Full Disclosure mailing list archives

Exploit code Available for previously announced MS Vulnerabilities
From: Jesse Valentin <jessevalentin () yahoo com>
Date: Thu, 21 Oct 2004 08:53:26 -0700 (PDT)

As per www.incidents.org

MS04-030 POC

A proof-of-concept (POC) exploit for MS04-030 has been
made available. The exploit, a perl script, claims to
trigger the DOS condition. While we are still working
to verify the exploit, here are some signatures to look for:

The exploit will send the following header:

(the 'Host' field will hold the IP address of the
attacked host. In this example, we used '')

Content-type: text/xml
Content-length: 188963

<?xml version="1.0"?> <a:propfind xmlns:a="DAV:"
xmlns:z1="xml:" xmlns:z2="xml:" xmlns:z3="xml:" xmlns

(... repeating 'xmlns:z???="xml:", where '???' keeps
incrementing ...)

 xmlns:z9995="xml:" xmlns:z9996="xml:"
xmlns:z9998="xml:" >


For Apache servers, the exploit will leave the
following log entries:

Access Log:
- - [20/Oct/2004:14:57:15 +0000] "PROPFIND / HTTP/1.1" 400 31 "-" "-"

Error Log:
[Wed Oct 20 14:57:15 2004] [error] [client] request failed: error reading the headers

(your apache install may use a different log format)

If working "as advertised", the exploit will crash
unpatched IIS servers.

MS04-032 Windows XP Metafile Overflow POC

Looks like the kids are finally catching up with all
the MSFT vulnerabilities released this month. A POC
(proof-of-concept) exploit was released to exploit the
Windows XP Metafile overflow vulnerability.
The malicious file will start a remote shell or
connect back to a URL.
This functionality goes beyond what is typically
considered a 'proof-of-concept' as it allows full
remote control to the system with all the privileges
of the user that opened the image.

The good thing is that some AV vendors already detect it.
From the VirusTotal website:

Antivirus    Version   Update      Result
BitDefender  7.0       10.20.2004  Exploit.FPSE.A
Sybari       7.5.1314  10.20.2004  Exploit-MS03-051
Symantec     8.0       10.19.2004  Trojan.Moo

The Manager's Briefing at
http://isc.sans.org/presentations/MS04Oct.ppt has been
updated to reflect the existence of these exploits.


Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
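The MS04-030 signatures quoted above (a PROPFIND answered with a 400 and no referer or user agent in the Apache access log, and a request body padded with thousands of xmlns:zNNN="xml:" declarations) are easy to turn into a check. The following is an added example written for this archive page; it is not code from the post, from incidents.org, or from the PoC itself. The log lines, the 192.0.2.x client addresses and the NS_THRESHOLD cut-off are constructed assumptions. It generalizes slightly beyond the post: it counts every xmlns declaration, not only the z-prefixed "xml:" form, so a renamed prefix is still caught.

```python
"""
Detection example for the MS04-030 PROPFIND signature described in the post.

Two checks:
  1. scan Apache combined-format access log lines for PROPFIND requests
     rejected with 400 that carry no referer and no user agent;
  2. inspect a PROPFIND request body for a flood of namespace declarations.

All sample data in this file is constructed for illustration.
"""
import re
from typing import Dict, Iterable, List, Optional

# Apache combined log format. The entry quoted in the post has the client
# address blanked; the samples below substitute documentation-range IPs.
ACCESS_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Any xmlns declaration, not only the xmlns:zNNN="xml:" form the PoC emits,
# so a variant that renames the prefix is still counted.
XMLNS_RE = re.compile(r'\bxmlns(?::[\w.-]+)?\s*=\s*"[^"]*"')

# Assumed cut-off: a genuine PROPFIND body declares a handful of namespaces;
# the PoC body shown in the post declares thousands.
NS_THRESHOLD = 100


def parse_access_line(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = ACCESS_RE.match(line.strip())
    return m.groupdict() if m else None


def is_suspicious_propfind(entry: Dict[str, str]) -> bool:
    """The post's access-log signature: PROPFIND, status 400, empty referer and UA."""
    return (
        entry["method"] == "PROPFIND"
        and entry["status"] == "400"
        and entry["referer"] == "-"
        and entry["ua"] == "-"
    )


def scan_access_log(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return the parsed entries that match the signature; unparseable lines are skipped."""
    hits = []
    for line in lines:
        entry = parse_access_line(line)
        if entry and is_suspicious_propfind(entry):
            hits.append(entry)
    return hits


def count_namespace_decls(body: str) -> int:
    """Count xmlns declarations anywhere in a WebDAV request body."""
    return len(XMLNS_RE.findall(body))


def is_namespace_flood(body: str, threshold: int = NS_THRESHOLD) -> bool:
    """True when the body declares more namespaces than any legitimate PROPFIND would."""
    return count_namespace_decls(body) > threshold


def make_flood_body(n: int) -> str:
    """Construct a PROPFIND body with n dummy namespaces in the shape the post shows."""
    decls = " ".join(f'xmlns:z{i}="xml:"' for i in range(1, n + 1))
    return f'<?xml version="1.0"?> <a:propfind xmlns:a="DAV:" {decls} >'


# Constructed sample log: one entry in the shape quoted in the post, one
# ordinary GET, and one legitimate PROPFIND answered with 207 Multi-Status.
SAMPLE_ACCESS_LOG = [
    '192.0.2.10 - - [20/Oct/2004:14:57:15 +0000] "PROPFIND / HTTP/1.1" 400 31 "-" "-"',
    '192.0.2.11 - - [20/Oct/2004:14:58:02 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
    '192.0.2.12 - - [20/Oct/2004:14:59:40 +0000] "PROPFIND /dav/ HTTP/1.1" 207 812 "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_ACCESS_LOG):
        print(f"suspicious PROPFIND from {hit['client']} at {hit['ts']}")
    body = make_flood_body(9998)
    print(f"namespace declarations: {count_namespace_decls(body)}, flood={is_namespace_flood(body)}")
```

The access-log check only sees requests Apache itself rejected, as in the post's sample; a WebDAV server that accepts the body never logs a 400, so the namespace count is the check to run at a proxy or on captured request bodies. Tune NS_THRESHOLD against the PROPFIND traffic your own clients actually generate before alerting on it.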
