An Xploit I haven't seen B4.

  1. #1 Senior Member (Join Date: Apr 2002, Posts: 324)

    An Xploit I haven't seen B4.

    Another gem from my log file --

    Has anyone seen any advisory relating to an attack against ADSAdClient31.dll? I don't have this .dll (I wrote my own banner software) and I have never seen it in the wild. Parameters of the GET request passed to the (non-existent) .dll were:
    GetAd?PG=HOTBOS?SC=LG?HM=04514b47584b101e551e3b4719110440696909163a4513244d125c515a5244194149616e?LOC=I?TF=adframe?PUID=00014C60E6AC87BE?UC=1
    Does this look like an attempted buffer-overflow to anyone? Am I now dealing with someone a bit more serious or is this another cook-book exploit that I've just not seen before? Opinions? Only one hit in the log so I guess this attempt wasn't up close and personal - it was probably some sort of vulnerability scanner iterating through an IP range.

    IP originates in Germany - Any ideas before I turn him in?

    TIA for any help or ideas.

    Note to script kiddies: Before you attempt this exploit to see what it does on a box with ADSAdClient31.dll installed you should know that I have subtly changed the parameters, so whatever it was meant to do, it doesn't do now.
    "I may not agree with what you say, but I will defend to the death your right to say it."
    Sir Winston Churchill.

  2. #2 Senior Member (Join Date: Apr 2002, Posts: 712)
    Looks like a "legitimate ad-type referral" or something, but I took a quick peek at Google:

    http://www.kuro5hin.org/story/2001/8/17/11541/1217

    This one seems to be a whole bunch of references back to MSN...

    http://www.dshield.org/pipermail/lis...ry/002821.html
    "Windows has detected that a gnat has farted in the general vicinity. You must reboot for changes to take effect. Reboot now?"

  3. #3 Senior Member (Join Date: Apr 2002, Posts: 324)
    draziw --

    Thanks - Good job - I tried all sorts of searches on google but ended up drowning in logfiles with similar entries every time. However...

    In the first document the guy is talking about what he describes as 'yet another MS spyware program', because this file was automatically downloaded to his machine from a site.

    But as I don't have the .dll on my webserver, and the request was inbound, I was wondering if someone has figured out a buffer overflow exploit against what must be a fairly common (if it provides ads on MS sites) .dll.

    Also, in the second link you gave (thanks again btw) the url is in the format:
    I thought that it may be an exploit because of the additional obfuscated parameters (especially the HM parameter, which just looks stuffed) which I got in the request. The other point is that I received this request on my W3SVC1 - which is restricted to 127.0.0.1 and is not set up under DNS - so the request was coming in against the box IP rather than a specific domain.

    Still - if the .dll is 'yet another MS spyware program' I can't see them fessing up and patching it anytime soon, even if a buffer overflow /was/ found in it.
    "I may not agree with what you say, but I will defend to the death your right to say it."
    Sir Winston Churchill.

  4. #4 Senior Member (Join Date: Apr 2002, Posts: 712)
    Hmmm... yeah, perhaps a probe against a "known issue" -- that is, someone looking for the routine for some sort of devilish activities (an old thing similar to ftp-bounce would be what comes to mind first - let me know if you need more useful information on that one).

    In any case, you're right... it looks suspicious.

    But, the parameter to HM is 72 characters long... 16 more than a 56-bit type DES key (and the UID field's 16). Doesn't really look like an overflow - at least not a completely blatant one. Looking for something a bit more innocuous (HOTBOS), I found this:

    http://lists.w3.org/Archives/Public/...nMar/0026.html

    Looks like a SPAM pointing people at IP'd servers, mostly again at MSN servers.
    "Windows has detected that a gnat has farted in the general vicinity. You must reboot for changes to take effect. Reboot now?"
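Added example (not posted by anyone in this thread): a small Python triage script that parses the request as it was logged in post #1 (note the parameters are separated by `?` rather than `&`), then reports for each parameter the features #4 reasons about: value length, whether it is pure hex, and whether it looks overflow-like (very long, non-printable bytes, or a long run of one filler character). The thresholds are assumptions for illustration, not from any advisory.

```python
import re
from urllib.parse import unquote

# Request exactly as logged in the thread (the poster says he altered the
# values slightly). Parameters are '?'-separated rather than '&'-separated.
LOGGED_REQUEST = (
    "GetAd?PG=HOTBOS?SC=LG?HM=04514b47584b101e551e3b4719110440696909163a45132"
    "44d125c515a5244194149616e?LOC=I?TF=adframe?PUID=00014C60E6AC87BE?UC=1"
)

HEX_RE = re.compile(r"^[0-9a-fA-F]+$")


def parse_query(request: str) -> dict:
    """Split 'path?k=v?k=v' (as logged) into {key: value}; accepts '?' or '&'."""
    _path, _, query = request.partition("?")
    params = {}
    for chunk in re.split(r"[?&]", query):
        if not chunk:
            continue
        key, _, value = chunk.partition("=")
        params[key] = unquote(value)
    return params


def longest_run(s: str) -> int:
    """Longest run of one repeated character (sled-style filler shows up here)."""
    best = cur = 0
    for i, ch in enumerate(s):
        cur = cur + 1 if i and s[i - 1] == ch else 1
        best = max(best, cur)
    return best


def triage(params: dict, max_len: int = 256, max_run: int = 32) -> dict:
    """Per-parameter features; thresholds are illustrative assumptions."""
    report = {}
    for key, value in params.items():
        printable = all(32 <= ord(c) < 127 for c in value)
        report[key] = {
            "length": len(value),
            "hex_only": bool(HEX_RE.match(value)),
            "overflow_like": (len(value) > max_len or not printable
                              or longest_run(value) >= max_run),
        }
    return report


if __name__ == "__main__":
    for k, v in triage(parse_query(LOGGED_REQUEST)).items():
        print(f"{k:5} len={v['length']:3} hex={v['hex_only']} overflow_like={v['overflow_like']}")
```

On the logged request HM comes out at 72 hex characters and PUID at 16, with no parameter flagged overflow-like, which matches the reading in #4.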
