Message-ID: <C1008AC3.2489E%ltr@isc.upenn.edu>
Date: Thu, 10 Aug 2006 07:03:31 -0400
From: David Taylor <ltr@....upenn.edu>
To: H D Moore <fdlist@...italoffense.net>, <full-disclosure@...ts.grok.org.uk>
Cc:
Subject: Re: Exploit for MS06-040 Out?
Hi HD,
Do you plan on building a 'check' feature into this in the future? I find
those to be very handy in scripting checks on our systems.
On 8/10/06 3:57 AM, "H D Moore" <fdlist@...italoffense.net> wrote:
> On Wednesday 09 August 2006 13:10, Matt Davis wrote:
>> Did I completely miss exploit code being released in the wild for that
>> vulnerability?
>
> The Metasploit Framework module is now public, I included a copy of the
> email I sent to the Framework mailing list below.
>
> For the lazy:
> http://metasploit.com/projects/Framework/modules/exploits/netapi_ms06_040.pm
>
> ---------- Forwarded Message ----------
>
> Subject: [framework] Metasploit Framework Updates
> Date: Thursday 10 August 2006 02:52
> From: H D Moore <hdm@...asploit.com>
> To: framework@...asploit.com
>
> Hello everyone,
>
> I just pushed out a new round of updates for version 2.6 of the
> Metasploit Framework. This update includes new exploits, new features,
> and massive bug fixes. If it wasn't 3:00am on my birthday I would try
> for a 2.7 release :-)
>
> New exploits:
>
> netapi_ms06-040:
> - This exploit module should work against all Windows 2000 systems and
> Windows XP SP0 and SP1. It will not work on XP SP2 or 2003 SP1. There is
> a slim chance it can work with modification on 2003 SP0 and NT 4.0 SP6.
> The automatic target should be reliable for most users. The cool thing
> about this exploit is how it uses a strcpy call to place the shellcode
> into a static buffer and then return straight back into it. I have
> another version of this exploit that uses a more traditional exploit
> method, but there doesn't seem to be much point in releasing it now.
>
> ie_createobject:
> - This exploit module is capable of exploiting any "generic"
> CreateObject vulnerability in an ActiveX control. The current targets
> allow it to exploit MS06-014 and various controls that don't seem to be
> documented or often found vulnerable. This exploit uses the PE "wrapper"
> to download a generated executable containing the selected payload.
>
> eiq_license:
> - This exploit module is one of many for the recent EIQ vulnerabilities.
> I pushed this one out because of the amount of work the author put into
> it and the lack of cleanup I had to do before including it. The rest of
> the EIQ modules will be added and merged as I get time. Thanks again to
> everyone who submitted modules for these issues.
>
> realvnc_client:
> - This exploits an older client-side vulnerability in the VNC viewer for
> Windows. Thanks again to MC for writing this up.
>
> securecrt_ssh1:
> - This exploits an older client-side vulnerability in SecureCRT. Another
> great module provided by MC.
>
> mercury_imap:
> - This exploit module is capable of exploiting the RENAME command
> overflow found in older versions of the Mercury IMAP software. Yet
> another exploit by MC.
>
> A dozen small bug fixes, new targets, and cosmetic improvements were
> included with this update. Thanks to David Maciejak for sending in many
> of these and having the patience to deal with my update schedule.
>
> Matt Miller (skape) tracked down a long-time bug in the 'EXE' output mode
> of msfpayload. The template executable had an invalid stack size set,
> which caused all DLL Inject payloads to crash when initialized from
> inside the PE template. This fix should allow you to use the vncinject
> and meterpreter payloads with the msfpayload X mode (standalone exe).
>
> The msfpayload tool now has a javascript output format. Simply pass 'J'
> as the output mode of msfpayload to get an unescape()-ready string.
>
> The next 3.0 beta should be ready sometime next week. If I get over my
> fear of being owned via subversion, the actual source code repository
> for 3.0 will also become public.
>
> Enjoy!
>
> -HD
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
==================================================
David Taylor //Sr. Information Security Specialist
University of Pennsylvania Information Security
Philadelphia PA USA
(215) 898-1236
http://www.upenn.edu/computing/security/
==================================================
Penn Information Security RSS feed
http://www.upenn.edu/computing/security/rss/rssfeed.xml
Add link to your favorite RSS reader