This module exploits a stack overflow flaw in the Microsoft IIS FTP service. The flaw is triggered when a special NLST argument is passed while the session has changed into a long directory path. For this exploit to work, the FTP server must be configured to allow write access to the file system (either anonymously or in conjunction with a real account) This exploit module was written by Kingcope (kcope2@googlemail.com) and hdm (hdm@metasploit.com)
Exploit code for a remote reboot flaw in Microsoft’s implementation of the SMB2 protocol has been posted on the internet, exposing users of Windows 7 and Windows Vista to the teardrop attacks that used to be popular on Windows 3.1 and Windows 95.
The CSIS Security Groupfound (credit correction - see the update below) a 0day exploit in-the-wild that exploit a vulnerability within Microsoft DirectShow (msvidctl.dll) in the way it handles MPEG-2 files.
The exploit found is used to preform drive-by attacks via compromised Chinese web sites. Original exploit (as it is in-the-wild) can be found here (shellcode changed to execute calc.exe) - aa.rar. You can read the translated post here or read this post from ISC diary.
Here’s a Metasploit exploit module I wrote that exploit this vulnerability. Tested successfully on the following platforms (fully patched 06/07/09): - Internet Explorer 6, Windows XP SP2 - Internet Explorer 7, Windows XP SP3
Also, if you want to test this vulnerability manually, here’s a little Ruby script I wrote that build GIF files to trigger the vulnerability: Download msvidctl_gif.rb.
This is the second exploit found in-the-wild in the past month that exploit a vulnerability in Microsoft DirectShow. In June, an exploit was found in-the-wild that exploit a vulnerability in DirectShow QuickTime Movie Parser Filter (quartz.dll). Liam O Murchu of Symantec wrote an analysis for this exploit here: DirectShow Exploit In the Wild DirectShow Exploit In the Wild, Part II
This post will update with additional updates about this vulnerability.