[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <NMEAJDJMDLJLOIOCIKJJOENAEMAA.exibar@thelair.com>
From: exibar at thelair.com (Exibar)
Subject: [inbox] RE: 3 new MS patches next week...
>
> This really long 'form action' item
> http://www.citibank.com:achaaa9uwdtyazjwvwaaaa9p398haaa9uwdtyazjwv
> waboundpyw
> wgc2l6zt00pjxtvgc2l6zt00pjxywwgc2l6zt00pjxt398haaa9uwdtyazjwvwaaou
> ndpywwgc2l
> 6zt00pjxtvgc2l6zt00pjxvgc2l6zt00pjxt@....239.150.170/login/form.php
>
> obviously contains the 0x01 exploit. What I'm curious about is the HUGE
> amount of crap in between the : and the @ sign. I mean, if the
> 0x01 exploit
> is 'good enough', what's with the extra characters?
>
The above http: line doesn't make use of the 0x01 exploit. In order to make
use of that exploit, you NEED "0x01" in there just before the @ symbol. The
above link only makes use of of a "feature" of using the @ symbol to pass
credentials. All the gibberish that you see in the link is a poor attempt
to mask the actual address it's going to. When you click on the link,
you'll see "211.239.150.170/login/form.php" in the browser's address bar.
If it was using the 0x01 expoilt you'd see "http://www.citibank.com" in the
address bar.
Exibar
Powered by blists - more mailing lists