Full Disclosure mailing list archives
Re: LSASS exploit win32 binary
From: Paul Tinsley <jackhammer () gmail com>
Date: Wed, 28 Apr 2004 23:53:18 -0500
Look through the Snort mailing lists or through the CVS rules; both have rules for the LSASS exploit.

On Wed, 28 Apr 2004 23:22:09 -0500, Chris Scott <cscott () fluidsmgmt com> wrote:
Does anyone have snort sigs or any means of defending against the worms that are exploiting this? Several acquaintances of mine who work for edu's are reporting their networks being affected by this in a big way. They have 2k machines which apparently broke when applied with the MS04-011 patch.

Am I correct in saying that LSASS cannot be disabled completely because the Security Accounts Manager service which uses LSASS is required for normal operation of Windows?

-----Original Message-----
From: full-disclosure-admin () lists netsys com [mailto:full-disclosure-admin () lists netsys com] On Behalf Of bosborne () caltex com au
Sent: Tuesday, April 27, 2004 10:36 PM
To: full-disclosure () lists netsys com
Subject: RE: [Full-disclosure] LSASS exploit win32 binary

For those who are testing... a "shutdown -a" will stop it shutting down, although a manual shutdown after that displays a "You do not have permission to shut down this computer."

Tested it on 3 XP boxes without appropriate patch, all crashed.

From: "Chris Scott" <cscott () fluidsmgmt com>
Sent by: full-disclosure-admin@lists.netsys.com
28/04/2004 01:00 PM
To: <Q.Long () city ac uk>, <full-disclosure () lists netsys com>
cc:
Subject: RE: [Full-disclosure] LSASS exploit win32 binary

Tested against Windows XP Pro without the appropriate patch, it crashes the service and initiates a shutdown timer.

-----Original Message-----
From: full-disclosure-admin () lists netsys com [mailto:full-disclosure-admin () lists netsys com] On Behalf Of Q.Long () city ac uk
Sent: Tuesday, April 27, 2004 6:24 PM
Subject: [Full-disclosure] LSASS exploit win32 binary

hi kids. here's the compiled version of LSASS exploit from k-otik ...
http://users.volja.net/exceed/RLsasrv.zip

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- LSASS exploit win32 binary Q.Long (Apr 27)
- RE: LSASS exploit win32 binary Chris Scott (Apr 27)
- <Possible follow-ups>
- RE: LSASS exploit win32 binary bosborne (Apr 27)
- RE: LSASS exploit win32 binary Chris Scott (Apr 28)
- Re: LSASS exploit win32 binary Paul Tinsley (Apr 28)
- RE: LSASS exploit win32 binary Chris Scott (Apr 28)
- RE: LSASS exploit win32 binary Stuart Fox (DSL AK) (Apr 29)