
PoC for MS05-047 Exploit Released to the Public

  • Posted: 22 November 2005
  • Threat category: Uncategorized
  • Author: Virus Analyst

The PoC for the Microsoft Windows Plug and Play “Umpnpmgr.dll” Remote Exploit (MS05-047) has just been released by FRSIRT.

With this release, we are now on the lookout. I predict it will be just a matter of days (or hours) before new malware carries this exploit.


Update (Jovs, 22 October 2005 01:55:34)

After more review of the PoC given by frsirt, we verified that it can only crash the targeted machines, since there is no actual shellcode to be seen in the PoC.

So malware within hours might have been an overstatement on my part. Hehe… But hey, when great minds work there's no impossible, right? :)


Update (JJ, 22 October 2005 02:11:24)

Some factors on why a working exploit (not just a DoS) for this requires some time (although it has already been around 2 weeks hehehe):

1. This exploit works by sending a long string using a specified registry key and appending lots of “”. Ex: “ACPI\….” (under HKLM\SYSTEM\CurrentControlSet\Enum).
2. Specifying characters other than “” and characters that are not in the subkeys of HKLM\SYSTEM\CurrentControlSet\Enum will not trigger the exploit.
3. When we finally have control of the stack, it points to a “00 xx 00 yy” address.

Quote from Dave Aitel on this bug:
“The umpnp bug is a bit more complex, you can overwrite eip with 00XX00YY where XX and YY are characters from a registry key you get to pick. It’s fun for the whole family. Do you A) spam the heap with lots of your shellcode? or B) off by two EIP and hope for something cool? C) find an 0day


Update (Jovs, 22 October 2005 03:19:15)

This has already been forwarded to the NVW team, and it was said to be already detected with NVW pattern NVP10229.

Some workarounds for this vulnerability are also included in this report.
