Re: Exploit for MS06-040 Out?

["Brendan Dolan-Gavitt" <mooyix () gmail com>]

Is there any technical reason that an exploit cannot be developed
against XP SP2 and Server 2003 SP1? Or is this only a limitation of
the current Metasploit exploit?

Thanks,
 Brendan

On 8/10/06, H D Moore <fdlist () digitaloffense net> wrote:
> On Wednesday 09 August 2006 13:10, Matt Davis wrote:
> > Did I completely miss exploit code being released in the wild for that
> > vulnerability?
>
> The Metasploit Framework module is now public, I included a copy of the
> email I sent to the Framework mailing list below.
>
> For the lazy:
> http://metasploit.com/projects/Framework/modules/exploits/netapi_ms06_040.pm
>
> ----------  Forwarded Message  ----------
>
> Subject: [framework] Metasploit Framework Updates
> Date: Thursday 10 August 2006 02:52
> From: H D Moore <hdm () metasploit com>
> To: framework () metasploit com
>
> Hello everyone,
>
> I just pushed out a new round of updates for version 2.6 of the
>  Metasploit Framework. This update includes new exploits, new features,
>  and massive bug fixes. If it wasn't 3:00am on my birthday I would try
>  for a 2.7 release :-)
>
> New exploits:
>
> netapi_ms06-040:
>  - This exploit module should work against all Windows 2000 systems and
> Windows XP SP0 and SP1. It will not work on XP SP2 or 2003 SP1. There is
> a slim chance it can work with modification on 2003 SP0 and NT 4.0 SP6.
> The automatic target should be reliable for most users. The cool thing
> about this exploit is how it uses a strcpy call to place the shellcode
> into a static buffer and then return straight back into it. I have
> another version of this exploit that uses a more traditional exploit
> method, but there doesn't seem to be much point in releasing it now.
>
> ie_createobject:
>  - This exploit module is capable of exploiting any "generic"
>  CreateObject vulnerability in an ActiveX control. The current targets
>  allow it to exploit MS06-014 and various controls that don't seem to be
>  documented or often found vulnerable. This exploit uses the PE "wrapper"
>  to download a generated executable containing the selected payload.
>
> eiq_license:
>  - This exploit module is one of many for the recent EIQ vulnerabilities.
> I pushed this one out because of the amount of work the author put into
> it and the lack of cleanup I had to do before including it. The rest of
> the EIQ modules will be added and merged as I get time. Thanks again to
> everyone who submitted modules for these issues.
>
> realvnc_client:
>  - This exploits an older client-side vulnerability in the VNC viewer for
> Windows. Thanks again to MC for writing this up.
>
> securecrt_ssh1:
>  - This exploits an older client-side vulnerability in SecureCRT. Another
> great module provided by MC.
>
> mercury_imap:
>  - This exploit module is capable of exploiting the RENAME command
> overflow found in older versions of the Mercury IMAP software. Yet
> another exploit by MC.
>
> A dozen small bug fixes, new targets, and cosmetic improvements were
> included with this update. Thanks to David Maciejak for sending in many
> of these and having the patience to deal with my update schedule.
>
> Matt Miller (skape) tracked down a long-time bug in the 'EXE' output mode
> of msfpayload. The template executable had an invalid stack size set,
> which caused all DLL Inject payloads to crash when initialized from
> inside the PE template. This fix should allow you to use the vncinject
> and metepreter payloads with the msfpayload X mode (standalone exe).
>
> The msfpayload tool now has a javascript output format. Simply pass 'J'
>  as the output mode of msfpayload to get an unescape()-ready string.
>
> The next 3.0 beta should be ready sometime next week. If I get over my
> fear of being owned via subversion, the actual source code respository
> for 3.0 will also become public.
>
> Enjoy!
>
> -HD
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/