[framework] ms04_031_netdde
Nicolas Pouvesle
npouvesle at tenablesecurity.com
Wed Feb 28 03:04:54 CST 2007
On Feb 28, 2007, at 5:48 AM, Alexander Sotirov wrote:
> In MS04-031 Microsoft says:
>
> "After the NetDDE services are started, any anonymous user who could deliver a
> specially crafted message to the affected system could attempt to remotely
> exploit this vulnerability"
>
> This seems to imply that no authentication is necessary, but the exploit doesn't
> work with an anonymous connection. When I run ms04_031_netdde I get:
>
> Exploit failed: The server responded with error: STATUS_ACCESS_DENIED
>
> If I set SMBUSER and SMBPASS, the exploit works, but these two options are not
> listed in the exploit info message. Are they really needed, or is there
> something I am missing?
>
Actually, I just think the exploit may only target one of the flaws
fixed in MS04-031 (I didn't even know a flaw in the RPC interface was
fixed prior to looking at the exploit code).

From what I remember, a stack overflow can be exploited anonymously
on TCP port 139 using the NDDE protocol (a NetBIOS session must
be negotiated first).
Nicolas