Educause Security Discussion mailing list archives

Working Exploit for MS05-039
From: Phil Rodrigues <phil.rodrigues () NYU EDU>
Date: Fri, 12 Aug 2005 15:42:14 -0400

(First reported by the REN-ISAC and the Internet Storm Center, but I
didn't see anything about it posted here.)

There is a working exploit that attacks Tuesday's MS05-039
"Vulnerability in Plug and Play Could Allow Remote Code Execution and
Elevation of Privilege (899588)".  It attacks port 445/tcp on Windows
2000 computers, and returns a command prompt to the attacker, granting
them full control.  This is extremely similar to the vulnerability that
caused the Blaster, Welchia, and Sasser worms.

Windows XP SP1 and SP2 are also vulnerable, but only from authenticated
connections.  SP2's vulnerability can only be exploited locally (not
over the network) unless it is from an administrative user.  SP1's
vulnerability can be exploited over the network by an authenticated user.

The source code for the attack is readily available on your favorite
"network security" website.

Phil