MS05-039 p0wns j00. [UPDATE]

While I’m waiting on the RSS feeds to load up I’ll make a quick post about the latest Microsoft exploit. Microsoft release a series of OS patches last Tuesday and exploit code was made public for one of these less than a week later. The exploit targets MS Patch “MS05-039” and takes advantage of a remotely exploitable vulnerability in Microsofts Plug-n-Play feature (otherwise known as Plug-n-Pray). The Zotob Worm was also released and takes advantage of the same vulnerability.

The actual exploit code for MS05-039 can be found at milw0rm and a brief example follows below the break:

The exploit description from the code itself:
* Description:
* A remote code execution and local elevation of privilege
* vulnerability exists in Plug and Play that could allow an
* attacker who successfully exploited this vulnerability to take
* complete control of the affected system.
*
* This is a remote code execution and local privilege elevation
* vulnerability. On Windows 2000, an anonymous attacker could
* remotely try to exploit this vulnerability.
*
* On Windows XP Service Pack 1, only an authenticated user could
* remotely try to exploit this vulnerability.
* On Window XP Service Pack 2 and Windows Server 2003, only an
* administrator can remotely access the affected component.
* Therefore, on Windows XP Service Pack 2 and Windows Server 2003,
* this is strictly a local privilege elevation vulnerability.
* An anonymous user cannot remotely attempt to exploit this
* vulnerability on Windows XP Service Pack 2 and Windows
* Server 2003.

Usage is as follows:
* Compile:
*
* Win32/VC++ : cl -o HOD-ms05039-pnp-expl HOD-ms05039-pnp-expl.c
* Win32/cygwin: gcc -o HOD-ms05039-pnp-expl HOD-ms05039-pnp-expl.c
* Linux : gcc -o HOD-ms05039-pnp-expl HOD-ms05039-pnp-expl.c
*
* ———————————————————————
* Example:
*
* C:>HOD-ms05039-pnp-expl 192.168.0.1 7777
*
* [*] connecting to 192.168.0.22:445…ok
* [*] null session…ok
* [*] bind pipe…ok
* [*] sending crafted packet…ok
* [*] check your shell on 192.168.0.1:7777
* Ctrl+C
*
* C:>nc 192.168.0.1 7777
*
* Microsoft Windows 2000 [Version 5.00.2195]
* (C) Copyright 1985-2000 Microsoft Corp.
*
* C:WINNTsystem32>

I tested this attack against a Windows 2000 target and compromised the host in all of 15 seconds. It’s safe to say you should expect to see this exploit used as a basis for multiple attack vectors in the future.

Obviously OS patches should be applied as soon as possible to avoid getting rooted by a worm or remote attacker. Information on Windows patches can be found at the Microsoft Technet Website.

[UPDATE]
It looks like there are several variants on the web today and CNN, ABC and Caterpillar are among the major corporations being affected. The full roundup of information is available at The Internet Storm Center.

One Response to “MS05-039 p0wns j00. [UPDATE]”

  1. I believe this internet site holds very fantastic written content articles.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: