Full Disclosure mailing list archives

Re: Exploit code Available for previously announced MS Vulnerabilities

From: Stephen Jimson <alf1num3rik () yahoo com>
Date: Thu, 21 Oct 2004 20:24:42 +0200 (CEST)

you're probably talking about those sploits 

Microsoft IIS WebDAV XML Denial of Service Exploit
(MS04-030)

http://www.k-otik.com/exploits/20041020.HOD-ms04032-emf-expl2.c.php

Microsoft Windows Metafile (.emf) Heap Overflow
Exploit (MS04-032)

http://www.k-otik.com/exploits/20041020.HOD-ms04032-emf-expl2.c.php

stph

--- Jesse Valentin <jessevalentin () yahoo com> wrote :

As per www.incidents.org


MS04-030 POC

A proof-of-concept (POC) exploit for MS04-030 has
been
made available. The exploit, a perl script, claims
to
trigger the DOS condition. While we are still
working
to verify the exploit, here some signatures to look
for:

The exploit will send the following header:

(the 'Host' field will hold the IP address of the
attacked host. In this example, we used '127.0.0.1')
---------------------------

PROPFIND / HTTP/1.1
Content-type: text/xml
Host: 127.0.0.1
Content-length: 188963
 

<?xml version="1.0"?> <a:propfind xmlns:a="DAV:"
xmlns:z1="xml:" xmlns:z2="xml:" xmlns:z3="xml:"
xmlns

(... repeating 'xmlns:z???="xml:", where '???' keeps
incrementing ...)

 xmlns:z9995="xml:" xmlns:z9996="xml:"
xmlns:z9997="xml:"
xmlns:z9998="xml:" >
<a:prop><a:getcontenttype/></a:prop>
</a:propfind>

--------------------------------

For Apache servers, the exploit will leave the
following log entries:

Access Log:
10.1.0.13 - - [20/Oct/2004:14:57:15 +0000] "PROPFIND
/
HTTP/1.1" 400 31 "-" "-"

Error Log:
[Wed Oct 20 14:57:15 2004] [error] [client
10.1.0.13]
request failed: error reading the headers

(your apache install may use a different log format)

If working "as advertised", the exploit will crash
unpatched IIS servers.

MS04-032 Windows XP Metafile Overflow POC

Looks like the kids are finally catching up with all
the MSFT vulnerabilities released this month. A POC
(proof-of-concept) exploit was released to exploit
the
Windows XP Metafile overflow vulnerability.
The malicious file will start a remote shell or
connect back to a URL.
This functionality goes beyond what is typically
considered a 'proof-of-concept' as it allows full
remote control to the system with all the privileges
of the user that opened the image.

The good thing is that some AV vendors already
detect
it:
From VirusTotal website:
BitDefender 7.0 10.20.2004 Exploit.FPSE.A
Sybari 7.5.1314 10.20.2004 Exploit-MS03-051
Symantec 8.0 10.19.2004 Trojan.Moo

The Manager's Briefing at
http://isc.sans.org/presentations/MS04Oct.ppt has
been
updated to reflect the existence of these exploits.

__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam
protection around 
http://mail.yahoo.com 

_______________________________________________
Full-Disclosure - We believe in it.
Charter:
http://lists.netsys.com/full-disclosure-charter.html



        

        
                
Vous manquez despace pour stocker vos mails ? 
Yahoo! Mail vous offre GRATUITEMENT 100 Mo !
Créez votre Yahoo! Mail sur http://fr.benefits.yahoo.com/

Le nouveau Yahoo! Messenger est arrivé ! Découvrez toutes les nouveautés pour dialoguer instantanément avec vos amis. A 
télécharger gratuitement sur http://fr.messenger.yahoo.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Current thread:

Exploit code Available for previously announced MS Vulnerabilities Jesse Valentin (Oct 21)
- Re: Exploit code Available for previously announced MS Vulnerabilities Stephen Jimson (Oct 21)