mailing list archives
Exploit code Available for previously announced MS Vulnerabilities
From: Jesse Valentin <jessevalentin () yahoo com>
Date: Thu, 21 Oct 2004 08:53:26 -0700 (PDT)
As per www.incidents.org
A proof-of-concept (POC) exploit for MS04-030 has been
made available. The exploit, a perl script, claims to
trigger the DOS condition. While we are still working
to verify the exploit, here are some signatures to look
The exploit will send the following header:
(the 'Host' field will hold the IP address of the
attacked host. In this example, we used '127.0.0.1')
PROPFIND / HTTP/1.1
<?xml version="1.0"?> <a:propfind xmlns:a="DAV:"
xmlns:z1="xml:" xmlns:z2="xml:" xmlns:z3="xml:" xmlns
(... repeating 'xmlns:z???="xml:", where '???' keeps
For Apache servers, the exploit will leave the
following log entries:
10.1.0.13 - - [20/Oct/2004:14:57:15 +0000] "PROPFIND / HTTP/1.1" 400 31 "-" "-"
[Wed Oct 20 14:57:15 2004] [error] [client 10.1.0.13] request failed: error reading the headers
(your apache install may use a different log format)
If working "as advertised", the exploit will crash
unpatched IIS servers.
MS04-032 Windows XP Metafile Overflow POC
Looks like the kids are finally catching up with all
the MSFT vulnerabilities released this month. A POC
(proof-of-concept) exploit was released to exploit the
Windows XP Metafile overflow vulnerability.
The malicious file will start a remote shell or
connect back to a URL.
This functionality goes beyond what is typically
considered a 'proof-of-concept' as it allows full
remote control to the system with all the privileges
of the user that opened the image.
The good thing is that some AV vendors already detect
From VirusTotal website:
BitDefender 7.0 10.20.2004 Exploit.FPSE.A
Sybari 7.5.1314 10.20.2004 Exploit-MS03-051
Symantec 8.0 10.19.2004 Trojan.Moo
The Manager's Briefing at
http://isc.sans.org/presentations/MS04Oct.ppt has been
updated to reflect the existence of these exploits.
Full-Disclosure - We believe in it.
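Added example, not part of the original post or of the incidents.org note it quotes: a small Python check for the two signatures described above, the Apache access-log entry and the repeated xmlns: declarations in a PROPFIND body. The function names, the threshold of 32 namespaces and the second and third sample log lines are assumptions made for illustration.

```python
import re

# Apache "combined" access-log layout; adjust if your LogFormat differs.
ACCESS_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)
# One match per namespace declaration such as xmlns:z1="xml:".
XMLNS_RE = re.compile(rb'\bxmlns:[A-Za-z_][\w.-]*\s*=')
MAX_NAMESPACES = 32  # assumed threshold, tune against your own WebDAV clients


def suspicious_access_lines(lines):
    """Return (client, timestamp) for each PROPFIND that was rejected
    with 400 and carried neither Referer nor User-Agent."""
    hits = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if m is None:
            continue  # not in the expected layout
        if (m["method"] == "PROPFIND" and m["status"] == "400"
                and m["referer"] == "-" and m["agent"] == "-"):
            hits.append((m["client"], m["ts"]))
    return hits


def namespace_count(body: bytes) -> int:
    """Count xmlns:prefix declarations in a captured request body."""
    return len(XMLNS_RE.findall(body))


def is_namespace_flood(body: bytes) -> bool:
    return namespace_count(body) > MAX_NAMESPACES


# First line is the entry quoted in the post; the other two are constructed.
SAMPLE_LOG = [
    '10.1.0.13 - - [20/Oct/2004:14:57:15 +0000] "PROPFIND / HTTP/1.1" 400 31 "-" "-"',
    '10.1.0.20 - - [20/Oct/2004:14:58:02 +0000] "PROPFIND /docs/ HTTP/1.1" 207 512 "-" "ExampleDAVClient/1.0"',
    '10.1.0.21 - - [20/Oct/2004:14:58:40 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "ExampleBrowser/1.0"',
]

if __name__ == "__main__":
    for client, ts in suspicious_access_lines(SAMPLE_LOG):
        print(f"possible MS04-030 probe from {client} at {ts}")
```

The log check fits Apache hosts, where the request is rejected with a 400; the namespace count is meant for request bodies captured at a proxy or IDS in front of IIS.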