On Monday 24 June 2002 16:16, Gilbert, Austin wrote: > if you pass the webserver this request: > http://somewebserver:2301/FireDaemon.exe > > it returns the attached page.
Thanks, should be easy enough to fix, I just need to get a better match string from the "FireDaemon.exe -h" command output. > What was more interesting to me was the following. After the scan, I > connected to port 2301 with a browser to check it out, and I got a > page that had been modified. I'm not sure which plugin caused the > buffer overflow in McAffee (which apparently over wrote the compaq > insight web page with what was in memory at the time -- your script's > request), but it would be interesting to find out. That is bizzare, you are referring to the McAfee AV service? Is McAfee running any other services, such as pop3 or web proxies? If its running a web proxy, could your browser be using that when you browsed the local Compaq Insight Manager page (and hence returned a corrupted result from the proxy, not from the Compaq service)? Either way, sounds like a new bug/vuln... -HD
