Just out of curiosity about the "April fool", I actually did a double-check of the $payload in x86 ASM code.

00000000  add al,0xa0
00000002  sub byte[edi],ah
00000004  add bh,bl
00000006  or al,0xa0
00000008  add ah,byte[ecx+0xdf002753]
0000000e  add dword[edi],esp
00000010  add bh,bl
00000012  rol byte[esi+0x2f],0x64
00000016  popad
00000017  je 0x7a
00000019  das
0000001a  fs: popad .
0000001c  je 0x7f
0000001e  das
0000001f  arpl word[edi+0x6d],bp
00000022  cs: popad .
00000024  outs dx,byte[esi]
00000025  fs: jb 0x97
00000028  imul esp,dword[esi+ebp*1+0x62],0x73776f72
00000030  gs: jb 0x62
00000033  ins byte[es:edi],dx
00000034  imul esp,dword[edx+0x0],0x61642f00
0000003b  je 0x9e
0000003d  das
0000003e  popad
0000003f  jo 0xb1
00000041  add al,al
00000043  inc esi

----
ZeroDay Japan http://0day.jp
Hendrik ADRIAN /アドリアン・ヘンドリック

On Mon, Apr 2, 2012 at 7:59 PM, Dan Rosenberg <[email protected]> wrote:
> Hendrik,
>
> Well, they know about it now. ;-)
>
> I figured it was appropriate for April Fools' Day in keeping with the
> spirit of mischief. I wouldn't worry too much about seeing exploitation
> of what amounts to a local DoS vulnerability that requires a compromised
> browser session to exploit. It would be sort of silly to go through the
> effort to own someone's phone with the end goal of being a minor
> inconvenience to them.
>
> And sorry about the bad formatting on the original post, seems my text
> editor, email client, and this mailing list just didn't get along this
> time. Clean version at:
> http://vulnfactory.org/exploits/aprilfools.S
>
> Regards,
> Dan
>
> On 04/02/2012 04:42 AM, ZeroDay.JP wrote:
>> Mr. Rosenberg,
>>
>> I understand the PoC you coded and its effect on APT.
>> But for the April Fools' connection, I just don't get it :-)
>>
>> Does Google know it yet?
>>
>> regards,
>>
>> ---
>> ZeroDay Japan http://0day.jp
>> Hendrik ADRIAN /アドリアン・ヘンドリック
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
