Bugtraq mailing list archives

RE: Windows 2000 .printer remote overflow proof of concept exploit....
From: "Christopher Gerg" <gerg () berbee com>
Date: Tue, 15 May 2001 08:08:02 -0500

That root.exe sploit is actually the Solaris sadmind/IIS Unicode worm.
I've been on several incident responses at client sites and have seen it.
It zombifies a Solaris box using the sadmind exploit (shame on them) and
then scans a range of addresses for IIS b0x3n that are vulnerable to the
Unicode exploit (again, shame!).  It copies cmd.exe to the scripts directory
and runs a search and change for index.htm index.asp default.htm and
index.asp and changes them to an anti-USA government (and anti spiderbox)

Christopher Gerg
Network Security Engineer
Page: 608.376.4658
Email: gerg () berbee com
Fax: 608.288.3007
Berbee...putting the E in business

-----Original Message-----
From: Joshua Dodds [mailto:jdodds () bevelander nl]
Sent: Friday, May 11, 2001 4:05 AM
To: BUGTRAQ () securityfocus com
Subject: Re: Windows 2000 .printer remote overflow proof of concept

It's out there. I've seen logs indicating the attacker put a "root.exe"
on the IIS5 host and then was able to issue a command to run this file via
the overflow. I don't have any more specific information on the contents of
the root.exe file or the exact script used, etc. at this time.

root.exe is just cmd.exe copied to root.exe!  doh!
