Hamachi VPN Local Login Credentials Information Disclosure Vulnerability

March 25, 2008

Hi,

Yesterday I released the following advisory on Bugtraq:

Hamachi

The issue can be tested with my Process Memory Dumper, released yesterday on my website.

Next week I'll work on other suspected vulnerabilities in Hamachi.

See you at the next post.. 🙂


Updated

March 24, 2008

Hi,

ProcessMemoryDumper is available for download on my website: http://evilcry.altervista.org

See you to the next Post


Forum Opened

March 24, 2008

Hi,

It's raining here, so I'm at home; I've opened a little forum on my website

http://evilcry.altervista.org/phpbb/

and this afternoon I’ll publish the Process Memory Dumper.

I'm also waiting for Secunia's response about an advisory written by me and Omni.

See you really soon 🙂


Symbol Type Viewer 32Bit/64Bit Nice Tool

March 16, 2008

Hi

Today I found a great tool, Symbol Type Viewer 32Bit/64Bit


Symbol Type Viewer is a tool which makes it possible to easily
visualize the types defined in the symbols of the modules of
Microsoft Windows 32/64-bit systems. Moreover, it can convert this information (from pdb, exe, sys files) into C language headers (.h) and scripts for DataRescue's IDA disassembler
(.idc).

Link here

See you at the next post.. 🙂


Process Memory Dumper Finished

March 5, 2008

Hi,

Today I’ve coded a little Process Memory Dumper, just to obtain the entire memory image of a running process.

This will help me develop a series of applications that exploit a series of applications vulnerable to password disclosure.

Surely, in some time, I'll publish the source code of the Memory Dumper 🙂

See you


Banca di Roma Fraud

March 1, 2008

Hi,

Today my Mail-HoneyPot caught a new fraud, which comes from Japan.

A classic bank fraud attempt; the affected bank is Unicredit Banca di Roma. This is the mail I received:

————————————————————

Dear CUSTOMER,

As part of a project to verify the personal data provided when subscribing to
Banca di Roma services, an inconsistency has been found in the personal data in
question that you provided at the time of signing the contract.

Entering altered data may constitute grounds for interruption of the service under
art. 135 and 137/c accepted by you at the time of subscription, as well as constituting an offence
punishable under criminal law according to C.P.P. art. 415 of 2001 concerning the law against
money laundering and the transparency of data provided by self-certification.

To remedy the problem it is necessary to verify and update the data relating to
the personal details of the holder of the banking services.

Update your data by clicking on the following secure link:

Access the secure link >>

Kind regards!

© Banca di Roma S.P.A 2008 Partita Iva 01114601306

————————————————————-

The mail claims an inconsistency in the account, so the victim is induced to reconfirm his account.

There is a link, for "Secure Access", that points at http://www.rwell.co.jp/{Censored}.htm, which obviously does not use any form of secure connection; from there we are redirected to http://oakadaa1.easyvserver.net/roma/{CENSORED}.html, which perfectly emulates the Banca di Roma home page.

As usual there is a UserId and a Password field to fill in; let's check the source code to see the checks performed by the attacker..

———————————

if(signupFORM.userid.value == ""){
alert("Non avete completato il UserID");return false;
}

if(signupFORM.password.value == ""){
alert("Non avete completato il Password");return false;
}

if(signupFORM.userid.value.length <7){
alert("INTI0565 IDENTIFICATIVO DEL CLIENTE O CODICE SEGRETO NON VALIDI");return false;
}

if(signupFORM.userid.value.length >7){
alert("INTI0565 IDENTIFICATIVO DEL CLIENTE O CODICE SEGRETO NON VALIDI");return false;
}

if((signupFORM.password.value.length <6)){
alert("INTI0565 IDENTIFICATIVO DEL CLIENTE O CODICE SEGRETO NON VALIDI ");
return false;
}

———————————————–

The function accepts only numbers for both fields; the UserId should be a minimum of 7 digits long, and the password 6.

After clicking here we are taken to the second page..

Here we're asked for the Security Card Id and the Security Card coordinates (64 fields); let's see what the input rules are..

——————————-

if(signupFORM.email.value.length <6){
alert("Il Numero della Tessera di Sicurezza non e corretto.");return false;}

—————————–

The Card Id is a 6-digit number, and each of the 64 coordinate input boxes expects a 2-digit value.
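An added triage helper, not code from the original post: this Python script parses the phishing kit's client-side checks quoted above (both the login page and the security-card page) into per-field length constraints, which is how a defender can read off from a captured kit exactly which credential format it targets. The sample source (re-typed with straight quotes), the PHISHING_JS constant and the function names are my constructions.

```python
import re

# Constructed sample: the client-side checks quoted in this post, re-typed as captured
# page source with straight quotes (the blog rendering shows typographic ones).
PHISHING_JS = r'''
if(signupFORM.userid.value == ""){ alert("Non avete completato il UserID");return false; }
if(signupFORM.password.value == ""){ alert("Non avete completato il Password");return false; }
if(signupFORM.userid.value.length <7){ alert("INTI0565 IDENTIFICATIVO DEL CLIENTE O CODICE SEGRETO NON VALIDI");return false; }
if(signupFORM.userid.value.length >7){ alert("INTI0565 IDENTIFICATIVO DEL CLIENTE O CODICE SEGRETO NON VALIDI");return false; }
if((signupFORM.password.value.length <6)){ alert("INTI0565 IDENTIFICATIVO DEL CLIENTE O CODICE SEGRETO NON VALIDI ");return false; }
if(signupFORM.email.value.length <6){ alert("Il Numero della Tessera di Sicurezza non e corretto.");return false;}
'''

# One "if(form.field.value[.length] OP rhs){ alert(msg)" check per match.
CHECK_RE = re.compile(
    r'(?P<form>\w+)\.(?P<field>\w+)\.value(?P<len>\.length)?\s*'
    r'(?P<op>==|<|>)\s*(?P<rhs>"[^"]*"|\d+)\)*\s*\{\s*'
    r'alert\((?P<msg>"[^"]*")\)')

def extract_checks(js):
    """Return one dict per client-side check: the field, the rule, and the alert text."""
    checks = []
    for m in CHECK_RE.finditer(js):
        checks.append({
            'field': m.group('field'),
            'rule': ('length' if m.group('len') else 'value',
                     m.group('op'), m.group('rhs').strip('"')),
            'message': m.group('msg').strip('"').strip(),
        })
    return checks

def field_constraints(checks):
    """Fold the checks into (min_len, max_len) per field. Rejecting length<7 means
    min 7, rejecting length>7 means max 7, and an empty-string test means min 1."""
    out = {}
    for c in checks:
        kind, op, rhs = c['rule']
        lo, hi = out.get(c['field'], (None, None))
        if kind == 'length' and op == '<':
            lo = max(lo or 0, int(rhs))
        elif kind == 'length' and op == '>':
            hi = int(rhs) if hi is None else min(hi, int(rhs))
        elif kind == 'value' and op == '==' and rhs == '':
            lo = max(lo or 0, 1)
        out[c['field']] = (lo, hi)
    return out

if __name__ == '__main__':
    for field, (lo, hi) in field_constraints(extract_checks(PHISHING_JS)).items():
        print(f'{field}: min {lo}, max {hi}')
```

On this kit the output shows the UserId pinned to exactly 7 characters and the password and card-number fields to at least 6, matching what the author read off by hand.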

After filling that in, the information is completely stolen, and we're automatically redirected to the real Banca di Roma site.

…another stupid classical Bank Fraud..

See you at the next post.. 🙂