lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <1057062018-1206810246-cardhu_decombobulator_blackberry.rim.net-1204573928-@bxe032.bisx.prod.on.blackberry>
Date: Sat, 29 Mar 2008 17:04:02 +0000
From: "josh" <mastahflank@...il.com>
To: "Tim Kunschke" <tim@...mey.homelinux.com>,
	full-disclosure-bounces@...ts.grok.org.uk,
	"zwell.nosec" <zwell.nosec@...il.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Fwd:  What's going on about Pangolin

Its pretty obvious if you unpack it and it comes off clean. UPX always sets off alerts with the majority of AVs.
Sent from my BlackBerry® smartphone with SprintSpeed

-----Original Message-----
From: Tim Kunschke <tim@...mey.homelinux.com>

Date: Sat, 29 Mar 2008 14:27:17 
To:"zwell.nosec" <zwell.nosec@...il.com>
Cc:full-disclosure@...ts.grok.org.uk
Subject: Re: [Full-disclosure] Fwd:  What's going on about Pangolin


I have also tested, and with the UPX packer unpacked. Nothing. Nothing 
dangerous. ;)

-------------------------------------------------------------------------------------------------------------------
C:\>C:\upx302w\upx.exe -d C:\pangolin_bin\out\pangolin.exe

Ultimate Packer for eXecutables
Copyright (C) 1996,1997,1998,1999,2000,2001,2002,2003,2004,2005,2006,2007
UPX 3.02w Markus Oberhumer, Laszlo Molnar & John Reiser Dec 16th 2007

File size Ratio Format Name
-------------------- ------ ----------- -----------
2834944 <- 879616 31.03% win32/pe pangolin.exe

Unpacked 1 file.
-------------------------------------------------------------------------------------------------------------------


Antivirus programs work with signatures. Matched the signature on the 
upx packed programs we have a problem. A false-positive.



°°°°snake°°°°



zwell.nosec schrieb:
>
> Hi, everyone:
>
> A friend told me that modify offset at 0x000D6BDF from 0x00 to 0xff, 
> then the world will be quiet. ; )
>
> ------------------------------------------------------------------------
>
> *From:* full-disclosure-bounces@...ts.grok.org.uk 
> [mailto:full-disclosure-bounces@...ts.grok.org.uk] *On Behalf Of *Nemes
> *Sent:* Saturday, March 29, 2008 1:18 AM
> *To:* full-disclosure@...ts.grok.org.uk
> *Subject:* [Full-disclosure] Fwd: What's going on about Pangolin
>
> This is not anykind of trojan or has it got anykind of backdoor in it.
>
> I've been using it for a few days now and its fine.
>
> I had a process monitor running and aTCP/IP UDP connections monitor 
> running when i unpacked the rar and ran pangolin for the first time, 
> NOTHING HAPPENED except for the application starting.
>
> I did an "upx.exe -d pangolin.exe" on my copy and I got 1 FILE UNPACKED..
>
> No trojans no abckdoors, no virus nothing!
> Its fine!
>
> N
>
> ---------- Forwarded message ----------
> From: *Tremaine Lea* <tremaine@...il.com <mailto:tremaine@...il.com>>
> Date: 28 Mar 2008 17:20
> Subject: Re: [Full-disclosure] What's going on about Pangolin
> To: mastahflank@...il.com <mailto:mastahflank@...il.com>
> Cc: full-disclosure@...ts.grok.org.uk 
> <mailto:full-disclosure@...ts.grok.org.uk>, 
> full-disclosure-bounces@...ts.grok.org.uk 
> <mailto:full-disclosure-bounces@...ts.grok.org.uk>
>
> Why should he show the source to his work?
>
> To allay valid concerns of the intended users.
>
> With some of the discussion at this point, it would certainly benefit
> the author if he wants to gain wider usage and discourage uninformed
> opinion.
>
> ---
>
> Tremaine Lea
> Network Security Consultant
> Intrepid ACL
> "Paranoia for hire"
>
>
>
> On 28-Mar-08, at 10:38 AM, josh wrote:
> > Why should he show the source to his work. I don't see him selling
> > it, he isn't twisting your arm to use it. He released it for free.
> > Either use it or don't.
> > Sent from my BlackBerry® smartphone with SprintSpeed
> >
> > -----Original Message-----
> > From: "Andreas Selvicki" <drsynack@...il.com <mailto:drsynack@...il.com>>
> >
> > Date: Fri, 28 Mar 2008 10:25:25
> > To:full-disclosure@...ts.grok.org.uk 
> <mailto:To:full-disclosure@...ts.grok.org.uk>
> > Subject: Re: [Full-disclosure] What's going on about Pangolin
> >
> >
> > Let's see the source please.
> >
> >
> > On 3/26/08, zwell@...u.com <mailto:zwell@...u.com> 
> <mailto:zwell@...u.com <mailto:zwell@...u.com>> <zwell@...u.com 
> <mailto:zwell@...u.com> <mailto:zwell@...u.com <mailto:zwell@...u.com>
> > > > wrote:
> > I've just read the discussion from here, seriously, I don't know
> > what's going on.
> > I've coded it since 2005 and never release it until this year. And I
> > really do not know why it be treated as a backdoor.
> >
> > If you think it is a backdoor, so please do a reverse engineering on
> > it. You can capture the network packet, you can list all the strings
> > in it, even you can hook APIs in it. Do anything you like to make
> > sure whether it's backdoor or not.
> >
> > BTW, I packeted it through UPX to reduce the size. And some people
> > focused on "http://www.nosec.org/web/index.txt 
> <http://www.nosec.org/web/index.txt
> > > ", which is used in ORACLE injection mode when the target database
> > is in intranet so we can use some store-procs to make the target to
> > visit our website then we can receive the internet address that is
> > mapped to outside. Anybody who is good at oracle injection should
> > know this.
> >
> > Really, I wanna know why!!!
> >
> >
> >
> > < div class="w134">
> >
> >
> >
> >
> >
> >
> >
> >
> >
> > ----------------
> >
> > 2008年薪水翻倍技巧 <http://doc.go.sohu.com/200802/5e1b674ab8183f3db8baba
> > 8ee4c6dd53.php>
> > *用搜狗拼音写邮件,体验更流畅的中文输入&gt;&gt; <http://goto.m
> > ail.sohu.com/goto.php3?code=mailadt-ta 
> <http://ail.sohu.com/goto.php3?code=mailadt-ta>>
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html 
> <http://lists.grok.org.uk/full-disclosure-charter.html
> > >
> > Hosted and sponsored by Secunia - http://secunia.com/ 
> <http://secunia.com/
> > >
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ