Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Exploit code Available for previously announced MS Vulnerabilities
From: Jesse Valentin <jessevalentin () yahoo com>
Date: Thu, 21 Oct 2004 08:53:26 -0700 (PDT)

As per www.incidents.org


MS04-030 POC

A proof-of-concept (POC) exploit for MS04-030 has been
made available. The exploit, a perl script, claims to
trigger the DOS condition. While we are still working
to verify the exploit, here some signatures to look
for:

The exploit will send the following header:

(the 'Host' field will hold the IP address of the
attacked host. In this example, we used '127.0.0.1')
---------------------------

PROPFIND / HTTP/1.1
Content-type: text/xml
Host: 127.0.0.1
Content-length: 188963
 

<?xml version="1.0"?> <a:propfind xmlns:a="DAV:"
xmlns:z1="xml:" xmlns:z2="xml:" xmlns:z3="xml:" xmlns

(... repeating 'xmlns:z???="xml:", where '???' keeps
incrementing ...)

 xmlns:z9995="xml:" xmlns:z9996="xml:"
xmlns:z9997="xml:"
xmlns:z9998="xml:" >
<a:prop><a:getcontenttype/></a:prop>
</a:propfind>

--------------------------------

For Apache servers, the exploit will leave the
following log entries:

Access Log:
10.1.0.13 - - [20/Oct/2004:14:57:15 +0000] "PROPFIND /
HTTP/1.1" 400 31 "-" "-"

Error Log:
[Wed Oct 20 14:57:15 2004] [error] [client 10.1.0.13]
request failed: error reading the headers

(your apache install may use a different log format)

If working "as advertised", the exploit will crash
unpatched IIS servers.

MS04-032 Windows XP Metafile Overflow POC

Looks like the kids are finally catching up with all
the MSFT vulnerabilities released this month. A POC
(proof-of-concept) exploit was released to exploit the
Windows XP Metafile overflow vulnerability.
The malicious file will start a remote shell or
connect back to a URL.
This functionality goes beyond what is typically
considered a 'proof-of-concept' as it allows full
remote control to the system with all the privileges
of the user that opened the image.

The good thing is that some AV vendors already detect
it:
From VirusTotal website:
BitDefender 7.0 10.20.2004 Exploit.FPSE.A
Sybari 7.5.1314 10.20.2004 Exploit-MS03-051
Symantec 8.0 10.19.2004 Trojan.Moo

The Manager's Briefing at
http://isc.sans.org/presentations/MS04Oct.ppt has been
updated to reflect the existence of these exploits.

__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault