must be an IP address which we can control in the DNS server.
Look for this code:
"split.c"
#define MAX_LINE_SIZE 256
void split_redraw(void)
{
int max;
int at;
/* for forkpty(); will also need to link against -lutil */
#include <sys/ioctl.h>
#include <termios.h>
#include <libutil.h>
#define Ki 1024
#define Mi (1024 * Ki)
#define DUMP_NAME "dump"
#define DUMMY_NAME "dummy"
From the first empirical tests we discovered that the universal path
normalization is "/."; these tests were later expanded with a deeper
analysis of the PHP source code.
PHP defines some stream wrapper functions and makes them available for
use by higher level functions like include, require, require_once,
file_get_contents, fopen and others.
In this paper only include/require behaviours are going to be analyzed.
using namespace std;
#ifdef WIN32
#include <winsock2.h>
#pragma comment(lib, "ws2_32.lib")
#define close closesocket
#define write(a,b,c) send(a, b, c, 0)
#define writeto(a,b,c,d,e) sendto(a, b, c, 0, d, e)
#define read(a,b,c) recv(a, b, c, 0)
#define readfrom(a,b,c,d,e) recvfrom(a, b, c, 0, d, e)
#else
* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
#define GET_UINT32(n,b,i) \
{ \
(n) = ( (uint32) (b)[(i) ] ) \
| ( (uint32) (b)[(i) + 1] << 8 ) \
| ( (uint32) (b)[(i) + 2] << 16 ) \
| ( (uint32) (b)[(i) + 3] << 24 ); \
}
This is where things get a little tricky. Since the loaded module
hash table is at different places in the data section depending on
the version of NTDLL.DLL, we have to search for it. Basically each
hash bucket that is empty contains a pointer to itself, so I made a
mask to place over memory that defined which buckets could be empty
vs. not, and defined that the last 6 had to be empty, because they
correspond to modules that don't start with an alphabetic character
in name. (This part could be made more effective and faster, but
for a PoC, it should work.) Once it finds memory that fits the
mask, I iterate the linked list at each of the 32 hash buckets and
+/* This is at least as big as the largest size of an integer that
+ encode_int can generate; it is sufficient for creating buffers for
+ it to write into. This assumes that integers are at most 64 bits,
+ and so 10 bytes (with 7 bits of information each) are sufficient to
+ represent them. */
+#define MAX_ENCODED_INT_LEN 10
+/* This is at least as big as the largest size for a single instruction. */
+#define MAX_INSTRUCTION_LEN (2*MAX_ENCODED_INT_LEN+1)
+/* This is at least as big as the largest possible instructions
+ section: in theory, the instructions could be SVN_DELTA_WINDOW_SIZE
+ 1-byte copy-from-source instructions (though this is very unlikely). */
/* */
/* Please use this code only to check your OWN cisco routers. */
/* */
/* Cisco bug ID: CSCin95836 */
/* */
/* The Next-Hop-Resolution Protocol (NHRP) is defined in RFC2332. It is used */
/* by a source host/router connected to a Non-Broadcast-Multi-Access (NBMA) */
/* subnetwork to determine the internetworking layer address and NBMA */
/* subnetwork addresses of the NBMA next hop towards the destination. */
/* NHRP is often used for dynamic multipoint VPNs (DMVPN) in combination with */
/* IPSEC. */
--- 0. Description ---
The GNU C library is used as the C library in the GNU system and most systems with the Linux kernel.
# define RE_DUP_MAX (0x7fff)
regcomp() is used to compile a regular expression into a form that is suitable for subsequent regexec() searches.
--- 1. RE_DUP_MAX overflow ---
I. Vulnerability Description
The OS X Software Update mechanism uses so called `distribution packages' [1],
which basically consist of two parts. The XML `catalog file', which lists the
available updates and the `distribution definition files' [1], which contain
information encoded in XML and JavaScript, defining every aspect of the
user experience, when installing an update.
When OS X checks for new updates, it first contacts swscan.apple.com
to receive the XML catalog file. This file references the distribution
BREG_DELETE_KEY BRegDeleteKey = NULL;
BREG_OPEN_KEY BRegOpenKey = NULL;
BREG_CLOSE_KEY BRegCloseKey = NULL;
REG_SET_VALUE_EX BRegSetValueEx = NULL;
#define AppPath "Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\360safe.exe"
#define TestDeleteKey HKEY_LOCAL_MACHINE
#define TestDeleteRegPath "Software\\360Safe\\Update"
#define TestSetKey HKEY_LOCAL_MACHINE
DllRegisterServer PRIVATE
DllUnregisterServer PRIVATE
***************************************************************/
#define IEBSFIX1_CLSID_W L"{802af903-a984-4481-8376-c103ade582e6}"
#define WIN32_LEAN_AND_MEAN
#define _CRT_NON_CONFORMING_SWPRINTFS
#define _CRT_SECURE_NO_WARNINGS
=================
CVE-2008-0947: libgssrpc and kadmind, from krb5-1.4 through krb5-1.6.3
CVE-2008-0948: libgssrpc and kadmind, in krb5-1.2.2 and probably most
other versions before 1.3, on systems where <unistd.h> does not define
FD_SETSIZE.
FIXES
=====
> #include<unistd.h>
>
> /* How many bytes should we clear in our
> * function pointer to put it into userspace? */
> #ifdef __x86_64__
> #define SHIFT 24
> #define OFFSET 3
> #else
> #define SHIFT 8
> #define OFFSET 1
> #endif
#ifdef WIN32
#include <windows.h>
#include <io.h>
#else
typedef long long ULONG64;
#define TRUE (-1)
#define FALSE (0)
#endif
#include <stdio.h>
#include <time.h>
Vulnerability conditions
========================
After the initial WordPress installation, the wp-config.php SECRET_KEY
must either remain at the default value 'put your unique phrase here' or be
undefined; the default value remains untouched after installing via a
browser.
When the WordPress package is unpacked and the victim is ready to
install it, he will be asked to read the manual in order to create a
wp-config.php file, or to change the permissions of the installation
directory to make it writable. If he chooses to change the directory permissions,
DETAILS:
Kavsafe.sys creates a device called \Device\KAVSafe and handles DeviceIoControl requests with IoControlCode = 0x830020d4, which can overwrite arbitrary kernel module data.
EXPLOIT CODE:
#define IOCTL_HOTPATCH_KERNEL_MODULE CTL_CODE(0x8300 , 0x835 , METHOD_BUFFERED ,FILE_ANY_ACCESS)
typedef LONG (WINAPI *PNT_QUERY_INFORMATION_PROCESS)(
HANDLE ProcessHandle,
DWORD ProcessInformationClass,
PVOID ProcessInformation,
ULONG ProcessInformationLength,
to monitor TCP connections on a Cisco IOS device. When Cisco IOS EEM
detects potential exploitation of this vulnerability, the policy can
trigger a response by sending a syslog message or a Simple Network
Management Protocol (SNMP) trap to clear the TCP connection. The example
policy provided in this document is based on a Tcl script that monitors
and parses the output from two commands at defined intervals, produces a
syslog message when the monitor threshold reaches its configured value,
and can reset the TCP connection.
The Tcl script is available for download at the "Cisco
Beyond: Embedded Event Manager (EEM) Scripting Community"
to the driver.
With specially constructed input, a malicious user can use functionality
within the driver to patch kernel addresses and execute arbitrary code
in kernel mode. When handling IOCTLs a communication method must be
pre-defined between the user-mode application and the driver module. The
selected method will determine how the I/O Manager manipulates memory
buffers used in the communication.
The 'METHOD_NEITHER' is a very dangerous method because the pointer
passed to 'DeviceIoControl' as input or output buffer will be sent
We've been seeing that you keep mistakenly assuming RFI for constant variables.
For the next releases of your great bug hunting journey, please note:
1. Constant variables are usually written in capital letters, such as
ABSPATH, DB_USER, DB_PASSWORD, DB_HOST.
2. Programmers define them in advance in a config file with the
define function, like define( ABSPATH, ...) , define(DB_USER,...).
If this finding is automatically produced by your own audit
scripts, please fix them.
!
username <user ID> view <view name> secret <some secret>
!
ip scp server enable
In the above configuration snippet, the parser view command defines a
view that specifies what commands users in that view can execute. The
username command defines a local user and attaches, via the view
keyword, the previously defined view to the user. And finally, the ip
scp server enable command enables the Cisco IOS SCP server.
definition simply become definition number 2 in Webster?
Is it really the definition that is lacking, or is the use of the word
at issue? Seems to me, from the beginning of this debate, that it's the
usage. Far easier to reform the "zero day process" (disclosure, etc.)
than to redefine the term "zero day". The term is owned by the public;
the process is owned by those who follow it, the industry.
Couldn't a formal process be developed that does the defining/labeling
of a particular disclosure?
//
// BSD IPComp Kernel Stack Overflow Testcase
// -- Tavis Ormandy <taviso@cmpxchg8b.com>, March 2011
//
#define MAX_PACKET_SIZE (1024 * 1024 * 32)
#define MAX_ENCAP_DEPTH 1024
enum {
IPCOMP_OUI = 1,
IPCOMP_DEFLATE = 2,