Re: [Full-Disclosure] Windows Lsasrv.dll RPC buffer overflow Remote Exploit (MS04-011)

[- ElviS - <elvi52001@xxxxxxxxx>]

http://www.k-otik.com/exploits/04252004.ms04011lsass.c.php
http://isc.sans.org/diary.php?date=2004-04-26
 
Handler's Diary April 26th 2004 " An exploit targeting the recently released 
vulnerability in Windows' Active Directory service functions in LSASRV.DLL 
(LSASS: Local Security Authority Subsystem Service) was made public today. 
The exploit is effective against some versions of Windows 2000 with SP3 or SP4 
installed. The patch released earlier this month as part of MS04-011 will fix 
this vulnerability. 

If you have not done so already, please apply the MS04-011 patch as soon as 
possible. Even if no worm is released, we expect that all Internet facing 
systems will be probed with this exploit over the next couple of days. 

The exploit will allow full remote control via a remote shell. The port used by 
the remote shell can be changed via a command line option. we just received a 
report of the exploit being used in the wild. "

really dangerous !


Paul Tinsley <">jackhammer@xxxxxxxxx> wrote:
I haven't seen much discussion about this one other than here:
http://www.incidents.org/diary.php?date=2004-04-25&isc=24f2410ad7a5b786b009d9226c908b92
and I just figured I would pass along that this one is real and does
work. We setup some vmware sessions awhile ago and tested it against
a W2K SP4 box with no success, but a W2K SP4 box with all patches
except MS04-011 and MS04-012 was a successful target. So patching is
probably a good idea if you haven't already done so.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

                
---------------------------------
Do you Yahoo!?
Win a $20,000 Career Makeover at Yahoo! HotJobs