Aug 10, 12:41 pm (UTC-7) | by Joey Costoya (Senior Threat Researcher)
For this month’s bunch of MS security bulletins, it looks like MS06-040 (Vulnerability in Server Service Could Allow Remote Code Execution) is a very “wormable” vulnerability. MS06-040 is your typical stack overflow vulnerability. Moreover, according to the security bulletin, “Microsoft had received information that this vulnerability was being exploited” when the bulletin was released.
As of this writing, there are already three tools equipped to exploit MS06-040, and one MS06-040 NetApi32 scanner.
- Metasploit
  - Works against Windows 2000/XP/2003, but will only cause a denial-of-service against Windows XP SP2 and Windows 2003 SP1.
  - http://metasploit.com/projects/Framework/exploits.html#netapi_ms06_040
- Immunity Canvas
- Core IMPACT
  - Both are commercial security tools; hence, the exploit is only available to their customers.
- eEye
  - Did not actually release an exploit, but they released a free MS06-040 NetApi32 scanner. However, the free version only allows a user to scan 16 IPs at a time.
  - http://www.eeye.com/html/resources/downloads/audits/NetApi.html
Update (Jovs, Sat, 12 Aug 2006 08:52:42 AM)
In addition to this, blocking TCP ports 139 and 445 at the firewall will help protect systems that are behind that firewall. Also, Trend Micro NVP Solution can now detect the exploit at the gateway. For more information about this, check the Microsoft Advisory for MS06-040 here.