lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
From: exibar at thelair.com (Exibar)
Subject: [inbox] RE: 3 new MS patches next week...

>
> This really long 'form action' item
> http://www.citibank.com:achaaa9uwdtyazjwvwaaaa9p398haaa9uwdtyazjwv
> waboundpyw
> wgc2l6zt00pjxtvgc2l6zt00pjxywwgc2l6zt00pjxt398haaa9uwdtyazjwvwaaou
> ndpywwgc2l
> 6zt00pjxtvgc2l6zt00pjxvgc2l6zt00pjxt@....239.150.170/login/form.php
>
> obviously contains the 0x01 exploit. What I'm curious about is the HUGE
> amount of crap in between the : and the @ sign. I mean, if the
> 0x01 exploit
> is 'good enough', what's with the extra characters?
>


The above http: line doesn't make use of the 0x01 exploit.  In order to make
use of that exploit, you NEED "0x01" in there just before the @ symbol.  The
above link only makes use of of a "feature" of using the @ symbol to pass
credentials.  All the gibberish that you see in the link is a poor attempt
to mask the actual address it's going to.  When you click on the link,
you'll see "211.239.150.170/login/form.php" in the browser's address bar.
If it was using the 0x01 expoilt you'd see "http://www.citibank.com" in the
address bar.

 Exibar

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ