[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-Disclosure] Exploit Identification Request

To: root@xxxxxxxxxxxxxxxxxxx
Subject: Re: [Full-Disclosure] Exploit Identification Request
From: Cedric Blancher <blancher@xxxxxxxxxxxxxxxxxx>
Date: Thu, 29 Apr 2004 16:26:08 +0200

Le jeu 29/04/2004 à 15:34, System Administrator a écrit :
> One of our external systems (W2k, fully patched all components - 
> sp4, sql sp4, mdac sp3, post hotfixes, etc) is being hit by what 
> appears to be a buffer overflow of IIS : 4096 bytes cycling in 
> what appears to be an attempt to execute code. The probe starts by 
> obtaining an index.asp page, and then drops a "SEARCH / 411 210 
> 42" before dropping the "AAAAA<n>" string. 
[...]
> SEARCH /AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA[...]

Looks like Windows ntdll.dll buffer overflow exploit :

        http://www.securityfocus.com/bid/7116/


-- 
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
>> Hi! I'm your friendly neighbourhood signature virus.
>> Copy me to your signature file and help me spread!

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

References:
- [Full-Disclosure] Exploit Identification Request
  - From: System Administrator

Prev by Date: RE: [Full-Disclosure] Heads up: Possible lsass worm in the wild
Next by Date: Re: [Full-Disclosure] Exploit Identification Request
Previous by thread: [Full-Disclosure] Exploit Identification Request
Next by thread: Re: [Full-Disclosure] Exploit Identification Request
Index(es):
- Date
- Thread