Metasploit mailing list archives

ms04_031_netdde


From: npouvesle at tenablesecurity.com (Nicolas Pouvesle)
Date: Wed, 28 Feb 2007 10:04:54 +0100


On Feb 28, 2007, at 5:48 AM, Alexander Sotirov wrote:

> In MS04-031 Microsoft says:
>
> "After the NetDDE services are started, any anonymous user who could deliver a
> specially crafted message to the affected system could attempt to remotely
> exploit this vulnerability"
>
> This seems to imply that no authentication is necessary, but the exploit doesn't
> work with an anonymous connection. When I run ms04_031_netdde I get:
>
> Exploit failed: The server responded with error: STATUS_ACCESS_DENIED
>
> If I set SMBUSER and SMBPASS, the exploit works, but these two options are not
> listed in the exploit info message. Are they really needed, or is there
> something I am missing?


Actually, I just think the exploit may only target one of the flaws
fixed in MS04-031 (I didn't even know a flaw in the RPC interface was
fixed prior to looking at the exploit code).
From what I remember a stack overflow can be exploited anonymously
on the TCP port 139 using the NDDE protocol (a NetBIOS session must
be negotiated first).


Nicolas
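The NetBIOS session negotiation on TCP 139 that Nicolas refers to is the first thing a defender sees in a capture before any NDDE or SMB traffic, so it is what a port-139 detection rule or log parser has to recognise. The following is an added example (not code from this thread, from Metasploit, or from the MS04-031 module) that encodes and decodes RFC 1002 session-service messages: the session request with first-level encoded called/calling names, and the positive or negative response. The `*SMBSERVER` and `CLIENT` names and the negative-response bytes are constructed sample values.

```python
from __future__ import annotations
import struct

# RFC 1002 session service message types
SESSION_REQUEST = 0x81
POSITIVE_RESPONSE = 0x82
NEGATIVE_RESPONSE = 0x83

# RFC 1002 negative-response error codes
NEG_ERRORS = {
    0x80: "not listening on called name",
    0x81: "not listening for calling name",
    0x82: "called name not present",
    0x83: "insufficient resources",
    0x8F: "unspecified error",
}


def encode_netbios_name(name: str, suffix: int) -> bytes:
    """First-level encode a NetBIOS name (RFC 1001 section 14.1).

    The name is upper-cased, space-padded to 15 bytes and followed by the
    one-byte service suffix; each byte is split into two nibbles and each
    nibble mapped onto 'A'..'P'.  The result is a 34-byte label: the
    length byte 0x20, 32 encoded characters, and a terminating 0x00.
    """
    raw = name.upper().encode("ascii").ljust(15, b" ")[:15] + bytes([suffix])
    encoded = bytearray()
    for b in raw:
        encoded.append(0x41 + (b >> 4))
        encoded.append(0x41 + (b & 0x0F))
    return b"\x20" + bytes(encoded) + b"\x00"


def decode_netbios_name(buf: bytes) -> tuple[str, int]:
    """Reverse of encode_netbios_name: returns (name, suffix)."""
    if len(buf) != 34 or buf[0] != 0x20 or buf[33] != 0x00:
        raise ValueError("not a first-level encoded NetBIOS name")
    enc = buf[1:33]
    raw = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(" "), raw[15]


def build_session_request(called: str, calling: str) -> bytes:
    """Session request: type 0x81, flags 0x00, 16-bit length, two names.

    The called name uses suffix 0x20 (server service) and the calling name
    suffix 0x00 (workstation service), which is the usual pairing.
    """
    body = encode_netbios_name(called, 0x20) + encode_netbios_name(calling, 0x00)
    return struct.pack(">BBH", SESSION_REQUEST, 0x00, len(body)) + body


def parse_session_message(buf: bytes) -> dict:
    """Parse one session-service message as seen at the start of a TCP/139
    stream.  Returns a dict with 'type', 'length' and type-specific fields."""
    if len(buf) < 4:
        raise ValueError("truncated session service header")
    msg_type, flags, length = struct.unpack(">BBH", buf[:4])
    # The low bit of the flags byte extends the length field to 17 bits.
    length |= (flags & 0x01) << 16
    body = buf[4:4 + length]
    if len(body) != length:
        raise ValueError("declared length exceeds available data")
    msg = {"type": msg_type, "length": length}
    if msg_type == SESSION_REQUEST:
        if length != 68:
            raise ValueError("session request body must be two 34-byte names")
        msg["called"] = decode_netbios_name(body[:34])
        msg["calling"] = decode_netbios_name(body[34:68])
    elif msg_type == NEGATIVE_RESPONSE:
        if length != 1:
            raise ValueError("negative response carries one error byte")
        msg["error"] = body[0]
        msg["error_text"] = NEG_ERRORS.get(body[0], "unknown")
    elif msg_type == POSITIVE_RESPONSE:
        if length != 0:
            raise ValueError("positive response has no body")
    return msg


if __name__ == "__main__":
    req = build_session_request("*SMBSERVER", "CLIENT")
    print(req.hex())
    print(parse_session_message(req))
    # Constructed sample: a server refusing the session with "called name not present"
    print(parse_session_message(b"\x83\x00\x00\x01\x82"))
```

Matching on the 0x81 type byte and the `0x20`-prefixed encoded names is enough to tag the start of a NetBIOS session in a TCP/139 capture; whatever follows (SMB negotiation or the NDDE traffic the thread discusses) rides inside that session. The RFC 1002 length extension bit is handled so that a parser written from this does not misread a flags byte of 0x01.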



