Full Disclosure mailing list archives
Exploit code Available for previously announced MS Vulnerabilities
From: Jesse Valentin <jessevalentin () yahoo com>
Date: Thu, 21 Oct 2004 08:53:26 -0700 (PDT)
As per www.incidents.org:

MS04-030 POC

A proof-of-concept (POC) exploit for MS04-030 has been made available. The exploit, a perl script, claims to trigger the DOS condition. While we are still working to verify the exploit, here are some signatures to look for:

The exploit will send the following header (the 'Host' field will hold the IP address of the attacked host. In this example, we used '127.0.0.1'):

---------------------------
PROPFIND / HTTP/1.1
Content-type: text/xml
Host: 127.0.0.1
Content-length: 188963

<?xml version="1.0"?>
<a:propfind xmlns:a="DAV:" xmlns:z1="xml:" xmlns:z2="xml:" xmlns:z3="xml:" xmlns
(... repeating 'xmlns:z???="xml:", where '???' keeps incrementing ...)
xmlns:z9995="xml:" xmlns:z9996="xml:" xmlns:z9997="xml:" xmlns:z9998="xml:" >
<a:prop><a:getcontenttype/></a:prop>
</a:propfind>
--------------------------------

For Apache servers, the exploit will leave the following log entries:

Access Log:
10.1.0.13 - - [20/Oct/2004:14:57:15 +0000] "PROPFIND / HTTP/1.1" 400 31 "-" "-"

Error Log:
[Wed Oct 20 14:57:15 2004] [error] [client 10.1.0.13] request failed: error reading the headers

(your apache install may use a different log format)

If working "as advertised", the exploit will crash unpatched IIS servers.

MS04-032 Windows XP Metafile Overflow POC

Looks like the kids are finally catching up with all the MSFT vulnerabilities released this month. A POC (proof-of-concept) exploit was released to exploit the Windows XP Metafile overflow vulnerability. The malicious file will start a remote shell or connect back to a URL. This functionality goes beyond what is typically considered a 'proof-of-concept' as it allows full remote control to the system with all the privileges of the user that opened the image. The good thing is that some AV vendors already detect it:
From VirusTotal website:
BitDefender 7.0      10.20.2004  Exploit.FPSE.A
Sybari      7.5.1314 10.20.2004  Exploit-MS03-051
Symantec    8.0      10.19.2004  Trojan.Moo

The Manager's Briefing at http://isc.sans.org/presentations/MS04Oct.ppt has been updated to reflect the existence of these exploits.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
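Added example (not part of the original post or the ISC diary it quotes): a small Python detector for the MS04-030 signature described above. It counts the repeated xmlns:z...="xml:" declarations in a PROPFIND body and correlates the Apache access-log and error-log entries by client IP; the 100-declaration threshold and the sample request and log lines are constructed assumptions.

```python
# Added example, not code from the original post. Thresholds and sample
# data below are constructed for illustration.
import re

# The ISC diary's signature: one element carrying thousands of
# xmlns:zNNN="xml:" namespace declarations.
XMLNS_Z = re.compile(r'xmlns:z\d+="xml:"')
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "PROPFIND [^"]*" 400 ')
ERROR_RE = re.compile(r'\[error\] \[client (\S+)\] request failed: error reading the headers')

def count_xmlns_z(body: str) -> int:
    """How many xmlns:z<digits>="xml:" declarations the text carries."""
    return len(XMLNS_Z.findall(body))

def is_ms04_030_request(raw: str, max_ns: int = 100) -> bool:
    """True for a PROPFIND whose body repeats the xmlns:z declaration more
    than max_ns times (assumed threshold; a normal PROPFIND declares a few)."""
    head, _, body = raw.partition("\r\n\r\n")
    if not head.startswith("PROPFIND "):
        return False
    return count_xmlns_z(body) > max_ns

def apache_hits(access_lines, error_lines):
    """Client IPs that appear both as a PROPFIND/400 in the access log and
    as 'error reading the headers' in the error log."""
    bad_propfind = {m.group(1) for l in access_lines if (m := ACCESS_RE.match(l))}
    header_errors = {m.group(1) for l in error_lines if (m := ERROR_RE.search(l))}
    return bad_propfind & header_errors

def build_sample_request(n: int) -> str:
    """Constructed request in the shape quoted above, with n declarations."""
    ns = " ".join(f'xmlns:z{i}="xml:"' for i in range(1, n + 1))
    body = ('<?xml version="1.0"?>\n<a:propfind xmlns:a="DAV:" ' + ns +
            ' >\n<a:prop><a:getcontenttype/></a:prop>\n</a:propfind>\n')
    return ("PROPFIND / HTTP/1.1\r\nContent-type: text/xml\r\nHost: 127.0.0.1\r\n"
            f"Content-length: {len(body)}\r\n\r\n{body}")

# Constructed log lines in the formats quoted in the post.
SAMPLE_ACCESS = ['10.1.0.13 - - [20/Oct/2004:14:57:15 +0000] "PROPFIND / HTTP/1.1" 400 31 "-" "-"',
                 '10.1.0.9 - - [20/Oct/2004:14:58:01 +0000] "GET / HTTP/1.1" 200 1234 "-" "-"']
SAMPLE_ERROR = ['[Wed Oct 20 14:57:15 2004] [error] [client 10.1.0.13] request failed: error reading the headers']

if __name__ == "__main__":
    print(is_ms04_030_request(build_sample_request(9998)))  # True
    print(is_ms04_030_request(build_sample_request(3)))     # False
    print(apache_hits(SAMPLE_ACCESS, SAMPLE_ERROR))         # {'10.1.0.13'}
```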
Current thread:
- Exploit code Available for previously announced MS Vulnerabilities Jesse Valentin (Oct 21)
- Re: Exploit code Available for previously announced MS Vulnerabilities Stephen Jimson (Oct 21)