http://labs.portcullis.co.uk Labs Portcullis updates. en Labs portcullis Tue, 22 Feb 2011 11:21:14 GMT http://backend.userland.com/rss 60 hhttp://labs.portcullis.co.uk/mg/logo.gif http://labs.portcullis.co.uk Tue, 18 Nov 2008 12:22:54 GMT http://labs.portcullis.co.uk/application/ms08-067-check/ <p>This tool can be used to anonymously check if a target machine or a list of target machines are affected by <a href="http://www.microsoft.com/technet/security/Bulletin/ms08-067.mspx">MS08-067</a> issue (Vulnerability in Server Service Could Allow Remote Code Execution).</p> <h2>Usage</h2> <pre> $ python ms08-067_check.py -h Usage: ms08-067_check.py [option] {-t <target>|-l <iplist.txt>}<br /><br />Options:<br /> --version show program's version number and exit<br /> -h, --help show this help message and exit<br /> -d show description and exit<br /> -t TARGET target IP or hostname<br /> -l LIST text file with list of targets<br /> -s be silent<target><iplist.txt><br /></iplist.txt></target></iplist.txt></target></pre> <h2>Example</h2> <pre> $ python ms08-067_check.py -t 192.168.123.30 192.168.123.30: VULNERABLE </pre> <h2>Note</h2> <p>On Windows XP Service Pack 2 and Windows XP Service Pack 3 this check might lead to a race condition and heap corruption in the <i>svchost.exe</i> process, but it may not crash the service immediately: it can trigger later on inside any of the shared services in the process.</p> <h2>References</h2> <ul> <li>BID: <a href="http://www.securityfocus.com/bid/31874">31874</a></li> <li>CVE: <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250">2008-4250</a></li> <li><a href="http://blogs.technet.com/swi/archive/2008/10/25/most-common-questions-that-we-ve-been-asked-regarding-ms08-067.aspx">http://blogs.technet.com/swi/archive/2008/10/25/most-common-questions-that-we-ve-been-asked-regarding-ms08-067.aspx</a></li> <li><a href="http://www.microsoft.com/technet/security/advisory/958963.mspx">http://www.microsoft.com/technet/security/advisory/958963.mspx</a></li> <li><a href="http://www.phreedom.org/blog/2008/decompiling-ms08-067/">http://www.phreedom.org/blog/2008/decompiling-ms08-067/</a></li> <li><a href="http://metasploit.com/dev/trac/browser/framework3/trunk/modules/exploits/windows/smb/ms08_067_netapi.rb">http://metasploit.com/dev/trac/browser/framework3/trunk/modules/exploits/windows/smb/ms08_067_netapi.rb</a></li> <li><a href="http://blog.threatexpert.com/2008/10/gimmiva-exploits-zero-day-vulnerability.html">http://blog.threatexpert.com/2008/10/gimmiva-exploits-zero-day-vulnerability.html</a></li> <li><a href="http://blogs.securiteam.com/index.php/archives/1150">http://blogs.securiteam.com/index.php/archives/1150</a></li> </ul>