Message-ID: <CAAhuQpPrmtc5ze=3d2YZr_nK5bewUsZ8J_KxvZn-JoY7sSF62Q@mail.gmail.com>
Date: Tue, 3 Apr 2012 03:42:31 +0900
From: アドリアンヘンドリック <unixfreaxjp22@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Re(2): An April Fools' Day Android Payload
Just out of curiosity about the "April fool",
I actually did a double check of the $payload in x86 ASM code.
00000000 add al,0xa0
00000002 sub byte[edi],ah
00000004 add bh,bl
00000006 or al,0xa0
00000008 add ah,byte[ecx+0xdf002753]
0000000e add dword[edi],esp
00000010 add bh,bl
00000012 rol byte[esi+0x2f],0x64
00000016 popad
00000017 je 0x7a
00000019 das
0000001a fs: popad .
0000001c je 0x7f
0000001e das
0000001f arpl word[edi+0x6d],bp
00000022 cs: popad .
00000024 outs dx,byte[esi]
00000025 fs: jb 0x97
00000028 imul esp,dword[esi+ebp*1+0x62],0x73776f72
00000030 gs: jb 0x62
00000033 ins byte[es:edi],dx
00000034 imul esp,dword[edx+0x0],0x61642f00
0000003b je 0x9e
0000003d das
0000003e popad
0000003f jo 0xb1
00000041 add al,al
00000043 inc esi
----
ZeroDay Japan http://0day.jp
Hendrik ADRIAN /アドリアン・ヘンドリック
On Mon, Apr 2, 2012 at 7:59 PM, Dan Rosenberg <dan.j.rosenberg@...il.com> wrote:
> Hendrik,
>
> Well, they know about it now. ;-)
>
> I figured it was appropriate for April Fools' Day in keeping with the
> spirit of mischief. I wouldn't worry too much about seeing exploitation
> of what amounts to a local DoS vulnerability that requires a compromised
> browser session to exploit. It would be sort of silly to go through the
> effort to own someone's phone with the end goal of being a minor
> inconvenience to them.
>
> And sorry about the bad formatting on the original post, seems my text
> editor, email client, and this mailing list just didn't get along this
> time. Clean version at:
> http://vulnfactory.org/exploits/aprilfools.S
>
> Regards,
> Dan
>
> On 04/02/2012 04:42 AM, ZeroDay.JP wrote:
>> Mr. Rosenberg,
>>
>> I understand the PoC you coded and its effect on APT.
>> But as for the April Fools' connection, I just don't get it :-)
>>
>> Does Google know it yet?
>>
>> regards,
>>
>> ---
>> ZeroDay Japan http://0day.jp
>> Hendrik ADRIAN /アドリアン・ヘンドリック
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
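A check worth applying to a listing like the one above, added here as example code (not part of the thread, and not Dan Rosenberg's exploit code): decode the disassembler's wide immediates, and the rel8 bytes behind its short jumps, as little-endian ASCII. In this listing both come out as printable text, which is the usual sign that string data, or code for another architecture, is being read as x86. The embedded lines are copied from the message above; the rel8 arithmetic assumes 2-byte short jumps plus one byte per segment prefix, and operand width is taken from the number of printed hex digits.

```python
import re
# Constructed input: a subset of the ndisasm-style listing posted above.
LISTING = """\
00000008 add ah,byte[ecx+0xdf002753]
00000017 je 0x7a
00000025 fs: jb 0x97
00000028 imul esp,dword[esi+ebp*1+0x62],0x73776f72
00000030 gs: jb 0x62
00000034 imul esp,dword[edx+0x0],0x61642f00
0000003b je 0x9e
0000003f jo 0xb1
"""
# groups: address, optional segment prefix ("fs: "), mnemonic, operands
LINE = re.compile(r"^([0-9a-fA-F]{8})\s+([a-z]{2}:\s+)?(\S+)\s*(.*)$")
HEXLIT = re.compile(r"0x([0-9a-fA-F]+)")
SHORT_JUMPS = {"jo", "jno", "jb", "jae", "je", "jne", "jbe", "ja",
               "js", "jns", "jp", "jnp", "jl", "jge", "jle", "jg"}

def le_text(value, width):
    """Render a little-endian integer as ASCII; non-printable bytes become '.'."""
    return "".join(chr(b) if 0x20 <= b < 0x7f else "."
                   for b in value.to_bytes(width, "little"))

def wide_operands(listing, min_width=4):
    """(address, mnemonic, text) for each operand of >= min_width bytes; width is
    inferred from the printed hex digits (an assumption about the listing)."""
    found = []
    for line in listing.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        addr, _prefix, mnem, ops = m.groups()
        for digits in HEXLIT.findall(ops):
            width = (len(digits) + 1) // 2
            if width >= min_width:
                found.append((int(addr, 16), mnem, le_text(int(digits, 16), width)))
    return found

def jump_bytes(listing):
    """(address, mnemonic, rel8, char) for each short conditional jump, assuming
    opcode + rel8 (2 bytes), one extra byte per segment prefix, target = next + rel8."""
    out = []
    for line in listing.splitlines():
        m = LINE.match(line)
        if not m or m.group(3) not in SHORT_JUMPS:
            continue
        addr, prefix, mnem, target = m.groups()
        rel = (int(target, 16) - int(addr, 16) - 2 - (1 if prefix else 0)) & 0xFF
        out.append((int(addr, 16), mnem, rel, le_text(rel, 1)))
    return out
```

Run over the embedded lines, the two 32-bit immediates decode to "rows" and "./da" and the five jump displacements to a, o, /, a, p, i.e. fragments of path strings rather than x86 operands.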