lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <200608100257.34372.fdlist@digitaloffense.net>
Date: Thu, 10 Aug 2006 02:57:34 -0500
From: H D Moore <fdlist@...italoffense.net>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Exploit for MS06-040 Out?

On Wednesday 09 August 2006 13:10, Matt Davis wrote:
> Did I completely miss exploit code being released in the wild for that
> vulnerability?

The Metasploit Framework module is now public, I included a copy of the 
email I sent to the Framework mailing list below.

For the lazy:
http://metasploit.com/projects/Framework/modules/exploits/netapi_ms06_040.pm

----------  Forwarded Message  ----------

Subject: [framework] Metasploit Framework Updates
Date: Thursday 10 August 2006 02:52
From: H D Moore <hdm@...asploit.com>
To: framework@...asploit.com

Hello everyone,

I just pushed out a new round of updates for version 2.6 of the
 Metasploit Framework. This update includes new exploits, new features,
 and massive bug fixes. If it wasn't 3:00am on my birthday I would try
 for a 2.7 release :-)

New exploits:

netapi_ms06-040:
 - This exploit module should work against all Windows 2000 systems and
Windows XP SP0 and SP1. It will not work on XP SP2 or 2003 SP1. There is
a slim chance it can work with modification on 2003 SP0 and NT 4.0 SP6.
The automatic target should be reliable for most users. The cool thing
about this exploit is how it uses a strcpy call to place the shellcode
into a static buffer and then return straight back into it. I have
another version of this exploit that uses a more traditional exploit
method, but there doesn't seem to be much point in releasing it now.

ie_createobject:
 - This exploit module is capable of exploiting any "generic"
 CreateObject vulnerability in an ActiveX control. The current targets
 allow it to exploit MS06-014 and various controls that don't seem to be
 documented or often found vulnerable. This exploit uses the PE "wrapper"
 to download a generated executable containing the selected payload.

eiq_license:
 - This exploit module is one of many for the recent EIQ vulnerabilities.
I pushed this one out because of the amount of work the author put into
it and the lack of cleanup I had to do before including it. The rest of
the EIQ modules will be added and merged as I get time. Thanks again to
everyone who submitted modules for these issues.

realvnc_client:
 - This exploits an older client-side vulnerability in the VNC viewer for
Windows. Thanks again to MC for writing this up.

securecrt_ssh1:
 - This exploits an older client-side vulnerability in SecureCRT. Another
great module provided by MC.

mercury_imap:
 - This exploit module is capable of exploiting the RENAME command
overflow found in older versions of the Mercury IMAP software. Yet
another exploit by MC.

A dozen small bug fixes, new targets, and cosmetic improvements were
included with this update. Thanks to David Maciejak for sending in many
of these and having the patience to deal with my update schedule.

Matt Miller (skape) tracked down a long-time bug in the 'EXE' output mode
of msfpayload. The template executable had an invalid stack size set,
which caused all DLL Inject payloads to crash when initialized from
inside the PE template. This fix should allow you to use the vncinject
and metepreter payloads with the msfpayload X mode (standalone exe).

The msfpayload tool now has a javascript output format. Simply pass 'J'
 as the output mode of msfpayload to get an unescape()-ready string.

The next 3.0 beta should be ready sometime next week. If I get over my
fear of being owned via subversion, the actual source code respository
for 3.0 will also become public.

Enjoy!

-HD

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ