MS05-039 Exploit Code in The Wild
Results 1 to 9 of 9

Thread: MS05-039 Exploit Code in The Wild

  1. #1
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,884

    MS05-039 Exploit Code in The Wild

    That didn't take long...

    2 to 1 that we have a worm by next week.

    Read on.


    Alert: Exploits for Plug and Play Vulnerability Released

    eEye Digital Security is alerting administrators to the existence of exploit code for the recently added Plug and Play Service vulnerability, which Microsoft patched this week as part of the August Security Update (security bulletin MS05-039). Specific information on this particular vulnerability can be found towards the end of this announcement. As a service to the network security community eEye has released a scanning utility, free of charge, which will identify vulnerable systems and provide remediation instructions. This tool can be downloaded immediately at:
    http://www.eeye.com/html/resources/d...its/index.html

    About the Exploit
    Today, several instances of exploit code targeting the vulnerability discussed in MS05-039 were released to the world. The eEye Research Team, upon discovering two instances of exploit code online, conducted thorough testing to confirm that both present a legitimate threat to Windows 2000 systems (completely patched SP 4 with all hotfixes). One exploit, released by an anonymous author, will bind a command prompt to TCP port 8721.

    eEye reiterates our original position that users should consider this patch highly critical, and that it should be installed as soon as possible. For networks with multiple versions of Windows operating systems, eEye recommends allocating resources to remediate systems in this order:
    Windows 2000 (All Service Packs)
    Windows NT
    Windows XP
    Windows 2003

    As a refresher, the vulnerability is an unchecked buffer in the Plug and Play service that can be exploited as a privilege escalation or to run remote code as SYSTEM. Users running Windows 2000 are vulnerable to a potential worm attack that would take advantage of this flaw. The Microsoft patch updates the Plug and Play service code to validate the length of a message before it passes it to the allocated buffer.

    MS05-039
    Vulnerability in Plug and Play Could Allow Remote code Execution and Elevation of Privilege (899588)

    Microsoft Severity Rating: Critical
    http://www.microsoft.com/technet/sec.../MS05-039.mspx
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  2. #2
    Senior Member
    Join Date
    Aug 2002
    Posts
    508
    A new similar dcom exploit ?

    Exploit worked/tested on my own server : Windows 2000(patched),XP(SP2),Windows 2003 Enterprise Server(SP1).

    I think for some people/kiddies.. they already scanning vurlnerable server
    Not an image or image does not exist!
    Not an image or image does not exist!

  3. #3
    T̙͓̞̣̯ͦͭͅͅȂͧͭͧ̏̈͏̖̖Z̿ ͆̎̄
    Join Date
    Dec 2004
    Posts
    3,171
    Hi thehorse_13,

    I'm patched...but...if I wanted to check to see if I'm vunerable ( curiousity sake ) which of these ' tools ' would I use for my home computer ?

    Eg

  4. #4
    Regal Making Handler
    Join Date
    Jun 2002
    Posts
    1,668
    Ahhhhhhhhhhhhh dcom

    Direct, compromisation, owning, method
    What happens if a big asteroid hits the Earth? Judging from realistic simulations involving a sledge hammer and a common laboratory frog, we can assume it will be pretty bad. - Dave Barry

  5. #5
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,786
    Originally posted here by Egaladeist
    Hi thehorse_13,

    I'm patched...but...if I wanted to check to see if I'm vunerable ( curiousity sake ) which of these ' tools ' would I use for my home computer ?

    Eg
    TH looks like he's off-line so ill jump on and say....its the first one, on the top of the page (for ms05-039). i just compiled the exploit in mdk if you have any use for the binary
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”

  6. #6
    T̙͓̞̣̯ͦͭͅͅȂͧͭͧ̏̈͏̖̖Z̿ ͆̎̄
    Join Date
    Dec 2004
    Posts
    3,171
    Hi Tedob1,

    Thanks ! I wasn't sure as they all seemed to be for multiple set-ups.
    i just compiled the exploit in mdk if you have any use for the binary
    My old-tech mind deciphers that as : you got the little bu@@er trapped, and would I like to see it for testing or curiousity ( close? ).

    Well...I'm not that curious ...and I wouldn't have the foggiest what to do with it anyways...so...I'll leave that up to you and other much more proficient computer professionals...this old man has a long way to go before he starts tackling that sort of thing...but I do appreciate the offer.

    Eg

  7. #7
    Senior Member
    Join Date
    Aug 2002
    Posts
    508
    I think some of ISP's already block port 445 (from the last worm), maybe is hard to find vurnerable IP's (maybe some kiddies got lucky) or dumb admin open that port and I just tried that exploit on my own vmware server...cause..I am to "chicken" to try it on someone else server
    Not an image or image does not exist!
    Not an image or image does not exist!

  8. #8
    Senior Member
    Join Date
    Jun 2003
    Posts
    188
    Disabling port 445 permanently

    goto to registry key

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters

    set the TransportBindName string value to nothing

  9. #9
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,884
    What did I tell ya. What did that take? 4 days?

    Zotob

    http://isc.sans.org/diary.php?date=2005-08-14
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •