Full Disclosure mailing list archives

RE: MS04-028 Shell Exploit[Scanned]


From: "Todd Towles" <toddtowles () brookshires com>
Date: Thu, 23 Sep 2004 17:33:57 +0100

FYI, Symantec uses the Bloodhound name on heuristic detection. Therefore
IMHO, this detection can work but shouldn't be trusted as protection,
just yet.

-----Original Message-----
From: full-disclosure-admin () lists netsys com
[mailto:full-disclosure-admin () lists netsys com] On Behalf Of Andy Silva
Sent: Thursday, September 23, 2004 8:16 AM
To: Adam () shockwave systems pipex net
Cc: Mailing List - Full-Disclosure; Mailing List - Patch Management
Subject: Re: [Full-disclosure] MS04-028 Shell Exploit[Scanned]

Well, on my WinXP SP1 machine, the shellcode will not excecute when
displayed in a web browser (firefox PR1 and IE 6 SP1).
It will however excecute when windows opens the folder that it's in
(trying to make a thumbnail i would assume.) A few seconds after the
command window opens, explorer crashes.
(un)Fortunately none of the email accounts that I had up and running let
the attatchment through... they thought it was Bloodhound.Exploit.13.
I didn't have enough time to try anything fancy immediately before i
left work so I left it at that. I wonder if this could potentially turn
into an email worm.

-andy

Todd Towles wrote:

MS04-028 Exploit

Launches local cmd.exe (not port bound)

http://www.k-otik.com/exploits/09222004.ms04-28-cmd.c.php


-----Original Message-----
From: full-disclosure-admin () lists netsys com
[mailto:full-disclosure-admin () lists netsys com] On Behalf Of Josh L.
Perrymon
Sent: Wednesday, September 22, 2004 1:48 PM
To: full-disclosure () lists netsys com
Subject: [Full-disclosure] New GDI exploit

Game over...

So the exploit is out that will open a local command prompt on the
machine exploiting the GDI library..

This thing allows 2500 bytes of shellcode..

How long before this turns nasty?

Seems easy to me to make it reverse shell...


--------

The problem I have is patching with SMS. MBSA won't pickup the needed
patched in SMS so you have to push out to all machines in a container
for a certain software type-

IE
XP
VIsio


blah blah so on....

------------

The cycle continues..

JP

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

 



---
To unsubscribe send a blank email to
leave-patchmanagement () patchmanagement org

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

---
To unsubscribe send a blank email to leave-patchmanagement () patchmanagement org

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Current thread: