::eSploit::

wikileaks indian blackmoney List

2011-08-06T19:02:00.000+05:30

"WikiLeaks and Indian black money: The following is a FAKE image and never appeared on WikiLeaks."

wish it were a real leak :( waiting for the day when the list will be out.

HTran and APT

2011-08-04T22:00:00.001+05:30

HTran and the Advanced Persistent Threat | Dell SecureWorks: "While researching one of the malware families involved in the RSA breach disclosed in March 2011, Dell SecureWorks CTU observed an interesting pattern in the network traffic of a related sample (MD5:53ba6845f57f8e9ef600ef166be3be14). When the sample under analysis attempted to connect to the C2 server at my.amazingrm.com (203.92.45.2), the server returned a succinct plain-text error message instead of the expected HTTP-formatted response:"

http://www.secureworks.com/research/threats/htran/

http://read.pudn.com/downloads199/sourcecode/windows/935255/htran.cpp__.htm

Internet Underground 2011

2011-08-04T21:41:00.001+05:30

"This paper aims to give an overall up-to-update review, evaluation and analysis of the underground scene of black hat hackers and/or cyber criminals."

Paper Download:
www.exploit-db.com/download_pdf/17334/

Pwnie winners

2011-08-04T21:36:00.000+05:30

Pwnie for Best Server-Side Bug

Awarded to the person who discovered or exploited the most technically sophisticated and interesting server-side bug. This includes any software that is accessible remotely without using user interaction.

ASP.NET Framework Padding Oracle (CVE-2010-3332)

Credit: Juliano Rizzo, Thai Duong

Juliano and Thai showed that the ASP.NET framework is vulnerable to a padding oracle attack that can be used to remotely compromise almost any ASP.NET web application, often leading to remote code execution on the server.

Pwnie for Best Client-Side Bug

Awarded to the person who discovered or exploited the most technically sophisticated and interesting client-side bug. These days, ‘client’ is pretty much synonymous with ‘web browser’, but don't forget about all the media player integer overflows!

FreeType vulnerability in iOS (CVE-2011-0226)

Credit: Comex

Comex exploited a vulnerability in the interpreter for Type 1 font programs in the FreeType library used by MobileSafari. This exploit is a great example of programming a weird machine to exploit a modern system. Comex used his control over the interpreter to construct a highly sophisticated ROP payload at runtime and bypass the ASLR protection in iOS. Furthermore, the ROP payload exploited a kernel vulnerability to execute code in the kernel and disable code-signing. The exploit was hosted onjailbreakme.com and was successfully used by thousands of people to jailbreak their iOS devices.

Pwnie for Best Privilege Escalation Bug

Awarded to the person who discovered or exploited the most technically sophisticated and interesting privilege escalation vulnerability. As more defense-in-depth systems like Mandatory Access Control and Virtualization are deployed, privilege escalation vulnerabilities are becoming more important. These vulnerabilities can include local operating system privilege escalations, operating system sandbox escapes, and virtual machine guest breakout vulnerabilities.

Windows kernel win32k user-mode callback vulnerabilities (MS11-034)

Credit: Tarjei Mandt

In the span of a few months, Tarjei found more than 40 vulnerabilities in the Windows kernel. In hispresentation at Infiltrate 2011, he described the details of these vulnerabilities and his kernel exploitation techniques.

Pwnie for Most Innovative Research

Awarded to the person who published the most interesting and innovative research in the form of a paper, presentation, tool or even a mailing list post.

Securing the Kernel via Static Binary Rewriting and Program Shepherding

Author: Piotr Bania

To implement some of the ideas from pax-future.txt is one thing, to implement them through static analysis on Windows, rewriting drivers automagically, and have it all work preserving binary compatibility across a wide range of Windows versions: that's deserving of respect.

Pwnie for Lifetime Achievement

Most hackers have the personality of a supermodel who does discrete mathematics for fun. Like mathematicians, hackers get off on solving very obscure and difficult to even explain problems. Like models, hackers wear a lot of black, think they are more famous than they are, and their career effectively ends at age 30. Either way, upon entering one's fourth decade, it is time to put down the disassembler and consider a relaxing job in management. This award is to honor the previous achievements of those who have moved on to bigger and better things.

pipacs/PaX Team

The person that we are honoring this year with the lifetime achievement award has, surprisingly, contributed a lot to the defensive side of security. The winner has repeatedly innovated behind the scenes, avoided the conference circus and maintained a high level of personal and intellectual integrity.

His technical work has had an outsize impact on security: His ideas are fundamental to security improvements in all major operating systems in recent years, and his ideas have indirectly shaped most modern memory-corruption attack techniques. No attacker can be taken seriously nowadays that does not deal with defensive inventions pioneered by our winner.

In an environment where Microsoft awards 200k USD for mitigation ideas that they can then patent and monopolize, he has freely shared his ideas - out of intellectual openness, but also out of a rather endearing mixture of humility and incredulity at the general retardedness of others.

Aside from all this, his innovations had a major impact when they were first introduced: For quite a while after their introduction, his work made it difficult to hack other hackers, taking away the hackers favourite pasttime -- infighting -- and making sure that innocent third parties were hacked.

The winner of this years lifetime achievement award is pipacs/PaX Team, for creating PaX, giving birth to ASLR, impacting all modern operating systems, and, last but not least, for patching an mp3 player and a tetris clone into softIce.

http://pwnies.com/winners/

Analysis of ngrBot

2011-08-04T21:35:00.001+05:30

Analysis of ngrBot - Stop Malvertising: "Today we will have a closer look at ngrBot, an IRC bot with rootkit capabilities. The core of ngrBot is an advanced ring3 (usermode) system-wide injection and hooking engine similar to ZeuS and SpyEye."

http://stopmalvertising.com/rootkits/analysis-of-ngrbot.html

Deobfuscate exploit kits using Malzilla

2011-08-04T18:34:00.001+05:30

Deobfuscate exploit kits using Malzilla: "I'll give you some examples how you can use Malzilla for deobfuscation of exploit packs.

My preferred method is using templates for various exploit kits.

Part 1 - Best Pack exploit kit

Create a new file in Malzilla's subdirectory 'templates' and name the file 'BestPack'.
Insert the following lines."

http://www.malwaredomainlist.com/forums/index.php?topic=4636.msg21853#msg21853

open sale hacked data Sqli !

2011-08-04T00:35:00.000+05:30

I stumbled upon this site (selling the below services ) in January this year, it was in the news then and many (including me )blogged, tweeted about it.

Thought it'll go down in a day or so. However, today after nearly 7 months saw the same news in imperva blog, checked the site and found that it's not only still up and running but even updating frequently !

Apart from selling the services above, this guy also discloses SQL injection vulnerabilities in major websites including banks, universities, large corporations and Government organizations like :

https://www.playstation.ru/

http://www.playstation.ca/
http://www.hartford.edu/
http://armani.com/
http://www.parliament.gov.bw/
http://www.nbc.org.kh/

http://www.bot-tz.org/

http://www.na.gov.pk/

http://www.presidentofpakistan.gov.pk/

http://www.cbp.gov/

http://www.ad.gov.ir/

http://www.tacp.toshiba.com/

http://labs.oracle.com/

The worst part is many of the disclosed SQLi vulnerabilities in the above sites may be still open and can be misused by someone. Recently, SONY had a bad time with series of hacks . It looks like the playstation vulnerabilities are updated recently (Yesterday August 2) so may be still live !

This guy also provides his contact information clearly:

Whois & Domain Info:

Some Additional Related snapshots and Links:

http://webcache.googleusercontent.com/search?q=cache:0NFyFEui4FcJ:www.hackforums.net/showthread.php%3Ftid%3D1289466+http://www.hackforums.net/showthread.php%3Ftid%3D1289466&cd=1&hl=en&ct=clnk&gl=in&source=www.google.co.in

http://www.youtube.com/watch?v=Ad62bfptGpQ

Now, the question is why|how the site is still up ? Good question...I don't know aswell :)

The Site:

http://www.srblche.com/

eSploit Post (Jan):

http://esploit.blogspot.com/2011/01/professional-hacker-website-hacking.html

Imperva posts: (Recent & Jan)

http://blog.imperva.com/2011/08/in-hollywood-sequels-are-tremendously-profitable-now-matter-how-bad-in-fact-in-2009-mathmaticians-even-came-up-with-a-f.html

http://krebsonsecurity.com/2011/01/ready-for-cyberwar/
http://blog.imperva.com/2011/01/major-websites-govmiledu-are-hacked-and-up-for-sale.html

non-alpha encoder online

2011-08-03T23:10:00.001+05:30

http://hackvertor.co.uk/hvurl/2p
http://www.thespanner.co.uk/2011/08/03/decoding-non-alphanumeric-code-with-hackvertor/

hodprod malware analysis

2011-08-03T23:08:00.000+05:30

http://www.eset.com/us/resources/white-papers/Hodprot-Report.pdf

Operation Shady RAT !

2011-08-03T22:56:00.000+05:30

"Operation Shady RAT - Biggest Cyber Attacks in history uncovered . McAfee publish a new report that it says is one of the most comprehensive analysis ever revealed of victim profiles from a five-year long targeted operation by a specific actor dubbed Operation Shady RAT."Paper:
http://www.mcafee.com/us/resources/white-papers/wp-operation-shady-rat.pdf
http://www.zdnet.com/blog/btl/operation-shady-rat-five-things-to-know/53928

China Blue Army !

2011-08-03T22:47:00.000+05:30

"China has recently announced the existence of the Blue Army, a government sponsored cyber warfare unit similar to those launched by theU.S, the United Kingdom, Australia and Israel."

http://www.zdnet.com/blog/security/chinas-blue-army-when-nations-harness-hacktivists-for-information-warfare/8686

Google Chrome 13.0.782.107 Update !

2011-08-03T22:45:00.000+05:30

"The Google Chrome team is pleased to announce the arrival of Chrome 13.0.782.107 to the Stable Channel for Windows, Mac, Linux, and Chrome Frame. Spanning 5200+ revisions, Chrome 13 contains some exciting new features like Instant Pages prerendering technology. To find out about other new features, check out the Official Chrome Blog. "

FIXES:

[75821] Medium CVE-2011-2358: Always confirm an extension install via a browser dialog. Credit to Sergey Glazunov.
[$1000 each] [78841] High CVE-2011-2359: Stale pointer due to bad line box tracking in rendering. Credit to miaubiz and Martin Barbella.
[79266] Low CVE-2011-2360: Potential bypass of dangerous file prompt. Credit to kuzzcc.
[79426] Low CVE-2011-2361: Improve designation of strings in the basic auth dialog. Credit to kuzzcc.
[Linux only] [81307] Medium CVE-2011-2782: File permissions error with drag and drop. Credit to Evan Martin of the Chromium development community.
[83273] Medium CVE-2011-2783: Always confirm a developer mode NPAPI extension install via a browser dialog. Credit to Sergey Glazunov.
[83841] Low CVE-2011-2784: Local file path disclosure via GL program log. Credit to kuzzcc.
[84402] Low CVE-2011-2785: Sanitize the homepage URL in extensions. Credit to kuzzcc.
[84600] Low CVE-2011-2786: Make sure the speech input bubble is always on-screen. Credit to Olli Pettay of Mozilla.
[84805] Medium CVE-2011-2787: Browser crash due to GPU lock re-entrancy issue. Credit to kuzzcc.
[85559] Low CVE-2011-2788: Buffer overflow in inspector serialization. Credit to Mikołaj Małecki.
[$500 each] [85808] Medium CVE-2011-2789: Use after free in Pepper plug-in instantiation. Credit to Mario Gomes and kuzzcc.
[$1000] [86502] High CVE-2011-2790: Use-after-free with floating styles. Credit to miaubiz.
[$1000] [86900] High CVE-2011-2791: Out-of-bounds write in ICU. Credit to Yang Dingning from NCNIPC, Graduate University of Chinese Academy of Sciences.
[$1000] [87148] High CVE-2011-2792: Use-after-free with float removal. Credit to miaubiz.
[$1000] [87227] High CVE-2011-2793: Use-after-free in media selectors. Credit to miaubiz.
[$500] [87298] Medium CVE-2011-2794: Out-of-bounds read in text iteration. Credit to miaubiz.
[$500] [87339] Medium CVE-2011-2795: Cross-frame function leak. Credit to Shih Wei-Long.
[87548] High CVE-2011-2796: Use-after-free in Skia. Credit to Google Chrome Security Team (Inferno) and Kostya Serebryany of the Chromium development community.
[$1000] [87729] High CVE-2011-2797: Use-after-free in resource caching. Credit to miaubiz.
[87815] Low CVE-2011-2798: Prevent a couple of internal schemes from being web accessible. Credit to sirdarckcat of the Google Security Team.
[$1000] [87925] High CVE-2011-2799: Use-after-free in HTML range handling. Credit to miaubiz.
[$500] [88337] Medium CVE-2011-2800: Leak of client-side redirect target. Credit to Juho Nurminen.
[$1000] [88591] High CVE-2011-2802: v8 crash with const lookups. Credit to Christian Holler.
[88827] Medium CVE-2011-2803: Out-of-bounds read in Skia paths. Credit to Google Chrome Security Team (Inferno).
[$1000] [88846] High CVE-2011-2801: Use-after-free in frame loader. Credit to miaubiz.
[$1000] [88889] High CVE-2011-2818: Use-after-free in display box rendering. Credit to Martin Barbella.
[$500] [89142] High CVE-2011-2804: PDF crash with nested functions. Credit to Aki Helin of OUSPG.
[$1500] [89520] High CVE-2011-2805: Cross-origin script injection. Credit to Sergey Glazunov.
[$1500] [90222] High CVE-2011-2819: Cross-origin violation in base URI handling. Credit to Sergey Glazunov.

http://googlechromereleases.blogspot.com/2011/08/stable-channel-update.html

WAF and SQL Injection

2011-08-03T22:39:00.001+05:30

WAFs And SQL Injection - Dark Reading: "The ModSecurity site is putting on the SQL Injection Challenge. Contestants are attempting to find successful SQL injection attacks against target applications. The four sample applications are from IBM, Cenzic, HP, and Acunetix, each with a slightly different host configuration and database platform."

http://www.darkreading.com/database-security/blog/231003041/wafs-and-sql-injection.html

Port 3389 terminal services scans

2011-08-03T22:36:00.001+05:30

ISC Diary | Port 3389 / terminal services scans:

"Port 3389 / TCP is used by Microsoft Terminal Services, and has been a continuing target of attacks."

http://isc.sans.edu/diary.html?storyid=11299&rss

thejester vs ANONYMOUSABU lulzsec

2011-08-03T01:17:00.002+05:30

Even Topiary Didn’t Know What He Was Getting Into «: "Privacy is necessary for an open society in the electronic age. Privacy is not secrecy. Privacy is the power to selectively reveal oneself to the world.’

So folks continue to ask me why I am ‘after’ anon/lulzsec….

Well I’d like to address this.

I am not particularly ‘after’ anon (that’s not denying that we have had our run-ins), everyone knows their roots and anyone who can google knows mine.

However… Lulzsec, hmmm different beast. Lulzsec are threatening, and inciting and RECRUITING.

While Anonymous claim to be ‘leaderless’, Lulzsec is obviously not. And Anonymous in their desperation for the world to see them as anything other than what they really are… have allowed themselves to have a ‘leader’.

That ‘leader’ is known as ANONYMOUSABU"

http://th3j35t3r.wordpress.com/2011/08/01/even-topiary-didnt-know-what-he-was-getting-into/
http://www.scribd.com/doc/61211269/Anonymous-LulzSec-Terrorist-Ties

Host4africa Mass Compromise

2011-08-03T01:10:00.001+05:30

Host4africa Mass Compromise | Sucuri: "We are seeing a lot of sites hosted at host4africa.com compromised with Blackhat Spam SEO. Most of them are in the .co.za TLD (at 74.53.0.0/16 and 74.54.0.0/16) and have hidden links to generic drugs (common Pharma Spam)."

http://blog.sucuri.net/2011/08/host4africa-mass-compromise.html

30 China govt sites hacked Hitcher

2011-08-03T01:00:00.000+05:30

Mirror:
http://k0-ka.in/attack/?id=28212
http://k0-ka.in/attack/?id=28211
http://k0-ka.in/attack/?id=28210
http://k0-ka.in/attack/?id=28209
http://k0-ka.in/attack/?id=28211
http://k0-ka.in/attack/?id=28210
http://k0-ka.in/attack/?id=28209
http://k0-ka.in/attack/?id=28208
http://k0-ka.in/attack/?id=28207
http://k0-ka.in/attack/?id=28204
http://k0-ka.in/attack/?id=28203
http://k0-ka.in/attack/?id=28202
http://k0-ka.in/attack/?id=28201
http://k0-ka.in/attack/?id=28200
http://k0-ka.in/attack/?id=28199
http://k0-ka.in/attack/?id=28197
http://k0-ka.in/attack/?id=28196
http://k0-ka.in/attack/?id=28195
http://k0-ka.in/attack/?id=28194
http://k0-ka.in/attack/?id=28222
http://k0-ka.in/attack/?id=28221
http://k0-ka.in/attack/?id=28220
http://k0-ka.in/attack/?id=28219
http://k0-ka.in/attack/?id=28218
http://k0-ka.in/attack/?id=28217
http://k0-ka.in/attack/?id=28216
http://k0-ka.in/attack/?id=28215
http://k0-ka.in/attack/?id=28214
http://k0-ka.in/attack/?id=28213
------------------------------------------------------------------------------------------------------
Note: look at the domain names, not sure if they're really govt. sites (if yes, then no offense) but the domain names look like random dll/exe names of some malware , trojan vundo or sumthing :P.

Original:
http://pastebin.com/XDGRJ6BE

Anonware malware framework download github

2011-08-03T00:37:00.001+05:30

"download complete everything @ http://www.megaupload.com/?d=QKMY6HRW
UPDATE: GITHUB REPO AVAILABLE NOW! https://github.com/opendeveloper/anonware (^)_(^)

TO SET THE RECORD STRAIGHT:
as for allegations that my code is 'amaturish, lazy, etc.' i would like to say that it's completely true :) the code provided here *IS* just a C# compiler (with a little extra) and shouldn't be taken as some kind of super awesome virus released by a group of Anonymous hackers. it's something me, a bad programmer, threw together in a couple hours and decided to paste on pastebin.
oh, and fortherecord, i was a little high, and, retrospectively, the comments were definitely over-optimistic. and when the reporter from the tech herald contacted me, i assumed that he was a developer, and he took interest in the code. i naturally was like, well i guess it is pretty cool...and let my ego get ahead of myself. i would like to formally apologize to fellow Anonymous members for providing such a simple framework
and then acting inapropriately like it was an awesome new idea.

as for encryption/obfuscation
encryption/obfuscation was something i was assuming the devs could add to the framework; i didn't think it would be something i should put in the framework. besides; if i put a specific kind of obfuscation/encryption into the framework as it was, it would be pretty easy for the a/v vendors to just find a flaw in one part of my encryption code and then use that to exploit all future editions of it.
that doesn't allign well with what the 'framework' is, more of like the standard stuff so you can add on your own stuff so that a/v doesn't have one standard thing to go off.

as for existing malware frameworks
once again, alittle high, way to optimistic comments ^^_^^
as for the existing malware frameworks pointed out, all of them are either pay-to-use or really hard to find the source for. i provided AnonWare as a service that's simple to find and easy to modify

for the future:
i will release the FIRST version of AnonWare a couple days after #RefRef is released. hopefully, it will include encryption/obfuscation, a seperate edition for people that want to create rouge AV and other software. i have an idea for using it with #RefRef, and will get everything ready for integration with #RefRef while we wait for the #RefRef team to complete development. i emphasize FIRST because it seems some people misunderstood
the point of AnonWare...it was counterintuitive for the Sophos researcher to provide malware detection for it since what is provided here is nowhere near completed malware. also the tech hareld reporter may have misunderstood, partially by sending the code to the researches. i'm not blaming anyone for this; i acted like it was bigger than it was, and as a result reporters and the public may have been dissapointed when reading thru the code.

finally, please help AnonWare :P if you can do any type of development, i would love it if you could help improve the code, translate the code, etc.

ty. tyvm.

NOW BACK TO THE REST OF THE PASTE!

note - keep in mind that this is nowhere near a completed virus, just sumthing i threw together in a day ^_^
if you would like to use this at all, you're gonna need to add a lot to the code...it's just the absolute simplest parts of malware

https://github.com/opendeveloper/anonware
http://pastebin.com/MFc4SY3S

The Sun Scottish students poll Hacked

2011-08-03T00:31:00.002+05:30

The Sun - Hacked Scottish students poll - Pastebin.com: "The Sun - Scottish students poll
Released by batteye

Full CSV file: http://www.mediafire.com/download.php?77kkuvlm6c92exv"

http://pastebin.com/Ucy6Lj34

Free Tope Antisec Movement

2011-08-03T00:28:00.000+05:30

$$$$$$ /$$$$$$$$$$$$$

| $$$__/ |____ $$$____/

| $$$ | $$$

| $$$$$$ /$$$$$ /$$$$$ /$$$$$ | $$$ /$$$$$$ /$$$$$$ /$$$$$

| $$$__/ | $$$_/ | $$$_/ | $$$_/ | $$$ | $$$ $ | $$$ $ | $$$_/

| $$$ | $$$ | $$$$$ | $$$$$ | $$$ | $$$ $ | $$$ $ | $$$$$

| $$$ | $$$ | $$$_/ | $$$_/ | $$$ | $$$ $ | $$$ $ | $$$_/

| $$$ | $$$ | $$$$$ | $$$$$ | $$$ | $$$$$$ | $$$$$$ | $$$$$

|___/ |___/ |_____/ |_____/ |___/ |______/ | $$$__/ |_____/

| $$$

|___/

"To my dearest Lulz Lizards,

Jake Davis is perhaps the greatest digital graffiti artist of all time. A purveyor of many lulz, this swank garden hedge known as Topiary left his personal Twitter account with a quotation from famed civil rights activist Medgar Evers, "You cannot arrest an idea."

Jake wrote many lulzy press releases for both Anonymous and Lulz Security. He proved his value as a spokesperson by taking on Shirley Phelps of Westboro Baptist, slaying her hateful religious zeal with over 9,000 sins.

------

"Under a government which imprisons any unjustly, the true place for a just man is also a prison." ~ Henry David Thoreau"

You can help Topiary by donating bitcoins to whichever following address you trust most:

18NHixaoQekQJ3y52aBGJJwgBWX9X3myYR ~ Sabu

18zJouAQAMzX5sJygZ4M2QV7yb8FzxSbdq ~ Chronicle.SU

------

http://pastebin.com/NzsxhNXT

http://pastebin.com/yXmajXmv

Stuxnet memory analysis Volatility 2.0

2011-08-03T00:18:00.001+05:30

MNIN Security Blog: Stuxnet's Footprint in Memory with Volatility 2.0: "Stuxnet modifies an infected system in such ways that are perfect for showing off many of the new capabilities in Volatility 2.0. We won't cover all of Volatility's commands (for example you won't see idt, gdt, ssdt), because Stunet doesn't mess with those areas of the system, but you'll get a good summary. Second, although many people understand technical malware descriptions, not many people have the 'glue' knowledge to translate artifacts that they read about into Volatility commands. Sometimes you can capably determine if a system is infected by hunting for the artifacts eluded to in reports."

http://mnin.blogspot.com/2011/06/examining-stuxnets-footprint-in-memory.html

Practical C++ Decompilation REcon 2011

2011-08-03T00:11:00.000+05:30

Recon 2011: Practical C++ Decompilation | Hex Blog: "C++ decompilation and how to handle it in IDA and Hex-Rays decompile"

Slides:

http://www.hexblog.com/wp-content/uploads/2011/08/Recon-2011-Skochinsky.pdf

Washington University Students Staff emails Dumped

2011-08-02T23:28:00.001+05:30

Full Disclosure: Washington University Student and Staff Dump: "Washington University Student and Staff Dump"

http://www.washington.edu/home/peopledir/

http://pastebin.com/ALYtW4hA

CVE-2011-2357 Android Browser Cross Application Scripting !

2011-08-02T23:18:00.000+05:30

"A 3rd party application may exploit Android's Browser URL loading process in
order to inject JavaScript code into an arbitrary domain thus break Android's
sandboxing. There are two vectors that can achieve this:
1. The malicious application causes the Android's browser to reach the MAX_TAB
limit. From then on URLs are loaded under the current tab. The attacking
application can open MAX_TAB URLs by calling startActivity times
with the attacked domain. On the th call, the attacking app can
insert a javascript:// URI, which will be opened in the context of the
attacked domain. It should be denoted that the sent Intent should be
combined with the FLAG_ACTIVITY_BROUGHT_TO_FRONT flag because it is likely
that the Browser will have UI focus from the second intent and forward, in
which case Android won't attach this flag automatically and the crucial code
fragment under onNewIntent will not be executed.
2. Sending two consecutive startActivity calls. The first call includes the
attacked domain, and causes Android's browser to load it. The second call
contains the javascript code. If the time interval between the two intents
is small enough, then it is likely that the browser will have UI focus when
the second startActivity call is made, therefore the input intent won't have
the FLAG_ACTIVITY_BROUGHT_TO_FRONT flag and, as explained in the previous
vector, the JavaScript URI will be opened under the current tab, i.e. the
attacked domain."

http://blog.watchfire.com/files/advisory-android-browser.pdf
http://seclists.org/fulldisclosure/2011/Aug/9

Return Oriented Programming paper !

2011-08-02T23:00:00.000+05:30

Review: Buffer overflow, format string

• Return Oriented Programming

– Chain together sequences (‘gadgets’) ending in RET

– Can use good code chunks as ‘alphabet’, string

together to get for bad code

• Some similarities to an antigram (form of anagram)

Within earshot ‡ I won't hear this

– Build “gadgets” for load‐store, arithmetic,

logic, control flow, system calls

– Attack can perform arbitrary computation

using no injected code at all

http://cs.uno.edu/~dbilar/11CSCI6621-NetworkSecurity/04.07.11.ROP.CSCI6621/04.06.11.ReturnOrientedProgramming.CSCI6621.pdf