Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: Exploit code Available for previously announced MS Vulnerabilities
From: Stephen Jimson <alf1num3rik () yahoo com>
Date: Thu, 21 Oct 2004 20:24:42 +0200 (CEST)

you're probably talking about those sploits 

Microsoft IIS WebDAV XML Denial of Service Exploit


Microsoft Windows Metafile (.emf) Heap Overflow
Exploit (MS04-032)



--- Jesse Valentin <jessevalentin () yahoo com> wrote :
As per www.incidents.org

MS04-030 POC

A proof-of-concept (POC) exploit for MS04-030 has
made available. The exploit, a perl script, claims
trigger the DOS condition. While we are still
to verify the exploit, here some signatures to look

The exploit will send the following header:

(the 'Host' field will hold the IP address of the
attacked host. In this example, we used '')

Content-type: text/xml
Content-length: 188963

<?xml version="1.0"?> <a:propfind xmlns:a="DAV:"
xmlns:z1="xml:" xmlns:z2="xml:" xmlns:z3="xml:"

(... repeating 'xmlns:z???="xml:", where '???' keeps
incrementing ...)

 xmlns:z9995="xml:" xmlns:z9996="xml:"
xmlns:z9998="xml:" >


For Apache servers, the exploit will leave the
following log entries:

Access Log: - - [20/Oct/2004:14:57:15 +0000] "PROPFIND
HTTP/1.1" 400 31 "-" "-"

Error Log:
[Wed Oct 20 14:57:15 2004] [error] [client]
request failed: error reading the headers

(your apache install may use a different log format)

If working "as advertised", the exploit will crash
unpatched IIS servers.

MS04-032 Windows XP Metafile Overflow POC

Looks like the kids are finally catching up with all
the MSFT vulnerabilities released this month. A POC
(proof-of-concept) exploit was released to exploit
Windows XP Metafile overflow vulnerability.
The malicious file will start a remote shell or
connect back to a URL.
This functionality goes beyond what is typically
considered a 'proof-of-concept' as it allows full
remote control to the system with all the privileges
of the user that opened the image.

The good thing is that some AV vendors already
From VirusTotal website:
BitDefender 7.0 10.20.2004 Exploit.FPSE.A
Sybari 7.5.1314 10.20.2004 Exploit-MS03-051
Symantec 8.0 10.19.2004 Trojan.Moo

The Manager's Briefing at
http://isc.sans.org/presentations/MS04Oct.ppt has
updated to reflect the existence of these exploits.

Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam
protection around 

Full-Disclosure - We believe in it.


Vous manquez d’espace pour stocker vos mails ? 
Yahoo! Mail vous offre GRATUITEMENT 100 Mo !
Créez votre Yahoo! Mail sur http://fr.benefits.yahoo.com/

Le nouveau Yahoo! Messenger est arrivé ! Découvrez toutes les nouveautés pour dialoguer instantanément avec vos amis. A 
télécharger gratuitement sur http://fr.messenger.yahoo.com

Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]