RE: [inbox] RE: [Full-Disclosure] 3 new MS patches next week...

["Exibar" <exibar@thelair.com>]

>
> This really long 'form action' item
> http://www.citibank.com:achaaa9uwdtyazjwvwaaaa9p398haaa9uwdtyazjwv
> waboundpyw
> wgc2l6zt00pjxtvgc2l6zt00pjxywwgc2l6zt00pjxt398haaa9uwdtyazjwvwaaou
> ndpywwgc2l
> 6zt00pjxtvgc2l6zt00pjxvgc2l6zt00pjxt@211.239.150.170/login/form.php
>
> obviously contains the 0x01 exploit. What I'm curious about is the HUGE
> amount of crap in between the : and the @ sign. I mean, if the
> 0x01 exploit
> is 'good enough', what's with the extra characters?
>


The above http: line doesn't make use of the 0x01 exploit.  In order to make
use of that exploit, you NEED "0x01" in there just before the @ symbol.  The
above link only makes use of of a "feature" of using the @ symbol to pass
credentials.  All the gibberish that you see in the link is a poor attempt
to mask the actual address it's going to.  When you click on the link,
you'll see "211.239.150.170/login/form.php" in the browser's address bar.
If it was using the 0x01 expoilt you'd see "http://www.citibank.com"; in the
address bar.

 Exibar

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html