RE: [Full-Disclosure] MS04-028 Shell Exploit[Scanned]

From: Todd Towles (toddtowles_at_brookshires.com)
Date: 09/23/04

    To: <postmaster@netsys.com>
    Date: Thu, 23 Sep 2004 17:45:57 +0100
    
    

    FYI, Symantec uses the Bloodhound name on heuristic detection. Therefore
    IMHO, this detection can work but shouldn't be trusted as protection,
    just yet.

    -----Original Message-----
    From: full-disclosure-admin@lists.netsys.com
    [mailto:full-disclosure-admin@lists.netsys.com] On Behalf Of Andy Silva
    Sent: Thursday, September 23, 2004 8:16 AM
    To: Adam@shockwave.systems.pipex.net
    Cc: Mailing List - Full-Disclosure; Mailing List - Patch Management
    Subject: Re: [Full-Disclosure] MS04-028 Shell Exploit[Scanned]

    Well, on my WinXP SP1 machine, the shellcode will not execute when
    displayed in a web browser (firefox PR1 and IE 6 SP1).
    It will however execute when windows opens the folder that it's in
    (trying to make a thumbnail I would assume.) A few seconds after the
    command window opens, explorer crashes.
    (un)Fortunately none of the email accounts that I had up and running let
    the attachment through... they thought it was Bloodhound.Exploit.13.
    I didn't have enough time to try anything fancy immediately before I
    left work so I left it at that. I wonder if this could potentially turn
    into an email worm.

    -andy

    Todd Towles wrote:

    >MS04-028 Exploit
    >
    >Launches local cmd.exe (not port bound)
    >
    >http://www.k-otik.com/exploits/09222004.ms04-28-cmd.c.php
    >
    >
    >-----Original Message-----
    >From: full-disclosure-admin@lists.netsys.com
    >[mailto:full-disclosure-admin@lists.netsys.com] On Behalf Of Josh L.
    >Perrymon
    >Sent: Wednesday, September 22, 2004 1:48 PM
    >To: full-disclosure@lists.netsys.com
    >Subject: [Full-Disclosure] New GDI exploit
    >
    >Game over...
    >
    >So the exploit is out that will open a local command prompt on the
    >machine exploiting the GDI library..
    >
    >This thing allows 2500 bytes of shellcode..
    >
    >How long before this turns nasty?
    >
    >Seems easy to me to make it reverse shell...
    >
    >
    >--------
    >
    >The problem I have is patching with SMS. MBSA won't pick up the needed
    >patches in SMS so you have to push out to all machines in a container
    >for a certain software type-
    >
    >IE
    >XP
    >Visio
    >
    >
    >blah blah so on....
    >
    >------------
    >
    >The cycle continues..
    >
    >JP
    >
    >_______________________________________________
    >Full-Disclosure - We believe in it.
    >Charter: http://lists.netsys.com/full-disclosure-charter.html
    >

    ---
    To unsubscribe send a blank email to
    leave-patchmanagement@patchmanagement.org
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
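A defender-side structural check for the file type this thread is about, added here as an example and not code from anyone in the thread or from the k-otik exploit: the MS04-028 GDI+ bug is triggered by a JPEG whose COM (0xFFFE) segment declares a length of 0 or 1, shorter than the two-byte length field it includes, which the vulnerable parser underflows. The walker below flags any marker segment with such a length (invalid for every segment type per the JPEG spec, and the COM case is the MS04-028 trigger) so a mail gateway or file scanner can quarantine the file before Explorer thumbnails it; the two sample headers are constructed, not real samples.

```python
import struct

# Constructed sample inputs (not real exploit files): a minimal JFIF header
# followed by a well-formed comment segment, and the same header followed
# by a comment segment whose length field (1) is smaller than the field itself.
APP0 = b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
GOOD_JPEG = b"\xff\xd8" + APP0 + b"\xff\xfe\x00\x05abc" + b"\xff\xd9"
BAD_JPEG = b"\xff\xd8" + APP0 + b"\xff\xfe\x00\x01" + b"A" * 8

def find_bad_segments(data):
    """Walk the JPEG marker segments in `data` and return a list of
    (offset, marker, declared_length) for every segment whose 16-bit
    length field is below 2. Returns None when the input is not a JPEG."""
    if not data.startswith(b"\xff\xd8"):
        return None
    findings = []
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:          # lost marker sync; stop rather than guess
            break
        marker = data[pos + 1]
        if marker == 0xFF:             # fill byte preceding a marker
            pos += 1
            continue
        if marker == 0xD9:             # EOI: no further segments
            break
        if 0xD0 <= marker <= 0xD7 or marker == 0x01:  # RSTn / TEM carry no length
            pos += 2
            continue
        (seg_len,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if seg_len < 2:                # length must cover its own two bytes
            findings.append((pos, marker, seg_len))
            break                      # the length is unusable; cannot walk on
        if marker == 0xDA:             # SOS: entropy-coded data follows
            break
        pos += 2 + seg_len
    return findings

def is_ms04_028_candidate(data):
    """True when a COM (0xFE) segment with an underflowing length is present."""
    hits = find_bad_segments(data)
    return bool(hits) and any(marker == 0xFE for _, marker, _ in hits)
```

A hit means the file is structurally malformed in exactly the way the vulnerable parser mishandles, which is a stronger signal than a generic heuristic name, but it says nothing about files that exploit other paths and does not replace the patch.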
    
