Full Disclosure mailing list archives

Re: Exploit Identification Request


From: Cedric Blancher <blancher () cartel-securite fr>
Date: Thu, 29 Apr 2004 16:26:08 +0200

On Thu 29/04/2004 at 15:34, System Administrator wrote:
One of our external systems (W2k, fully patched all components - 
sp4, sql sp4, mdac sp3, post hotfixes, etc) is being hit by what 
appears to be a buffer overflow of IIS : 4096 bytes cycling in 
what appears to be an attempt to execute code. The probe starts by 
obtaining an index.asp page, and then drops a "SEARCH / 411 210 
42" before dropping the "AAAAA<n>" string. 
[...]
SEARCH /AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA[...]

Looks like a Windows ntdll.dll buffer overflow exploit:

        http://www.securityfocus.com/bid/7116/


-- 
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
Hi! I'm your friendly neighbourhood signature virus.
Copy me to your signature file and help me spread!

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
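
Added example, not part of the original messages: a small Python check that flags the request pattern quoted above (a SEARCH request whose URI is a long run of one repeated character) in IIS W3C extended logs. The thresholds, the field selection and the sample log lines are assumptions constructed for illustration.

```python
import re

# Assumed thresholds (not from the post); tune for your environment.
MAX_URI_LEN = 1024   # URIs longer than this are reported
MIN_RUN_LEN = 64     # a run of one character this long is treated as filler
RUN_RE = re.compile(r"(.)\1{%d,}" % (MIN_RUN_LEN - 1))

def parse_w3c(lines):
    """Yield one dict per record, using the #Fields: directive for column names."""
    fields = []
    for line in lines:
        line = line.rstrip("\r\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split(" ")
            if len(values) == len(fields):
                yield dict(zip(fields, values))

def suspicious_search(record):
    """Return the reasons a record resembles the SEARCH probe, or [] if it does not."""
    if record.get("cs-method", "").upper() != "SEARCH":
        return []
    uri = record.get("cs-uri-stem", "")
    reasons = []
    if len(uri) > MAX_URI_LEN:
        reasons.append("uri_length=%d" % len(uri))
    m = RUN_RE.search(uri)
    if m:
        reasons.append("repeated_%r_x%d" % (m.group(1), len(m.group(0))))
    return reasons

def scan(lines):
    """Return (client_ip, reasons) for every flagged record."""
    recs = ((r.get("c-ip", "?"), suspicious_search(r)) for r in parse_w3c(lines))
    return [(ip, why) for ip, why in recs if why]

# Constructed sample log (documentation addresses, not data from the post).
SAMPLE_LOG = [
    "#Fields: date time c-ip cs-method cs-uri-stem sc-status",
    "2004-04-29 13:30:01 192.0.2.10 GET /index.asp 200",
    "2004-04-29 13:30:02 192.0.2.10 SEARCH / 411",
    "2004-04-29 13:30:03 192.0.2.10 SEARCH /" + "A" * 4096 + " 500",
    "2004-04-29 13:30:09 198.51.100.7 SEARCH /docs/reports 207",
]

if __name__ == "__main__":
    for ip, reasons in scan(SAMPLE_LOG):
        print(ip, ", ".join(reasons))
```

Short SEARCH requests such as legitimate WebDAV queries pass unflagged; only the overlong, single-character URI is reported.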

