
> structures of poorly written English sentences). It claims it releases
> information immediately, but as the log shows mrwood himself is
> withholding vulnerability information from the public. According to
> mrwood's own logic, this is putting 10trillion,billion,million people
> at risk from 0days and attack. Wood-discloser will save us all from
> attack! Praise Ali!
>
> peace out,
>
> ---------------------------
> badpack3t
> founder
> www.security-protocols.com
> ---------------------------
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>
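As an added example (my own code, not part of the advisory or of the Infinity Project), the Perl below reproduces the character-substitution filter quoted in the log, shows that the `$(...)` input from the log passes through it untouched, and contrasts it with a hostname allowlist plus a shell-free invocation of nslookup. The function names `sanitize_by_blacklist`, `validate_hostname` and `safe_nslookup` are my own.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# The filter as quoted in the log: swap a handful of shell
# metacharacters for letters, then URL-decode, then (in the original)
# interpolate the result into backticks. Reproduced for comparison only.
sub sanitize_by_blacklist {
    my ($host) = @_;
    $host =~ tr/+/ /;
    $host =~ tr/\%/a/;
    $host =~ tr/\;/b/;
    $host =~ tr/</c/;
    $host =~ tr/>/d/;
    $host =~ tr/\|/e/;
    $host =~ tr/\&/f/;
    $host =~ tr/\^/g/;
    $host =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
    return $host;    # '$', '(', ')', backtick and newline all survive
}

# Allowlist instead of blacklist: DNS labels of [A-Za-z0-9-], dot
# separated, whole name at most 253 characters. Anything else is rejected.
sub validate_hostname {
    my ($host) = @_;
    return 0 unless defined $host && length($host) <= 253;
    return $host =~ /\A[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?
                     (?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*\z/x ? 1 : 0;
}

# Hardened lookup: the list form of open() execs nslookup directly with the
# hostname as one argv entry, so /bin/sh never sees the value at all.
sub safe_nslookup {
    my ($nslookup, $host) = @_;
    die "invalid hostname\n" unless validate_hostname($host);
    open(my $out, '-|', $nslookup, $host) or die "cannot run nslookup: $!\n";
    local $/;
    my $result = <$out>;
    close $out;
    return $result;
}

# Constructed inputs: the value shown in the log and a benign hostname.
for my $input ('$(echo h0n0!)', 'example.com') {
    printf "%-16s blacklist -> %-16s allowlist -> %s\n",
        $input, sanitize_by_blacklist($input),
        validate_hostname($input) ? 'accepted' : 'rejected';
}
```

Running it shows the first input unchanged by the blacklist but rejected by the allowlist; `safe_nslookup` is only ever reached with a value the allowlist accepted.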