| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20041021155326.42163.qmail@web60310.mail.yahoo.com> From: jessevalentin at yahoo.com (Jesse Valentin) Subject: Exploit code Available for previously announced MS Vulnerabilities As per www.incidents.org MS04-030 POC A proof-of-concept (POC) exploit for MS04-030 has been made available. The exploit, a perl script, claims to trigger the DOS condition. While we are still working to verify the exploit, here some signatures to look for: The exploit will send the following header: (the 'Host' field will hold the IP address of the attacked host. In this example, we used '127.0.0.1') --------------------------- PROPFIND / HTTP/1.1 Content-type: text/xml Host: 127.0.0.1 Content-length: 188963 <?xml version="1.0"?> <a:propfind xmlns:a="DAV:" xmlns:z1="xml:" xmlns:z2="xml:" xmlns:z3="xml:" xmlns (... repeating 'xmlns:z???="xml:", where '???' keeps incrementing ...) xmlns:z9995="xml:" xmlns:z9996="xml:" xmlns:z9997="xml:" xmlns:z9998="xml:" > <a:prop><a:getcontenttype/></a:prop> </a:propfind> -------------------------------- For Apache servers, the exploit will leave the following log entries: Access Log: 10.1.0.13 - - [20/Oct/2004:14:57:15 +0000] "PROPFIND / HTTP/1.1" 400 31 "-" "-" Error Log: [Wed Oct 20 14:57:15 2004] [error] [client 10.1.0.13] request failed: error reading the headers (your apache install may use a different log format) If working "as advertised", the exploit will crash unpatched IIS servers. MS04-032 Windows XP Metafile Overflow POC Looks like the kids are finally catching up with all the MSFT vulnerabilities released this month. A POC (proof-of-concept) exploit was released to exploit the Windows XP Metafile overflow vulnerability. The malicious file will start a remote shell or connect back to a URL. This functionality goes beyond what is typically considered a 'proof-of-concept' as it allows full remote control to the system with all the privileges of the user that opened the image. The good thing is that some AV vendors already detect it: >From VirusTotal website: BitDefender 7.0 10.20.2004 Exploit.FPSE.A Sybari 7.5.1314 10.20.2004 Exploit-MS03-051 Symantec 8.0 10.19.2004 Trojan.Moo The Manager's Briefing at http://isc.sans.org/presentations/MS04Oct.ppt has been updated to reflect the existence of these exploits. __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com
Powered by blists - more mailing lists