From: npouvesle at tenablesecurity.com (Nicolas Pouvesle)
Date: Wed, 28 Feb 2007 10:04:54 +0100
On Feb 28, 2007, at 5:48 AM, Alexander Sotirov wrote:
In MS04-031 Microsoft says:

"After the NetDDE services are started, any anonymous user who could deliver a specially crafted message to the affected system could attempt to exploit this vulnerability"

This seems to imply that no authentication is necessary, but the work with an anonymous connection. When I run ms04_031_netdde I get:

Exploit failed: The server responded with error: STATUS_ACCESS_DENIED

If I set SMBUSER and SMBPASS, the exploit works, but these two options are not listed in the exploit info message. Are they really needed, or is something I am missing?
Actually, I just think the exploit may only target one of the flaws fixed in MS04-031 (I didn't even know a flaw in the RPC interface was fixed prior to looking at the exploit code).

From what I remember, a stack overflow can be exploited anonymously on TCP port 139 using the NDDE protocol (a NetBIOS session must be negotiated first).