Date: Tue, 3 Apr 2012 03:42:31 +0900
From: アドリアンヘンドリック
	<unixfreaxjp22@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Re(2):  An April Fools' Day Android Payload

Just out of curiosity about the "April fool",
I actually double-checked the $payload in x86 ASM code.

00000000  add al,0xa0
00000002  sub byte[edi],ah
00000004  add bh,bl
00000006  or al,0xa0
00000008  add ah,byte[ecx+0xdf002753]
0000000e  add dword[edi],esp
00000010  add bh,bl
00000012  rol byte[esi+0x2f],0x64
00000016  popad
00000017  je 0x7a
00000019  das
0000001a  fs: popad .
0000001c  je 0x7f
0000001e  das
0000001f  arpl word[edi+0x6d],bp
00000022  cs: popad .
00000024  outs dx,byte[esi]
00000025  fs: jb 0x97
00000028  imul esp,dword[esi+ebp*1+0x62],0x73776f72
00000030  gs: jb 0x62
00000033  ins byte[es:edi],dx
00000034  imul esp,dword[edx+0x0],0x61642f00
0000003b  je 0x9e
0000003d  das
0000003e  popad
0000003f  jo 0xb1
00000041  add al,al
00000043  inc esi

----
 ZeroDay Japan http://0day.jp
 Hendrik ADRIAN /アドリアン・ヘンドリック


On Mon, Apr 2, 2012 at 7:59 PM, Dan Rosenberg <dan.j.rosenberg@...il.com> wrote:
> Hendrik,
>
> Well, they know about it now. ;-)
>
> I figured it was appropriate for April Fools' Day in keeping with the
> spirit of mischief. I wouldn't worry too much about seeing exploitation
> of what amounts to a local DoS vulnerability that requires a compromised
> browser session to exploit. It would be sort of silly to go through the
> effort to own someone's phone with the end goal of being a minor
> inconvenience to them.
>
> And sorry about the bad formatting on the original post, seems my text
> editor, email client, and this mailing list just didn't get along this
> time. Clean version at:
> http://vulnfactory.org/exploits/aprilfools.S
>
> Regards,
> Dan
>
> On 04/02/2012 04:42 AM, ZeroDay.JP wrote:
>> Mr. Rosenberg,
>>
>> I understand the PoC you coded and its effect on APT.
>> But as for the April Fools' connection, I just don't get it :-)
>>
>> Does Google know it yet?
>>
>> regards,
>>
>> ---
>> ZeroDay Japan http://0day.jp
>> Hendrik ADRIAN /アドリアン・ヘンドリック
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>
