MS15-002 Detection

Bill Finlayson

MS15-002 was one of the more interesting patches this month.  As such, we spent quite a bit of time on it.  But alas, it appears as though a pretty thorough analysis has already been posted at WooYun (http://drops.wooyun.org/papers/4621) which mostly aligns with our analysis of the issue.

We believe this issue to be difficult to exploit but pretty easy to detect.  Our (ugly) internal detection script can be grabbed from here for anyone who might find it useful: http://pastebin.com/aTxca42w

Please note that this script IS NOT SAFE and running it against a target multiple times will exhaust the telnet server’s maximum connections (as defined in Software\Microsoft\TelnetServer\1.0\MaxConnections) and require restarting the telnet service.

Bill Finlayson

Bill Finlayson