BTW the service that crashed with the buffer overflow was McAfee Netshield (mcshield.exe).
-----Original Message----- From: H D Moore [mailto:[EMAIL PROTECTED]] Sent: Monday, June 24, 2002 4:23 PM To: Gilbert, Austin Cc: '[EMAIL PROTECTED]' Subject: Re: False Positives from 1.2.2 against W2K Pro / IIS 5 On Monday 24 June 2002 16:16, Gilbert, Austin wrote: > if you pass the webserver this request: > http://somewebserver:2301/FireDaemon.exe > > it returns the attached page. Thanks, should be easy enough to fix, I just need to get a better match string from the "FireDaemon.exe -h" command output. > What was more interesting to me was the following. After the scan, I > connected to port 2301 with a browser to check it out, and I got a > page that had been modified. I'm not sure which plugin caused the > buffer overflow in McAffee (which apparently over wrote the compaq > insight web page with what was in memory at the time -- your script's > request), but it would be interesting to find out. That is bizzare, you are referring to the McAfee AV service? Is McAfee running any other services, such as pop3 or web proxies? If its running a web proxy, could your browser be using that when you browsed the local Compaq Insight Manager page (and hence returned a corrupted result from the proxy, not from the Compaq service)? Either way, sounds like a new bug/vuln... -HD IMPORTANT NOTICE: This message is intended only for the use of the individual or entity to which it is addressed and may contain information that is privileged, confidential and exempt from disclosure under applicable law. If you have received this message in error, you are hereby notified that we do not consent to any reading, dissemination, distribution or copying of this message. If you have received this communication in error, please notify the sender immediately and destroy the transmitted information.
