Re: [Full-Disclosure] Exploit Identification Request
From: Cedric Blancher (blancher_at_cartel-securite.fr)
Date: 04/29/04
- Previous message: insecure: "Re: [Full-Disclosure] Heads up: Possible lsass worm in the wild"
- In reply to: System Administrator: "[Full-Disclosure] Exploit Identification Request"
- Next in thread: Thorolf: "Re: [Full-Disclosure] Exploit Identification Request"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: root@transientimages.com Date: Thu, 29 Apr 2004 16:26:08 +0200
Le jeu 29/04/2004 à 15:34, System Administrator a écrit :
> One of our external systems (W2k, fully patched all components -
> sp4, sql sp4, mdac sp3, post hotfixes, etc) is being hit by what
> appears to be a buffer overflow of IIS : 4096 bytes cycling in
> what appears to be an attempt to execute code. The probe starts by
> obtaining an index.asp page, and then drops a "SEARCH / 411 210
> 42" before dropping the "AAAAA<n>" string.
[...]
> SEARCH /AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA[...]
Looks like Windows ntdll.dll buffer overflow exploit :
http://www.securityfocus.com/bid/7116/
-- http://www.netexit.com/~sid/ PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE >> Hi! I'm your friendly neighbourhood signature virus. >> Copy me to your signature file and help me spread! _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
- Previous message: insecure: "Re: [Full-Disclosure] Heads up: Possible lsass worm in the wild"
- In reply to: System Administrator: "[Full-Disclosure] Exploit Identification Request"
- Next in thread: Thorolf: "Re: [Full-Disclosure] Exploit Identification Request"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
