Educause Security Discussion mailing list archives

Re: Working Exploit for MS05-039


From: Herrera Reyna Omar <omar_herrera () BANXICO ORG MX>
Date: Mon, 15 Aug 2005 08:29:03 -0500

In fact, there are already at least 2 variants of a worm exploiting this
vulnerability (appeared on Sunday); the worm is called Zotob. 

Regards,

Omar Herrera

----------------------
From: Phil Rodrigues 
 
(First reported by the REN-ISAC and the Internet Storm Center, but I 
didn't see anything about it posted here.)

There is a working exploit that attacks Tuesday's MS05-039 
"Vulnerability in Plug and Play Could Allow Remote Code Execution and 
Elevation of Privilege (899588)".  It attacks port 445/tcp on Windows 
2000 computers, and returns a command prompt to the attacker, granting 
them full control.  This is extremely similar to the vulnerability that 
caused the Blaster, Welchia, and Sasser worms.

Windows XP SP1 and SP2 are also vulnerable, but only from authenticated 
connections.  SP2's vulnerability can only be exploited locally (not 
over the network) unless it is from an administrative user.  SP1's 
vulnerability can be exploited over the network by an authenticated
user.

The source code for the attack is readily available on your favorite 
"network security" website.

Phil
