Re: [Full-Disclosure] Exploit code Available for previously announced MS Vulnerabilities

From: Stephen Jimson (alf1num3rik_at_yahoo.com)
Date: 10/21/04

    To: full-disclosure@lists.netsys.com
    Date: Thu, 21 Oct 2004 20:24:42 +0200 (CEST)
    
    

    You're probably talking about those sploits:

    Microsoft IIS WebDAV XML Denial of Service Exploit (MS04-030)

    http://www.k-otik.com/exploits/20041020.HOD-ms04032-emf-expl2.c.php

    Microsoft Windows Metafile (.emf) Heap Overflow Exploit (MS04-032)

    http://www.k-otik.com/exploits/20041020.HOD-ms04032-emf-expl2.c.php

    stph

    --- Jesse Valentin <jessevalentin@yahoo.com> wrote :
    > As per www.incidents.org
    >
    >
    > MS04-030 POC
    >
    > A proof-of-concept (POC) exploit for MS04-030 has been
    > made available. The exploit, a perl script, claims to
    > trigger the DOS condition. While we are still working
    > to verify the exploit, here are some signatures to look for:
    >
    > The exploit will send the following header:
    >
    > (the 'Host' field will hold the IP address of the
    > attacked host. In this example, we used '127.0.0.1')
    > ---------------------------
    >
    > PROPFIND / HTTP/1.1
    > Content-type: text/xml
    > Host: 127.0.0.1
    > Content-length: 188963
    >
    >
    > <?xml version="1.0"?> <a:propfind xmlns:a="DAV:"
    > xmlns:z1="xml:" xmlns:z2="xml:" xmlns:z3="xml:"
    > xmlns
    >
    > (... repeating 'xmlns:z???="xml:", where '???' keeps
    > incrementing ...)
    >
    > xmlns:z9995="xml:" xmlns:z9996="xml:"
    > xmlns:z9997="xml:"
    > xmlns:z9998="xml:" >
    > <a:prop><a:getcontenttype/></a:prop>
    > </a:propfind>
    >
    > --------------------------------
    >
    > For Apache servers, the exploit will leave the
    > following log entries:
    >
    > Access Log:
    > 10.1.0.13 - - [20/Oct/2004:14:57:15 +0000] "PROPFIND / HTTP/1.1" 400 31 "-" "-"
    >
    > Error Log:
    > [Wed Oct 20 14:57:15 2004] [error] [client 10.1.0.13] request failed: error reading the headers
    >
    > (your apache install may use a different log format)
    >
    > If working "as advertised", the exploit will crash
    > unpatched IIS servers.
    >
    > MS04-032 Windows XP Metafile Overflow POC
    >
    > Looks like the kids are finally catching up with all
    > the MSFT vulnerabilities released this month. A POC
    > (proof-of-concept) exploit was released to exploit the
    > Windows XP Metafile overflow vulnerability.
    > The malicious file will start a remote shell or
    > connect back to a URL.
    > This functionality goes beyond what is typically
    > considered a 'proof-of-concept' as it allows full
    > remote control to the system with all the privileges
    > of the user that opened the image.
    >
    > The good thing is that some AV vendors already detect it.
    > From VirusTotal website:
    > BitDefender 7.0 10.20.2004 Exploit.FPSE.A
    > Sybari 7.5.1314 10.20.2004 Exploit-MS03-051
    > Symantec 8.0 10.19.2004 Trojan.Moo
    >
    > The Manager's Briefing at
    > http://isc.sans.org/presentations/MS04Oct.ppt has been
    > updated to reflect the existence of these exploits.
    >
    >
    > _______________________________________________
    > Full-Disclosure - We believe in it.
    > Charter:
    > http://lists.netsys.com/full-disclosure-charter.html
    >


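A small detector for the two MS04-030 signatures quoted above (the PROPFIND body stuffed with `xmlns:z<N>="xml:"` declarations, and the Apache access-log line it leaves). This is an added example, not code from the list post or from ISC; the `max_prefixes` threshold and the two sample requests are assumptions constructed here.

```python
import re
from typing import Optional

# Signatures from the ISC note: a run of xmlns:z<N>="xml:" prefixes in a PROPFIND
# body, and an Apache access-log line for a PROPFIND that was rejected with 400.
XMLNS_Z = re.compile(rb'xmlns:z\d+="xml:"')
ACCESS_LOG = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "PROPFIND \S+ HTTP/[\d.]+" (?P<status>\d{3}) '
)

def check_propfind(raw_request: bytes, max_prefixes: int = 1000) -> dict:
    """Classify one raw HTTP request. max_prefixes is an assumed threshold: a
    legitimate PROPFIND declares a handful of namespaces, the PoC about 10000."""
    head, _, body = raw_request.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method = lines[0].split(b" ", 1)[0]
    verdict = {"method": method.decode(), "suspicious": False,
               "prefixes": 0, "content_length": None}
    if method != b"PROPFIND":
        return verdict
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-length" and value.strip().isdigit():
            verdict["content_length"] = int(value.strip())
    verdict["prefixes"] = len(XMLNS_Z.findall(body))
    verdict["suspicious"] = verdict["prefixes"] > max_prefixes
    return verdict

def flag_access_log(line: str) -> Optional[str]:
    """Return the client IP when the line is a PROPFIND that Apache answered 400."""
    m = ACCESS_LOG.match(line)
    if m and m.group("status") == "400":
        return m.group("ip")
    return None

# Constructed samples: a benign WebDAV query and a six-prefix copy of the malicious shape.
BENIGN = (b"PROPFIND / HTTP/1.1\r\nHost: 127.0.0.1\r\nContent-type: text/xml\r\n\r\n"
          b'<?xml version="1.0"?><a:propfind xmlns:a="DAV:">'
          b"<a:prop><a:getcontenttype/></a:prop></a:propfind>")
SUSPECT = (b"PROPFIND / HTTP/1.1\r\nContent-type: text/xml\r\nHost: 127.0.0.1\r\n"
           b"Content-length: 188963\r\n\r\n"
           b'<?xml version="1.0"?> <a:propfind xmlns:a="DAV:" xmlns:z1="xml:" '
           b'xmlns:z2="xml:" xmlns:z3="xml:" xmlns:z4="xml:" xmlns:z5="xml:" '
           b'xmlns:z6="xml:" ><a:prop><a:getcontenttype/></a:prop></a:propfind>')
LOG_LINE = '10.1.0.13 - - [20/Oct/2004:14:57:15 +0000] "PROPFIND / HTTP/1.1" 400 31 "-" "-"'

if __name__ == "__main__":
    print(check_propfind(BENIGN))
    print(check_propfind(SUSPECT, max_prefixes=5))
    print(flag_access_log(LOG_LINE))
```

In production the threshold should sit well above anything a real WebDAV client emits but far below the PoC's count, so the constant alone, not the 188963-byte Content-length, drives the alert.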
