Open Source and information security mailing list archives
From: alf1num3rik at yahoo.com (Stephen Jimson)
Subject: Exploit code Available for previously announced MS Vulnerabilities

you're probably talking about those sploits 

Microsoft IIS WebDAV XML Denial of Service Exploit (MS04-030)

http://www.k-otik.com/exploits/20041020.HOD-ms04032-emf-expl2.c.php

Microsoft Windows Metafile (.emf) Heap Overflow Exploit (MS04-032)

http://www.k-otik.com/exploits/20041020.HOD-ms04032-emf-expl2.c.php

stph

--- Jesse Valentin <jessevalentin@...oo.com> wrote:
> As per www.incidents.org
> 
> 
> MS04-030 POC
> 
> A proof-of-concept (POC) exploit for MS04-030 has been
> made available. The exploit, a perl script, claims to
> trigger the DOS condition. While we are still working
> to verify the exploit, here are some signatures to look
> for:
> 
> The exploit will send the following header:
> 
> (the 'Host' field will hold the IP address of the
> attacked host. In this example, we used '127.0.0.1')
> ---------------------------
> 
> PROPFIND / HTTP/1.1
> Content-type: text/xml
> Host: 127.0.0.1
> Content-length: 188963
>  
> 
> <?xml version="1.0"?> <a:propfind xmlns:a="DAV:"
> xmlns:z1="xml:" xmlns:z2="xml:" xmlns:z3="xml:"
> xmlns
> 
> (... repeating 'xmlns:z???="xml:", where '???' keeps
> incrementing ...)
> 
>  xmlns:z9995="xml:" xmlns:z9996="xml:"
> xmlns:z9997="xml:"
> xmlns:z9998="xml:" >
> <a:prop><a:getcontenttype/></a:prop>
> </a:propfind>
> 
> --------------------------------
> 
> For Apache servers, the exploit will leave the
> following log entries:
> 
> Access Log:
> 10.1.0.13 - - [20/Oct/2004:14:57:15 +0000] "PROPFIND / HTTP/1.1" 400 31 "-" "-"
> 
> Error Log:
> [Wed Oct 20 14:57:15 2004] [error] [client 10.1.0.13] request failed: error reading the headers
> 
> (your apache install may use a different log format)
> 
> If working "as advertised", the exploit will crash
> unpatched IIS servers.
> 
> MS04-032 Windows XP Metafile Overflow POC
> 
> Looks like the kids are finally catching up with all
> the MSFT vulnerabilities released this month. A POC
> (proof-of-concept) exploit was released to exploit the
> Windows XP Metafile overflow vulnerability.
> The malicious file will start a remote shell or
> connect back to a URL.
> This functionality goes beyond what is typically
> considered a 'proof-of-concept' as it allows full
> remote control to the system with all the privileges
> of the user that opened the image.
> 
> The good thing is that some AV vendors already detect it:
> From VirusTotal website:
> BitDefender 7.0 10.20.2004 Exploit.FPSE.A
> Sybari 7.5.1314 10.20.2004 Exploit-MS03-051
> Symantec 8.0 10.19.2004 Trojan.Moo
> 
> The Manager's Briefing at
> http://isc.sans.org/presentations/MS04Oct.ppt has been
> updated to reflect the existence of these exploits.
> 
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter:
> http://lists.netsys.com/full-disclosure-charter.html
>  
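The incidents.org excerpt quoted above gives two things a defender can match on: the shape of the PROPFIND request (a `text/xml` body with a very large Content-length made up of repeated `xmlns:zNNN="xml:"` declarations) and the Apache access-log entry it leaves behind (a PROPFIND answered with a 400). The checker below is an added example, not code from either poster or from incidents.org; it applies both signatures to constructed fixtures. The thresholds `NS_THRESHOLD` and `LEN_THRESHOLD`, the helper names, and the extra benign log lines are assumptions chosen for illustration.

```python
"""Detection helpers for the MS04-030 PROPFIND signature quoted above.

Added example, not code from the advisory or the list posters. The
thresholds below are assumptions for illustration; the sample request and
the second and third log lines are constructed fixtures, not captures.
"""
import re
from dataclasses import dataclass, field

# The advisory's hallmark: many 'xmlns:zNNN="xml:"' declarations in one body.
XMLNS_Z_RE = re.compile(rb'xmlns:z\d+="xml:"')

# Apache common/combined log prefix: ip ident user [ts] "method path proto" status size
ACCESS_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)

NS_THRESHOLD = 50          # assumption: no legitimate PROPFIND declares this many prefixes
LEN_THRESHOLD = 64 * 1024  # assumption: real PROPFIND bodies are a few hundred bytes


@dataclass
class Verdict:
    suspicious: bool
    reasons: list = field(default_factory=list)


def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (method, lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.split(b"\r\n")
    method = request_line.split(b" ", 1)[0]
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return method, headers, body


def inspect_request(raw: bytes) -> Verdict:
    """Flag a PROPFIND whose declared length or namespace count matches the signature."""
    method, headers, body = parse_request(raw)
    verdict = Verdict(False)
    if method != b"PROPFIND":
        return verdict
    try:
        declared = int(headers.get(b"content-length", b"0").decode())
    except ValueError:
        declared = 0
    if declared > LEN_THRESHOLD:
        verdict.reasons.append(f"content-length {declared} exceeds {LEN_THRESHOLD}")
    count = len(XMLNS_Z_RE.findall(body))
    if count > NS_THRESHOLD:
        verdict.reasons.append(f'{count} xmlns:zN="xml:" declarations')
    verdict.suspicious = bool(verdict.reasons)
    return verdict


def scan_access_log(lines):
    """Return (client ip, timestamp) for PROPFIND requests Apache rejected with 400,
    the access-log pattern the advisory reports for this exploit."""
    hits = []
    for line in lines:
        m = ACCESS_LOG_RE.match(line)
        if m and m["method"] == "PROPFIND" and m["status"] == "400":
            hits.append((m["ip"], m["ts"]))
    return hits


def _wrap(body: bytes) -> bytes:
    """Build a request with the header layout shown in the advisory (fixture helper)."""
    return (b"PROPFIND / HTTP/1.1\r\nContent-type: text/xml\r\nHost: 127.0.0.1\r\n"
            + b"Content-length: %d\r\n\r\n" % len(body) + body)


# Constructed fixtures: an ordinary PROPFIND, and one padded with 120 dummy
# prefixes to stand in for the flood the advisory describes (far short of it).
_BENIGN_BODY = (b'<?xml version="1.0"?><a:propfind xmlns:a="DAV:">'
                b'<a:prop><a:getcontenttype/></a:prop></a:propfind>')
_NS_FLOOD = b" ".join(b'xmlns:z%d="xml:"' % i for i in range(1, 121))
_FLOOD_BODY = (b'<?xml version="1.0"?> <a:propfind xmlns:a="DAV:" ' + _NS_FLOOD
               + b' ><a:prop><a:getcontenttype/></a:prop></a:propfind>')
SAMPLE_BENIGN = _wrap(_BENIGN_BODY)
SAMPLE_FLOOD = _wrap(_FLOOD_BODY)

# First line is the advisory's own example; the other two are constructed noise.
SAMPLE_ACCESS_LOG = [
    '10.1.0.13 - - [20/Oct/2004:14:57:15 +0000] "PROPFIND / HTTP/1.1" 400 31 "-" "-"',
    '10.1.0.14 - - [20/Oct/2004:14:58:02 +0000] "GET /index.html HTTP/1.1" 200 1432 "-" "Mozilla/5.0"',
    '10.1.0.15 - - [20/Oct/2004:14:59:40 +0000] "PROPFIND /dav/ HTTP/1.1" 207 512 "-" "cadaver/0.22"',
]

if __name__ == "__main__":
    print("benign:", inspect_request(SAMPLE_BENIGN))
    print("flood :", inspect_request(SAMPLE_FLOOD))
    print("log   :", scan_access_log(SAMPLE_ACCESS_LOG))
```

The namespace count is the more useful of the two checks: the advisory's Content-length of 188963 only matters if the body actually arrives, whereas the repeated `xmlns:zN="xml:"` pattern is visible in whatever prefix of the body a proxy or IDS has buffered. A legitimate WebDAV client that uses a few dozen prefixes would still stay well under the threshold.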